6 Security Best Practices For Cloud Deployment - CHARBEL NEMNOM - MVP | MCT | CCSP | CISM - Cloud & CyberSecurity

6 Security Best Practices for Cloud Deployment


With sophisticated supply-chain attacks like Solorigate (the SolarWinds compromise), it is essential to have a strong understanding of how to properly segment, secure, and monitor your cloud estate. Cloud Service Providers offer hundreds of different cloud computing solutions that allow organizations to innovate quickly, improve the digital experience for customers and employees, and avoid large capital outlays for data centers and hardware.

While cloud computing offers amazing benefits, it also introduces risks that security and IT teams must properly manage. In this article, we will cover the security best practices for cloud deployment that organizations should adopt to protect and monitor their workloads.

6 Security Best Practices

For enterprises that use the cloud, the key to being protected starts with understanding the different layers that make up the components of the cloud stack.

These different layers (Figure 1) – Services, Identity, Application, Network, Compute, and Storage – create multiple potential targets for attack. Each layer represents a piece of the cloud environment that can be secured against potential threats. By focusing on the different pieces of the cloud stack and addressing their unique security threats, your cloud environment will be far more resistant to cybersecurity threats.

Figure 1: The cloud stack layers (Services, Identity, Application, Network, Compute, and Storage)

In this article, we will share six best practices that will help you to secure all layers of your cloud stack. We will also refer to the corresponding cloud service that you can use based on Microsoft Azure; however, the same applies whether you are using Google GCP, Amazon AWS, or Alibaba (the name of the service will be different).

1) Locking down your identity management

Identity and access management (IAM) determines which parts of the cloud stack you and your users can reach and what you can do once there. In the cloud, identity is the real perimeter: if an attacker can sign in with any of your credentials, every network or host control sitting behind that identity is bypassed.

To protect and lock down your identity management, do the following:

  • Require strong passwords and enforce a custom banned-password list. Prefer the longest passphrase the system allows; length does more than forced complexity rules, which mostly push users toward predictable patterns such as a capital first letter and a trailing digit.
  • Implement Multi-Factor Authentication (MFA). Having a strong password is not enough these days. You need multiple layers of protection. Using a second validation or authentication method provides another layer of protection for your user login.
  • Create least-privileged roles. Grant users only the access to the accounts and systems they need to do their job, and nothing more. This limits the damage that can be done if a mistake is made or a bad actor gets hold of the account.
  • Disable inactive accounts. When employees leave your organization, disable their access to all systems and disable their access keys immediately. Inactive accounts leave more endpoints vulnerable, and account activity is not usually monitored the same as active ones.
  • Monitor for suspicious user behavior or compromised credentials. Use real-time monitoring that leverages machine learning and analytics to identify suspicious activity and possibly compromised account credentials.

Microsoft Entra ID is Microsoft’s cloud-based identity and access management service, which helps your employees sign in and access resources.

Managing security can be difficult with common identity-related attacks like password spray, replay, and phishing becoming more popular. Security defaults in Entra ID make it easier to help protect your organization from these attacks with pre-configured security settings:

  • Requiring all users to register for Entra ID Multi-Factor Authentication.
  • Requiring administrators to perform multi-factor authentication.
  • Blocking legacy authentication protocols.
  • Requiring users to perform multi-factor authentication when necessary.
  • Protecting privileged activities like access to the Azure Portal.

Related: How to Safely Disable Security Defaults in Microsoft Entra ID.

By ingesting Microsoft Entra ID sign-in and audit logs into Microsoft Sentinel, you can apply analytics rules and machine learning to identify suspicious activity and possibly compromised account credentials.

2) Secure the compute layer

You must secure the compute layer to ensure the availability of systems and data, and to keep bad actors from hijacking your computing power (for cryptocurrency mining, for example) or using a compromised host as a foothold to spread malware across your entire business and the Internet.

To secure your compute layer, do the following:

  • Harden the Operating System (OS). Remove unnecessary programs and disable services that only serve to broaden your attack surface. Stay current on service packs and patches. Patching cannot protect you from a true zero-day, but it removes the known vulnerabilities that the large majority of real attacks actually use.
  • Continuously check for misconfigurations and vulnerabilities. Use automated tools (vulnerability scan) to detect changes across the environment, as well as anomalous (entity) behavior.
  • Securely manage remote connectivity. Issue per-user Secure Shell (SSH) keys and disable password logins on the daemon, and lock down Remote Desktop Protocol (RDP) with just-in-time (JIT) VM access so the port is only open for an approved user, from an approved source, for a limited time. This keeps your assets protected when administrators connect across untrusted networks.
  • Implement inbound and outbound firewall rules. Set definitive rules about what, how much, and who can send, receive, and access both inbound and outbound data. Many organizations are reluctant to set up outbound rules, but because attackers will attempt to exfiltrate (steal) your sensitive data and intellectual property, it’s important to ensure you have outbound rules that are explicitly defined.
  • Use only trusted images. Build your own images (containers and virtual machines) from scratch or get them from a very trusted source like Microsoft Azure, Google GCP, or Amazon AWS. Don’t use random images from the Internet and user communities.

Azure Bastion, Network Security Groups (NSGs), Microsoft Defender for Cloud, Microsoft Sentinel, Azure Firewall, and Azure Update Manager are all Azure services that you can use to protect and secure your compute layer.
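An added example (not code from the article) for the remote-connectivity bullet above: a small audit of an sshd_config fragment against a key-only baseline, with a weak configuration beside a hardened one. Both configurations are constructed, the baseline values are my own rather than a vendor benchmark, and the daemon defaults are those of OpenSSH 7.0 and later; the parser follows sshd's rule that the first value seen for a directive wins, and it stops at a Match block (a simplification, since directives after Match are conditional).

```python
"""Audit an sshd_config fragment against a key-only baseline (added example)."""

# sshd's own defaults for directives that are absent (OpenSSH 7.0+), so an
# unset directive is judged by what the daemon will actually do.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}

# Directive -> (required value, why). KbdInteractiveAuthentication must be
# off as well: with it on, PAM can still prompt for a password even when
# PasswordAuthentication is "no".
BASELINE = {
    "permitrootlogin": ("no", "log in as a named user and elevate"),
    "passwordauthentication": ("no", "keys only; sprays and reuse no longer apply"),
    "kbdinteractiveauthentication": ("no", "closes the PAM password path"),
    "pubkeyauthentication": ("yes", "key-based login must stay enabled"),
    "x11forwarding": ("no", "not needed on a server; widens the attack surface"),
}

WEAK_SSHD = """\
# constructed: an image that still allows password and root logins
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
"""

HARDENED_SSHD = """\
# constructed: keys only, no root, PAM password path closed
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Minimal sshd_config parser: comments stripped, 'key value' or
    'key=value', first occurrence of a directive wins, parsing stops at the
    first Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        # ChallengeResponseAuthentication is the old name of the same switch.
        if key == "challengeresponseauthentication":
            key = "kbdinteractiveauthentication"
        opts.setdefault(key, value)
    return opts


def audit_sshd(text):
    """Return [(directive, effective value, required value)] for every
    baseline directive the configuration fails."""
    opts = parse_sshd_config(text)
    findings = []
    for key, (want, _why) in BASELINE.items():
        got = opts.get(key, SSHD_DEFAULTS[key]).lower()
        if got != want:
            findings.append((key, got, want))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(name, audit_sshd(cfg) or "OK")
```

Note that the weak configuration never mentions KbdInteractiveAuthentication at all and is still flagged for it, because the daemon default is yes; an audit that only greps for directives present in the file misses exactly this case.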

3) Secure the cloud storage

Data is the most important asset to your organization, right? So you want to be sure to protect your precious information. If attackers get access to your storage layer, they can potentially delete or expose entire buckets or blobs of data.

To secure your cloud storage, do the following:

  • Manage data access. Identity and access management (IAM) policies and access control lists (ACLs) let you centralize control of permissions to your storage. Security policies allow or deny permissions by account, user, or role, or based on conditions such as date and time, source IP address, or whether the request arrived over a TLS-encrypted (HTTPS) session.
  • Classify data. Automatically classify data to ensure you know what type of data is stored and where it’s stored. Data classification policies should be matched to the security policies of your organization, and any violations should be flagged or automatically remediated.
  • Encrypt your data. Data must be encrypted both in transit and at rest. Please note that the metadata is often not encrypted, so be sure not to store sensitive information in your cloud storage metadata.
  • Enable versioning and logging. Versioning allows you to preserve, retrieve, and restore data if something goes wrong. With versioning turned on, you can always restore from an older version of the data if a threat or application failure causes a loss of data. Additionally, you should maintain access logs that provide an audit trail in case someone or something gets into your system.
  • Restrict delete rights (enforce ABAC). Define roles in your cloud infrastructure that do not include permission to delete data. Many cloud storage solutions also offer Attribute-Based Access Control (ABAC), in Azure implemented as conditions on role assignments, which gives you more granular control over who can read, write, and delete which data. Pair this with soft delete, versioning, and, for data that must never change, immutability (WORM) policies and resource locks, so that a stolen credential cannot destroy the last copy.
  • Continuously check for misconfigurations and anomalies. Use automated tools to detect misconfigured storage and permissions settings, as well as anomalous file share access behavior.

Microsoft Entra ID, Azure Storage Encryption, Microsoft 365 data classification, Azure Backup, and Microsoft Defender for Cloud are all Azure services that you can use to protect and secure your storage layer.
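The storage bullets above, turned into an added example (not the article's code) of the "continuously check for misconfigurations" point: a checker that reads an Azure storage account description and reports the weak settings beside a hardened version of the same account. The two account objects are constructed; the property names follow the Microsoft.Storage/storageAccounts ARM resource (allowBlobPublicAccess, supportsHttpsTrafficOnly, minimumTlsVersion, allowSharedKeyAccess, publicNetworkAccess, networkAcls.defaultAction) and its blobServices child (deleteRetentionPolicy, isVersioningEnabled); the finding identifiers and the combined dict layout are my own.

```python
"""Storage account misconfiguration checks (added example)."""

WEAK_ACCOUNT = {
    "name": "stweak001",   # constructed
    "properties": {
        "allowBlobPublicAccess": True,
        "supportsHttpsTrafficOnly": False,
        "minimumTlsVersion": "TLS1_0",
        "allowSharedKeyAccess": True,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow"},
    },
    "blobServices": {
        "deleteRetentionPolicy": {"enabled": False},
        "isVersioningEnabled": False,
    },
}

HARDENED_ACCOUNT = {
    "name": "sthardened001",   # constructed
    "properties": {
        "allowBlobPublicAccess": False,
        "supportsHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "allowSharedKeyAccess": False,              # Entra ID (RBAC) auth only
        "publicNetworkAccess": "Enabled",           # reachable, but...
        "networkAcls": {"defaultAction": "Deny"},   # ...only from listed networks
    },
    "blobServices": {
        "deleteRetentionPolicy": {"enabled": True, "days": 30},
        "isVersioningEnabled": True,
    },
}


def check_storage_account(account):
    """Return a list of (finding_id, explanation). Missing properties are
    treated the way the platform treats them when unset: anonymous access
    and shared-key auth allowed, TLS 1.0 floor, network default action
    Allow, soft delete and versioning off."""
    p = account.get("properties", {})
    blob = account.get("blobServices", {})
    findings = []

    if p.get("allowBlobPublicAccess", True):
        findings.append(("anonymous-blob-access",
                         "containers can be made readable without any credential"))
    if not p.get("supportsHttpsTrafficOnly", False):
        findings.append(("plaintext-transport", "HTTP is accepted; require HTTPS"))
    if p.get("minimumTlsVersion", "TLS1_0") in ("TLS1_0", "TLS1_1"):
        findings.append(("weak-tls-floor", "raise minimumTlsVersion to TLS1_2"))
    if p.get("allowSharedKeyAccess", True):
        findings.append(("shared-key-auth",
                         "account keys bypass RBAC and ABAC conditions; prefer Entra ID auth"))
    if (p.get("publicNetworkAccess", "Enabled") == "Enabled"
            and p.get("networkAcls", {}).get("defaultAction", "Allow") == "Allow"):
        findings.append(("open-network", "reachable from any IP; set defaultAction to Deny"))
    if not blob.get("deleteRetentionPolicy", {}).get("enabled", False):
        findings.append(("no-soft-delete", "deleted blobs cannot be recovered"))
    if not blob.get("isVersioningEnabled", False):
        findings.append(("no-versioning", "overwritten blobs cannot be restored"))
    return findings


def is_compliant(account):
    return not check_storage_account(account)


if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"], check_storage_account(acct) or "OK")
```

The defaults in the checker are the important design choice: an account description with a property missing is reported as weak, not skipped, because a scanner that assumes "unset means fine" is how public containers survive audits.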

4) Secure the network (perimeter)

As you probably know, the cloud allows you to create services quickly and easily, and by design, those services are exposed to the internet when created. An example is a virtual machine (VM)—when you create one, it’s exposed to the internet via RDP (Remote Desktop Protocol for Windows) or SSH (Secure Shell for Linux) using the default wizard. This is done so that you can then access the VM to manage it, but attackers can access it, too. Attackers scan all Cloud Service Providers’ IP ranges, which are publicly documented, and can quickly find open RDP/SSH ports to brute-force attack the VM.

Segmenting networks has long been a practice of secure network architecture, and it makes sense to continue this practice in the cloud. The days of perimeter-only defenses are a thing of the distant past, and one of the simplest and most effective ways to design a secure network is to apply segmentation. Good network segmentation can be an excellent foundation for a more comprehensive defense-in-depth strategy.

To protect the network, do the following:

  • Use ExpressRoute or VPN (with failover). ExpressRoute gives you a private connection from on-premises that does not traverse the public internet, with a site-to-site VPN as the backup path if the circuit fails. Note that private does not mean encrypted: ExpressRoute private peering carries traffic in the clear unless you add MACsec on the physical link or run IPsec (VPN) over the circuit, so encrypt sensitive flows at the tunnel or application layer rather than assuming the circuit does it for you.
  • Use a jump host (bastion). Remove direct public access to management ports entirely and route administration through a jump host (jump box) instead. In many cloud solutions, you can also enable a Bastion feature that provides a remote management experience available only through an authenticated portal session. Bastion does expose a public IP address, but that address cannot be used to connect directly to the resources in the Virtual Network (VNet) where it lives; all remote access goes through a web browser via the portal.
  • Use a firewall (or NSGs). Use a cloud-native firewall to centrally control traffic when possible; it has a growing set of capabilities for threat detection and network segmentation. Network Security Groups (NSGs) are the fundamental network control, applied to network interfaces or subnets, that enforce access control rules on network traffic. The basic function of an NSG is similar to that of a firewall, so decide deliberately how to apply each. There are several differences between the two, but the biggest is that NSGs are decentralized (one rule set per subnet or NIC), whereas a firewall is centrally managed. In many scenarios, it is wiser to centralize traffic management than to maintain many NSGs at scale.

Azure ExpressRoute, Azure Bastion, Azure Firewall, Network Security Groups (NSGs), and Microsoft Defender for Cloud are all Azure services that you can use to protect and secure your network layer.
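An added example, not code from the article, covering both the compute section's "inbound firewall rules" bullet and the network bullets above: an evaluator that applies inbound NSG rules the way the platform does (ascending priority, first match wins, then the three default inbound rules at 65000, 65001 and 65500), run against the wizard's default "allow RDP from anywhere" rule and against a hardened rule set that admits management ports only from the Bastion subnet. The rule sets, the VNet range 10.0.0.0/16 and the AzureBastionSubnet range are constructed; simplifications of my own are that only source address and destination port are matched (protocol and source port are ignored) and that the Internet service tag means any address outside the VNet space.

```python
"""Inbound NSG rule evaluation (added example)."""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")      # assumed VNet address space
BASTION_SUBNET = "10.0.255.0/26"                # assumed AzureBastionSubnet
MANAGEMENT_PORTS = (22, 3389, 5985, 5986)       # SSH, RDP, WinRM

# Default inbound rules every NSG carries (priorities 65000-65500).
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "source": "VirtualNetwork", "destPort": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "source": "AzureLoadBalancer", "destPort": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "source": "*", "destPort": "*"},
]

# What the portal wizard adds when you pick "Allow selected ports: RDP".
WIZARD_RULES = [
    {"name": "RDP", "priority": 300, "access": "Allow",
     "source": "*", "destPort": "3389"},
]

# Management ports only from the Bastion subnet. Everything else, including
# other VMs in the VNet (which AllowVnetInBound would otherwise let through),
# is denied explicitly instead of relying on the 65500 catch-all.
HARDENED_RULES = [
    {"name": "AllowBastionMgmt", "priority": 300, "access": "Allow",
     "source": BASTION_SUBNET, "destPort": "22,3389"},
    {"name": "DenyMgmtFromAnywhere", "priority": 310, "access": "Deny",
     "source": "*", "destPort": "22,3389,5985-5986"},
]


def source_matches(rule_source, src_ip):
    """Match a rule's source (service tag, CIDR or '*') against an address."""
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "Internet":          # simplification: anything outside the VNet
        return ip not in VNET
    if rule_source == "AzureLoadBalancer":  # documented health-probe address
        return src_ip == "168.63.129.16"
    return ip in ipaddress.ip_network(rule_source, strict=False)


def port_matches(rule_ports, port):
    """Match '*', a list '22,3389' or ranges '5985-5986'."""
    if rule_ports == "*":
        return True
    for part in rule_ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_inbound(rules, src_ip, dest_port):
    """Return (access, rule name) of the first matching rule by priority."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if source_matches(rule["source"], src_ip) and port_matches(rule["destPort"], dest_port):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"   # unreachable: priority 65500 always matches


def exposed_management_ports(rules, probe_ip="198.51.100.23"):
    """Management ports an arbitrary Internet address (constructed) can reach."""
    return [p for p in MANAGEMENT_PORTS
            if evaluate_inbound(rules, probe_ip, p)[0] == "Allow"]


if __name__ == "__main__":
    print("wizard NSG exposes:", exposed_management_ports(WIZARD_RULES))
    print("hardened NSG exposes:", exposed_management_ports(HARDENED_RULES))
    print("east-west RDP, hardened:", evaluate_inbound(HARDENED_RULES, "10.0.1.7", 3389))
```

The explicit deny at priority 310 is the part most people leave out: without it, a VM in the same VNet still reaches port 3389 through AllowVnetInBound at 65000, which is exactly the lateral movement that segmentation is meant to stop.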

5) Secure your applications

As you probably know, web applications are accessed via public and private networks, and the back-end components that make up those applications exist on networks as well. Network and application security can face different threats that exploit different vulnerabilities, but the tools used to address the security of each need to work together.

A Web Application Firewall (WAF) is a security component that inspects inbound traffic to web applications at Layer 7 (HTTP) to detect and block attacks such as SQL injection and cross-site scripting. A WAF is not the same thing as a network firewall, which traditionally filters at Layers 3 and 4 (addresses, ports, and protocols). Network firewalls usually have some application-layer capabilities too, but that is not what they are built for, and relying on them alone will not secure your applications.

It is also important to understand that a WAF is not meant to be the only layer of defense against web application attacks. Application code, network connections, and databases all play a role in the security of an application, but no single part can carry the full burden of protecting the Confidentiality, Integrity, and Availability (CIA) of the application. Not every organization has the means to ensure applications are always completely free of exploitable vulnerabilities, so a WAF exists as an extra layer of defense, not as a substitute for fixing the code.

Azure Web Application Firewall (WAF), Azure Front Door, and Microsoft Defender for Cloud are all Azure services that can be used and integrated to secure your applications.

6) Protect your cloud services

After you’ve secured the network perimeter and enforced your policies, you need to focus on security specifically for the services you run in the cloud. Keep application code and infrastructure definitions in source control, with protected branches, reviewed changes, and access to build and deployment pipelines restricted to the identities that need it. A single controlled path from commit to deployment shrinks the attack surface of your code and limits how far a compromise can spread across your environment.

Additionally, you need to practice continuous security. By enabling diagnostic logging on your cloud resources, you can feed a security information and event management (SIEM) solution, whose analytics rules turn matching events into incidents. Those incidents can be configured to trigger remediation workflows automatically through playbooks (automation workflows).

By understanding the need for continuous security and compliance monitoring, your Security Operations Center (SOC) team will be better prepared to protect against attackers and human error, which encourages a more defensive mindset within your organization. In so doing, you create the conditions to stop attacks before bad actors can find a hole.

Microsoft Sentinel, Microsoft Defender for Cloud, and Network Watcher are all Azure services that you can use to continuously monitor your environment and make sure it stays secure.

Improve Log Monitoring in the Cloud

As organizations transition more of their infrastructure and services to the cloud, the importance of robust log monitoring becomes increasingly evident. Effective log monitoring provides insights into system activities, helps detect anomalies, and plays a crucial role in incident response and threat detection.

Here are some key strategies to enhance log monitoring in the cloud:

1) Centralize Log Collection: Cloud environments often consist of numerous services and resources distributed across different regions. Centralizing log collection allows for easier management, analysis, and correlation of logs from various sources.

2) Implement Real-Time Monitoring: Real-time monitoring enables swift detection of security incidents and suspicious activities as they occur. Leveraging tools and services that offer real-time log streaming and analysis can significantly reduce response times to potential threats.

3) Use Cloud-Native Monitoring Solutions: Cloud service providers offer a range of native monitoring solutions tailored to their platforms. These solutions often provide deep integration with cloud services, offering enhanced visibility and control over the entire cloud infrastructure.

4) Utilize Threat Intelligence: Incorporating threat intelligence feeds into log monitoring systems enriches log data with information about known threats and malicious actors. This proactive approach helps identify and mitigate potential security risks before they escalate.

5) Employ Machine Learning and Analytics: Machine learning algorithms and advanced analytics can identify patterns, anomalies, and potential security breaches within log data. By leveraging these technologies, organizations can automate threat detection and response processes, augmenting their security posture.

6) Implement Log Retention Policies: Establishing log retention policies ensures that essential log data is retained for compliance, auditing, and forensic purposes. Define retention periods based on regulatory requirements and organizational needs to maintain a comprehensive log history.

7) Regularly Review Log Configuration: Review and update log configurations to ensure they align with evolving security policies, compliance standards, and best practices. This includes adjusting log levels, enabling relevant log sources, and refining alert thresholds.

8) Perform Log Analysis and Correlation: Conduct regular log analysis and correlation to identify trends, recurring patterns, and potential security incidents. Correlating logs from different sources can uncover complex attack scenarios and provide a holistic view of the security landscape.

By implementing these strategies, organizations can strengthen their log monitoring capabilities and enhance their overall security posture in the cloud. Effective log monitoring facilitates proactive threat detection and response and enables continuous improvement of security practices in dynamic cloud environments.
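The cross-source correlation described in strategy 8 (and the analytics-rule-to-incident flow in the cloud services section), shown as an added example that is not part of the original article: a rule that fires when a risky interactive sign-in is followed within a window by a privileged control-plane operation from the same principal. The records are constructed to resemble rows of the Microsoft Sentinel SigninLogs table (RiskLevelDuringSignIn, ResultType, UserPrincipalName, IPAddress) and AzureActivity table (Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue); the set of privileged operations, the window, the contoso.example accounts and the incident layout are my own assumptions.

```python
"""Risky sign-in followed by a privileged operation (added example)."""
from datetime import datetime, timedelta

# Control-plane operations worth correlating (AzureActivity OperationNameValue).
PRIVILEGED_OPS = {
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
    "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
}

SIGNINS = [  # constructed
    {"TimeGenerated": "2024-03-01T10:00:00", "UserPrincipalName": "mallory@contoso.example",
     "IPAddress": "203.0.113.44", "ResultType": "0", "RiskLevelDuringSignIn": "high"},
    {"TimeGenerated": "2024-03-01T10:20:00", "UserPrincipalName": "ops@contoso.example",
     "IPAddress": "198.51.100.7", "ResultType": "0", "RiskLevelDuringSignIn": "none"},
    {"TimeGenerated": "2024-03-01T10:25:00", "UserPrincipalName": "trent@contoso.example",
     "IPAddress": "203.0.113.9", "ResultType": "50126", "RiskLevelDuringSignIn": "high"},
]

ACTIVITY = [  # constructed
    {"TimeGenerated": "2024-03-01T10:12:00", "Caller": "mallory@contoso.example",
     "CallerIpAddress": "203.0.113.44",
     "OperationNameValue": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "ActivityStatusValue": "Success"},
    {"TimeGenerated": "2024-03-01T10:13:00", "Caller": "mallory@contoso.example",
     "CallerIpAddress": "203.0.113.44",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ",
     "ActivityStatusValue": "Success"},      # not privileged
    {"TimeGenerated": "2024-03-01T10:30:00", "Caller": "ops@contoso.example",
     "CallerIpAddress": "198.51.100.7",
     "OperationNameValue": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "ActivityStatusValue": "Success"},      # privileged, but the sign-in was not risky
    {"TimeGenerated": "2024-03-01T13:00:00", "Caller": "mallory@contoso.example",
     "CallerIpAddress": "203.0.113.44",
     "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
     "ActivityStatusValue": "Success"},      # outside the one-hour window
]


def _ts(record):
    return datetime.fromisoformat(record["TimeGenerated"])


def correlate_risky_signin_then_privileged_op(signins, activity, window_hours=1):
    """One incident per user: a successful medium/high-risk sign-in followed
    within `window_hours` by one or more successful privileged operations.
    Failed risky sign-ins are ignored; they never got in."""
    window = timedelta(hours=window_hours)
    incidents = {}
    risky = [s for s in signins
             if s["ResultType"] == "0"
             and s["RiskLevelDuringSignIn"] in ("medium", "high")]
    for s in risky:
        user, t0 = s["UserPrincipalName"].lower(), _ts(s)
        for a in activity:
            if (a["Caller"].lower() == user
                    and a["ActivityStatusValue"] == "Success"
                    and a["OperationNameValue"].upper() in PRIVILEGED_OPS
                    and timedelta(0) <= _ts(a) - t0 <= window):
                inc = incidents.setdefault(user, {
                    "user": user, "signin_ip": s["IPAddress"],
                    "risk": s["RiskLevelDuringSignIn"], "operations": []})
                inc["operations"].append(
                    (a["TimeGenerated"], a["OperationNameValue"], a["CallerIpAddress"]))
    return list(incidents.values())


if __name__ == "__main__":
    for inc in correlate_risky_signin_then_privileged_op(SIGNINS, ACTIVITY):
        print(inc)
```

Neither table alone produces a useful alert here: risky sign-ins are common enough to be noisy, and role-assignment writes are routine for administrators. Joining them on the principal and a tight time window is what lifts the mallory event above the noise while leaving the ops@contoso.example change alone, and it only works because both logs were centralized into the same workspace (strategy 1).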

In Summary

In this article, we covered the importance of securing the different pieces of the cloud stack and addressing their unique security threats for any cloud deployment. Then we reviewed six security best practices that can be used to deploy services and applications in any cloud.

Each security best practice has its advantages and disadvantages and allows for security in different ways. It is important to leverage those security best practices at the start and then combine them with the cloud architectures to meet the needs and requirements of the application being deployed.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author:
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.
