Gartner, Clouds Are Secure: Are You Using Them Securely?, Jay Heiser, 31 January 2018
CHALLENGE:
There is confusion over the division of security responsibilities in the cloud.
Not knowing how the day-to-day tasks for ensuring security and compliance in
a dynamic cloud environment are distributed between the cloud provider, the
customer’s security team, and application owners can lead to blind spots
in your cloud security plan.
RECOMMENDATIONS:
CHALLENGE:
Shadow IT and rogue assets on the network pose unknown security risks
to the entire organization.
RECOMMENDATIONS:
• Use a master-level account for applying organization-level policies across
all linked accounts.
• Improve visibility into assets across your organization and within each
subgroup with the ability to understand relationships and assign relative
asset risk values.
CHALLENGE:
Security and compliance auditing procedures designed for on-premises
systems don’t work for applications in the cloud. Security and compliance
assessment in the cloud requires an approach that understands the
dynamic nature of cloud objects and can benchmark against rules that
are specific to the cloud provider and service type. The lifetime of an
application resource in the cloud can be extremely short, so
customers must ensure that their cloud security posture management
(CSPM) solution does not rely on periodic scans.
RECOMMENDATIONS:
• Ensure that your security tools and procedures account for the dynamic
nature of your cloud environment and provide real-time visibility
necessary to audit ephemeral cloud infrastructure.
CHALLENGE:
Because today’s cloud services are composed of many siloed elements and
configurations, it’s hard to understand new risks without a greater context
for the relationships between cloud objects. A single cloud configuration,
which may appear to be correct on its own, can combine with other configurations to
become a critical vulnerability in your cloud environment.
RECOMMENDATIONS:
• Prioritize fixing violation chains that could accidentally expose your critical
virtual machines or data to the internet because access policies are shared
between objects of similar types.
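The chain described above, as an added example that is not part of the original paper: a security group opened for a bastion host is reused on a database instance that also has a public address. Neither setting is a critical finding alone; the check walks the relationships between constructed objects (all names and tags are assumed) and reports only the combination.

```python
from dataclasses import dataclass, field

# Constructed sample inventory (not a real account): a security group opened
# for a bastion host is also attached to a database instance with a public IP.
@dataclass
class SecurityGroup:
    sg_id: str
    ingress: list  # (source_cidr, port) pairs

@dataclass
class Instance:
    instance_id: str
    public_ip: bool
    security_groups: list  # ids of attached groups
    tags: dict = field(default_factory=dict)

def internet_open_ports(sg):
    """Ports the group accepts from any source address."""
    return [port for cidr, port in sg.ingress if cidr == "0.0.0.0/0"]

def find_violation_chains(instances, groups):
    """Return chains where individually plausible settings combine into internet
    exposure of confidential data: public IP + shared open group + data tag."""
    by_id = {g.sg_id: g for g in groups}
    chains = []
    for inst in instances:
        if not inst.public_ip:
            continue  # an open group alone is unreachable without a public address
        if inst.tags.get("data_classification") != "confidential":
            continue  # exposure of a bastion is by design, not a chain
        for sg_id in inst.security_groups:
            ports = internet_open_ports(by_id[sg_id])
            if ports:
                chains.append({"instance": inst.instance_id, "group": sg_id,
                               "ports": ports})
    return chains

GROUPS = [SecurityGroup("sg-bastion", [("0.0.0.0/0", 22)]),
          SecurityGroup("sg-db", [("10.0.0.0/8", 5432)])]
INSTANCES = [
    Instance("i-bastion", True, ["sg-bastion"], {"data_classification": "none"}),
    Instance("i-db-1", True, ["sg-bastion", "sg-db"], {"data_classification": "confidential"}),
    Instance("i-db-2", False, ["sg-bastion", "sg-db"], {"data_classification": "confidential"}),
]

if __name__ == "__main__":
    for chain in find_violation_chains(INSTANCES, GROUPS):
        print(chain)
```

Only i-db-1 is reported: i-bastion is public by design and i-db-2 shares the same open group but has no public address.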
CHALLENGE:
The number of violations and alerts that security owners receive from security
tools can be overwhelming. An inability to filter out false positives and isolate
critical violations from a sea of findings can lead to inaction and serious
blind spots.
RECOMMENDATIONS:
• Make sure you have an approach to quantify the risk associated with
each security or compliance vulnerability. This includes estimating both
violation-level and cumulative object-level risk. Simply classifying
each violation as “High”, “Medium”, or “Low” is not enough. Sort all
security violations by risk and focus on the issues with the highest risk.
• Sometimes, even after sorting through risk scores, the number of critical
violations can be extremely high. Begin with violations that impact
your critical cloud assets first, especially those that could expose data
publicly or lead to unauthorized access.
• If you haven’t enabled security controls previously, work with a cloud
security expert to build a custom plan to selectively enable the security
checks and policies that are most critical for your environment. You
can gradually roll out new controls as you gain confidence in the
existing security checks and operational processes in place.
• Don’t blindly impose all security and compliance checks across all
groups alike. Work with application owners to identify checks that
shouldn’t apply to their applications or cloud environments and suppress
those findings and notifications.
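The scoring the recommendations above call for, as an added example rather than any vendor's scoring model: each violation gets a numeric risk from severity, reachability and asset value instead of a bare label, object-level risk combines all violations on one object, and per-group suppressions agreed with application owners drop findings before ranking. The weights, findings and group names are constructed assumptions.

```python
from collections import defaultdict

# Assumed weights (not from the paper): severity acts like a likelihood,
# exposure scales it by reachability, criticality (1-5) is the asset value.
SEVERITY = {"High": 0.9, "Medium": 0.5, "Low": 0.2}
EXPOSURE = {"public": 1.0, "internal": 0.4, "isolated": 0.1}
MAX_CRITICALITY = 5

# Constructed findings (not real data); "group" is the owning application team.
FINDINGS = [
    {"id": "V1", "object": "s3-logs", "rule": "bucket-public-read",
     "severity": "High", "exposure": "public", "criticality": 5, "group": "data"},
    {"id": "V2", "object": "s3-logs", "rule": "no-versioning",
     "severity": "Low", "exposure": "public", "criticality": 5, "group": "data"},
    {"id": "V3", "object": "i-dev-1", "rule": "ssh-open",
     "severity": "High", "exposure": "internal", "criticality": 1, "group": "sandbox"},
    {"id": "V4", "object": "db-prod", "rule": "unencrypted-storage",
     "severity": "Medium", "exposure": "isolated", "criticality": 5, "group": "payments"},
]
SUPPRESSIONS = {"sandbox": {"ssh-open"}}  # checks owners asked to suppress per group

def is_suppressed(f):
    return f["rule"] in SUPPRESSIONS.get(f["group"], set())

def violation_risk(f):
    """Violation-level risk rather than a bare High/Medium/Low label."""
    return round(SEVERITY[f["severity"]] * EXPOSURE[f["exposure"]] * f["criticality"], 2)

def rank_violations(findings):
    """Active violations, highest risk first; public exposure breaks ties."""
    active = [f for f in findings if not is_suppressed(f)]
    return sorted(active, key=lambda f: (-violation_risk(f),
                                         f["exposure"] != "public", f["id"]))

def object_risk(findings):
    """Cumulative object-level risk: treat each violation as an independent
    chance of compromise, so several mediums can outrank one high."""
    survive = defaultdict(lambda: 1.0)
    for f in findings:
        if is_suppressed(f):
            continue
        p = min(violation_risk(f) / MAX_CRITICALITY, 1.0)
        survive[f["object"]] *= 1.0 - p
    return {obj: round(1.0 - s, 3) for obj, s in survive.items()}

if __name__ == "__main__":
    print([(f["id"], violation_risk(f)) for f in rank_violations(FINDINGS)])
    print(object_risk(FINDINGS))
```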
CHALLENGE:
Public clouds enable extreme agility and allow developers to build and
deploy applications faster than ever before. In addition to application code,
developers are also responsible for configuring the cloud infrastructure
supporting the app. While security shouldn’t slow things down by manually
enforcing change control, there is a need for unobtrusive governance to
ensure necessary security controls. As application and infrastructure
code drift over time, teams need automated security guardrails to ensure
that deployments remain compliant and secure.
RECOMMENDATIONS:
• Decide how you’ll build the guardrail. Options include writing your own
actions or using out-of-the-box automation delivered by a third-party
security tool.
• The last thing you want is for your guardrail to break a production
application. Allow exceptions to each guardrail and build a feedback
loop including notifications to, and optional approvals from, application
owners to optimize the scope of each action.
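A guardrail with the exception list and owner feedback loop described above, as an added example and not any product's automation: a public-read bucket is left untouched when its owner has exempted it or when approval is required but not yet given, and the owner is notified on every action. The guardrail, bucket names and owner mapping are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Guardrail:
    name: str
    violates: Callable      # True when the resource breaks the rule
    remediate: Callable     # returns the corrected copy of the resource
    auto: bool = True       # False: act only after the application owner approves
    exceptions: set = field(default_factory=set)  # resource ids owners have exempted

def apply_guardrail(rail, resource, owner, approvals):
    """Evaluate one resource. Returns (action, resulting resource, who to notify).
    The resource is never modified while an exception applies or approval is missing."""
    rid = resource["id"]
    if not rail.violates(resource):
        return "compliant", resource, []
    if rid in rail.exceptions:
        return "excepted", resource, [owner]
    if rail.auto or approvals.get((rail.name, rid), False):
        return "remediated", rail.remediate(resource), [owner]
    return "approval_requested", resource, [owner]

# Constructed guardrail (not real policy): buckets must not grant public read.
NO_PUBLIC_BUCKET = Guardrail(
    name="no-public-bucket",
    violates=lambda r: r.get("acl") == "public-read",
    remediate=lambda r: {**r, "acl": "private"},
    auto=False,                          # production: remediate only with approval
    exceptions={"static-site-assets"},   # owner confirmed this bucket is public by design
)

# Constructed inventory and owner mapping.
BUCKETS = [{"id": "static-site-assets", "acl": "public-read"},
           {"id": "prod-backups", "acl": "public-read"},
           {"id": "ci-logs", "acl": "public-read"},
           {"id": "app-config", "acl": "private"}]
OWNERS = {"static-site-assets": "web-team", "prod-backups": "dba-team",
          "ci-logs": "ci-team", "app-config": "app-team"}

def run(rail, resources, owners, approvals):
    """One evaluation pass: {resource id: (action, resulting acl, notified owners)}."""
    out = {}
    for r in resources:
        action, fixed, notify = apply_guardrail(rail, r, owners[r["id"]], approvals)
        out[r["id"]] = (action, fixed["acl"], notify)
    return out

if __name__ == "__main__":
    # feedback loop: the ci-logs owner approved the fix, the prod-backups owner has not yet
    print(run(NO_PUBLIC_BUCKET, BUCKETS, OWNERS, {("no-public-bucket", "ci-logs"): True}))
```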
CHALLENGE:
The lifespan of many objects in the cloud can be extremely short.
How do you audit something or enforce security in the cloud when your
applications are constantly spinning up and tearing down resources every
other minute? Even if your applications are not dynamic, finding
security gaps late in production can be extremely expensive.
RECOMMENDATIONS:
CHALLENGE:
Most security breaches are detected months after an attack has begun
and can cost organizations millions of dollars to contain. With
cloud security infrastructure producing massive amounts of data, security
teams can leverage advances in machine learning technologies to
proactively monitor their cloud infrastructure, detect suspicious
activity within minutes of a security event, and prevent a serious security
breach from happening.
RECOMMENDATIONS:
• Use third-party cloud security solutions that leverage machine learning
techniques to identify potential threats and provide deep insight into
anomalies across multiple clouds.
• Look for solutions that can complement and correlate their insights with
those from cloud-native anomaly detection services such as AWS GuardDuty
to improve the accuracy of security event detection.
• Leverage automation to block access and alert users to take appropriate
actions when malicious activity or unauthorized access to your systems
is detected.
CHALLENGE:
You don’t want to be in a state of chaos when a cloud security breach
occurs. With the responsibility of security shared between the cloud
provider and the customer, and further distributed across multiple groups
inside the customer organization, pulling together an effective response
requires proactive planning and coordination amongst stakeholders.
RECOMMENDATIONS:
• Build a joint response plan with the cloud provider. Establish what
resources the cloud provider can offer for investigating a security
breach.
• Look at historic events, both within your company and outside, and
create playbooks to document steps for responding to specific incident
types.
• Test systems (e.g. logging enabled) and skills (people and tooling)
readiness by conducting mock drills.
CHALLENGE:
With the public cloud technology landscape changing rapidly over time—
virtual machines to containers to serverless—and cloud providers introducing many
new services every month, it’s almost impossible for both security teams and
developers to stay on top of best practices in the cloud.
RECOMMENDATIONS:
• Automate security and start with your application code. The only way
to embrace DevSecOps is by embedding security checks and controls
early into the development process.