Adopt a Cloud Security Maturity Model
What it takes to secure your cloud depends on who you ask, but one way is to make sure you can adequately gather, see, and investigate your data.
Moving to and scaling in the cloud — especially for those who came from on-premise environments — can not only be overwhelming, but confusing, too. With new services available to your organization, policies to adhere to, and users and systems to secure, where should you begin?
At Threat Stack, we use a Cloud Maturity Model as a starting point. Essentially, it lays out the stages and activities companies should follow to mature their cloud environment — but we believe security needs to play a bigger part. As such, the Threat Stack team agreed it was time to develop a Cloud Security Maturity Model to help companies understand, step by step, how to implement and scale security as they grow in the cloud.
What Is the Cloud Security Maturity Model?
Threat Stack's Cloud Security Maturity Model is important not only because it provides a clear path to security in the cloud (one that is not always easily defined otherwise) but also because:
- Security threats need to be taken seriously. Especially in the cloud, where there is no longer a defined perimeter and the attack surface is multiplied, attacks are more prevalent and pervasive. Companies can’t afford to wait until the next big vulnerability is announced to take action. As defenders, we must be proactive, and the best way to do so is to build security in from the very beginning.
- Your customers will require security sooner than you think. Even if you’re not beholden to regulations like PCI, HIPAA, or SOC 2, your customers will bring up many requirements to check their compliance boxes and to ensure that their data will be safe. Instead of waiting until they ask for it and scrambling to implement big changes to close a deal, anticipate their demands. If you’re storing credit card data, for example, make sure you are following PCI data security standards and any other relevant security best practices.
The model addresses three key areas, described below along with how you can meet each one. Use this framework to make sure that security is integrated into each stage of your cloud journey.
Step 1: Audit
The first step to security is being in-the-know. For cloud deployments, such as those in AWS, you first need to know whether your environment is configured correctly. Have users been given the right amount of access — no more, no less? Are workloads secure, even under a continuous deployment schedule? Is infrastructure patched against vulnerabilities and locked down from potential intrusions?
Without spending a great deal of time manually testing this yourself, it may seem difficult to determine whether the environment you’ve set up is truly as secure as it should be. And how can you then verify the security of it as you grow and scale?
You need a way to automatically audit your cloud environment to understand problem areas and how to fix them. This applies not only to companies newly transitioning to the cloud, but to ones that are well established, too. So how do you do this?
Configuration Auditing, a feature that Threat Stack now offers, helps ensure cloud configurations adhere to policy and industry best practices. Config Audit works by automatically auditing current environments and providing an immediate, concise report, so your teams can quickly identify areas to secure, both as you set up your cloud and as you scale on it.
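As an added example (not Threat Stack's Config Audit code), the following Python checks a single IAM policy document for the least-privilege question raised above: has a user been given more access than needed? The policy document is constructed for illustration, and the three checks are an assumed starting set, not the product's rules.

```python
import json

# Constructed sample IAM policy (not from the article). The second and third
# statements are deliberately over-broad so the audit has something to flag.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlyLogs", "Effect": "Allow",
     "Action": ["logs:GetLogEvents", "logs:DescribeLogStreams"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:app:*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "BucketWrite", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "*"}
  ]
}
""")

READ_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Treat the common read-style API name prefixes as non-mutating (assumption)."""
    return action.split(":", 1)[-1].startswith(READ_PREFIXES)


def audit_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that grant too much.

    Checks: full admin (Action * on Resource *), wildcard actions, and
    mutating actions granted on every resource.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        every_resource = "*" in resources
        if "*" in actions and every_resource:
            findings.append((sid, "full administrative access (Action * on Resource *)"))
        elif wildcard_actions:
            findings.append((sid, "wildcard actions: " + ", ".join(wildcard_actions)))
        elif every_resource and any(not _is_read_only(a) for a in actions):
            findings.append((sid, "mutating actions allowed on every resource"))
    return findings
```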
Step 2: Monitor
Once your environment has been audited and is set up to deliver configuration alerts, your security and operations teams need to begin monitoring users, processes, network connections, file access, and installed packages for known vulnerabilities. When anomalous activity occurs on any of these, that can indicate a threat — whether it be external or internal.
Monitoring gives you visibility into all of this activity, in real time. This becomes especially important as you add more users, deploy more code, and spin up new instances.
In the cloud, monitoring needs to be done at the host level (as opposed to on the network, as in on-premise deployments). With monitoring embedded deep within your environment, you gain insight into every piece of the puzzle, enabling you to spot anomalies before they cause damage.
This is a core functionality of Threat Stack’s Cloud Security Platform®. With our agent installed at the host level, it continuously monitors behavioral activity against a set of rules, and is able to spot malicious behavior accurately (read: fewer false positives), so you can target your response efforts and get on with your day without becoming a victim of alert fatigue.
Step 3: Investigate
While monitoring gives you the best security visibility, many security events require deeper investigations so you can fully understand where the threat is, what damage it has done, and what its end goal is. An informed response is the most effective response.
But without a dedicated security team to conduct investigations, this task can be a huge and overwhelming burden, especially if your ops and dev teams aren’t security pros (which, after all, is not their job). And even with a security team, the time it takes to manually review each event, recreate it, and then resolve it is not only expensive, but slows down time-to-response, often giving attackers enough leeway to accomplish their goals.
If your monitoring tool can conduct investigations for you, a lot of this work can be done automatically. Threat Stack, for example, packs each alert with context so you know the who, what, when, and where without having to do your own time-intensive research. There is also a built-in TTY timeline, which allows you to record events and play them back in real time to speed up your investigations and cut mean time to resolution (MTTR).
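To make Steps 2 and 3 concrete, here is an added example (not Threat Stack's agent or rule set) of host-level monitoring: a handful of constructed host events covering processes, file access, installed packages, and network connections are evaluated against a small set of assumed behavioral rules, and each match is turned into an alert that already carries the who, what, when, and where an investigator needs.

```python
# Constructed host events (not real agent output). Each records who did what,
# on which host, at what time, which is exactly the context an alert should carry.
EVENTS = [
    {"ts": "2019-03-04T10:02:11Z", "host": "web-1", "user": "www-data",
     "type": "exec", "exe": "/usr/sbin/nginx", "parent": "/sbin/init"},
    {"ts": "2019-03-04T10:05:40Z", "host": "web-1", "user": "www-data",
     "type": "exec", "exe": "/bin/sh", "parent": "/usr/sbin/nginx"},
    {"ts": "2019-03-04T10:06:02Z", "host": "web-1", "user": "deploy",
     "type": "file_open", "path": "/etc/shadow", "mode": "r"},
    {"ts": "2019-03-04T10:07:15Z", "host": "db-1", "user": "root",
     "type": "package", "action": "install", "name": "nmap"},
    {"ts": "2019-03-04T10:08:00Z", "host": "db-1", "user": "postgres",
     "type": "connect", "dst": "203.0.113.9", "port": 4444},
]

INTERNAL_NETS = ("10.", "192.168.", "172.16.")  # assumed private ranges

# Assumed rules: (name, severity, predicate). Each predicate checks the event
# type first so it never touches a field that type does not carry.
RULES = [
    ("shell spawned by web server", "high",
     lambda e: e["type"] == "exec" and e["exe"].endswith(("/sh", "/bash"))
     and "nginx" in e["parent"]),
    ("sensitive file read by non-root user", "high",
     lambda e: e["type"] == "file_open" and e["path"] == "/etc/shadow"
     and e["user"] != "root"),
    ("package installed outside deploy tooling", "medium",
     lambda e: e["type"] == "package" and e["action"] == "install"),
    ("outbound connection from database host", "medium",
     lambda e: e["type"] == "connect" and e["host"].startswith("db-")
     and not e["dst"].startswith(INTERNAL_NETS)),
]


def evaluate(events, rules=RULES):
    """Run every rule over every event; return alerts packed with who/what/when/where."""
    alerts = []
    for e in events:
        for name, severity, matches in rules:
            if matches(e):
                alerts.append({"rule": name, "severity": severity,
                               "who": e["user"], "where": e["host"], "when": e["ts"],
                               "what": {k: v for k, v in e.items()
                                        if k not in ("user", "host", "ts")}})
    return alerts


def by_host(alerts):
    """Group alerts per host so an investigator can replay one machine's timeline."""
    grouped = {}
    for a in sorted(alerts, key=lambda a: a["when"]):
        grouped.setdefault(a["where"], []).append(a)
    return grouped
```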
Securing Your Journey in the Cloud
Each organization matures differently in their use of the cloud depending on their use cases and goals. But no matter how new (or not) you are to the cloud, security visibility has to be built in as early as possible to ensure that you protect valuable data, intellectual property, and resources from attacks.
Published at DZone with permission of Tim Armstrong, DZone MVB. See the original article here.