Cloud Security: People, Process, and Technology
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.” - Security Expert, Gene Spafford
Your workloads are potentially more secure in the public cloud than in your own data center. When security considerations give the CISO pause, I suggest a holistic view of cloud security:
- Most public cloud providers maintain security responsibility from the physical infrastructure layer up through the hypervisor.
- Hyperscale providers like Microsoft Azure and AWS invest millions in security infrastructure, personnel and ongoing audits to support their hardened compute environments and compliance milestones.
- A poorly designed application will be exploitable regardless of where it resides.
- Placing your workloads into a compliant cloud provider only means their internal controls, processes, and infrastructure meet those compliance requirements. Your applications might not.
- Understanding encryption and key management is critical, and public cloud providers will generally offer self-managed or vendor-managed key systems depending on the needs of your organization.
If you’re approaching a cloud migration with a security-first mindset, you can allow the cloud provider to handle the underlying infrastructure, letting you focus on serving the business. Security continues to focus on three pillars: people, process and technology. You can throw a multitude of whiz-bang security systems in front of your applications, but if your people are vulnerable to social engineering or your processes lack security rigor, your applications and data are ripe for breach.
At minimum, I recommend exploring the following processes and technologies (some of which are free to use):
- Use identity and access management (IAM) with granular policies, and minimize root access
- Require multi-factor authentication for ALL accounts
- Continuously audit access rights
- Install AMI/VM-based firewalls around your cloud workloads
- Conduct vulnerability assessments as needed/required
- Evaluate a SIEM solution geared for public cloud
- Evaluate managed security services to complement your security team
Some of the above solutions are offered by public cloud providers with varying degrees of efficacy. If you are unsure of the optimal security process and technology mix for your organization, a managed security provider (CDW works with several) can shore up your security posture and serve as your outsourced security staff as needed.