With sophisticated attacks like Solorigate (the SolarWinds supply-chain compromise), it is essential to understand how to properly segment, secure, and monitor your cloud estate. Cloud service providers offer hundreds of cloud computing services that let organizations innovate quickly, improve digital experiences for customers and employees, and avoid large capital outlays for data centers and hardware.
While cloud computing offers significant benefits, it also introduces risks that security and IT teams must manage deliberately. In this blog post, I will cover the security best practices for cloud deployment that organizations should adopt to protect and monitor their workloads.
6 Security Best Practices
For enterprises that use the cloud, the key to being protected starts with understanding the different layers that make up the components of the cloud stack.
These different layers (Figure 1) – Services, Identity, Application, Network, Compute, and Storage – create multiple potential targets for attack. Each layer represents a piece of the cloud environment that can be secured against potential threats. By focusing on the different pieces of the cloud stack and addressing their unique security threats, your cloud environment will be far more resistant to cybersecurity threats.
In this article, I will share six best practices that will help you to secure all layers of your cloud stack. I will also name the corresponding Microsoft Azure service for each. The same practices apply whether you are using Google Cloud (GCP), Amazon AWS, or Alibaba Cloud; only the service names differ.
1- Locking down your identity management
Identity and access management (IAM) determines which parts of the cloud stack you and your users can reach and what you can do once there. In the cloud, identity is the control plane: if an attacker can sign in with any of your credentials, most of the other controls described below can be bypassed or switched off.
To protect and lock down your identity management, do the following:
- Require strong passwords and enforce a custom banned-password list. Length matters more than forced complexity: use the longest password or passphrase the system allows, and reject candidates that contain your company name, product names, seasons, or other predictable terms, even when disguised with character substitutions.
- Implement multi-factor authentication (MFA). A strong password is not enough on its own. A second factor means a phished or leaked password does not, by itself, grant access to the account.
- Create least-privilege roles. Give users only the accounts, roles, and systems they need to be productive, scoped as narrowly as the platform allows. This limits the damage that can be done if a mistake is made or an account is compromised.
- Disable inactive accounts. When employees leave your organization, disable their sign-in and revoke or rotate any access keys, tokens, and certificates they held, immediately. Inactive accounts are rarely watched as closely as active ones, and their stale credentials are an easy way in.
- Monitor for suspicious user behavior and compromised credentials. Use real-time monitoring of sign-in logs, backed by analytics and machine learning, to spot patterns such as password spray, impossible travel, or a successful sign-in that follows a run of failures.
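The banned-password check above can be made concrete. The following Python is an added example, not Microsoft's implementation: it is modelled on the scoring Microsoft documents for Azure AD Password Protection (normalise the candidate, count one point for each banned term it contains and one for every remaining character, reject below five points). The banned list, the substitution table, and the 12-character minimum are assumptions of this example.

```python
"""Custom banned-password check (added example, not Microsoft's code).

Modelled on the scoring Microsoft documents for Azure AD Password Protection:
normalise the candidate, remove every banned term it contains (1 point each),
count the characters that remain (1 point each), and reject anything under 5.
The banned list, substitution table and 12-character minimum are assumptions.
"""
from __future__ import annotations

# Constructed tenant-specific banned list (company name, products, seasons ...)
CUSTOM_BANNED = ["contoso", "password", "welcome", "summer"]

# Subset of the leetspeak substitutions undone before matching (assumption)
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
MIN_SCORE = 5


def normalize(password: str) -> str:
    """Lower-case the candidate and reverse common character substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned=CUSTOM_BANNED) -> tuple[int, list[str]]:
    """Return (points, banned terms found). Longer terms are matched first so
    a long banned word is not hidden by a shorter overlapping entry."""
    text = normalize(password)
    found: list[str] = []
    points = 0
    for term in sorted(banned, key=len, reverse=True):
        while term in text:
            text = text.replace(term, "", 1)
            found.append(term)
            points += 1
    points += len(text)          # every character not consumed by a banned term
    return points, found


def is_acceptable(password: str, min_length: int = 12, banned=CUSTOM_BANNED) -> bool:
    """Length first, then the banned-term score; no composition rules."""
    if len(password) < min_length:
        return False
    points, _ = score(password, banned)
    return points >= MIN_SCORE


if __name__ == "__main__":
    for candidate in ["P@$$w0rd123", "C0ntoso!Welcome", "correct horse battery staple"]:
        pts, found = score(candidate)
        print(f"{candidate!r:32} score={pts:<3} banned={found} ok={is_acceptable(candidate)}")
```

Note what the scoring rewards: `P@$$w0rd123` satisfies every classic complexity rule yet scores 4 because it is just `password` plus three characters, while a long passphrase with no banned terms passes comfortably.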
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources.
Managing security can be difficult with common identity-related attacks like password spray, replay, and phishing becoming more popular. Security defaults in Azure AD make it easier to help protect your organization from these attacks with pre-configured security settings:
- Requiring all users to register for Azure AD Multi-Factor Authentication.
- Requiring administrators to perform multi-factor authentication.
- Blocking legacy authentication protocols (for example basic authentication for POP, IMAP, and SMTP), which cannot enforce MFA and are therefore a favorite target for password spray.
- Requiring users to perform multi-factor authentication when necessary.
- Protecting privileged activities like access to the Azure Portal.
By connecting Azure Active Directory (Azure AD) sign-in and audit logs to Azure Sentinel, you can apply analytics rules and machine learning to identify suspicious activity and possibly compromised account credentials.
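The kind of analytics rule that runs over those sign-in logs can be shown in a few dozen lines. The following Python is an added example, not Azure Sentinel's or Microsoft's code. The events are constructed and only mimic four columns of the Azure AD SigninLogs table; the assumption that result type 50126 means "invalid username or password" and 0 means success, and the thresholds, are choices of this example. It separates a password spray (one source, many users, few attempts each) from a brute-force attack (one source, one user, many attempts) and surfaces accounts that the spray source later signed into successfully.

```python
"""Password-spray and brute-force detection over Azure AD-style sign-in events.

Added example, not Microsoft's or Azure Sentinel's code. The events below are
constructed; they mimic four SigninLogs columns (TimeGenerated,
UserPrincipalName, IPAddress, ResultType). Assumption: ResultType 50126 is
'invalid username or password' and 0 is a successful sign-in.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_CREDS = 50126
SUCCESS = 0
T0 = datetime(2021, 1, 15, 8, 0, 0)


def _event(minute: int, user: str, ip: str, result: int) -> dict:
    return {
        "TimeGenerated": T0 + timedelta(minutes=minute),
        "UserPrincipalName": f"{user}@contoso.example",
        "IPAddress": ip,
        "ResultType": result,
    }


# Constructed sample: one spray source, one brute-force source, two normal users.
EVENTS = (
    # 203.0.113.7 tries one password against six accounts, then gets into bob's
    [_event(m, u, "203.0.113.7", FAILED_CREDS)
     for m, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_event(12, "bob", "203.0.113.7", SUCCESS)]
    # 198.51.100.9 hammers a single account
    + [_event(m, "alice", "198.51.100.9", FAILED_CREDS) for m in range(10)]
    # ordinary activity from the office range
    + [_event(3, "carol", "192.0.2.5", SUCCESS), _event(20, "dave", "192.0.2.5", SUCCESS)]
)


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_failures_per_user=2) -> list[dict]:
    """Flag a source IP that fails against many distinct users, a few times each,
    inside one window; also list sprayed users that later succeeded from that IP."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        bucket = failures if e["ResultType"] == FAILED_CREDS else successes
        bucket[e["IPAddress"]].append(e)

    findings = []
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["TimeGenerated"])
        for start_event in fails:                      # sliding window over failures
            start = start_event["TimeGenerated"]
            in_window = [f for f in fails if start <= f["TimeGenerated"] < start + window]
            per_user = Counter(f["UserPrincipalName"] for f in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_failures_per_user:
                # a success for a sprayed user from the same IP = likely compromised credential
                compromised = sorted({
                    s["UserPrincipalName"] for s in successes.get(ip, [])
                    if s["UserPrincipalName"] in per_user and s["TimeGenerated"] >= start
                })
                findings.append({"ip": ip, "window_start": start,
                                 "distinct_users": len(per_user),
                                 "failures": len(in_window), "compromised": compromised})
                break                                   # one finding per IP is enough
    return findings


def detect_brute_force(events, min_failures=8) -> list[tuple[str, str, int]]:
    """Flag (ip, user, count) pairs with many failures against a single account."""
    counts = Counter(
        (e["IPAddress"], e["UserPrincipalName"])
        for e in events if e["ResultType"] == FAILED_CREDS
    )
    return sorted((ip, user, n) for (ip, user), n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    for f in detect_password_spray(EVENTS):
        print(f"spray from {f['ip']}: {f['distinct_users']} users, "
              f"{f['failures']} failures, compromised={f['compromised']}")
    for ip, user, n in detect_brute_force(EVENTS):
        print(f"brute force from {ip} against {user}: {n} failures")
```

The two detectors deliberately use different shapes: a per-account lockout threshold never fires on a spray, because each account sees only one or two attempts, which is exactly why spray is popular against tenants that rely on lockout alone.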
2- Secure the compute layer
You must secure the compute layer to keep systems and data available and to stop attackers from using your computing power (for cryptocurrency mining, for example) or as a foothold from which to spread malware across your business and out to the Internet.
To secure your compute layer, do the following:
- Harden the operating system (OS). Remove unnecessary programs and disable services that only broaden your attack surface. Stay current on service packs and patches. Patching will not stop a true zero-day, but most intrusions exploit vulnerabilities that already have a fix, so it removes the bulk of what attackers actually use.
- Continuously check for misconfigurations and vulnerabilities. Use automated tooling (vulnerability scanning and configuration assessment) to detect drift across the environment, as well as anomalous behavior by users, hosts, and other entities.
- Securely manage remote connectivity. Use Secure Shell (SSH) key pairs issued per person rather than shared passwords, and lock down Remote Desktop Protocol (RDP) with just-in-time (JIT) VM access, so that management ports are opened only on request, only to the requester's IP address, and only for a limited time. This keeps your assets protected when you administer them over untrusted networks.
- Implement inbound and outbound firewall rules. Define explicitly what, how much, and who can send, receive, and access data in both directions. Many organizations are reluctant to set up outbound rules, but attackers will try to exfiltrate your sensitive data and intellectual property and to reach their command-and-control servers, so explicit outbound rules matter as much as inbound ones.
- Use only trusted images. Build your own images (containers and virtual machines) from scratch or take them from a trusted source such as Microsoft Azure, Google Cloud, or Amazon AWS, and pin the exact version or digest you validated. Don't use arbitrary images from the Internet or user communities.
Azure Bastion, Network Security Groups (NSGs), Azure Security Center, Azure Sentinel, Azure Firewall, and Azure Automation Update Management are all Azure services that you can use to protect and secure your compute layer.
3- Secure the cloud storage
Data is usually the most important asset your organization has, so you want to be sure to protect it. If attackers get access to your storage layer, they can delete or expose entire buckets or blob containers of data.
To secure your cloud storage, do the following:
- Manage data access. Identity and access management (IAM) policies and access control lists (ACLs) let you centralize control of permissions to your storage. Security policies let you allow or deny permissions by account, user, or group, or based on conditions such as date and time, source IP address, or whether the request arrived over a TLS-encrypted connection (still commonly labelled SSL). Disable anonymous (public) access to blobs and containers unless you have a specific, reviewed need for it.
- Classify data. Automatically classify data to ensure you know what type of data is stored and where it’s stored. Data classification policies should be matched to the security policies of your organization, and any violations should be flagged or automatically remediated.
- Encrypt your data. Data must be encrypted both in transit and at rest. Note that metadata, object names, and container names are generally not protected the same way: they can be visible to anyone with list permissions and show up in logs, so never put sensitive information in cloud storage metadata or in object names.
- Enable versioning and logging. Versioning allows you to preserve, retrieve, and restore data if something goes wrong. With versioning turned on, you can always restore from an older version of the data if a threat or application failure causes loss of data. Additionally, you should maintain access logs that provide an audit trail in case someone or something gets into your system.
- Do not grant delete rights by default. Set up roles in your cloud infrastructure that do not allow ordinary users to delete data, and pair them with soft delete or immutable (write-once) storage so that even an account that does hold delete rights cannot permanently destroy data. Many cloud storage solutions also offer attribute-based access control (ABAC), which lets you scope read, write, and delete permissions by attributes of the object or the request rather than only by role.
- Continuously check for misconfigurations and anomalies. Use automated tools to detect misconfigured storage and permissions settings, as well as anomalous file share access behavior.
Azure AD, Azure Storage Encryption, Microsoft 365 data classification, Azure Backup, and Azure Security Center are all Azure services that you can use to protect and secure your storage layer.
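The "continuously check for misconfigurations" item is easy to automate once you know which properties to look at. The following Python is an added example, not an Azure or Microsoft tool. The two account documents are constructed to resemble the JSON that `az storage account show` and `az storage account blob-service-properties show` return, trimmed to the properties the checks need; the check names, severities, and the decision to treat a missing `allowBlobPublicAccess` as "allowed" (the historic default) are assumptions of this example.

```python
"""Storage-account misconfiguration audit (added example, not an Azure tool).

The two account documents below are constructed to resemble the JSON that
`az storage account show` and `az storage account blob-service-properties show`
return; only the properties the checks need are included. Treating a missing
allowBlobPublicAccess as 'allowed' mirrors the historic default (assumption).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    message: str


def audit_storage_account(account: dict, blob_props: dict) -> list[Finding]:
    """Return one Finding per control that is missing or weakened."""
    findings: list[Finding] = []

    if account.get("allowBlobPublicAccess", True):
        findings.append(Finding("public-blob-access", "high",
                                "anonymous blob/container access is permitted; set allowBlobPublicAccess=false"))
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append(Finding("https-not-required", "high",
                                "plain HTTP is accepted; enable 'secure transfer required'"))
    tls = account.get("minimumTlsVersion", "TLS1_0")
    if tls != "TLS1_2":
        findings.append(Finding("weak-tls", "medium",
                                f"minimum TLS version is {tls}; require TLS1_2"))
    if account.get("networkRuleSet", {}).get("defaultAction", "Allow") == "Allow":
        findings.append(Finding("network-open", "medium",
                                "network default action is Allow; set Deny and add private endpoints or allowed ranges"))
    if not blob_props.get("deleteRetentionPolicy", {}).get("enabled", False):
        findings.append(Finding("no-soft-delete", "medium",
                                "blob soft delete is off; deleted or overwritten blobs cannot be recovered"))
    if not blob_props.get("isVersioningEnabled", False):
        findings.append(Finding("no-versioning", "low",
                                "blob versioning is off; earlier versions cannot be restored"))
    return findings


# Constructed: the state an account can end up in after a quick create
WIZARD_ACCOUNT = {
    "name": "stcontosodev",
    "allowBlobPublicAccess": True,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_0",
    "networkRuleSet": {"defaultAction": "Allow"},
}
WIZARD_BLOB_PROPS = {"deleteRetentionPolicy": {"enabled": False}, "isVersioningEnabled": False}

# Constructed: the same account after applying the checklist above
HARDENED_ACCOUNT = {
    "name": "stcontosodev",
    "allowBlobPublicAccess": False,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "networkRuleSet": {"defaultAction": "Deny",
                       "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}]},
}
HARDENED_BLOB_PROPS = {"deleteRetentionPolicy": {"enabled": True, "days": 30},
                       "isVersioningEnabled": True}


if __name__ == "__main__":
    for label, acct, props in [("wizard", WIZARD_ACCOUNT, WIZARD_BLOB_PROPS),
                               ("hardened", HARDENED_ACCOUNT, HARDENED_BLOB_PROPS)]:
        result = audit_storage_account(acct, props)
        print(f"{acct['name']} ({label}): {len(result)} finding(s)")
        for f in result:
            print(f"  [{f.severity}] {f.check}: {f.message}")
```

In practice you would feed this the real CLI output for every account in a subscription and fail the pipeline, or raise a ticket, on any high-severity finding; the defaults in the `get()` calls are what make an empty or partially populated document fail closed rather than open.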
4- Secure the network (perimeter)
As you probably know, the cloud lets you create services quickly and easily, and by design many of those services are exposed to the Internet when created. A virtual machine (VM) is an example: created with the default wizard, it is reachable from the Internet over RDP (Remote Desktop Protocol, Windows) or SSH (Secure Shell, Linux). This is done so that you can reach the VM to manage it, but attackers can reach it too. Attackers scan the cloud providers' IP ranges, which are publicly documented, and quickly find open RDP/SSH ports to brute-force or password-spray the VM.
Segmenting networks has long been a practice of secure network architecture, and it makes sense to continue this practice in the cloud. The days of perimeter-only defenses are a thing of the distant past, and one of the simplest and most effective ways to design a secure network is to apply segmentation. Good network segmentation can be an excellent foundation for a more comprehensive defense-in-depth strategy.
To protect the network, do the following:
- Use ExpressRoute or VPN (with failover). ExpressRoute provides a private connection that does not traverse the public Internet, with a site-to-site VPN as a backup path if the circuit fails. Note that ExpressRoute private peering is not encrypted by default: the traffic stays off the Internet, but if you need confidentiality on the link itself, add MACsec on the circuit or run IPsec over it.
- Use a jump host (bastion). Remove direct public access to management ports entirely and use a jump host (jump box) instead. In many cloud solutions, you can also enable a bastion feature that provides remote management only to users already authenticated to the portal. Azure Bastion does expose a public IP address, but that address cannot be used to connect directly to the resources in the virtual network (VNet) where it lives. Instead, remote sessions are brokered by Bastion and delivered over TLS (port 443) through the portal in a web browser, so the VMs themselves need neither a public IP nor an open RDP/SSH port.
- Use a firewall (or NSGs). Use a cloud-native firewall to control traffic centrally when possible; it offers a growing set of threat-detection and segmentation capabilities. Network Security Groups (NSGs) are the fundamental network control: applied to network interfaces or subnets, they filter traffic with prioritized allow and deny rules. An NSG does much of what a basic firewall does, so you need to decide how best to apply each. The biggest difference is that NSGs are decentralized, attached to each subnet or NIC, whereas a firewall is centrally managed. In many scenarios, centralizing traffic policy is wiser than maintaining many NSGs at scale, though NSGs remain the right tool for subnet-level segmentation.
Azure ExpressRoute, Azure Bastion, Azure Firewall, Network Security Groups (NSGs), and Azure Security Center are all Azure services that you can use to protect and secure your network layer.
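The difference between the wizard's default NSG and a bastion-only design is easiest to see by evaluating packets against both rule sets. The following Python is an added example, not Azure's data plane: it reproduces the evaluation order (lowest priority number first, first match wins) and the three default inbound rules Azure adds to every NSG, but the VNet range, the subnet layout, and the two custom rule sets are constructed, and the service tags are approximations of this example (`Internet` is anything outside RFC 1918 space; `AzureLoadBalancer` is the documented health-probe address 168.63.129.16).

```python
"""Inbound NSG rule evaluation (added example; not Azure's data plane).

Rules are dicts with the fields that matter for ordering and matching; the
lowest priority number wins and the first match decides. The three default
inbound rules are the ones Azure adds to every NSG. VNet range, subnet layout
and the rule sets are constructed. Service tags are approximated: 'Internet'
is anything outside RFC 1918 space and 'AzureLoadBalancer' is the documented
health-probe address 168.63.129.16 (both assumptions of this example).
"""
from __future__ import annotations

import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")

DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "dest": "VirtualNetwork", "dest_port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "source": "AzureLoadBalancer", "dest": "*", "dest_port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "dest": "*", "dest_port": "*"},
]

# What the create-VM wizard adds when you pick "Allow selected ports: RDP"
WIZARD_NSG = [
    {"name": "RDP", "priority": 300, "access": "Allow", "protocol": "Tcp",
     "source": "*", "dest": "*", "dest_port": "3389"},
]

# Management only from the bastion subnet (10.0.1.0/26), explicit deny from the Internet
HARDENED_NSG = [
    {"name": "AllowRdpSshFromBastion", "priority": 300, "access": "Allow", "protocol": "Tcp",
     "source": "10.0.1.0/26", "dest": "10.0.2.0/24", "dest_port": "22,3389"},
    {"name": "DenyMgmtFromInternet", "priority": 310, "access": "Deny", "protocol": "Tcp",
     "source": "Internet", "dest": "*", "dest_port": "22,3389"},
]


def _addr_match(spec: str, ip: str) -> bool:
    """Match a source/destination spec: '*', a service tag, or a CIDR."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return not any(addr in net for net in RFC1918)
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    """Match '*', a single port, a range 'lo-hi', or a comma-separated list."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(rules: list[dict], src_ip: str, dst_ip: str,
                     dst_port: int, protocol: str = "Tcp") -> tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not (_addr_match(rule["source"], src_ip) and _addr_match(rule["dest"], dst_ip)):
            continue
        if not _port_match(rule["dest_port"], dst_port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"   # unreachable: the default deny always matches


if __name__ == "__main__":
    for label, nsg in (("wizard", WIZARD_NSG), ("hardened", HARDENED_NSG)):
        for src in ("203.0.113.7", "10.0.1.5", "10.0.3.9"):
            print(label, src, "-> 10.0.2.4:3389", evaluate_inbound(nsg, src, "10.0.2.4", 3389))
```

One result deserves attention: in the hardened set, RDP from another host inside the VNet (10.0.3.9) is still allowed, by the default `AllowVnetInBound` rule. Segmenting within the VNet, which is the point of this section, needs an explicit deny at a lower priority number than 65000; the Internet-facing fix alone does not stop lateral movement.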
5- Secure your applications
As you probably know, web applications are accessed via public and private networks, and the back-end components that make up those applications exist on networks as well. Network and application security can face different threats that exploit different vulnerabilities, but the tools used to address the security of each need to work together.
A Web Application Firewall (WAF) is a security component that inspects inbound traffic to web applications at Layer 7 to detect and block attacks such as SQL injection and cross-site scripting. A WAF is not the same as a network firewall, which traditionally works at Layers 3 and 4 (addresses, protocols, and ports). Network firewalls usually have some application-layer capability, but it is not their primary purpose, and a network firewall alone will not secure your applications.
It is also important to understand that a WAF is not meant to be the only layer of defense against web application attacks. Application code, network connections, and databases all play a role in the security of an application, but no single part can assume the full burden of protecting the Confidentiality, Integrity, and Availability (CIA) of the application. Not every organization has the means to ensure applications are always completely free from vulnerability to exploit, so WAF exists as an extra layer of defense.
Azure Web Application Firewall (WAF), Azure Front Door, and Azure Security Center are all Azure services that can be used and integrated to secure your applications.
6- Protect your cloud services
After you’ve secured the network perimeter and enforced your policies, focus on the services themselves. Keep your code, infrastructure templates, and pipeline definitions in source control; restrict who can push to them and who can trigger builds and deployments; and deploy only from builds produced by that pipeline. This shrinks the attack surface of your code and limits how far a compromised workstation or credential can reach.
Additionally, practice continuous security. Enable diagnostic logging on your cloud resources and forward it to a security information and event management (SIEM) solution, where analytics rules turn patterns in the logs into incidents. Those incidents can trigger remediation workflows automatically in the form of playbooks (for example, disabling an account or isolating a VM).
With continuous security and compliance monitoring in place, your Security Operations Center (SOC) team is better prepared to catch both attackers and human error, which encourages a more defensive mindset across the organization. The goal is to find and close the hole before a bad actor does.
In this article, I covered the importance of securing the different pieces of the cloud stack and addressing their unique security threats for any cloud deployment. Then I reviewed six security best practices that can be used to deploy services and applications in any cloud. Each security best practice has its advantages and disadvantages and allows for security in different ways. It is important to leverage those security best practices at the start and then combine them with the cloud architectures to meet the needs and requirements of the application being deployed.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.