As companies make the journey to the public cloud, they must learn from the avoidable mistakes that many other companies have made in the recent past in their respective cloud journeys. Just in the last two years, many such simple and avoidable mistakes in securing the application and data hosted in the public cloud have led to massive data and network breaches at large financial and technology firms such as Accenture, Booz Allen Hamilton, Capital One, Facebook, MGM, Microsoft, and Verizon.
To prevent such breaches, companies must develop a secure enterprise cloud operating model based on a cloud-first paradigm. That model should reach a practical, cost-effective, and agile target state, tailored for the public cloud environment in use (SaaS, PaaS, or IaaS), that supports operationalization and maintains evergreen processes compatible with developers and the business. To meet the target state for infrastructure and application security in the cloud, use a two-phase approach: in Phase 1, establish a core cloud infrastructure security foundation; in Phase 2, establish a cloud application security paradigm on top of that secure foundation.
Security pros can use the following measurable objectives to implement the two phases detailed below:
The steps to design and implement a secure cloud foundation:
- Define a cloud security policy and cloud security standards and guidelines for the target state.
- Design core cloud security patterns that comply with the policy and standards.
- Design core cloud security controls that detect violations of fundamental security design principles.
- Implement reference architectures based on the security patterns.
- Make the patterns available to the business and technology teams. The patterns serve as guardrails for secure adoption of cloud-native tools and services.
- Build and implement operational processes for DevSecOps and the CI/CD pipelines that encompass the security patterns.
- Adopt cloud-native security tools and services, and address the security needs of the new code and application build/delivery model.
- Enable static and dynamic code scanning and penetration testing through a self-service approach, prioritizing the vulnerabilities that are actually exploitable at runtime.
To identify, design, and implement the cloud security patterns for the core security domains for a given public or private cloud environment, prioritize the following security domains and technologies:
- Identity and Access Management: IAM includes identity federation; naming and tagging; root account protection; invocation and access to public and privately accessible APIs; and privileged access management, including vaulting of passwords and keys, cross account access, identity store or identity provider, and master role inheritance.
- Network Security: Includes Direct Connect (DC) private and public interfaces; DMZ, VPC, and VNet endpoints; transit gateways; load balancers; and DNS.
- Data Security: Encrypt data in transit and at rest, including S3 bucket data, EBS root volumes, and DynamoDB tables.
- Core Cloud Native Services: Secure the core cloud-native services in use (e.g., S3, RDS, CloudFront, Inspector, Security Hub, Security Center, and Azure Log Analytics).
- Monitoring: Threat modeling, native API, application and services monitoring, integration with native logging capabilities (e.g., CloudWatch, CloudTrail, and Security Center), server infrastructure monitoring, server vulnerability monitoring, and business applications monitoring.
- Third-party Access: Monitor third-party access to the cloud console.
- Operational Activity: ACL creation and updates, and all operational changes made through DevSecOps processes and CI/CD pipelines (e.g., code build, deployment, and promotion to production).
- Infrastructure as Code: Use infrastructure as code to implement the guardrails that secure cloud-native services and applications (e.g., service control policies (SCPs) in AWS, and Azure Policy in Azure).
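The guardrails above are usually enforced as policy-as-code checks run against infrastructure templates before deployment. The following is an added example, not code from the column or from any vendor: a minimal checker that evaluates a constructed, CloudFormation-style template (a plain Python dict) against the data-security patterns in the list (encryption at rest for S3, EBS, and DynamoDB, and no public S3 access). Resource names, the sample template, and the rule identifiers are constructed; the property names follow CloudFormation's schema for these resource types.

```python
"""Added example: a minimal infrastructure-as-code guardrail check (not the
column's or any project's code).  It evaluates a constructed CloudFormation-
style template against a few of the data-security patterns listed above."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Finding:
    resource: str  # logical resource name in the template
    rule: str      # constructed rule identifier
    detail: str    # why the resource violates the rule


def s3_encrypted(name: str, props: dict) -> list[Finding]:
    """S3: a default server-side encryption rule (AES256 or aws:kms) must be declared."""
    rules = (props.get("BucketEncryption") or {}).get("ServerSideEncryptionConfiguration") or []
    algorithms = [r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
    if not any(a in ("AES256", "aws:kms") for a in algorithms):
        return [Finding(name, "S3-ENCRYPT-AT-REST", "no default server-side encryption configured")]
    return []


def s3_not_public(name: str, props: dict) -> list[Finding]:
    """S3: no public canned ACL, and all four public-access-block flags enabled."""
    findings = []
    if props.get("AccessControl") in ("PublicRead", "PublicReadWrite", "AuthenticatedRead"):
        findings.append(Finding(name, "S3-NO-PUBLIC-ACL", f"AccessControl={props['AccessControl']}"))
    block = props.get("PublicAccessBlockConfiguration") or {}
    flags = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(block.get(f) is True for f in flags):
        findings.append(Finding(name, "S3-BLOCK-PUBLIC-ACCESS", "public access block not fully enabled"))
    return findings


def ebs_encrypted(name: str, props: dict) -> list[Finding]:
    """EBS: every volume must be encrypted."""
    if props.get("Encrypted") is not True:
        return [Finding(name, "EBS-ENCRYPT-AT-REST", "Encrypted is not true")]
    return []


def dynamodb_kms(name: str, props: dict) -> list[Finding]:
    """DynamoDB encrypts with an AWS-owned key by default; this rule requires an
    explicit KMS-backed setting so key management stays under the account's control."""
    sse = props.get("SSESpecification") or {}
    if sse.get("SSEEnabled") is not True or sse.get("SSEType") != "KMS":
        return [Finding(name, "DDB-KMS-ENCRYPTION", "SSESpecification must enable KMS encryption")]
    return []


# Rules registered per CloudFormation resource type; unknown types are skipped.
RULES: dict[str, list[Callable[[str, dict], list[Finding]]]] = {
    "AWS::S3::Bucket": [s3_encrypted, s3_not_public],
    "AWS::EC2::Volume": [ebs_encrypted],
    "AWS::DynamoDB::Table": [dynamodb_kms],
}


def evaluate(template: dict[str, Any]) -> list[Finding]:
    """Run every registered rule against each resource and collect the violations."""
    findings: list[Finding] = []
    for name, resource in template.get("Resources", {}).items():
        props = resource.get("Properties") or {}
        for rule in RULES.get(resource.get("Type", ""), []):
            findings.extend(rule(name, props))
    return findings


# Constructed sample template: compliant and non-compliant resources side by side.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
        "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
        "AppVolume": {"Type": "AWS::EC2::Volume", "Properties": {
            "AvailabilityZone": "us-east-1a", "Size": 20, "Encrypted": False}},
        "SessionTable": {"Type": "AWS::DynamoDB::Table", "Properties": {
            "SSESpecification": {"SSEEnabled": True, "SSEType": "KMS"}}},
    }
}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_TEMPLATE):
        print(f"{f.resource}: {f.rule} ({f.detail})")
```

Wired into a CI/CD stage, a non-empty result from `evaluate` fails the pipeline before anything reaches the account, which is the "guardrail" role the column assigns to the core patterns; an SCP or Azure Policy then backs the same rule at runtime for anything that bypasses the pipeline.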
To establish the cloud application security paradigm:
- Design and implement application-specific security patterns.
- Design and implement patterns for new service requirements.
- Create an archetype specification for each application type.
- Develop operational processes to ensure that the application security patterns build upon the core security patterns.
- Build processes that ensure the new applications utilize the core security patterns.
- Develop application monitoring use cases that detect pattern violations.
- Create or simulate violations to test application monitoring capability.
- Refine the application monitoring use cases.
- Ensure that the processes exist to make this cloud application security process evergreen.
- Build governance to ensure the evergreen processes have appropriate reporting capabilities.
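The column's advice to create or simulate violations and then refine the monitoring use cases maps directly onto detection logic that can be tested offline. The block below is an added example, not code from the column or from AWS: it runs three of the monitoring use cases named earlier (root account use, CloudTrail tampering, and console access from outside expected networks, i.e., third-party access) over constructed CloudTrail-style events supplied as JSON lines. The events, account id, IP addresses, and the corporate network allowlist are all constructed; only the CloudTrail field names (eventName, eventSource, userIdentity, sourceIPAddress, responseElements, requestParameters) are real.

```python
"""Added example: detection logic for three cloud monitoring use cases, run over
constructed CloudTrail-style events (not the column's or any vendor's code)."""

import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str        # constructed rule identifier
    event_time: str  # CloudTrail eventTime of the triggering event
    principal: str   # ARN (or identity type) that performed the action
    detail: str


# Constructed allowlist: networks from which interactive console access is expected.
CORPORATE_NETWORKS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# CloudTrail API calls that disable or alter logging; part of the tampering rule.
TRAIL_TAMPER_CALLS = ("StopLogging", "DeleteTrail", "UpdateTrail")

# Constructed sample events (documentation-range IPs, fictitious account id).
SAMPLE_EVENTS = """\
{"eventTime":"2021-05-17T08:01:12Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root","accountId":"111122223333"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2021-05-17T08:05:40Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","accountId":"111122223333"},"sourceIPAddress":"203.0.113.25","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2021-05-17T09:12:03Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/vendor-support/session1","accountId":"111122223333"},"sourceIPAddress":"192.0.2.77","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2021-05-17T09:30:55Z","eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice","accountId":"111122223333"},"sourceIPAddress":"203.0.113.25","requestParameters":{"name":"org-trail"}}
{"eventTime":"2021-05-17T10:02:19Z","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob","accountId":"111122223333"},"sourceIPAddress":"192.0.2.5","responseElements":{"ConsoleLogin":"Failure"}}
"""


def principal_of(event: dict) -> str:
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")


def in_corporate_network(ip: str) -> bool:
    """True if the source address is inside an allowlisted network.  CloudTrail can
    record a service name instead of an IP; treat anything unparsable as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


def detect(jsonl: str) -> list:
    """Apply the three rules to each JSON-lines event and return the alerts in order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        name = ev.get("eventName")
        ident = ev.get("userIdentity") or {}
        when, who = ev.get("eventTime", ""), principal_of(ev)
        src = ev.get("sourceIPAddress", "")
        login_ok = name == "ConsoleLogin" and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"

        # Rule 1: the root account should never be used interactively.
        if login_ok and ident.get("type") == "Root":
            alerts.append(Alert("ROOT-CONSOLE-LOGIN", when, who, f"root login from {src}"))
        # Rule 2: successful console logins from outside expected networks (third-party access).
        if login_ok and not in_corporate_network(src):
            alerts.append(Alert("EXTERNAL-CONSOLE-LOGIN", when, who, f"login from {src}"))
        # Rule 3: changes that degrade the audit trail itself.
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_CALLS:
            trail = (ev.get("requestParameters") or {}).get("name", "?")
            alerts.append(Alert("CLOUDTRAIL-TAMPERING", when, who, f"{name} on trail {trail}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.event_time} {a.principal}: {a.detail}")
```

The sample feed is the "simulated violation" the column recommends: each constructed event exercises exactly one rule, and the failed login from an external address shows that the external-access rule fires only on successful sessions, a choice a team would revisit while refining the use cases.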
CISOs need to lead from the front and take an active role in the evangelization and implementation of cloud security controls under the auspices of a secure enterprise cloud operating model.
Raj Badhwar, chief information security officer, Voya Financial
Note: Badhwar based this column on a session he held for the RSA Conference 2021.