We’re willing to assume that cloud security is important to your company, but proactively building and implementing a strategy to make it happen is often bypassed in favor of a more reactive and tactical approach to cloud security.
While companies spend a lot of time getting the right cloud technologies in place, it’s worth putting time and effort into cloud security too—regardless of whether you are in the cloud, operating in a hybrid environment, or in transition.
Developing an effective cloud security strategy all comes down to getting specific about your organization’s goals. It’s not enough to just say that you want to “secure data in the cloud.” That’s like saying you want to “get in shape.” It’s not specific, so it usually doesn’t lead to success.
An effective strategy requires getting clear on:
- Your company’s needs
- Your industry’s threat landscape
- The compliance regulations you’re required to uphold
The Threat Stack Cloud Security Playbook lays out a blueprint for defining your organization's goals. In particular, there are eight functions that your organization needs to define specific goals around when it comes to cloud security. Of course, the ones you ultimately focus on will depend on your industry, company size, compliance obligations, and the nature of your infrastructure, data, and customer base.
Each of these eight functions is defined below so you can determine how to apply them to your organization's specific cloud security goals.
1. Workload Security
The workload is the service, or, as we like to call it, the “source of truth”. Security at the workload layer provides insight into whether your environment has been compromised by insider threats, data loss, or zero-day attacks. Needless to say, this level of security is essential given the escalation in these types of threats nowadays. With workload security in place, you gain visibility into the users, processes, and activities happening deep within the workload.
2. Infrastructure Security
Just as your infrastructure encompasses many layers, so too should your approach to the security of that infrastructure. Specifically, companies should protect three critical layers:
- The security infrastructure (e.g. VPCs and security groups)
- The network infrastructure (e.g. subnets and routes)
- The data (e.g. S3 and Redshift)
With security embedded throughout these critical infrastructure layers, you can track changes to infrastructure in real-time, meaning you’ll always know if your configuration management has been tampered with or if an unauthorized system is launched or misconfigured.
3. Vulnerability Management
In a “trust but verify” world, vulnerability management is your friend. Vulnerability management systems monitor the security of your workload infrastructure, looking for vulnerable software, packages, or configurations. They can then aid in organizing workflows to run security updates, fix insecure configurations, and continuously identify common vulnerabilities and exposures (CVEs).
4. Threat Intelligence
Threat intelligence tells you when and where you’re at risk. It notifies you of malicious activity by monitoring for workload communications with active Advanced Persistent Threat command-and-control servers (a.k.a. the bad guys) so you can stop an attack before it proliferates. The moment workloads begin talking to known “bad hosts,” threat intelligence alerts you so you can kick your response process into action and get back to business unharmed.
5. Compliance Reporting
Most organizations need to maintain a certain level of reporting to ensure that compliance obligations and requirements are met. These reports capture historical records of activity in the cloud to ensure that data and infrastructure are protected. Effective compliance reporting includes such information as user access and activity, control effectiveness, file activity, alerts, and more.
6. Network Security
Having a layer of security across the network means you’re able to monitor communications across your organization’s cloud services, data, and workloads for unauthorized access, misuse, modification, or destruction. This includes the monitoring of SRCs, DST IPs, and ports, among other critical components. Effective monitoring and protection at this layer enables you to quickly identify and stop threats from entering or spreading on your network. This allows you to circumvent damage from an attacker before it gets a chance to wreak havoc.
7. Application Security
Application security is all about defending against attacks based on insecure application software or configurations. This is particularly important today considering that attacks on the application layer are growing by more than 25 percent annually. With application security in place, organizations have an opportunity to gain visibility into their software as it’s in development to verify that applications are being built and run securely.
8. Data Security
A lot of valuable data is increasingly being stored on the cloud—from sensitive customer data to payment data, and healthcare data to PII. By continuously monitoring these types of data across applications and systems on the cloud, you can know in real-time who is accessing it and if it’s at risk. This enables everything from better user access policies to upholding compliance requirements.
Defining Your Organization’s Goals
Equipped with knowledge about the key functions that comprise a comprehensive cloud security strategy, you can begin defining your organization's unique goals and requirements and map them to each of these functions. Here are a few examples:
- Meet HITECH Act requirements under HIPAA: (function: compliance; applies to: healthcare-related companies)
- Catch credit card fraud attempts (function: data security; applies to: e-commerce companies)
- Protect customers’ sensitive banking information (function: data security; applies to: financial companies)
Finally, keep in mind that fulfilling some of your goals will require you to integrate multiple security functions (especially when it comes to compliance).
To learn more about how to implement a successful cloud security strategy tailored to your organization’s unique needs, check out our Cloud Security Playbook.