Many of our clients are adopting cloud. They are moving some or all of their data centre resources into the cloud. The cloud infrastructure and resources are offered by cloud service providers (CSPs). Many of our clients think that if the cloud service provider is secure, they are automatically secure. We explain to them that they still have to secure their own cloud resources, especially the data. In my opinion, cloud security is a complex game, and the best part is that it needs to be based on your organization’s security needs.
You have to implement multiple controls based on your needs. I recommend the following controls for cloud infrastructure:
- Identity and Access Management
- Threat Intelligence and Monitoring
- Encryption
- Vulnerability Assessment
- Penetration Testing
- Vendor Security Best Practices
Identity and Access Management: This is something clients already use for their data centre resources. The same concept needs to be implemented in the cloud using cloud technologies. I recommend using multi-factor authentication (MFA).
Threat Intelligence and Monitoring: Threat Intelligence and IDS tools provide functionality to identify attackers who are currently targeting your systems or will be a future threat. This is very much required to ensure your cloud resources are secure.
Encryption: This is the same as what you do in your data centre. You need to encrypt data at rest and data in transit. This gives enhanced protection against unauthorized data access from other public cloud tenants and further provides compliance with regulatory standards regarding data privacy and protection.
Vulnerability Assessment: Vulnerability assessment provides complete and continuous visibility of exposures across all of your cloud resources. Many tools are available to conduct these tests the same way you did for your own data centre.
Penetration Testing: This is something different than what you do in your data centre. Traditional penetration testing methodologies are not cloud-native and only focus on processes relevant to on-premises environments. Cloud penetration testing also requires unique and specific expertise that is different from standard penetration testing. For example, cloud penetration testing would examine the security of cloud-specific configurations, cloud system passwords, cloud applications and encryption, and APIs, databases, and storage access. Cloud penetration testing is also influenced by the Shared Responsibility Model, which defines who is responsible for the components within a cloud infrastructure, platform, or software.
Cloud penetration testing helps organizations improve their overall cloud security, avoid breaches, and achieve compliance.
Vendor Security Best Practices: Cloud security practices are the techniques companies can use to protect their cloud-based services and applications. They refer to a combination of tools, supervision policies, and security methodologies that organizations use to protect data and intellectual property and safeguard against data leakage.
Many vendors publish their good practices, and it is highly recommended to implement them.
Finally, let me conclude that you, as a cloud customer, have to either select a managed service provider or build your own team to ensure that your cloud resources are secure. Outsourcing for sure is the best option, as operating an in-house team means you have substantial sunk costs such as monthly salaries, benefits, insurance, and office upkeep. Further, it takes both time and money to educate team members to become acquainted with your current systems and processes. By outsourcing your IT initiatives to the specialists, you for sure cut large capital expenditures and can focus on adding value to your business.