In this article, the term cloud refers to the software in which you are accessing a server or system somewhere through the internet. Many agencies across the government use Cloud Service Providers (CSPs) like Amazon Web Services (AWS), Azure, and Google Cloud to migrate and share data with users across the nation.
Cloud services have increased their footprint over the years, but poor configurations and practices leave vast and dangerous security risks, and security compliance can affect your Authorization to Operate (ATO). Multiple recent security breaches emphasize the importance of security in the world of cloud technology and the internet. As 85% of security breaches involve human factors, these best practices will help you understand why the proper configuration of cloud services is important, and what actions need to be taken to properly manage and secure these services.
Different cloud service models have different responsibilities and security requirements. It’s important to distinguish between which security controls are applied to the Cloud Service Provider (CSP) versus the infrastructure teams and customers using services in the cloud.
Data stored in the cloud needs to be protected through encryption. A cloud environment should support data encryption for data as it moves to and from the cloud, as well as for how data is stored when it is at rest. Check with your CSP to learn which encryption policies are offered and which, if any, compliance requirements are needed for alignment.
Organizations need to ensure that appropriate controls are in place for accessing their cloud services and data. Specific rights and access policies can be assigned to different users. Applying separation of duties and least privilege is vital for checks-and-balances and delineating between privileged and non-privileged users.
Many cloud service providers have the option to enable Multi-factor Authentication (MFA). This is a great option to provide an added layer of authentication for privileged users. Take time to train your employees around security and best practices, whether they have access or not!
Security gaps can appear anytime in your cloud environment. If these issues are not addressed, then you leave the door open for security threats to enter your environment. Many CSPs allow you to perform penetration testing which requires a notification or approval process. If not, other companies are available that provide these services to ensure controls are tested and validated by a third-party auditor.
Routine security testing should be performed in your cloud environment. Within a cloud landscape, it’s important to conduct security testing through a comprehensive approach. This means you should scan at various levels within the environment, such as the cloud infrastructure, vulnerabilities and compliance at the resource level, the code for infrastructure builds, as well as Application Programming Interfaces (APIs) and application-based systems.
You need to understand the type of data hosted in your cloud environment. Does this data contain Personally Identifiable Information (PII) or Protected Health Information (PHI)? What about Controlled Unclassified Information (CUI)? These factors must be considered, as certain compliance standards determine how data is protected and managed.
Additionally, as data is encrypted and restricted by access controls, policies and procedures must be developed to manage the data. Ask yourself:
How often are backups performed?
Where are these backups stored?
What are the data retention policies?
How will the data be sanitized, removed, or transferred to another environment while maintaining compliance?
It’s important to understand these types of questions to build security around the data and privacy that ensures the right compliance needed.
Threats can happen every day and can hide in your cloud environment without your knowledge. An organization should enable logging and monitoring using security tools or services provided by the CSP. Leverage advanced capabilities such as artificial intelligence and machine learning (AI/ML) to establish alerts around triggered events, enabling rapid incident detection and response capabilities.
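To make the "alerts around triggered events" concrete, here is an added example (not from the original article) of detection logic run over constructed audit-log events in a CloudTrail-like JSON shape. The user names and IP addresses are invented sample data; the two rules flag console sign-ins without MFA and any API call that tampers with the audit trail itself.

```python
import json

# Constructed audit-log events (CloudTrail-like JSON lines; not real data).
SAMPLE_EVENTS = [
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"},
                "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.10"}),
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"userName": "bob"},
                "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.5"}),
    json.dumps({"eventName": "StopLogging", "userIdentity": {"userName": "bob"},
                "sourceIPAddress": "203.0.113.5"}),
    json.dumps({"eventName": "GetObject", "userIdentity": {"userName": "alice"},
                "sourceIPAddress": "198.51.100.10"}),
]

# API calls that weaken or disable the audit trail; these should always alert,
# because an attacker who can silence logging hides everything that follows.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def detect_alerts(event_lines):
    """Return alert strings for suspicious events in an iterable of JSON lines."""
    alerts = []
    for line in event_lines:
        ev = json.loads(line)
        name = ev.get("eventName")
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        src = ev.get("sourceIPAddress", "?")
        # Rule 1: interactive sign-in that did not present a second factor.
        if name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(f"console login without MFA: user={user} src={src}")
        # Rule 2: someone is changing or stopping the logging pipeline.
        if name in LOGGING_TAMPER_EVENTS:
            alerts.append(f"audit logging tampered ({name}): user={user} src={src}")
    return alerts
```

In practice the same rules would run as a managed detection or a scheduled query over the CSP's log store rather than over an in-memory list.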
Compliance is the foundation for establishing proper security. To follow compliance needs, an organization must understand the customers being supported, what type of data needs to be stored, and who is hosting the data. When choosing a CSP, you must know which service model will be used to select the correct frameworks and drive compliance requirements. Many CSPs have references and documentation available on their services that meet specific compliance standards, including certifications.
Once things are up and running, you will need to maintain your cloud environment. Understand what components within your cloud infrastructure you can update based on patches, advisories, or critical updates. Perform these exercises on a routine basis for a strong security posture. Automate these processes wherever possible!
Often, applications built in the cloud environment, or specific coding functions, are used to deliver particular business services. It’s important to apply best practices around coding to limit misconfigurations and lessen vulnerabilities.
Leverage cloud services that enable rapid and secure software delivery (i.e., DevSecOps), as they allow you to automate security testing and enable checkpoints within the software delivery process. This ensures all vulnerabilities, including any bad code, are caught and fixed before deployment.
10. Employee Training on Best Practices
Sometimes the biggest threat to your cloud environments is your own employees. An employee who misconfigures an important setting due to negligence or lack of knowledge can open a plethora of vulnerabilities for attackers to exploit. Just like with any technology, your organization needs to take the time to provide routine-based training and refreshers on cloud security and best practices.
Worry less about your cloud security. Have a member of the MetroStar team ensure your Cloud Service Model is secure and right for your unique mission goals.
Former MetroStar Principal Cybersecurity Engineer