August 22, 2016 by Kenneth Fisher
In case you hadn’t noticed I’ve recently started looking at the cloud and what it entails. Well, one of those aspects (duh) is security. I’m not sure where I found this (probably someone tweeted it) but MS has put out a document on the subject (again duh) called Microsoft Cloud Security for Enterprise Architects. It’s nine pages long and full of both information and links to get more information. One of the more interesting bits (IMHO) was part four.
Customer responsibilities and roadmap
It gives you a map on how to manage your security as you move into the cloud. Note: one of the main points is that your on-premises security is just as important and has to be managed together with, and as part of, your cloud security.
Now if you are like me and want more than just dry reading they also provide a link to a Microsoft Virtual Academy training course called Security in a Cloud-Enabled World that follows this roadmap and provides more detail and guidance.
Here is my brief review of the outline:
Vision, Standards, Guidance
- Document – Document your processes, your policies, your protocols. Document everything and make sure it’s available when people need it.
- Balance security and usability – I’ve been saying for a while that security is a balancing game. Personally I’d add in maintainability to the juggling act.
- Embrace “Shadow IT” – Shadow IT is when a part of the business doesn’t want to use the existing IT structure for whatever reason. So they go off and hire their own developer, install their own servers etc. The idea here is to understand that it happens and try to figure out why your users feel like they need their own IT. Then try to work with them to bring their structure closer in line to the company IT. Particularly when it comes to security. I’m going to add backups here (even though it’s completely outside of the subject).
- Monitor – Create alerts, monitor them, and handle any true positives. I’ll also add that if you are getting so many false positives that you stop paying attention (“event storming”) then your alerts are actually acting against you.
- Make use of external resources – You’re moving into the cloud. There are a lot of resources available to you. Look into them and make use of them when reasonable.
- The cloud is constantly changing – Everything about the cloud is constantly changing. It’s like trying to hit a moving target. You need to be constantly reviewing the changes that are occurring and updating your processes to match.
- Assume Breach – I love this. Instead of assuming your external security will keep everyone out, assume it won’t. This does not say that you shouldn’t constantly be looking at and improving external security. What it does say is that someone, sometime, will get in. Make sure that once they get in they can’t get to anything important. Identify what’s important and add additional layers of security around it. Also isolate where possible. If a bad guy gets in then reduce the area they can actually reach from their point of entry.
Administrative Control: Defend against loss of control
- Least Privilege – Pretty common advice. If someone doesn’t actually need to be able to do something then they shouldn’t be able to.
- Harden security dependencies – The idea of security dependencies isn’t really clear to me but as I understand it this is saying make sure that no one is inheriting access that you aren’t expecting.
- Strong authentication – Use credentials secured by hardware and/or multi-factor authentication. These make it harder for stolen credentials to be used against you.
- Have dedicated admin accounts and hardware – The idea here is that when someone needs to act as an admin they should have a special account and/or special hardware to get that done. We do some of this at my office. Anyone who has administrative access (DBAs included) has two accounts. One with administrative access and one for daily use. I’ll probably log into my admin account 2-3 times a week for a specific task that I can’t do otherwise. It reduces risk of mistakes (for example) by quite a bit. It also means that if my daily use account is compromised no one has access to administrative permissions.
- Enforce stringent security standards – Well if you are going to have standards you might consider enforcing them. In the case of administrators those standards have to be much stronger. As a close personal friend of mine has said “With great power comes great responsibility.”
- Monitor admin accounts – You are probably doing a lot of monitoring anyway. Admin accounts in particular need heavier monitoring because of the range of trouble they can get into.
- Educate & empower admins – Knowledge is power. The more knowledgeable your admins are the better they understand how to protect you. Get them the knowledge and then give them the power to do their jobs.
Identify and protect your most important information assets
- Establish priorities – Obviously you want to spend more of your efforts on protecting the most important information. Therefore it’s important to figure out what data is the most important. In fact you probably want to have several levels. This is actually pretty similar to what you are going to do with a DR plan. If you know that a set of applications has to be brought up quickly in case of a disaster, that is probably, but not always, the same information you want to put your strongest protections around.
- Have minimum standards – It’s all well and good to say that some data is more valuable than the rest, but everything should be protected to some degree or another. What are your absolute minimum requirements for security?
- Establish user policy and education – Much like administrators, users play an important role in protecting the network & the data. Make sure they have the tools and knowledge they need to perform that task.
User identity and device security
Users are less powerful than administrators but also need to be secured. Devices are also a risk and require some work.
- As stated above, use credentials secured by hardware or multi-factor authentication.
- Manage your devices – Enforce modern security standards on your devices. For example regular (probably automated) security patching.
- Educate, empower and enlist users – Education has been mentioned a couple of times now. As has the idea that users are part of your security processes. They are either a big hole or a defense. Your choice.
- Monitor for abuse – Look for an account doing things it wouldn’t normally. Flag it. Alert it. Have someone (or multiple someones) watching for those alerts.
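One way to make “look for an account doing things it wouldn’t normally” concrete, as an added example that is not from this post or from the Microsoft document: build a per-account baseline of hosts, hours and actions from a set of constructed sample events, apply a stricter host rule to the dedicated admin accounts discussed earlier, and collapse repeated identical alerts so they don’t turn into the “event storming” mentioned under Monitor. All account names, hosts and events below are constructed.

```python
from collections import defaultdict

# Constructed sample events, not real logs: (account, source host, hour of day, action)
BASELINE = [
    ("alice", "WS-01", 9, "query"), ("alice", "WS-01", 10, "query"),
    ("alice", "WS-01", 14, "query"), ("alice", "WS-01", 16, "query"),
    ("alice-adm", "JUMP-01", 10, "alter_login"),   # dedicated admin account, admin host
    ("bob", "WS-07", 8, "query"), ("bob", "WS-07", 11, "query"),
]
TODAY = [
    ("alice", "WS-01", 10, "query"),          # normal for this account
    ("alice", "WS-09", 3, "query"),           # new host and unusual hour
    ("alice", "WS-09", 3, "query"),           # same event again: should be collapsed, not repeated
    ("alice-adm", "WS-01", 10, "alter_login"),# admin account used from a daily-use workstation
    ("bob", "WS-07", 11, "alter_login"),      # action this account has never performed
]
ADMIN_ACCOUNTS = {"alice-adm"}   # constructed: accounts that only exist for admin work
ADMIN_HOSTS = {"JUMP-01"}        # constructed: the hardware those accounts are meant to use

def build_baseline(events):
    """Per account: the hosts, hours and actions seen during the baseline window."""
    profile = defaultdict(lambda: {"host": set(), "hour": set(), "action": set()})
    for account, host, hour, action in events:
        profile[account]["host"].add(host)
        profile[account]["hour"].add(hour)
        profile[account]["action"].add(action)
    return profile

def find_anomalies(profile, events, admin_accounts, admin_hosts):
    """Flag anything an account has not done before; admin accounts also get a stricter host rule."""
    alerts = []
    for account, host, hour, action in events:
        seen = profile.get(account)
        if seen is None:
            alerts.append((account, "unknown account"))
            continue
        if host not in seen["host"]:
            alerts.append((account, f"new host {host}"))
        if hour not in seen["hour"]:
            alerts.append((account, f"unusual hour {hour:02d}:00"))
        if action not in seen["action"]:
            alerts.append((account, f"new action {action}"))
        if account in admin_accounts and host not in admin_hosts:
            alerts.append((account, f"admin use from non-admin host {host}"))
    return alerts

def collapse(alerts):
    """Report each distinct alert once with a count, so repeated noise does not bury the real ones."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert] += 1
    return [(account, reason, n) for (account, reason), n in counts.items()]
```

Running `collapse(find_anomalies(build_baseline(BASELINE), TODAY, ADMIN_ACCOUNTS, ADMIN_HOSTS))` turns seven raw hits into five distinct alerts, with the repeated off-hours sign-in reported once with a count of 2.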
In any environment each application brings its own security risks. This is still true in the cloud.
- Secure applications that you acquire – Security is an ongoing process anyway, but if you bring in new software and don’t make sure it’s secure you are putting yourself at risk. Review and secure everything as it comes in. Then maintain it of course.
- Discontinue software use before it goes out of support – Once software is out of support you aren’t getting any new security patches. That means that if/when a new vulnerability is learned you are more at risk. Over time this risk will continue to grow.
- Follow Security Development Life-cycle – This is another whole set of best practices for maintaining application security.
- Make sure your network security is ready for the cloud – Can your network transfer data to and from the cloud safely? Now is a good time to make sure you follow all of the best practices.
- Integrate cloud capabilities as needed – Again (there is a lot of repetitive information here) there are a lot of resources in the cloud. Add what is useful to you.
- Manage and monitor – Another case of repetition but still important. Monitor, alert and automate (the monitoring, the alerting, corrections where possible).
Operating system & middleware
- Apply normal security best practices to cloud VM servers & operating system.
Private Cloud or on-premise: Securing the foundation
Since no matter how much you put in the cloud you still have to have some on-premises hardware, software, security, etc. (you have to be able to connect to the cloud somehow, right?), you need to follow all the normal best practices to keep yourself secure.
- Physical network
- Fabric & datacenter identities
- Server and Device Firmware
- Physical operating systems and middleware
- Physical security
- Fabric management
- Virtualization solution
Wow that’s a lot of info. And that’s just scratching the surface. Be nice to the network/security person you talk to. Their job doesn’t sound easy.