Security in the public cloud
Security is one of the prime concerns when organizations think about moving to the cloud. I have seen a number of news stories about some database that was left open in the public domain without any security controls and could be accessed by anyone who just knew the public URL of the database or file. With such stories repeated frequently, many organizations perceive the public cloud as an insecure place for their data. However, this perception is completely wrong: it is absolutely possible to secure your data and applications in the public cloud. It is a SOLVED problem. It just requires good knowledge and proper governance to implement strong security controls that protect your data in the cloud, and believe me, it's NOT hard.
The shared responsibility model
The public cloud operates on a shared responsibility model, meaning that security is the responsibility of both the cloud provider and the consumer. The cloud provider is responsible for the security OF the cloud and the consumer is responsible for security IN the cloud. Public cloud providers have done a great job of securing their cloud offerings; for example, Microsoft Azure has 90 compliance certifications, including some that are specific to a region or country (clicky). Compare that to a typical data center owned by an organization: I can bet most will not even come close to that benchmark. So, if an organization decides to use the public cloud, it is responsible for the security of its own data and applications.
Defense in depth
The defense in depth approach requires that you configure multiple layers of security for your workload in the cloud. Imagine you are running a web API on AWS EC2 instances; you should put a number of layers of security in place to protect it.
1) Have a proper network design with public and private subnets.
2) Create security groups at the EC2 instance level.
3) Create NACLs (network access control lists) at the subnet level.
4) Use an API gateway + AWS IAM to manage authentication/authorization. (API Gateway provides a number of other features apart from security.)
5) Use a WAF as the first line of defense.
Furthermore, if the web API needs to access other AWS PaaS services, for example S3 buckets, SQS queues or SNS topics, it should do so through a PrivateLink (traffic never leaves the AWS network) rather than going over the internet.
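To make the layering concrete, here is an added example (not code from the original post) that simulates two of the layers listed above, the subnet NACL and the instance security group, using the evaluation rules AWS applies: NACLs are stateless, numbered rules evaluated lowest number first, the first match decides and anything unmatched hits an implicit deny; security groups are allow-only and any matching rule admits the traffic. The subnet addresses and rules are constructed for the demo. A request reaches the instance only if every layer lets it through, which is why a sloppy security group rule gets contained by the NACL and an over-broad NACL rule gets contained by the security group.

```python
"""Added example, not from the original post: a tiny simulator of two of the
layers above (subnet NACL and instance security group). Rule semantics follow
AWS: NACLs are stateless, numbered rules evaluated lowest number first, first
match wins, implicit deny at the end; security groups are allow-only and any
matching rule admits the traffic. The addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # orders NACL rules; security groups ignore it
    action: str      # "allow" or "deny" (security groups only ever "allow")
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source range, e.g. "10.0.1.0/24"


def rule_matches(rule, protocol, port, src_ip):
    """True if the request's protocol, port and source address fall inside the rule."""
    if rule.protocol not in ("all", protocol):
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)


def nacl_allows(nacl_rules, protocol, port, src_ip):
    """Subnet layer: ascending rule number, first match decides, else implicit deny."""
    for rule in sorted(nacl_rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, port, src_ip):
            return rule.action == "allow"
    return False


def sg_allows(sg_rules, protocol, port, src_ip):
    """Instance layer: any matching allow rule admits the traffic, otherwise deny."""
    return any(rule_matches(r, protocol, port, src_ip) for r in sg_rules)


def request_allowed(nacl_rules, sg_rules, protocol, port, src_ip):
    """Inbound traffic reaches the instance only if every layer lets it through."""
    return (nacl_allows(nacl_rules, protocol, port, src_ip)
            and sg_allows(sg_rules, protocol, port, src_ip))


def open_to_world(sg_rules):
    """Audit helper: security group rules that accept traffic from any source."""
    return [r for r in sg_rules if ipaddress.ip_network(r.cidr).prefixlen == 0]


# Constructed topology: API instances sit in private subnet 10.0.2.0/24 and
# should be reached on TCP 8080 only from the public subnet 10.0.1.0/24, where
# the internet-facing front end (API Gateway / WAF / load balancer) lives.
PRIVATE_SUBNET_NACL = [
    Rule(100, "allow", "tcp", 8080, 8080, "10.0.0.0/16"),   # API port from inside the VPC
    Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),    # return traffic for outbound calls (NACLs are stateless)
    Rule(200, "deny", "all", 0, 65535, "0.0.0.0/0"),        # explicit catch-all deny
]
API_SECURITY_GROUP = [
    Rule(0, "allow", "tcp", 8080, 8080, "10.0.1.0/24"),     # API port from the public subnet only
    Rule(0, "allow", "tcp", 22, 22, "0.0.0.0/0"),           # sloppy SSH rule left in by mistake
]

if __name__ == "__main__":
    checks = [("tcp", 8080, "10.0.1.25"), ("tcp", 8080, "203.0.113.7"), ("tcp", 22, "203.0.113.7")]
    for proto, port, src in checks:
        print(f"{src}:{port}/{proto} -> nacl={nacl_allows(PRIVATE_SUBNET_NACL, proto, port, src)} "
              f"sg={sg_allows(API_SECURITY_GROUP, proto, port, src)} "
              f"allowed={request_allowed(PRIVATE_SUBNET_NACL, API_SECURITY_GROUP, proto, port, src)}")
    for r in open_to_world(API_SECURITY_GROUP):
        print(f"WARNING: security group rule open to the world: {r}")
```

Running it prints the per-layer decision for three sample requests: the internet-sourced SSH attempt passes the mistaken security group rule but is stopped by the NACL, and the internet-sourced request on port 8080 passes the NACL's ephemeral-port rule but is stopped by the security group. The `open_to_world` check is the kind of audit that belongs in the pipeline that deploys the infrastructure.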
Identity and Access Management
Identity and access management sits at the core of cloud security. AWS IAM provides a number of features for identity and access management. You can set up sync with your on-premises AD or set up a completely new AD in the cloud. AWS IAM even supports SSO with on-premises AD. Azure Active Directory provides similar features. An often overlooked feature is MFA (multi-factor authentication), which provides an additional layer of security on top of plain username/password authentication. Moreover, if your application requires user registration, you can use Amazon Cognito to implement a tried and tested B2C solution rather than re-inventing the wheel.
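The following is an added example, not code from the original post, showing how the MFA requirement mentioned above is expressed in an IAM-style identity policy and how such a policy is evaluated. It is a deliberately simplified evaluator: it models the explicit-deny-beats-allow rule, implicit deny, the `*`/`?` wildcards, and the `Bool`/`BoolIfExists` condition operators with the real `aws:MultiFactorAuthPresent` key, but not resource policies, SCPs or permission boundaries. The policy document and the request contexts are constructed.

```python
"""Added example, not from the original post: a simplified evaluator for
IAM-style identity policies. It shows the two behaviours the section relies
on: an explicit Deny always beats an Allow (no match is an implicit deny), and
MFA can be enforced with the aws:MultiFactorAuthPresent condition key. The
policy and request contexts are constructed; real IAM evaluation also involves
resource policies, SCPs and permission boundaries, which are not modelled."""
from fnmatch import fnmatchcase

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAppData",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::app-data/*",
        },
        {
            # Standard "require MFA" pattern. BoolIfExists treats a missing key
            # as matching, so long-term access keys (which never set the key)
            # are denied as well as console sessions that skipped MFA.
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are matched as written, with the same wildcards.
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_met(condition, context):
    """All operator blocks and all keys inside them must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "BoolIfExists":
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"condition operator not modelled: {operator}")
    return True


def evaluate(policy, action, resource, context):
    """Return (decision, reason); decision is "allow" or "deny"."""
    allowed_by = None
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny", f"explicit deny by {stmt.get('Sid', '<no Sid>')}"
        allowed_by = allowed_by or stmt.get("Sid", "<no Sid>")
    if allowed_by:
        return "allow", f"allowed by {allowed_by}"
    return "deny", "implicit deny (no matching Allow)"


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-data/report.csv"
    for label, ctx in [("console session with MFA", {"aws:MultiFactorAuthPresent": "true"}),
                       ("console session without MFA", {"aws:MultiFactorAuthPresent": "false"}),
                       ("long-term access key", {})]:
        print(label, "->", evaluate(POLICY, "s3:GetObject", obj, ctx))
```

The three sample contexts show why `BoolIfExists` rather than `Bool` is the right operator for an MFA deny: a request signed with a long-term access key carries no MFA key at all, and `Bool` would silently let it through.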
Encryption
Data must be encrypted both at rest and in transit. You should not store anything in the cloud unencrypted. It is a turnkey feature in all cloud providers and very easy to enable, yet it still gets overlooked. If you are worried about managing the encryption keys, you can use the cloud provider's managed keys instead. Finally, don't try to write your own encryption algorithm (that is a really bad idea).
Secrets Management
Another great feature is secrets management in the cloud. Azure Key Vault and AWS Secrets Manager securely manage your database connection strings, API keys and credentials. Azure uses HSMs (hardware security modules) to protect the secrets stored in Key Vault. It even supports BYOK (bring your own key) for keys generated on-premises with your own HSM. Moreover, these secrets management services support automatic rotation of keys, which further enhances the security of your applications. Applications running in the cloud can transparently access the secrets stored there and don't need to keep any secrets with them. The Azure managed identity feature solves the problem of authenticating to Key Vault: for example, you can create and assign a managed identity to an Azure VM, and applications running on that VM will be able to access Key Vault directly.
Logging, Monitoring, Auditing and Alerting
All cloud services support extensive logging and auditing capabilities. AWS CloudTrail audits all management and data events. You can configure network flow log capture or even packet capture (the latter would be overkill, IMHO). Azure Application Insights can provide application-level logging and insights. Azure Monitor or AWS CloudWatch can provide end-to-end monitoring, insights and alerting. AWS GuardDuty uses machine learning, anomaly detection and integrated threat intelligence to detect potential threats. It correlates data from various sources (VPC flow logs, DNS logs, CloudWatch events) to flag potential threats.
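Collecting the logs is only half the job; something has to read them. Here is an added example (not code from the original post) of three detection rules run over constructed CloudTrail-style records, plus a small correlation step that groups alerts by source address, in the spirit of what GuardDuty does at scale. The field names (`eventName`, `eventSource`, `userIdentity.type`, `additionalEventData.MFAUsed`, `responseElements.ConsoleLogin`) follow the CloudTrail record format; every value in the sample log is made up, and 123456789012 is a placeholder account id.

```python
"""Added example, not from the original post: a few detection rules run over
constructed CloudTrail-style records, plus a simple correlation step that
groups alerts by source address in the spirit of what GuardDuty does at scale.
Field names follow the CloudTrail record format; every value below is made up
for the demo (123456789012 is a placeholder account id)."""
import json
from collections import defaultdict

SAMPLE_LOG = """\
{"eventID": "evt-1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.10", "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventID": "evt-2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.5", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventID": "evt-3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.5", "requestParameters": {"name": "org-trail"}}
{"eventID": "evt-4", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/api-task/i-0abc"}, "sourceIPAddress": "10.0.2.9"}
{"eventID": "evt-5", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}, "sourceIPAddress": "203.0.113.5"}
"""


def console_login_without_mfa(event):
    """Successful console sign-in where MFA was not used."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No")


def root_account_activity(event):
    """Any API call made with the root account; day-to-day work should use IAM identities."""
    return event.get("userIdentity", {}).get("type") == "Root"


def audit_trail_tampering(event):
    """Someone turning off, changing or deleting the trail that produces these very logs."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"})


RULES = [
    ("ConsoleLoginWithoutMFA", console_login_without_mfa),
    ("RootAccountActivity", root_account_activity),
    ("AuditTrailTampering", audit_trail_tampering),
]


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor(event):
    identity = event.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or "unknown"


def scan(text):
    """Run every rule over every event; return one alert dict per match."""
    alerts = []
    for event in parse_events(text):
        for rule_name, predicate in RULES:
            if predicate(event):
                alerts.append({
                    "rule": rule_name,
                    "eventID": event.get("eventID"),
                    "actor": actor(event),
                    "sourceIPAddress": event.get("sourceIPAddress"),
                })
    return alerts


def correlate_by_source(alerts):
    """Source addresses that triggered two or more distinct rules."""
    by_source = defaultdict(set)
    for alert in alerts:
        by_source[alert["sourceIPAddress"]].add(alert["rule"])
    return {src: sorted(rules) for src, rules in by_source.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("correlated:", correlate_by_source(found))
```

Each rule on its own is a reasonable alert; the correlation step is what turns three separate alerts from the same address (a console login without MFA, then the trail being stopped, then root activity) into one high-priority finding, which is the value the section attributes to GuardDuty's cross-source correlation.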
Application Security
With all of the security controls applied at various levels in the cloud, you don't need to worry about securing your application code. Nah! Application code security is still very important and you need to take care of it. Set the highest possible coding standards to avoid vulnerabilities in the code. Various SAST, DAST and IAST tools can be used to find vulnerabilities before they reach production.
Automation
Automation is key to building the infrastructure consistently, the first time and every time. You may need to set up multiple environments with exactly the same configuration, and you wouldn't trust human hands to repeat the same configuration over and over. Build infrastructure pipelines to deploy and configure the various cloud services used by your application with security baked in. Write templates to standardize security practices across the organization. The best thing about code is that it can be reviewed, audited, linted, unit-tested and printed :-) and infrastructure should be no exception.
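Since infrastructure code can be linted, the encryption and secrets management rules from the earlier sections can be enforced before anything is deployed. Here is an added example (not code from the original post) of a lint pass over a CloudFormation-style template held as a Python dict: it flags storage created without encryption at rest and credentials pasted into configuration instead of being pulled from Secrets Manager or SSM at deploy time. The template is constructed; the property names (`BucketEncryption`, `StorageEncrypted`, `Encrypted`, `MasterUserPassword`, `Environment.Variables`) and the `{{resolve:secretsmanager:...}}` dynamic reference are real CloudFormation features, but the checks are illustrative rather than a complete policy suite.

```python
"""Added example, not from the original post: a lint pass over a
CloudFormation-style template held as a Python dict. It flags storage created
without encryption at rest and credentials pasted into configuration instead
of being pulled from Secrets Manager or SSM at deploy time. The template is
constructed; the property names and the {{resolve:secretsmanager:...}}
dynamic reference are real CloudFormation features, but these checks are
illustrative, not a complete policy suite."""
import re
import sys

# Environment variable names that look like they carry a credential.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key)", re.IGNORECASE)
# Dynamic references resolved at deploy time from Secrets Manager or SSM SecureString.
DYNAMIC_REF_RE = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")


def is_literal_secret(value):
    """A plain string that is not a dynamic reference counts as a hard-coded secret."""
    return isinstance(value, str) and not DYNAMIC_REF_RE.match(value)


def lint_template(template):
    """Return a list of (logical_id, message) findings."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}

        if rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
            findings.append((logical_id, "S3 bucket without BucketEncryption"))

        if rtype == "AWS::RDS::DBInstance":
            if not props.get("StorageEncrypted", False):
                findings.append((logical_id, "RDS instance with StorageEncrypted unset or false"))
            if "MasterUserPassword" in props and is_literal_secret(props["MasterUserPassword"]):
                findings.append((logical_id, "RDS MasterUserPassword is a literal; use a {{resolve:secretsmanager:...}} reference"))

        if rtype == "AWS::EC2::Volume" and not props.get("Encrypted", False):
            findings.append((logical_id, "EBS volume with Encrypted unset or false"))

        if rtype == "AWS::Lambda::Function":
            variables = (props.get("Environment") or {}).get("Variables") or {}
            for key, value in variables.items():
                if SECRET_KEY_RE.search(key) and is_literal_secret(value):
                    findings.append((logical_id, f"environment variable {key} holds a literal secret"))
    return findings


# Constructed template with a mix of good and bad resources.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "UploadsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "demo-uploads"}},
        "ReportsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        },
        "AppDatabase": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                           "AllocatedStorage": "20", "StorageEncrypted": False,
                           "MasterUserPassword": "{{resolve:secretsmanager:demo/db:SecretString:password}}"},
        },
        "ApiFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Runtime": "python3.12", "Handler": "app.handler",
                           "Code": {"S3Bucket": "demo-artifacts", "S3Key": "api.zip"},
                           "Environment": {"Variables": {
                               "DB_PASSWORD": "hunter2-constructed",
                               "THIRD_PARTY_API_KEY": "{{resolve:secretsmanager:demo/api:SecretString:key}}",
                               "LOG_LEVEL": "INFO"}}},
        },
    },
}

if __name__ == "__main__":
    found = lint_template(TEMPLATE)
    for logical_id, message in found:
        print(f"{logical_id}: {message}")
    sys.exit(1 if found else 0)  # fail the pipeline stage on any finding
```

Run as a pipeline stage, the non-zero exit status blocks the deployment until the unencrypted bucket, the unencrypted database storage and the hard-coded password are fixed, while the resources that already use provider-managed encryption and a Secrets Manager reference pass untouched.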
Training
People need to be trained on the various aspects of security. Developers and operations people should be trained to make proper and secure use of the cloud services. You need to understand the various configuration options and how they apply to your environment.