Did you know most successful cloud attacks are caused by customer’s own mistakes. How?
By taking explicit advantage of the built-in security capabilities and high levels of automation available from IaaS computing and network fabrics, enterprises can significantly reduce the chance of misconfiguration, mismanagement and mistakes. Doing so will reduce the surface area for attack and improve their overall cloud security posture. Cloud-based infrastructure and platform services can be more secure than those in the enterprise data center.
Best Practices to Secure Applications on Cloud
1. Overconcern About Data Location is Meaningless in Cloud Security
In order to implement the right controls, it is critical for the organization to understand its security responsibility based on the type of cloud deployment. The overconcern about data location is meaningless as data security responsibility is always owned by the organization, regardless of the type of cloud deployment, while the security responsibility of other components is variously shared depending on deployment type.
Organizations will need to implement security controls for data in the cloud, and those controls are likely different from those used on-premises, such as bring own encryption keys. By sharing some other security responsibilities with CSPs, organizations are able to focus on protecting their most core assets.
However, this incorrect focus on the physical data location sacrifices the benefits of cloud computing. CSPs can be more secure than private cloud and traditional data centers simply because of economies of scale.
2. Identify the Extent of Security Responsibilities with Cloud
Most organizations’ overfocus on data location is because they have difficulties architecting and implementing cloud security, and most cloud security failures are due to customer misconfiguration. This is not only due to the disappearance of assets’ physical boundaries, but also because organizations don’t know how to implement security with CSPs. However, cloud security is based on the shared responsibility concept and security responsibility varies depending on the type of cloud mode.
3. Establish Capabilities for Cloud Security
Cloud deployments vary depending on organizations’ needs. Cloud resources are characterized as shared concept, short-life cycle, automated and programmatic. Existing security expertise for protecting on-premises data centers is not applicable for securing all cloud resources. Check this eBook: How to use cloud IaaS more securely than a Data Center. Organizations need to establish the required cloud security capabilities.
Cloud Security Architect
Cloud Security Engineers
To adapt quickly to your organization’s security needs, its highly advisable to engage Certified Cloud Security specialists. You can engage certified partners who have on board the requisite consultative and execution capabilities on Cloud security.
4. Establish a Cloud Security Architecture
Organizations with existing processes and tools need to update their security architecture to take into account new deployment models such as SaaS, PaaS and IaaS. Follow and apply security architectures defined as standards in the industry. Few of them can be:
|Sherwood Applied Business Security Architecture (SABSA)||National Institute of Standards and Technology (NIST) Cybersecurity Framework||Cybersecurity mesh architecture (CSMA)|
Check this Infographic 2: 8 principles to secure Oracle EBS on OCI (Security)
5. Cloud Security Tool Group
Because of the shared cloud security responsibility and complexities in cloud offerings, customers require new groups of security tools to help them use the cloud securely. Cloud security vendors generally take a modular approach to provide services and consolidate capabilities into a portfolio.
|Cloud Access Security Brokers (CASBs)
CASBs provide crucial cloud governance controls for visibility, compliance, data security and threat protection by consolidating multiple types of security policy enforcement into one place for SaaS, IaaS and PaaS.
Examples: Authorization, user and entity behaviour analytics (UEBA), adaptive access control, data loss prevention (DLP), device profiling, object encryption, tokenization, logging, alerting and malware removal.
|Cloud Workload Protection Platforms (CWPPs)
CWPPs are workload-centric security offerings that protect server workloads in hybrid, multicloud data centers. CWPPs should provide consistent visibility and control for physical machines, virtual machines, containers and serverless workloads, regardless of location.
Use Case: CWPP offerings protect the workload using a combination of system integrity protection, application control, behavioural monitoring, intrusion prevention and optional anti-malware protection
|Cloud Security Posture Management (CSPM)
CSPM offerings continuously manage cloud security posture through prevention, detection, response and proactive identification of cloud infrastructure risk.
The core of CSPM offerings applies common frameworks, regulatory requirements, and enterprise policies to discover and assess risk/trust of cloud service configuration and security settings proactively and reactively. If an issue is identified, remediation options (automated or human-driven) are provided.
|Cloud-Native Application Protection Platforms (CNAAPs)
CNAPP is an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production.
Use Case: CNAPP consolidates a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlement management and runtime CWPPs.
|Emerging Tools Such as SaaS Security Posture Management (SSPM)
SaaS security posture management (SSPM) is a type of automated security tool for monitoring security risks in software-as-a-service (SaaS) applications. SSPM identifies misconfigurations, unnecessary user accounts, excessive user permissions, compliance risks, and other cloud security issues.
Cloud security posture management (CSPM) can bring broader visibility to cloud infrastructure and assets, help ensure consistent configuration management and establish a baseline of best practices for compliance mandates.
|SaaS Management Platforms (SMPS)
SaaS Management Platforms (SMP) enable SaaS Application daily operations including identifying SaaS applications, security management, IT operations, spend management, and vendor management.
Use Case: It reduces non-compliant SaaS Applications and unauthorized access, increases operational productivity through the use of workflow automation, & reduces cost by removing redundant applications and underutilized features.
Open-source tools are good options for cloud security, especially when there are no commercial tools available. They are not only cost-effective, but also provide flexibility and innovation. However, the use of open-source tools requires careful evaluation as it also brings risks.
|Security rating services for cybersecurity provide continuous, independent scoring and rating for enterprises with a visible presence on the internet. They gather data from public and private sources via non intrusive means, analyze the data, and rate security using proprietary scoring methodologies. These tools are used for internal security, cyber insurance underwriting, due diligence in mergers and acquisitions, and third-party/vendor cybersecurity assessments and monitoring.|
Advantages of Native Cloud Provider Security Tools
CSPs offer an ever-expanding range of native tools for enforcing security. Some are rudimentary, whereas others are approaching equivalency to enterprise-class vendor products:
- Taking a cloud-native-security-tool-first approach can be cost-effective and address many security requirements quickly and easily, due to existing control integration with the cloud service
- Native cloud security tools are easy to purchase and implement, it is important to evaluate them against use cases, capabilities and integration with existing on-premises security tools and processes
6. Evaluate Cloud Service Provider Risk
CSP risk is an unneglectable factor for cloud adoption regardless of the type of cloud deployment:
Tier 1 CSPs
Tier 2 CSPs
Tier 3 CSPs
|Most public cloud activity is within a small number of well-established, financially secure CSPs that have dominated the market for over five years (prominent examples include AWS and Microsoft, Oracle Cloud, Alibaba Cloud, Tencent Cloud, Huawei Cloud, e Cloud,)||A growing number of midsize providers and some large, name-brand software providers that lack a significant cloud-first track record represent the middle tier of vendor sophistication and reliability. Some Tier 2 providers are relatively immature in their security and operations, and they often lack third-party evaluations.||Most CSPs are such small providers that you cannot ever know how well-run they are. Tiny CSPs lack the resources to undergo a third-party evaluation, and they may have only a limited ability to fully answer a security questionnaire. You must assume they are not secure, both because it won’t be worth your time and effort to prove that they are and their relative financial fragility means that their status may change on short notice|
7. Take Advantage of Security Certifications
Several forms of third-party certification programs differ as to their level of rigor and areas of examination, a successfully completed evaluation provides a high level of evidence that a CSP is adequately controlling the security of its offering.
|International Organization for Standardization (ISO) 27001||Payment Card Industry (PCI) Data Security Standard (DSS)||Health Information Trust Alliance (HITRUST)|
|Health Insurance Portability and Accountability Act (HIPAA)||Health Information Technology for Economic and Clinical Health (HITECH)||Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)|
|System and Organization Control (SOC) 2||NIST Cybersecurity Framework (NIST CSF)||FedRAMP for the U.S. federal cloud|
|Trusted Cloud Certification||ISO 27001/27017/27018 Certification||ITSS Cloud Computing Service Capability Assessment|
|CSA STAR: The Security, Trust, Assurance and Risk (STAR) Registry||SOC 2 and SOC 3 Attestations||Cybersecurity Maturity Model Certification (CMMC)|
Our experts are certified on Oracle, AWS & Microsoft cloud to implement Multi-cloud strategies. We have delivered several first-time right cloud deployments and have also ensured we deliver projects much within the committed SLAs with minimum to no disruption to your business.
With serving 1600 Enterprise customers for their critical ERP applications, ITC is one of the 7 certified CSPE partners with expertise to consult, build, architect, operate and manage critical applications: all under one contract, with Gartner Recognition 10 years in a row.