Best practices for cloud security
Posted December 20, 2021
Written by Terry May, Xpanxion Technical Writer
The following is a collection of industry-standard cloud security best practices. Always check with your cloud service provider and IT security team for more suggestions about protocols and methods to protect your data in the cloud.
Training is one of the more important aspects of best practices. Personnel should be familiar with established best practices. This process is continuous and never-ending as cloud security develops, adapts, and evolves. Everyone needs to think like a hacker and ask themselves: What do I have access to? Do I really need access to it? How could my access be exploited? Personnel need to be continuously taught how to recognize phishing emails, malware, and the risks of unstable practices. This includes live tests through tools that let you automatically simulate phishing attacks.
Encrypt all your data, always: encrypt it in transit and encrypt it at rest. Encrypt sensitive data in particular with your own keys. Don’t confuse obfuscation with encryption. Use widely accepted encryption patterns and widely used and well-maintained libraries. Don’t assume you are smarter than everyone else and can do it better.
Test at all stages, and automate your testing using widely accepted tools that give you an edge against those who would love to exploit an accidental oversight. Keep it ongoing and rigorous to find vulnerable areas in your environments. Use static analysis tools at check-in to look for common issues like buffer overflows or exploitable third-party libraries. Use vulnerability scanners on your interfaces in integration environments.
Observability and Audit
Enable Quality Assurance (QA) systems along with testing. Manually review logs or export them into a security analysis platform for review. As cloud services develop, these can be integrated with Security Information and Event Management (SIEM) systems. The SIEM data is processed by a Security Orchestration, Automation and Response (SOAR) system, an IT stack that helps companies and organizations deal with security threats. In a collection of physical and digital security tools, SOAR provides an architecture for optimal security response.
You need to audit configurations for infrastructure-as-a-service (IaaS), such as AWS or Azure. While you’re at it, analyze your cloud security SLAs and contracts. Be aware of who owns your data and what occurs should you stop the services.
It’s a good policy to have strong passwords with multifactor authentication. Strong passwords provide some protection against phishing attempts and malware threats, but in these cases the human is always the weakest link. Stop data from moving to unmanaged devices you don’t know about.
For malware, apply advanced protection to the infrastructure-as-a-service (IaaS), such as Amazon’s AWS or Microsoft’s Azure. In IaaS environments, you’re responsible for the security of your operating systems, applications, and network traffic. To protect your infrastructure, you can apply anti-malware technology to the OS and virtual network. For single-purpose workloads, you can deploy application whitelisting and memory exploit prevention. For general purpose workloads and file stores, you can deploy machine-learning-based protection.
Role-Based Access Control
Each role in the company that works with cloud services should have access only to the areas it needs. Limit who gets to work with the data, especially sensitive data and Personally Identifiable Information (PII). These are the juicy targets that make hackers salivate. If you reduce the number of people who have access, you reduce the attack vectors available to exploit your data.
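One way to act on this is a periodic access review that compares what each role grants against what people actually use. The following is an added example, not part of the original article; the role names, datasets, users, log entries and the 90-day idle threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumptions, not from any real system).
ROLE_MEMBERS = {
    "analyst": ["alice", "bob"],
    "billing-admin": ["carol", "bob"],
    "support": ["dave"],
}
ROLE_GRANTS = {
    "analyst": {"tickets", "customer_pii"},
    "billing-admin": {"invoices", "customer_pii"},
    "support": {"tickets"},
}
SENSITIVE = {"customer_pii"}
ACCESS_LOG = [  # (user, dataset, day of access)
    ("alice", "customer_pii", date(2021, 12, 1)),
    ("bob", "tickets", date(2021, 12, 10)),
    ("carol", "customer_pii", date(2021, 6, 1)),
    ("dave", "tickets", date(2021, 12, 15)),
]

def stale_sensitive_access(role_members, role_grants, sensitive,
                           access_log, today, max_idle_days=90):
    """List (user, dataset, granting roles, last use) for sensitive access
    that was never used or not used within max_idle_days."""
    # Most recent access per (user, dataset).
    last_used = {}
    for user, dataset, day in access_log:
        key = (user, dataset)
        if key not in last_used or day > last_used[key]:
            last_used[key] = day
    # Which roles give each user access to each sensitive dataset.
    via = {}
    for role, members in role_members.items():
        for dataset in role_grants.get(role, set()) & sensitive:
            for user in members:
                via.setdefault((user, dataset), []).append(role)
    findings = []
    for (user, dataset), roles in sorted(via.items()):
        seen = last_used.get((user, dataset))
        if seen is None or (today - seen).days > max_idle_days:
            findings.append((user, dataset, sorted(roles), seen))
    return findings

if __name__ == "__main__":
    for row in stale_sensitive_access(ROLE_MEMBERS, ROLE_GRANTS, SENSITIVE,
                                      ACCESS_LOG, date(2021, 12, 20)):
        print(row)
```

Each finding is a candidate for removal from the listed roles, which shrinks the set of accounts that can reach PII.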
Enforce robust cloud security policies. Use intrusion detection and prevention tools and techniques.
Protect against phishing and malware threats. Cloud phishing and malware threats are becoming very common. Gear up so you can protect your cloud environment against these kinds of attacks. To minimize your vulnerability, make a protective layer an integral part of your cloud environment. This restricts cyber criminals and attackers from exploiting vulnerabilities on the cloud platform.
Emails are a primary threat. Protect your emails. If you use AWS cloud computing services, then their cloud security best practices will work for you. Be vigilant when sending any sensitive information to anyone, regardless of the security level of a system.
No cloud service is alone. Even if two connecting services are already approved, will movement of data between the two systems be accepted? People think of a chat client as a low-risk feature, but as the chat progresses, it could become interconnected with many high security systems. Chat could become a pivot point into sensitive systems from so-called trusted sources. Most modern chat clients enable data egress for the organization. Limit the ability to install third-party chat clients on systems so that users in your organization can’t send confidential data and files over such a client.
Any service that bills on use and continuously monitors current use could provide an early alert if the system is compromised. Theft of service by attackers using credentials can be very expensive if not contained. Keep an eye on billing. An indicator of compromise is any behavior that is not normal. A database server sending four times the normal amount of data in a given timeframe could raise suspicions, just as a user sharing multiple documents per hour from the company’s SharePoint system could. All systems should be closely monitored.
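The "four times the normal amount" idea can be turned into a simple baseline check over usage or billing metrics. The following is an added example, not part of the original article; the source names, hourly values, the median baseline and the minimum-history setting are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (hour, source, value). Values are MB sent for the
# servers and documents shared for the SharePoint user. Not real telemetry.
SAMPLE_USAGE = (
    [(h, "db-prod-1", v) for h, v in
     enumerate([100, 110, 95, 105, 98, 102, 450, 101])]
    + [(h, "web-1", v) for h, v in
       enumerate([20, 22, 19, 21, 20, 23, 60, 21])]
    + [(h, "sharepoint:jdoe", v) for h, v in
       enumerate([1, 0, 2, 1, 1, 1, 9, 1])]
)

def flag_spikes(records, factor=4.0, min_history=5):
    """Return (hour, source, value, baseline) for every reading that is at
    least `factor` times that source's own baseline.

    The baseline is the median of the source's earlier readings, so one
    spike does not raise the threshold for the readings that follow it.
    """
    history = defaultdict(list)
    alerts = []
    for hour, source, value in sorted(records):
        past = history[source]
        # Do not alert until there is enough history to call anything normal.
        if len(past) >= min_history:
            baseline = median(past)
            if baseline > 0 and value >= factor * baseline:
                alerts.append((hour, source, value, baseline))
        past.append(value)
    return alerts

if __name__ == "__main__":
    for hour, source, value, baseline in flag_spikes(SAMPLE_USAGE):
        print(f"hour {hour}: {source} at {value} vs baseline {baseline}")
```

In the sample, web-1 triples its traffic in hour 6 and is not flagged, while the database server and the SharePoint user both exceed four times their own baseline in the same hour.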
Maintain your cloud services’ visibility and protect your user endpoints. Enforce responsive control of user access. Use a Cloud Access Security Broker (CASB). A CASB protects data in the cloud through data loss prevention, access control, and user behavior analysis. It can also monitor IaaS configurations and discover shadow IT (unknown cloud use).
Identify and classify sensitive or regulated data. Understand how the sensitive data is accessed and shared. Uncover malicious user behavior and apply data protection services. Evolve and adapt—adjust cloud access policies as new services come up. Remove any found malware.
As said before, cloud security and hacking attempts evolve. Be prepared for any changes and adapt your best practices and security measures to meet the threats. Inform all those involved that security is important, and it works best when everyone works together to protect data in the cloud.