The Cloud Essential Eight

Significantly improve your cloud security posture

A recent announcement by the Federal Government on the "Essential Eight" has reiterated the importance of key application level controls in protecting IT systems. The list, first published in 2017, will soon be mandated across 98 government entities. It consists of several core risk mitigation strategies from MFA to Patching to Access Management. The concept is sound, and despite seeming like common sense to many, it does well to focus mitigation efforts on activities with the highest value.

I’ve worked with many security conscious and highly regulated enterprises on cloud transformations. I thought compiling a “Cloud Essential Eight” would be an interesting exercise and might prove helpful to anyone prioritising security efforts specifically focused on cloud configurations.

The Cloud Essential Eight:

Review default configuration of cloud resources for insecure default parameters including public access, open security groups, disabled audit logging, disabled encryption, single zone deployments and overly permissive IAM roles. Appropriate values should be specified to avoid insecure defaults from being deployed.

Why - Using the default configurations of many cloud services can lead to unintended consequences including impacts to availability, compliance breaches and data exfiltration.
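As an added example (not part of the original article), the review described above can be scripted as a check over resource definitions before they are deployed. The resource fields and sample resources below are constructed for illustration and do not follow any provider's schema:

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    """A simplified resource definition; field names are assumptions for this example."""
    name: str
    kind: str                                     # e.g. "bucket", "database", "security_group"
    public_access: bool = False
    ingress: list = field(default_factory=list)   # (protocol, port, cidr) tuples
    audit_logging: bool = False                   # insecure default: off
    encrypted: bool = False                       # insecure default: off
    zones: int = 1                                # insecure default: single zone
    iam_actions: list = field(default_factory=list)

def findings(r: Resource) -> list:
    """Return one finding string per insecure setting present on the resource."""
    out = []
    if r.public_access:
        out.append("public access enabled")
    for proto, port, cidr in r.ingress:
        if cidr in ("0.0.0.0/0", "::/0"):
            out.append(f"ingress {proto}/{port} open to {cidr}")
    if not r.audit_logging:
        out.append("audit logging disabled")
    if not r.encrypted:
        out.append("encryption disabled")
    if r.zones < 2:
        out.append("single zone deployment")
    if any(a == "*" or a.endswith(":*") for a in r.iam_actions):
        out.append("overly permissive IAM actions")
    return out

def review(resources) -> dict:
    """Map resource name to its findings, omitting resources with none."""
    return {r.name: findings(r) for r in resources if findings(r)}

# Constructed sample: one resource left on defaults, one with values set
# explicitly, one with a single open security group rule.
SAMPLE = [
    Resource("uploads", "bucket"),
    Resource("api-db", "database", ingress=[("tcp", 5432, "10.0.0.0/8")],
             audit_logging=True, encrypted=True, zones=2, iam_actions=["db:Connect"]),
    Resource("bastion", "security_group", ingress=[("tcp", 22, "0.0.0.0/0")],
             audit_logging=True, encrypted=True, zones=2),
]

if __name__ == "__main__":
    for name, issues in review(SAMPLE).items():
        print(name, "->", "; ".join(issues))
```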

Enforce encryption in transit and at rest for every applicable cloud resource leveraging a key management service. Use keys aligned to workloads to minimise the reuse of keys. Leverage an encrypted secrets manager to securely store other sensitive credentials and secrets.

Why - Encryption provides strong protection against unauthorised access to your data while in transit and at rest.

Enforce least privilege roles for both human and machine access, ensuring only the permissions required to operate are applied. Utilise access analyser services in the cloud provider to identify the minimum set of permissions required for different roles and to limit permissions.

Why - Overly permissive permissions are commonly used by attackers to move laterally across your environment, giving them access to further cloud resources and sensitive data.
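An added example of the access-analyser idea described above (this is illustration code, not any provider's tooling): compare the actions a policy grants with the actions a role was actually observed performing, flag wildcard statements, and derive the minimum explicit action list. The policy, account id and observed actions are constructed samples:

```python
import fnmatch
import json

# Constructed sample policy: one wildcarded statement, one explicit statement.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"],
     "Resource": "arn:aws:sqs:ap-southeast-2:111122223333:orders"}
  ]
}""")

# Constructed: actions the role actually performed, as an audit trail would record.
OBSERVED = ["s3:GetObject", "s3:PutObject", "sqs:SendMessage"]

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def wildcard_statements(policy) -> list:
    """Indices of Allow statements whose Action or Resource contains a '*'."""
    return [i for i, st in enumerate(policy["Statement"])
            if st["Effect"] == "Allow"
            and (any("*" in a for a in _as_list(st["Action"]))
                 or any("*" in r for r in _as_list(st["Resource"])))]

def minimised_actions(policy, observed):
    """Return (kept, unused): observed actions covered by a granted pattern,
    and granted patterns that matched no observed action at all."""
    granted = [a for st in policy["Statement"] if st["Effect"] == "Allow"
               for a in _as_list(st["Action"])]
    kept = sorted({o for o in observed
                   if any(fnmatch.fnmatchcase(o, g) for g in granted)})
    unused = sorted(g for g in granted
                    if not any(fnmatch.fnmatchcase(o, g) for o in observed))
    return kept, unused

if __name__ == "__main__":
    print("wildcard statements:", wildcard_statements(POLICY))
    kept, unused = minimised_actions(POLICY, OBSERVED)
    print("minimum explicit actions:", kept)
    print("granted but never used:", unused)
```

The `kept` list is the candidate replacement for the `s3:*` grant; `unused` entries are the first to remove.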

Limit the use of public subnets by using private endpoints to access cloud provider APIs. Use tiered networks with route tables and access control lists to secure traffic between subnets with appropriate security groups on resources.

Why - Private endpoints and tiered networking reduce your attack surface by limiting traffic to and from the internet.

Use infrastructure as code and automation to provision your cloud resources. Limit privileged actions outside of automation including write-access in the console. Use the principle of immutability to ensure resources stay consistent with definitions in code.

Why - Infrastructure as code provides consistency, auditability and control across your deployments which minimises misconfigurations that commonly lead to breaches.

Avoid overcomplicating cloud architecture. Limit the number of services and integrations required for your cloud applications and their deployment mechanisms. Use PaaS and managed services where possible. Adopt cloud services commensurate with the development, operational and security maturity of the organisation.

Why - Complexity increases the likelihood of mistakes and misconfigurations leading to breaches. Ensuring the appropriate architecture is used based on the cloud maturity of the organisation limits the potential for misconfigurations.

Enable visibility into cloud traffic to identify anomalous or malicious traffic. Enable detailed logging and audit trails for sensitive workloads. Use a security information and event management (SIEM) system to monitor security events and configure alerts.

Why - Visibility allows you to make informed decisions and identify potential attacks or attack vectors in your cloud environments.
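An added example (not from the original article) tying together the "limit privileged actions outside of automation" strategy and the SIEM alerting strategy: a detection rule run over audit events that raises an alert for any write action not made by an approved automation role, and for any root-account activity. The events below are constructed in a CloudTrail-like shape; the field names and the automation role name are assumptions for this example:

```python
import json

# Constructed audit events, one JSON object per line.
EVENTS = [json.loads(line) for line in """
{"eventName":"RunInstances","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/ci-deploy/run-42"},"sourceIPAddress":"10.0.5.12","readOnly":false,"userAgent":"terraform/1.6"}
{"eventName":"DescribeInstances","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.7","readOnly":true,"userAgent":"console.amazonaws.com"}
{"eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"arn":"arn:aws:iam::111122223333:user/alice"},"sourceIPAddress":"203.0.113.7","readOnly":false,"userAgent":"console.amazonaws.com"}
{"eventName":"PutBucketPolicy","userIdentity":{"arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"198.51.100.9","readOnly":false,"userAgent":"console.amazonaws.com"}
""".strip().splitlines()]

# Roles that are allowed to change infrastructure (assumed name for this example).
AUTOMATION_ROLES = {"ci-deploy"}

def role_name(event):
    """Extract the role name from an assumed-role ARN, or None for users/root."""
    arn = event["userIdentity"]["arn"]
    return arn.split("/")[1] if ":assumed-role/" in arn else None

def alerts(events) -> list:
    """Return (rule, eventName, identity) tuples for events that should page someone."""
    out = []
    for ev in events:
        who = ev["userIdentity"]["arn"]
        if who.endswith(":root"):
            # Root should never be used for day-to-day work; any activity is an alert.
            out.append(("root-activity", ev["eventName"], who))
        elif not ev.get("readOnly", True) and role_name(ev) not in AUTOMATION_ROLES:
            # A write (readOnly false) by anything other than the pipeline role.
            out.append(("write-outside-automation", ev["eventName"], who))
    return out

if __name__ == "__main__":
    for rule, action, who in alerts(EVENTS):
        print(f"[{rule}] {action} by {who}")
```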

Restrict shadow IT within cloud environments. Ensure only organisation owned and managed cloud accounts are used in the operation of cloud workloads. Disable the ability for users to access personal cloud accounts to restrict data exfiltration. Provide organisation managed 'proof of concept' cloud accounts for users to test and learn in cloud within appropriate guardrails.

Why - 'Credit card' and personal cloud accounts sit outside the organisation's controls and are commonly used to exfiltrate data.

Closing Thoughts

Although the list is not all encompassing, establishing strong cloud controls based around the above strategies can significantly improve your cloud security posture. With each strategy, the individual controls should focus on prevention over detection, as stopping a breach before it occurs is critical in maintaining a strong security posture. Although each strategy individually improves security posture, they should all be implemented to provide layered security: if one layer fails, the others can help absorb an attack. Finally, controls and the environments they protect are not static. Each control should be continually tested to ensure effectiveness and appropriateness within the environment.

Do you agree with The Cloud Essential Eight? Do you have other strategies that provide high return on investment in achieving security outcomes? Please share your thoughts in the comments below. 
