
Top 10 Best Practices for Cloud Security Posture Management

INTRODUCTION

Public clouds have fundamentally changed the way organizations build,
operate, and manage applications. Security for applications in the cloud
is composed of hundreds of configuration parameters and is vastly
different from security in traditional data centers. According to Gartner,
“Through 2020, at least 95% of cloud breaches will be due to customer
misconfiguration, mismanaged credentials or insider theft, not cloud
provider vulnerabilities” [1].

The uniqueness of cloud requires that security teams rethink classic
security concepts and adopt approaches that address serverless, dynamic,
and distributed cloud infrastructure. This includes rethinking security
practices across asset management, compliance, change management,
issue investigation, and incident response, as well as training and
education.

We interviewed several security experts and asked them how public
cloud transformation has changed their cloud security and compliance
responsibilities. In this e-book, we will share the top 10 best practices
discovered during our research.

[1] Gartner, Clouds Are Secure: Are You Using Them Securely?, Jay Heiser, 31 January 2018

COPYRIGHT © 2019 VMWARE, INC. ALL RIGHTS RESERVED.


1 DISTRIBUTE CLOUD SECURITY RESPONSIBILITIES

CHALLENGE:
There is confusion over the division of security responsibilities in the cloud.
Not knowing how day-to-day tasks for ensuring security and compliance in
a dynamic cloud environment are distributed between the cloud provider,
customer’s security team, and application owners can lead to blind spots
in your cloud security plan.

RECOMMENDATIONS:

• Know where the division of security lies between the customer
and cloud provider. Typically, cloud providers own security of all
components from the host operating system and virtualization layer
down to the physical security. The customer assumes responsibility for
securing the guest operating system and application software, as well as
the configuration of cloud services.

• Understand how security is jointly managed by the cloud security team and
application developers. Clearly defining and documenting what’s
expected of each group before rolling out new applications
and services is critical for minimizing security risks.

• Understand that time to deployment in public clouds is rapid. Cloud
components may also have a very short lifespan. Customers need to
investigate how their existing security teams and products will handle
these rapidly deployed and destroyed cloud components.



2 CENTRALIZE CLOUD VISIBILITY UNDER A MULTI-ACCOUNT MODEL

CHALLENGE:
Shadow IT and rogue assets on the network pose unknown security risks
to the entire organization.

RECOMMENDATIONS:

• Deploy applications under multiple accounts. Use separate accounts for
experimentation, development, staging, production, billing, and logging
data for auditors.

• Use a master-level account for applying organization-level policies across
all linked accounts.

• Classify cloud usage by aggregating cloud accounts into meaningful
sub-groups based on team ownership, parent business units, application
types, or development stages.

• Identify sub-groups that pose a higher security risk to your organization.

• Improve visibility into assets across your organization and within each
sub-group with the ability to understand relationships and assign relative
asset risk values.



3 AUTOMATE COMPLIANCE AND ALIGN WITH CLOUD STANDARDS

CHALLENGE:
Security and compliance auditing procedures designed for on-premises
systems don’t work for applications in the cloud. Security and compliance
assessment in the cloud requires that your approach understands the
dynamic nature of cloud objects and can benchmark against rules that
are specific to the cloud provider and service type. Application resources
in the cloud can be extremely short-lived, so customers must ensure that
their cloud security posture management (CSPM) solution does not rely on
periodic scans.

RECOMMENDATIONS:

• Continuously monitor your cloud’s security posture against established
best practices with the help of cloud-specific benchmarks from the
Center for Internet Security (CIS).

• Ensure that you’re also benchmarking for industry-specific regulatory
compliance requirements as defined by frameworks such as NIST 800-171,
SOC, GDPR, HIPAA, and PCI DSS.

• Leverage a cloud security posture management solution to automate
benchmarking against multiple compliance frameworks at once.

• Ensure that your security tools and procedures account for the dynamic
nature of your cloud environment and provide real-time visibility
necessary to audit ephemeral cloud infrastructure.
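The "benchmark once, report against many frameworks" idea above can be built as a check table in which each check carries the control IDs it satisfies in each framework. The following is an added example (not from the e-book or from VMware Secure State); the account snapshot, check names and control IDs are constructed, illustrative placeholders rather than a verified control mapping.

```python
# Added example (not from the e-book): evaluate a constructed account snapshot
# once and fan each result out to every framework the check maps to. Check
# names, control IDs and account data are illustrative placeholders.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Check:
    check_id: str
    description: str
    evaluate: Callable[[dict], bool]                        # True when the account passes
    controls: Dict[str, str] = field(default_factory=dict)  # framework -> control ID

# Constructed account snapshot, shaped like what a CSPM collector would gather.
ACCOUNT = {
    "cloudtrail": {"multi_region": False, "log_validation": True},
    "root_mfa_enabled": True,
    "buckets": [{"name": "app-logs", "public": False},
                {"name": "audit-logs", "public": True}],
}

CHECKS = [
    Check("trail-all-regions", "Audit trail enabled in all regions",
          lambda a: a["cloudtrail"]["multi_region"],
          {"CIS-AWS": "2.1", "PCI-DSS": "10.x", "NIST-800-171": "3.3.1"}),
    Check("root-mfa", "MFA enabled on the root account",
          lambda a: a["root_mfa_enabled"],
          {"CIS-AWS": "1.13", "PCI-DSS": "8.x"}),
    Check("no-public-buckets", "No storage bucket is publicly readable",
          lambda a: not any(b["public"] for b in a["buckets"]),
          {"CIS-AWS": "2.3", "NIST-800-171": "3.1.3", "HIPAA": "164.312(a)"}),
]

def benchmark(account: dict, checks: List[Check]) -> Dict[str, Dict[str, List[str]]]:
    """Run every check once; report passing and failing control IDs per framework."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for check in checks:
        status = "pass" if check.evaluate(account) else "fail"
        for framework, control in check.controls.items():
            report.setdefault(framework, {"pass": [], "fail": []})[status].append(control)
    return report

if __name__ == "__main__":
    for framework, result in sorted(benchmark(ACCOUNT, CHECKS).items()):
        print(f"{framework}: failing controls {result['fail']}")
```

Because the account is evaluated once, adding a framework is a matter of adding a column to the mapping, not of writing new checks.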



4 IDENTIFY RISKS POSED BY INTERCONNECTED OBJECTS

CHALLENGE:
Because today’s cloud services are composed of many siloed elements and
configurations, it’s hard to understand new risks without a greater context
for relationships between cloud objects. A simple cloud configuration,
which may appear to be correct, can combine with other configurations to
become a critical vulnerability in your cloud environment.

RECOMMENDATIONS:

• Ensure that your CSPM solution can navigate relationships between
cloud objects to detect not just basic misconfigurations but also
complex violation chains that arise from the combined configuration of
several cloud services.

• Prioritize fixing violation chains that could accidentally expose your critical
virtual machines or data to the internet due to sharing of access policies
between objects of similar types.
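The chain described here (a security group that is fine for a web server but is shared with a database, in a subnet routed to the internet) only shows up when the relationships are followed. The following added example (not from the e-book or from VMware Secure State) walks a constructed inventory of route tables, subnets, security groups and instances; all IDs and names are constructed.

```python
# Added example (not from the e-book): walk the relationships between
# constructed cloud objects to find an exposure that no single object's
# configuration reveals on its own. All IDs and names are illustrative.
from typing import Dict, List

# Constructed inventory: a subnet routed to an internet gateway, and one
# security group shared by the web tier and the database behind it.
INVENTORY = {
    "route_tables": {"rtb-public": {"internet_gateway": True}},
    "subnets": {"subnet-a": {"route_table": "rtb-public"}},
    "security_groups": {
        # Reasonable for a web server on its own; the problem is the sharing.
        "sg-shared": {"ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                  {"port": 5432, "cidr": "0.0.0.0/0"}]},
    },
    "instances": {
        "i-web": {"subnet": "subnet-a", "public_ip": True,
                  "security_groups": ["sg-shared"], "role": "web"},
        "i-db": {"subnet": "subnet-a", "public_ip": True,
                 "security_groups": ["sg-shared"], "role": "database"},
        "i-batch": {"subnet": "subnet-a", "public_ip": False,
                    "security_groups": ["sg-shared"], "role": "batch"},
    },
}

def internet_exposed_ports(inv: dict, instance_id: str) -> List[int]:
    """Ports reachable from the internet: needs a public IP, a subnet routed to
    an internet gateway, and a group rule open to 0.0.0.0/0 on that port."""
    inst = inv["instances"][instance_id]
    subnet = inv["subnets"][inst["subnet"]]
    routed = inv["route_tables"][subnet["route_table"]]["internet_gateway"]
    if not (inst["public_ip"] and routed):
        return []
    ports = set()
    for sg_id in inst["security_groups"]:
        for rule in inv["security_groups"][sg_id]["ingress"]:
            if rule["cidr"] == "0.0.0.0/0":
                ports.add(rule["port"])
    return sorted(ports)

def violation_chains(inv: dict) -> Dict[str, List[int]]:
    """Instances outside the web tier that end up internet-reachable."""
    findings = {}
    for iid, inst in inv["instances"].items():
        if inst["role"] != "web":  # the web tier is meant to face the internet
            exposed = internet_exposed_ports(inv, iid)
            if exposed:
                findings[iid] = exposed
    return findings
```

violation_chains(INVENTORY) reports {'i-db': [443, 5432]}: the database is reachable only because three separately acceptable settings line up, while i-batch, which has no public IP, is not flagged despite sharing the same group.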



5 PRIORITIZE SECURITY VIOLATIONS BY QUANTIFYING RISK

CHALLENGE:
The number of violations and alerts that security owners get from security
tools can be overwhelming. An inability to prevent false positives and isolate
critical violations from a sea of findings can lead to inaction and serious
blind spots.

RECOMMENDATIONS:

• Make sure you have an approach to quantify the risk associated with
each security or compliance vulnerability. This includes estimating both
violation-level and cumulative object-level risk. Simply classifying
each violation as “High”, “Medium”, or “Low” is not enough. Sort all
security violations by risk and focus on the issues with the highest risk.

• Sometimes, even after sorting through risk scores, the number of critical
violations can be extremely high. Begin with violations that impact
your critical cloud assets first, especially those that could expose data
publicly or lead to unauthorized access.

• If you haven’t enabled security controls previously, work with a cloud
security expert to build a custom plan to selectively enable security
checks and policies that are most critical for your environment. You
can gradually roll out new controls as you gain confidence in the
existing security checks and operational processes in place.

• Don’t blindly impose all security and compliance checks across all
groups alike. Work with application owners to identify checks that
shouldn’t apply to their applications or cloud environments and suppress
those findings and notifications.
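The two risk levels recommended above (per violation, and cumulative per object) can be made concrete with a small scoring model. The following added example (not from the e-book or from VMware Secure State) scores constructed findings by severity, asset criticality and public exposure, rolls them up per object, and sorts; the weights and the findings are constructed, and a real CSPM product will use its own model.

```python
# Added example (not from the e-book): score constructed CSPM findings at the
# violation level, roll them up per cloud object, and sort by risk rather
# than by a bare High/Medium/Low label. Weights and findings are illustrative.
from collections import defaultdict
from typing import Dict, List

SEVERITY = {"High": 10, "Medium": 5, "Low": 1}

# Constructed findings: the object, its business criticality (1-5), the
# violation's severity label, and whether the object is publicly reachable.
FINDINGS = [
    {"object": "bucket:customer-exports", "criticality": 5, "severity": "High", "public": True},
    {"object": "vm:build-agent-3", "criticality": 1, "severity": "High", "public": False},
    {"object": "vm:build-agent-3", "criticality": 1, "severity": "Medium", "public": False},
    {"object": "db:orders-prod", "criticality": 5, "severity": "Medium", "public": False},
    {"object": "db:orders-prod", "criticality": 5, "severity": "Low", "public": False},
    {"object": "vm:dev-sandbox", "criticality": 2, "severity": "High", "public": True},
]

def violation_risk(f: dict) -> int:
    """Violation-level risk: severity weight scaled by asset criticality,
    doubled when the object is reachable from the internet."""
    base = SEVERITY[f["severity"]] * f["criticality"]
    return base * 2 if f["public"] else base

def object_risk(findings: List[dict]) -> Dict[str, int]:
    """Cumulative object-level risk: the sum of all violation risks on the object."""
    totals: Dict[str, int] = defaultdict(int)
    for f in findings:
        totals[f["object"]] += violation_risk(f)
    return dict(totals)

def prioritized(findings: List[dict]) -> List[dict]:
    """Riskiest object first, and within an object its riskiest violation first."""
    totals = object_risk(findings)
    return sorted(findings, key=lambda f: (totals[f["object"]], violation_risk(f)),
                  reverse=True)

if __name__ == "__main__":
    for f in prioritized(FINDINGS):
        print(f"{violation_risk(f):4d}  {f['severity']:<6}  {f['object']}")
```

Note how a "Low" finding on the production database ranks above two "High" findings on a throwaway build agent, which is exactly why the label alone is not enough.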



6 BUILD AUTOMATED SECURITY GUARDRAILS

CHALLENGE:
Public clouds enable extreme agility and allow developers to build and
deploy applications faster than ever before. In addition to application code,
developers are also responsible for configuring the cloud infrastructure
supporting the app. While security shouldn’t slow things down by manually
enforcing change control, there is a need for unobtrusive governance to
ensure necessary security controls. As applications and infrastructure
code drifts over time, teams need automated security guardrails to ensure
that deployments remain compliant and secure.

RECOMMENDATIONS:

• Begin with a shortlist of security actions that need to be automated and
triggers that initiate them.

• Determine how broadly each action applies. This includes establishing
the target accounts (single account or multiple) as well as validating
the conditions the target accounts must meet for actions to be applicable.

• Decide how you’ll build the guardrail. Options include writing your own
actions or using out-of-the-box automation delivered by a third-party
security tool.

• The last thing you want is for your guardrail to break a production
application. Allow exceptions to each guardrail and build a feedback
loop including notifications to, and optional approvals from, application
owners to optimize the scope of each action.



7 ENFORCE SECURITY CHECKS IN DEV PIPELINES

CHALLENGE:
Many objects in the cloud can be extremely short-lived.
How do you audit something or enforce security in the cloud when your
applications are constantly spinning up and down new resources every
other minute? Even if your applications are not dynamic, figuring out
security gaps late in production can be extremely expensive.

RECOMMENDATIONS:

• Define misconfiguration checks as a pipeline stage that finds violations
immediately after your deployment pipelines are executed.

• If violations are found, communicate issues to application owners and
seek approvals for remediation (optional).

• Embed remediation steps into the re-deployment pipeline to correct
configurations.

• Continuously gather feedback from the pipeline to identify trends in
violations, if any, to update your policies.
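Sections 6 and 7 describe the same loop from two angles: a check that runs right after deployment, scoped to particular accounts, with owner-granted exceptions and an optional approval before anything is remediated, plus an outcome record the pipeline can feed back. The following added example (not from the e-book or from VMware Secure State) implements that loop over a constructed deployment; the account IDs, bucket names and the remediation action are illustrative placeholders.

```python
# Added example (not from the e-book): a post-deployment guardrail that checks
# freshly deployed resources, honours owner-granted exceptions, and either
# remediates or waits for the owner's approval. IDs and names are illustrative.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class Guardrail:
    accounts: Set[str]                      # scope: accounts the guardrail applies to
    condition: Callable[[dict], bool]       # trigger: True when a resource violates
    remediate: Callable[[dict], dict]       # action: fields to change on the resource
    exceptions: Set[str] = field(default_factory=set)  # resource IDs owners opted out
    needs_approval: bool = True             # ask the owner before touching production

def run_guardrail(gr: Guardrail, account: str, resources: List[dict],
                  approvals: Set[str]) -> Dict[str, List[str]]:
    """Apply one guardrail to a deployment's resources and report each outcome,
    so the pipeline can notify owners and track violation trends over time."""
    outcome = {"remediated": [], "awaiting_approval": [], "excepted": [], "compliant": []}
    if account not in gr.accounts:          # out of scope: do nothing at all
        return outcome
    for r in resources:
        if not gr.condition(r):
            outcome["compliant"].append(r["id"])
        elif r["id"] in gr.exceptions:
            outcome["excepted"].append(r["id"])
        elif gr.needs_approval and r["id"] not in approvals:
            outcome["awaiting_approval"].append(r["id"])   # notification goes out here
        else:
            r.update(gr.remediate(r))
            outcome["remediated"].append(r["id"])
    return outcome

# Constructed guardrail: storage buckets must not be publicly readable.
PUBLIC_BUCKET = Guardrail(
    accounts={"111111111111", "222222222222"},   # placeholder account IDs
    condition=lambda r: r["type"] == "bucket" and r["public"],
    remediate=lambda r: {"public": False},
    exceptions={"bucket:static-website"},         # owner-approved public site
)

# Constructed output of a deployment pipeline run in account 111111111111.
DEPLOYED = [
    {"id": "bucket:static-website", "type": "bucket", "public": True},
    {"id": "bucket:customer-exports", "type": "bucket", "public": True},
    {"id": "bucket:build-cache", "type": "bucket", "public": True},
    {"id": "bucket:app-logs", "type": "bucket", "public": False},
]
```

Running run_guardrail(PUBLIC_BUCKET, "111111111111", DEPLOYED, {"bucket:build-cache"}) fixes build-cache, leaves customer-exports awaiting its owner's approval, and records the static site as an approved exception, so the guardrail never silently breaks a production application.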



8 USE MACHINE LEARNING FOR ANOMALY DETECTION

CHALLENGE:
Most security breaches are detected months after an attack has begun
and can cost organizations millions of dollars to contain the breach. With
cloud security infrastructure producing massive amounts of data, security
teams can leverage advances in machine learning technologies to
proactively monitor their cloud infrastructure to detect any suspicious
activity within minutes of a security event and prevent a serious security
breach from happening.

RECOMMENDATIONS:

• Use third-party cloud security solutions that leverage machine learning
techniques to identify potential threats and provide deep insight into
anomalies across multiple clouds.

• Look for solutions that can complement and correlate their insights with
those from cloud-native anomaly detection services such as AWS GuardDuty
to improve the accuracy of security event detection.

• Leverage automation to block access and alert users to take appropriate
actions when malicious activity or unauthorized access to your systems
is detected.



9 BUILD AN INCIDENT RESPONSE PLAN

CHALLENGE:
You don’t want to be in a state of chaos when a cloud security breach
occurs. With the responsibility of security shared between the cloud
provider and the customer, and further distributed across multiple groups
inside the customer organization, pulling together an effective response
requires proactive planning and coordination amongst stakeholders.

RECOMMENDATIONS:

• Build a joint response plan with the cloud provider. Establish what
resources the cloud provider can offer for investigating a security
breach.

• Clearly define roles and responsibilities when it comes to addressing a
breach across groups in your organization—Information Security, GRC,
Vulnerability Management, SOC, Cloud Operations, and Development
teams.

• Look at historic events, both within your company and outside, and
create playbooks to document steps for responding to specific incident
types.

• Test the readiness of systems (e.g., is logging enabled?) and skills
(people and tooling) by conducting mock drills.

• Build a recovery plan to ensure the continuity of your applications in
case of an outage due to a security event.



10 EMBRACE DevSecOps

CHALLENGE:
With the public cloud technology landscape changing rapidly over time—
virtual to containers to serverless—and cloud providers introducing many
new services every month, it’s almost impossible for both security and
developers to stay on top of best practices in the cloud.

RECOMMENDATIONS:

• Educate your developers on not just the importance of security, but on
how to write more secure software.

• Automate security and start with your application code. The only way
to embrace DevSecOps is by embedding security checks and controls
early into the development process.

• Invest in a specialized cloud security solution that supports multiple
public clouds and streamlines security operations and automation across
teams, including security, operations, and developers.



CONCLUSION

Delivered as a service, VMware Secure State is an intelligent cloud
security solution that helps organizations minimize security risk and
proactively mitigate threats across AWS and Azure. VMware Secure State
helps organizations automatically remediate cloud misconfigurations and
build security guardrails that help developers innovate across multiple
clouds without compromising on agility or security.

To learn more about VMware Secure State, visit us online at
go.cloudhealthtech.com/vmware-secure-state to schedule a demo,
where we’ll walk you through our rich feature set and how you can
improve your cloud security posture with simple steps and industry
best practices.

