Cloud Security (Part 2): Where to Get Started

Whether it's hardening your configuration management or just sitting down and training your team, check out the Threat Stack team's advice to keep your cloud safe.

by Pete Cheslock · Oct. 19, 16 · Opinion

Last week, we released part 1 of a two-part series on the low-hanging security best practices companies can implement to improve their security posture. Since security is no longer just the domain of the security experts, it’s important that everyone within your organization feel empowered to uphold security best practices regardless of their role.

This series is designed to give organizations a “starting point” on the security journey by identifying low-hanging fruit that can be picked off to gradually improve security. In part 1, we explained the four security tools and services we recommend getting started with, and in this post, we uncover the next set of recommendations, which can take you from level one to level two, so to speak.

The Next Four Security Practices All Companies Should Implement

5. Security Training

It won’t do you much good to implement security protocols such as two-factor authentication and email encryption if your employees don’t understand how or why to use them. Without proper training, employees may knowingly or unknowingly skirt the precautions you put in place.

To be sure that your team is fully informed on the why and how of each security practice they’re expected to uphold, we recommend organizing a team-wide security training session to review what you’ve put in place up to this point. Keep it fun, interactive, and positive, and make sure to convey that you’re all in this together.

After the first meeting, decide on an ongoing training schedule that’s right for your team (we recommend either monthly or quarterly). It can be as inviting as a 30-minute brown bag lunch talk, or as elaborate as a half-day session. Just be sure you’re respectful of your team’s time and provide them only with what they really need to know and do — not the full gamut.

A great topic to begin with is phishing, an all-too-common threat these days. Explain what phishing is, what an attack looks like, how the tools you have implemented (e.g., 2FA and encryption) can help, and how employees can help uphold their end of the security equation.

6. Hardening Configuration Management

It’s rare to walk into a modern operations team and not see configuration management (CM) systems such as Puppet, Chef, or Ansible driving the infrastructure. As we explained in an earlier post, CM software directly enables the DevOps concept of treating infrastructure as code. However, with the great power enabled by CM comes great responsibility.

Since the very nature of CM is to execute arbitrary code on infrastructure, you need ways to harden the systems to protect sensitive data. You can use tools like chef-vault, which encrypts sensitive data using public keys, or file integrity monitoring, which allows you to see when unauthorized services touch a secret on the disk. If you already implemented this as recommended in Part 1 of this series, kudos and one more box checked.

7. Ensure Safe Access to Production

Teams that practice continuous delivery and agile development commonly give developers access to production in order to ship updates, features, and new products faster. In a trust-but-verify world, you need to implement certain security measures to ensure that vulnerabilities don’t go out in the wild and that developers are behaving as they should.

To do this, you should be monitoring for events such as package installs and updates to ensure that only your CM system is managing your hosts. Tracking and monitoring the code that configures your systems is important to ensure that users are not manually installing packages on hosts and pulling in unknown security issues.

There are open source options such as OSSEC and auditd that do this if you have the time to configure and manage them. Better yet, a tool like Threat Stack can handle the configuration and ongoing monitoring for you. Either way, it’s critical to implement a system early on for monitoring activity across production servers, since this is arguably one of your most critical infrastructure levels.
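As an added illustration of the package-install monitoring described above (not code from the original article or from Threat Stack), this sketch reads auditd `SYSCALL` records and reports package-manager runs that trace back to a human login rather than to the CM system. The audit key `pkg_install`, the CM service account with login UID 998, and the sample records are assumptions constructed for the example.

```python
import re

# Assumption: audit rules tag package-manager executions with this key, e.g.
#   -w /usr/bin/apt-get -p x -k pkg_install
AUDIT_KEY = "pkg_install"
# auid (login UID) stays unset for daemons that never went through a login,
# which is how a locally running CM agent shows up.
UNSET_AUID = "4294967295"

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAMP = re.compile(r"audit\((\d+)\.\d+:(\d+)\)")

# Constructed sample records (trimmed to the fields used here).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1476880001.101:901): syscall=59 success=yes ppid=812 pid=2231 auid=4294967295 uid=0 tty=(none) comm="apt-get" exe="/usr/bin/apt-get" key="pkg_install"
type=SYSCALL msg=audit(1476883200.553:977): syscall=59 success=yes ppid=3110 pid=3124 auid=1001 uid=0 tty=pts0 comm="apt-get" exe="/usr/bin/apt-get" key="pkg_install"
type=SYSCALL msg=audit(1476883260.010:981): syscall=59 success=yes ppid=3110 pid=3130 auid=1001 uid=1001 tty=pts0 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1476886800.220:1040): syscall=59 success=yes ppid=4001 pid=4010 auid=998 uid=0 tty=(none) comm="dpkg" exe="/usr/bin/dpkg" key="pkg_install"
""".splitlines()

def parse(line):
    """Split one audit record into a field dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def manual_installs(lines, cm_auids=frozenset()):
    """Return package-manager executions attributable to a human login.

    cm_auids: login UIDs of CM service accounts (e.g. an SSH-based CM user).
    """
    findings = []
    for line in lines:
        rec = parse(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != AUDIT_KEY:
            continue
        auid = rec.get("auid", UNSET_AUID)
        if auid == UNSET_AUID or auid in cm_auids:
            continue  # started by a daemon or by the CM service account
        stamp = STAMP.search(rec.get("msg", ""))
        findings.append({
            "event": int(stamp.group(2)) if stamp else None,
            "auid": auid, "exe": rec.get("exe"), "tty": rec.get("tty"),
        })
    return findings

if __name__ == "__main__":
    for hit in manual_installs(SAMPLE_LOG, cm_auids={"998"}):
        print("manual package change:", hit)
```

An unset auid also covers cron jobs and other daemons, so this check isolates interactive users; it does not by itself prove that the CM agent was the caller.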

8. Security Alerting

You need a system to alert you the moment something anomalous is detected. Whether it’s an unusual login to production at 2 a.m. from an IP based in Russia, or a vulnerability that was unknowingly released into production, you need to know, and you need to know fast.

Threat Stack will alert your team the moment it detects anomalous behavior. Threat Stack also helps teams to customize the severity of security alerts, so that only high-severity alerts go to your on-call developers at night, while lower-severity alerts are left to be handled during business hours.

Bringing the Security Pieces Together

If you’ve been following the security practices we’ve recommended in this two-part series, you can start to see how security builds on itself. At this point, you need a way to keep track of your security measures and system activity through a single pane of glass, rather than having to log into a variety of individual tools to then piece the information together.

Published at DZone with permission of Pete Cheslock. See the original article here.

Opinions expressed by DZone contributors are their own.
