As with most endeavours, incorporating security into the process as early as possible is essential when building or migrating to technologies such as the cloud. Whether you are beginning your journey of migrating key services to the cloud or launching a cloud-native evergreen project, involving security specialists with a deep understanding of the cloud security model is crucial. This ensures the successful implementation of a secure and robust system.
Shared responsibility model
If you are early in this process, as a technology leader, understanding the cloud shared responsibility model is crucial. There are elements of each of the services offered by the different cloud service providers (CSPs) which are their responsibility to monitor, defend and protect, such as physical infrastructure and access controls at data centres, resilient power backups, and the like. All of the things you’d typically expect a data centre to provide, the CSPs will provide, and then some, really well-tuned by virtue of operating at a truly massive scale.
Move away from metal
The challenge lies in the details required to make informed decisions on which services to use, considering factors such as price, security, and long-term overhead and upkeep. In discussions with companies on this journey, I recommend moving as far away from bare metal as possible whenever feasible. This involves leveraging highly virtualised and containerised services like AWS’s Fargate and Lambda, Google’s Cloud Run and Cloud Functions, or Microsoft’s Azure Containers and Azure Functions.
One consideration here is that these managed services are, well, managed, and so you have to pay a higher premium for them than more basic offerings. This is worth a careful review considering the numerous staff you’d need to hire and manage to do the same level in-house.
Along with this, you’ll want to invest in your code pipeline using a Continuous Integration and Continuous Deployment (CI/CD) model that allows you to quickly run deployments that face a battery of automated tests before being approved to push to production. The key is well-defined processes that enforce service, security and code quality standards and produce repeatable results.
In many cases, these managed services (like Lamdas and container systems) mean that the CSP is responsible for some measure of monitoring and management of the security around those tools, so rather than you and your team needing to dedicate resources to staying up to date with all of the patching needed for a Linux Operating System, your cloud provider manages this for you. Note: cloud services change regularly, so you should confirm that any service you use includes automated patching and versioning before jumping in.
The idea here is that AWS, Google, and Azure are often better at some of these security management practices and keeping things up to date than most organisations. There are some notable exceptions; in particular, it is worth pointing out that Microsoft has had a very bad year in terms of security across its products. If you haven’t read it, have a look at the US government Cybersecurity Safety Review Board’s (CSRB) report on the Microsoft breaches from last year. It is a pretty sobering assessment of some catastrophic security failures inside the company.
Maturity assessments and board visibility
If you are heavily invested in cloud environments, it’s crucial to run a security risk assessment of your cloud infrastructure. Focus on key areas:
- Identity and Access Management: Review and secure privileged machine access and root accounts with and cryptographic key-based authentication for machines and FIDO2 hardware-backed MFA for users, especially privileged ones.
- Virtual Machines and Endpoints: Ensure patching processes cover all CISA Known Exploited Vulnerabilities within recommended time frames. Measure your time-to-patch and track it as an executive business metric.
- Internet-Accessible Security Posture: Ensure firewall rules are denied by default for most incoming and outgoing connections.
- Logging: Enable logging everywhere and have a team review logs regularly.
- Backup and Restoration: Implement a robust backup and restoration process, ideally with backups independent of your core cloud accounts to protect against catastrophic account compromise.
Once you’ve established a baseline for these key areas of risk and maturity, start looking at buying services or building capacity for you to keep these monitored, with visibility and reporting at the most senior levels in your organisation. This is a hugely invaluable step to ensure that understanding the cyber security risks associated with IT and cloud is not just something limited to the tech team but also the board.
Elliott Wilkes is CTO at Advanced Cyber Defence Systems. A seasoned digital transformation leader and product manager, Wilkes has over a decade of experience working with both the American and British governments, most recently as a cyber security consultant to the Civil Service.