Best Practices for Cloud Security

Cloud services are used in enterprise environments for many purposes, from storing data in Dropbox to accessing productivity tools through Microsoft Office 365 and deploying IT infrastructure in Amazon Web Services (AWS).


Cloud services allow organizations to move faster in all of these uses, accelerating their business with more agile technology and often at a lower cost. However, any cloud service brings with it the burden and risk of securing data in the cloud.

The security of data created in, sent to, and downloaded from the cloud is always the cloud customer’s responsibility. Protecting cloud data requires visibility and control. The following sections present a set of essential cloud security best practices to guide organizations towards a secure cloud deployment and to address common cloud security issues.


The following cloud security practices are aimed at small and medium-sized organizations; however, organizations of any size can apply them to make their use of the cloud more secure.

It is important to note, though, that the cloud security best practices described in this article are not exhaustive. Complement them with the guidance published by your cloud service providers, general cybersecurity best practices, applicable regulatory compliance requirements, and the recommendations of the Cloud Security Alliance.

Before transferring data or software to the cloud, companies should first do their homework. Cloud service providers (CSPs) use a shared responsibility model for security: the CSP is responsible for certain areas of defense, while other aspects of protection are either shared between the CSP and the customer or are exclusively the customer’s responsibility.

Perform Due Diligence for Cloud Computing

Cloud consumers must have a thorough understanding of their networks and applications to determine functionality, flexibility, and security for applications and systems deployed in the cloud. As mentioned below, due diligence should be performed over the life cycle of cloud-based applications and systems, including planning, development, implementation, operations, and decommissioning.

Planning

The first step to a successful cloud deployment is to choose an appropriate system or application to move to a CSP, whether it is built in-house or purchased. Planning is challenging when deploying to the cloud for the first time. Leverage others’ experiences and use a cloud adoption framework to ensure efficient use of cloud services and consistent architectural designs.


A framework provides a management process for defining applications, selecting cloud providers, and managing ongoing operational tasks associated with public cloud services. Cloud adoption frameworks can be CSP specific or CSP independent.

After selecting both a target system for cloud deployment and, with the help of a cloud adoption framework, a CSP, train all staff involved in the deployment on the basics of the selected CSP: its architecture, services, and the tools that aid deployment. Make sure everybody understands the CSP’s shared responsibility model and how it affects the cloud implementation.

Development and Deployment

The system/application development and deployment team should be trained in using CSP services correctly to implement applications. CSPs offer best-practices advice and documentation for using their services.

If architects are designing a new cloud application or system, they should follow the CSP’s guidelines for design and construction. If you are moving an existing application or system to the cloud, review its architecture and implementation against the CSP’s guidance to determine what changes are required to deploy it appropriately; CSP technical support staff can assist with this review.


Cloud computing relies on providing abstracted services that are often very similar to existing hardware, networks, and applications. Critical to adequate security, consumers need to realize that these are simply abstractions, carefully created to mimic the information technology resources organizations currently use.

Examine the organization’s security policies and its current approach to security auditing. Before applying an on-premises approach in the cloud, consult the CSP’s recommendations. First, verify that the on-premises method will still be effective when applied in the cloud. Next, check whether CSP services offer a better implementation approach that meets the security policy objectives.

Migrating to a cloud environment can present risks not found in the on-premises deployment of applications and systems. Check for new threats and identify the new security controls needed to reduce these risks. Again, consider how the controls provided by the CSP can help, and use the tools provided by the CSP to verify the correct and safe use of its services.

Operation

After applications and systems are developed and deployed in the cloud, they must be operated securely. Unlike physical servers, disks, and network devices, virtual cloud infrastructure is defined by software. As a result, infrastructure can be treated as source code that is kept in a version control system and managed through change control procedures.

Source code control systems have proven effective in managing software development, and the same tools can be adapted to manage cloud infrastructure. Changes to production resources should require independent approval before a system administrator can apply them.

Decommissioning

There are several reasons an organization might need to decommission an application or system deployed in the cloud quickly. For example, the CSP may go bankrupt or discontinue core services the application depends on, or CSP prices may rise and make the current deployment too expensive.

Decommissioning a cloud application or system should therefore be planned before it is deployed. Since each CSP’s cloud services are currently unique to that provider, transferring an application or system from one CSP to another would almost certainly be a major undertaking.

Consider what leaving a cloud service provider would involve. An essential part of any application or system is the data it stores and processes for the organization. Therefore, it is necessary to understand and determine in advance how data can be extracted from one CSP and moved to another.

Develop a Multi-CSP Strategy

While making the initial CSP selection, consider how the chosen system could be deployed to several CSPs. Mappings between CSP services that are readily available on the Internet can help determine how an application designed for one CSP could be moved to another.

Although the application or system will be deployed to only one of these CSPs, it is essential to track during development those aspects of the deployment that are specific to the selected CSP and would need to be redesigned when migrating.

Manage Access to Cloud Computing

Access management requires identifying and authenticating users, assigning access rights to users, and creating and enforcing access control policies for resources.

Identify and Authenticate Users

To reduce the impact of stolen passwords, use multi-factor authentication. An attacker with stolen privileged user credentials can access and modify the cloud customer’s services. Requiring multiple factors forces an attacker to obtain several independent authentication elements, lowering the risk of compromise.

Assign User Access Rights

Prepare a list of roles covering both shared and consumer-specific responsibilities. Cloud service providers offer advice on designing roles. The roles established should ensure that no single person can adversely affect the entire virtual data center.

Software developers and system administrators should not have uncontrolled access to resources. Limiting access limits the impact of a credential breach or a malicious insider. Role-based access control can be used to define the privileges granted to developers and system administrators.

Establish and Apply Resource Access Policies

Cloud service providers offer several different storage services, such as virtual disks, blob storage, and content delivery services. Each of these services can have its own access policies assigned to protect the data it stores. Cloud consumers must understand and configure the access policies specific to each service they use.
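One way to act on both points above, treating infrastructure as reviewed source code (Operation section) and configuring access policies per storage service, is to check policy documents automatically before they are applied. The Go program below is an added example, not code from this article or from any cloud provider: it parses an S3-style bucket policy document, reports every action that an Allow statement grants to a public principal, and shows a weak policy beside its corrected form. The bucket name, account id and role name in the two sample documents are placeholders constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is one entry in an IAM/S3-style resource policy. Principal and
// Action may be a string, a list, or (for Principal) an object in real
// documents, so they are kept raw and normalised by the helpers below.
type Statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

// asList normalises a JSON value that is either a string or a list of strings.
func asList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// principalIsPublic reports whether a Principal grants to anyone: the literal
// "*", or an object such as {"AWS": "*"} whose values contain "*".
func principalIsPublic(raw json.RawMessage) bool {
	for _, p := range asList(raw) {
		if p == "*" {
			return true
		}
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return false
	}
	for _, v := range obj {
		for _, p := range asList(v) {
			if p == "*" {
				return true
			}
		}
	}
	return false
}

// PublicGrants returns every action an Allow statement grants to a public
// principal. An empty result means the document grants nothing to the world.
func PublicGrants(policyJSON string) ([]string, error) {
	var pol Policy
	if err := json.Unmarshal([]byte(policyJSON), &pol); err != nil {
		return nil, fmt.Errorf("invalid policy document: %w", err)
	}
	var findings []string
	for _, st := range pol.Statement {
		if strings.EqualFold(st.Effect, "Allow") && principalIsPublic(st.Principal) {
			findings = append(findings, asList(st.Action)...)
		}
	}
	return findings, nil
}

// WeakPolicy is a constructed bucket policy that exposes every object to
// anonymous readers; bucket name and account id are placeholders.
const WeakPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}`

// FixedPolicy grants the same read access only to one application role.
const FixedPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExampleAppRole"},
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}`

func main() {
	for name, doc := range map[string]string{"weak": WeakPolicy, "fixed": FixedPolicy} {
		grants, err := PublicGrants(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s policy: public grants = %v\n", name, grants)
	}
}
```

Run as a pre-apply step in the same pipeline that reviews infrastructure changes, a non-empty result from `PublicGrants` is the signal to block the change until an independent approver has looked at it. The check deliberately treats `{"AWS": "*"}` the same as a bare `"*"`, since both grant to anonymous callers.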

Protect Data in Cloud Computing

Protecting data from unauthorized access, providing continuous access to critical data in the event of errors and malfunctions, and preventing accidental disclosure of data presumed to be deleted are challenges of data protection.

Protect Data Against Unauthorized Access

Encrypt data at rest to protect it from disclosure through unauthorized access. Cloud service providers typically provide encryption capabilities for the storage services they offer. Properly manage the associated encryption keys to ensure the encryption is effective.

Cloud service providers offer consumers a choice between provider-managed and consumer-managed keys. Keys managed by the cloud service provider are convenient but give the consumer no control over where and how the keys are stored.

Consumer-managed keys place the burden of key management on the consumer but provide better control. Cloud service providers offer hardware security modules (HSMs) in the cloud to help manage keys securely.
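The pattern behind consumer-managed keys is envelope encryption: each object is encrypted under its own data encryption key (DEK), and only the DEK is wrapped under a key encryption key (KEK) that lives in the HSM-backed key service. The Go program below is an added example, not code from the article or from any provider’s SDK; it uses AES-GCM from the standard library, and the `KeyEncryptionKey` type simply stands in for a key the HSM would hold. It shows why the consumer keeps control: decryption fails under the wrong KEK, tampering is detected, and rotating the KEK re-wraps only the small DEK rather than re-encrypting the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyEncryptionKey stands in for a key held in the provider's HSM-backed key
// service: in production callers get wrap/unwrap operations, never key bytes.
type KeyEncryptionKey struct {
	id  string
	key []byte // 32 bytes, AES-256
}

// NewKEK generates a fresh random 256-bit key with a caller-supplied id.
func NewKEK(id string) (*KeyEncryptionKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyEncryptionKey{id: id, key: k}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key with AES-GCM, prefixing a random nonce.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// openGCM reverses sealGCM and fails on any modification of the ciphertext.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is what is stored beside the object: data encrypted under a
// per-object DEK, the DEK wrapped under the KEK, and the id of that KEK.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a per-object DEK, encrypts the data with it, wraps the DEK
// under the KEK (binding the KEK id as associated data) and drops the raw DEK.
func Encrypt(kek *KeyEncryptionKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek.key, dek, []byte(kek.id))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kek.id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK named in the envelope, then decrypts.
func Decrypt(kek *KeyEncryptionKey, env *Envelope) ([]byte, error) {
	if kek.id != env.KEKID {
		return nil, errors.New("envelope was wrapped under a different KEK")
	}
	dek, err := openGCM(kek.key, env.WrappedDEK, []byte(kek.id))
	if err != nil {
		return nil, err
	}
	return openGCM(dek, env.Ciphertext, nil)
}

// Rotate re-wraps the DEK under a new KEK without touching the bulk
// ciphertext, which keeps key rotation cheap even for very large objects.
func Rotate(oldKEK, newKEK *KeyEncryptionKey, env *Envelope) (*Envelope, error) {
	dek, err := openGCM(oldKEK.key, env.WrappedDEK, []byte(oldKEK.id))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(newKEK.key, dek, []byte(newKEK.id))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: newKEK.id, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}
```

In a real deployment `sealGCM`/`openGCM` on the KEK would be calls to the provider’s key service and the KEK bytes would never leave the HSM; everything else, including where the wrapped DEK is stored and who may call unwrap, stays under the consumer’s control, which is the point of the consumer-managed option.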

Ensure Availability of Critical Data

Cloud service providers provide substantial guarantees against permanent data loss. However, no system is perfect, and even large cloud providers can accidentally lose customer data. In addition to cloud service provider errors, cloud consumer personnel can also make mistakes that could result in data loss.

You should make sure that the cloud service provider’s data backup and recovery processes meet your organization’s needs. Your organization may need to extend its CSP processes with additional backup and recovery actions. Cloud service providers can provide services that consumers can configure to perform additional backup and recovery.

Prevent Deleted Data Disclosure

Cloud service providers often replicate data to ensure durability. During a system’s operation, sensitive data can also find its way into logging and monitoring services, backups, content delivery services, and other places.

When you need to remove sensitive data or retire resources containing sensitive data, consider the replication and propagation of data that results from normal system activity. Analyze the cloud implementation carefully to determine where confidential data is copied or cached and what must be done to ensure those copies are removed.

Data is ultimately saved on magnetic or solid-state storage media. These devices are prone to failure and must be replaced regularly, and consumer data remains on a device even after it has failed. Therefore, you should understand how cloud service providers handle storage media that is retired from production.

Monitor, Analyze and Defend

The CSP and the consumer have different monitoring responsibilities when systems and applications are deployed in a cloud environment, and cloud deployment adds complexity to monitoring in already complex environments.

Monitor Resources Deployed to the Cloud

Cloud service providers are responsible for monitoring the infrastructure and services provided to consumers. Still, they are not responsible for monitoring the systems and applications consumers create using the services provided.

Cloud service providers supply monitoring information to the consumer about the consumer’s use of their services. As a first line of defense, rely on the cloud service provider’s monitoring information to detect unauthorized access to or use of systems and applications, as well as suspicious activity by those systems, applications, or their users.


Monitoring data provided by cloud service providers may differ from the data collected by on-premises monitoring. Therefore, you must learn how to use this new data to defend your cloud-based resources: understand the nature of the data the cloud service provider supplies, decide what is normal for your cloud deployment, and detect anomalies using the CSP-provided tools.

Whenever possible, use the monitoring data provided by cloud service providers, but you may want to extend it with additional monitoring of your cloud-based resources. Note that monitoring approaches used on-premises may not work in the cloud.
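The three steps just described (know the provider’s data, define what is normal, detect what deviates) can be put into a small rule set over the provider’s audit log. The Go program below is an added example, not code from the article or from any provider; it reads CloudTrail-style records (the field names `eventName`, `sourceIPAddress`, `userIdentity.type` and `additionalEventData.MFAUsed` follow that record format, but the three events are constructed) and applies three rules that tie back to this article: a console login without MFA (see Identify and Authenticate Users), any use of the root account, and API calls from outside a baseline of known egress ranges. The baseline CIDRs and the IP addresses in the sample are from the RFC 5737 documentation ranges.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Event holds the subset of CloudTrail-style record fields used by the rules
// below; any other fields in a record are ignored by the decoder.
type Event struct {
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type string `json:"type"`
		ARN  string `json:"arn"`
	} `json:"userIdentity"`
	AdditionalEventData struct {
		MFAUsed string `json:"MFAUsed"`
	} `json:"additionalEventData"`
}

// Baseline captures what is normal for this deployment: the egress ranges the
// organisation's staff and automation are expected to call the CSP API from.
type Baseline struct{ nets []*net.IPNet }

func NewBaseline(cidrs ...string) (Baseline, error) {
	var b Baseline
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return b, err
		}
		b.nets = append(b.nets, n)
	}
	return b, nil
}

// Known reports whether a source address falls inside any baseline range;
// unparseable sources are treated as unknown rather than silently accepted.
func (b Baseline) Known(ipText string) bool {
	ip := net.ParseIP(ipText)
	if ip == nil {
		return false
	}
	for _, n := range b.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Analyze runs three rules over newline-delimited JSON events and returns one
// finding per hit: console login without MFA, any root-account activity, and
// API calls from outside the baseline ranges.
func Analyze(ndjson string, base Baseline) ([]string, error) {
	var findings []string
	for i, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if ev.EventName == "ConsoleLogin" && ev.AdditionalEventData.MFAUsed != "Yes" {
			findings = append(findings, fmt.Sprintf("no-mfa-login %s %s", ev.UserIdentity.ARN, ev.SourceIP))
		}
		if ev.UserIdentity.Type == "Root" {
			findings = append(findings, fmt.Sprintf("root-activity %s", ev.EventName))
		}
		if !base.Known(ev.SourceIP) {
			findings = append(findings, fmt.Sprintf("unknown-source %s %s", ev.EventName, ev.SourceIP))
		}
	}
	return findings, nil
}

// SampleEvents are constructed CloudTrail-style records for demonstration; the
// account id is a placeholder and the addresses are RFC 5737 documentation IPs.
const SampleEvents = `
{"eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.11","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"additionalEventData":{"MFAUsed":"No"}}
{"eventName":"PutBucketPolicy","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"}}
`

func main() {
	base, err := NewBaseline("203.0.113.0/24", "192.0.2.0/24")
	if err != nil {
		panic(err)
	}
	findings, err := Analyze(SampleEvents, base)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

The first event is a normal MFA login from a known range and produces nothing; the second is flagged for the missing second factor; the third, a bucket policy change made as root from an address outside the baseline, produces two findings. In practice the baseline is the part that needs the most care: it encodes the “what is normal” decision the article asks you to make, and it has to be revisited whenever the organisation’s egress changes.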

Analyze Both Cloud and On-Premise Monitoring

With a hybrid cloud deployment that moves some resources to a CSP but keeps many resources on-premises, there is a need to combine CSP-provided monitoring information, the consumer’s cloud-based monitoring information, and the consumer’s on-premises monitoring information.

Cloud service providers often charge for data transfers to and from their services. They typically charge more for transferring data out of the cloud than for transferring data into it, which encourages the continued and potentially increased use of their services.

Depending on the data volume in question, moving data from on-premises monitoring into the cloud may therefore be cheaper than moving cloud-based monitoring data to an on-premises location. Also, for large volumes of data, storage can be more affordable in the cloud, especially for archived data that is protected but not actively used.

Finally, consumers can take advantage of the cloud’s inherent elasticity by rapidly increasing analytics capacity when needed and reducing it when it is not required.

Coordinate with Cloud Service Providers

Cloud service providers are responsible for monitoring the infrastructure used to provide cloud services: the virtual machines, networks, and storage in the case of IaaS, or the applications themselves in the case of software as a service (SaaS).

The cloud service provider’s security analysts and the consumer’s security analysts need to work closely together. Cloud service providers can detect events that could adversely affect consumer applications; if so, they need to inform the consumer and coordinate a response. Similarly, the consumer may detect adverse events and need the provider’s assistance to investigate them.


Responding to security incidents, like all aspects of cloud computing, is a joint responsibility. Learning how to work with cloud service providers to investigate and respond to possible security incidents would be helpful.

To successfully collaborate, you must first consider what information can be exchanged, how data can be shared, and the limitations of the cloud service provider’s assistance. Cloud service providers should not share information about another customer or provide assistance that would affect another consumer’s use of the service.

Your standard operating procedures should be updated to reflect collaboration with your cloud service provider.

Surkay Baykara, http://www.pcidssguide.com