As cloud has become the go-to approach to technology infrastructure for many organizations, attackers have inevitably thrown their attention towards it. While cloud can offer some security advantages, it nevertheless requires significant attention; not only does cloud open up the attack surface, giving attackers a greater chance of success, the complexity of the shared responsibility model — in which vendor and customer own different parts of the cloud-based stack — can create confusion which can all too easily be exploited by malicious actors.
Overcoming the challenges of securing the cloud requires a systematic and strategic approach. One way of doing this is by focusing on what we call the five pillars of cloud security:
Although they each refer to very different aspects of your technology estate — and will likely be owned by different teams with different types of expertise — uniting them in your security approach will ensure that you’re doing everything required to protect your cloud-based systems.
Moreover, these pillars are strengthened when supported by three key principles:
The pillars guide what you should focus on, while the principles outline the practices needed to properly protect your cloud. In this blog post we’ll explore how this is done.
Putting the five pillars of cloud security into practice
Let’s first look at how we can tackle some of the challenges we typically face in each of the five pillars.
Identity and access management (IAM)
Identity and access management is one of the most important things to consider when you move to the cloud. This is where you define who has access to what across your technology estate, and what kind of authorization is required when. Who gets to access a particular API, server or database? How can the system be sure they are who they say they are?
This isn’t straightforward; there are a number of challenges that need to be addressed. For example, while access keys can be a useful way to manage access to resources, if those keys are not secured properly, it becomes very easy for attackers to gain access to sensitive information.
One way of tackling this is by using secret or key management software (such as Hashicorp Vault). By using tools like these, no one needs to access a key — instead, applications can load/access required keys directly from the Vault. For ad hoc access requests, temporary, single-use keys should be used. That way there’s no chance of a key being stolen and used maliciously.
It’s also important to have unified identity management. Inconsistencies and vulnerabilities can make it easy for attackers to spoof or impersonate others to gain access to resources. The best way of doing this is by using single sign on (SSO) for cloud infrastructure access.
Data security and privacy
Data security and privacy are critical from multiple perspectives: primarily, regulation (such as GDPR and CCPA) and customer trust. Cloud can make these issues particularly challenging; as with identity and access management, there are often differences on who owns what, where something is stored.
Data stored on cloud isn’t inherently secure; it needs to be appropriately configured. Sometimes access is granted to developers for debugging purposes, opening up potential security and privacy issues, but even read-only access can be problematic: it is, in fact, the cause of many data breaches. One way of ensuring data is secure is to employ lead privileged access and promote the use of one-time access and 2FA for the debugging scenarios. Setting up the right tooling, such as auditing, central logging and observability, is also helpful.
A further common issue is storage media exposure. Sometimes, when storage components such as S3 buckets are misconfigured it’s possible for data to be accessed by people who shouldn’t have access to it. One way of dealing with this is to use the “tenancy model on cloud” to ensure data segregation. Cloud native encryption services can also be used to protect not only all this data at rest but also data shared across systems. You should also use S3 security scanning tools; they can be very effective in finding common misconfigurations.
Network and infrastructure security
A further challenge of moving to the cloud is that network boundaries inevitably become blurred. While an extensive set of controls and firewalling options should be provisioned, they must be carefully enabled and prioritized over insecure defaults.
Other challenges can also emerge. These include the visibility of your cloud inventory, ad-hoc provisioning, insecure channels for data exchange and insufficient segmentation. Many of these happen when we are in a hurry to set up our cloud and have not defined clear processes for doing so.
There are, fortunately, some practices that can be followed to mitigate common attack scenarios. These include:
Denial of Service (DoS) and Attack surface/Perimeter Security: This isn’t too difficult to solve in the cloud — controls like DoS protection, WAF, network policies and firewalls can be employed to prevent common network threats.
Network Intrusion: Not enough to secure the perimeter on the cloud. Once the attacker is inside the network, they can gain access by default. One of the most effective ways of tackling this is to segment the network to allow for least privilege and prevent or mitigate lateral movement (of the attacker) as much as possible. Another method could be to set up a VPN and deploy critical workloads there to ensure restricted access. Internal communication should also be secured end to end.
If you are at a stage where you plan to move an existing application to the cloud, security is critical when migrating the data and granting access to supporting APIs and data stores.
It’s also important to consider the tricky task of securing serverless components, containers, clusters and, most importantly, your supply chains. These can be particularly prone to exploitation given the multitude of users on them and a dynamically changing environment.
Some particularly vulnerable aspects for applications on cloud need to be dealt with in the following ways:
Supply Chain Attacks: Securing the software supply chain on cloud requires you to ensure the integrity of the supply chain at every step. You also need to tie relevant supply chain events to the native cloud IAM and restrict permissions to authorized activities only.
Container Escape Vulnerabilities: Container runtimes today (such as containerd and CRI-O) are robust. However, there still are issues such as CVE 2022-0185 and others that allow attacker code to escape the container & run on the host. The best way to mitigate this is to use secure baseline images with continuous image scanning. You should ensure images are regularly updated and avoid using privileged containers.
Security operations can help protect you against an expanding threat landscape through unified and continuous monitoring and response on the cloud. One of the primary roadblocks, however, is the ability to gather relevant security and audit events and make sense of it all in a timely manner.
While these can be a handful for any security team, there are nevertheless some essential practices you can follow to ensure security operations run smoothly:
Crypto mining and bot attacks: Attackers can compromise cloud components — when left exposed — and use compute resources to mine crypto coins or to run a DoS attack. By using tools like Datadog and Splunk you can ensure unified management for your cloud and multi-cloud workloads. By leveraging such controls you can bring about observability for not just applications but infrastructure and the wider business too.
Configuration drift: This happens when frequent changes in configurations lead to inconsistencies between lower and higher environments. Treating lower environments as a smaller security risk is a particularly big mistake. To address this, it’s important that you treat every box as production. It becomes paramount that you secure the baseline configuration and continuous scan and review all environments.
Principles to support the five pillars
The five pillars of cloud security are essential, but to manage them effectively, it’s important to follow three guiding principles. Together, they will help you do all the things discussed above so you can adopt a solid cloud security posture.
Zero trust architecture
You must ensure that you do not fall back on implicit trust boundaries; instead, you should make verification a norm. Whether it is an actor or a service, it must be authenticated and authorized to access the resource it is requesting. It’s important to follow the same rules when modifying configurations or code. For example, establish secure defaults for security groups and follow a whitelist-based egress approach to minimize the potential blast radius and avoid data exfiltration.
Shifting security left
Whether you’re moving to the cloud or starting there from scratch, start with security requirements at the earliest possible point. The security strategy for the cloud should flow from your initial set of requirements and then evolve alongside the technology and business. This means it should then be present in every event — from the small to the large — such as the right permissions for signing artifacts, defining granular access earlier in development for access between components such as application and database using routing via IAM rules, scanning images as soon as build happens.
Security as Code
Finally, it is imperative that you not only start early when it comes to cloud security, but that it is comprehensively codified. For example, you should start with defining policy as code to cover both security and compliance and use security tools to scan cloud instances. You should also secure your configuration using infrastructure as code. This will ultimately ensure that security can keep pace with development on the cloud and will not act as a blocker but, instead, as an enabler that empowers continuous secure delivery.
Cloud security is complex when the scope is large. Approaching problems in a structured way can help us to properly and effectively address them. Following a step-by-step process, moreover, makes it easier to keep complexity at bay. Following the five pillars of cloud security along with the three fundamental principles will ensure you can put together a cloud security strategy for your organization’s cloud journey.
Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.