It’s not you, it’s me

February 2016 Information Security

Despite the rapid growth of cloud services, security is still the number one concern for business owners migrating their workloads to the cloud. Much has been documented about the financial, technical and efficiency advantages of moving business critical applications onto the cloud, and the impact it has on how products and services are developed, purchased and consumed, but there is still a lot of debate about whether cloud infrastructure is more, or less secure than managing applications in on-premise data centres.

James Brown, senior director of global solutions architecture at Alert Logic.
James Brown, senior director of global solutions architecture at Alert Logic.

The simple fact is that most cloud platforms are more secure than on-premise environments. Most cloud providers have security-in-depth strategies for their global infrastructure that cover processes, people and technology that protect the physical and foundational layers of their offering. They deploy market-leading security technologies to continuously monitor and protect their hardware, software and networking environments to ensure that vulnerabilities are identified and remediated to strict SLAs as quickly as possible – often weeks or even months before the average on-premise deployment.

But, given the volume and sophistication of cyber threats, there is still a lot of confusion about who is responsible for the security and compliance of applications and workloads hosted in the cloud, and keeping them secure. Cloud services providers have made big strides in declaring the areas of security that they are responsible for, but each cloud provider is different, and the subtleties can cause confusion. The simple way to look at it is your cloud provider is responsible for the cloud, and you are responsible for what you put in the cloud … and this is what we call sharing the responsibility for security in the cloud.

In a nutshell, your cloud provider is responsible for securing the foundational services, such as computer power, storage, database and networking services, but you will be responsible for the configuration of those services. At the network layer, your service provider is responsible for network segmentation, perimeter services, and external DDoS spoofing and scanning prevention. But you are responsible for network threat detection, security monitoring and any incident reporting. This means that your cloud provider will secure against attacks to switches and network within the cloud infrastructure, but they will not look for, or stop, network-based attacks against your instances and applications. At the host layer, you are responsible for access management, patch management configuration hardening, security monitoring and log analysis. The application security components are 100% the company’s responsibility.

Once an organisation better understands their role and the role of their cloud provider, they will be able to make better-informed decisions concerning their cloud infrastructure. In order to best protect from the next vulnerability and/or wide scale attack, there are seven key best practices for cloud security that all organisations should implement.

1. Understand your cloud service provider security model

Every company should get to know their provider, understand where the lines are drawn and then plan accordingly. Cyber attacks are going to happen; vulnerabilities and exploits are going to be identified. By having a solid security strategy, coupled with the right tools and people that understand how to respond will put your company into a better position to minimise both exposure and risk.

Understanding the shared security responsibility is an important aspect of cloud security and one that all companies need to be aware of. With cloud service providers being responsible for only part of security within the cloud, organisations must be aware of where their own responsibilities lie, and by following the best practice guide can ensure their company is as secure in the cloud as it is on premise.

2. Secure your code

Securing code is 100% your responsibility and hackers are continually looking for ways to compromise your applications. If your company is developing code, even just for basic Websites, questions should be asked about which security lifecycle development you are using. By putting this in place, your organisation will have a methodology to use internally.

Code that has not been thoroughly tested and secured makes it all the more easy for potential threats to cause harm. Using encryption wherever possible will also help to secure your application, as well as testing libraries, scanning plugins for security bugs that may not have been picked up previously, and limiting privileges to only those who need access.

3. Login credentials

Logins are the keys to your kingdom and should be treated as such. Make sure you have a solid access management policy in place, especially concerning those who are granted access on a temporary basis. Defining roles and responsibilities is important as it ensures developers are unable to delete data or shutdown instances in production that they shouldn’t have access to. By defining these, it also lowers the impact of a threat should someone’s login credentials become compromised. Integration of all applications and cloud environments into your corporate AD or LDAP centralised authentication model will help with this process as will two-factor authentication.

4. Adopt a patch management approach

With companies often rolling out patches, it is important to keep on top of an organisation’s inventory for production systems as unpatched software and systems can lead to major issues. Keep your environment secure by outlining a process where you update your systems on a regular basis. A combination of rolling out automatic patching and vulnerability scanning can lower the impact of any threats. Make sure to test all updates to confirm that they do not damage or create vulnerabilities before implementation into your live environment.

5. Log management and continuous monitoring

Logs within the cloud are of high importance and as such log management and log reviews should be an essential component of your organisation’s security protocols. Logs are now useful for far more than compliance and as such they become a powerful security tool. Using log sources means a company can view who has had access to what and by continuously monitoring logs an organisation can pick up on patterns of behaviour which can then be audited to ensure they are not out of the ordinary. Logs can also be used to identify malicious activity and assist in the subsequent forensic investigation.

6. Build a security toolkit

No single piece of software is going to handle all of your security needs and it is therefore important to implement a defence-in-depth strategy that covers all your responsibilities in the stack. Understanding which aspects of security within the cloud are your responsibility form a key aspect of this and once you have established that you can build your tool-kit out from there. Just as you have on premise, it is imperative to implement IP tables, Web application firewalls, antivirus, intrusion detection, encryption and log management.

7. Stay informed

It is always important to stay informed of the latest vulnerabilities that may affect your organisation, and for this the Internet is a wealth of information. Use the Internet to your advantage by searching for the trends, breaches and exploits that are happening in your industry and using that to educate your staff.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Deception technology crucial to unmasking data theft
Information Security Risk Management & Resilience
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Risk Management & Resilience Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Navigating South Africa's cybersecurity regulations
Sophos Information Security Infrastructure
[Sponsored] Data privacy and compliance are not just buzzwords; they are essential components of a robust cybersecurity strategy that cannot be ignored. Understanding and adhering to local data protection laws and regulations becomes paramount.

Read more...
AI augmentation in security software and the resistance to IT
Security Services & Risk Management Information Security
The integration of AI technology into security software has been met with resistance. In this, the first in a series of two articles, Paul Meyer explores the challenges and obstacles that must be overcome to empower AI-enabled, human-centric decision-making.

Read more...
Milestone Systems joins CVE programme
Milestone Systems News & Events Information Security
Milestone Systems has partnered with the Common Vulnerability and Exposures (CVE) Programme as a CVE Numbering Authority (CNA), to assist the programme to find, describe, and catalogue known cybersecurity issues.

Read more...
Access & identity expectations for 2024
Technews Publishing IDEMIA ZKTeco Gallagher Salto Systems Africa Regal Distributors SA Reditron Editor's Choice Access Control & Identity Management Information Security AI & Data Analytics
What does 2024 have in store for the access and identity industry? SMART Security Solutions asked several industry players for their brief thoughts on what they expect this year.

Read more...
Prepare for cyber-physical attacks
Gallagher Information Security Access Control & Identity Management
As the security landscape continues to evolve, organisations must fortify their security solutions to embrace the changing needs of the security and technology industries. Nowhere is this more present than with regard to cybersecurity.

Read more...
Zero Trust and user fatigue
Access Control & Identity Management Information Security
Paul Meyer, Security Solutions Executive, iOCO OpenText, says implementing Zero Trust and enforcing it can create user fatigue, which only leads to carelessness and a couldn’t care attitude.

Read more...