Articles & E-Books

 

How to improve the security of your cloud environment

May 12, 2020

So many companies have already moved to the cloud or are using cloud-based services to supplement their network environments. But what about securing your cloud-based environment?

It’s first important to understand that whether you have decided to completely move your environment to the cloud or use cloud-based services, there is an element of risk, and with that comes responsibility.

This concept is referred to as the shared responsibility model. Amazon specifically notes that they are responsible for security of the cloud, but consumers are responsible for security in the cloud. Depending on the type of service(s) used, that will determine the level of responsibility for each party. For example, if your company uses services like Amazon S3 or Azure Blob for storage, it is the company administrator’s responsibility to ensure access is appropriate as well as apply any required encryption levels to the items being stored.

Administrative accounts

Depending on the service provider selected, there will inevitably be key administrative or root accounts that exist when setting up the cloud provider account. Remember these administrators have access to not only create users but also easily deploy resources and create additional accounts. They also have the most visibility into pricing and billing.

It’s crucial to ensure appropriate security mechanisms are in place to protect the root user accounts or key administrative accounts. Ensure the password is complex, enable multifactor authentication and, if access keys are used, be sure to adequately protect those. These accounts should only be used for administrative purposes. A separate account for day-to-day operations should be used on a regular basis.

Logging

Logging should be turned on and monitored by someone independent. It’s important to ensure logging is enabled so that user actions and configuration changes can be traced back to the source if needed.

There are many ways to secure logs within a cloud environment, so be sure to do the research on the approach right for your organization. Some tips for securing logs include enabling log validation (a mechanism to prove the log has not been tampered with), restricting access to only those appropriate parties, and/or sending logs to a secondary location that is protected.

Disaster recovery

A key reason companies often decide to move to the cloud is the increased capacity and availability. Cloud resources are designed with this in mind. The setup is based on regional data centers with multiple failover locations, so the chance of service disruption is minimal.

If your organization requires additional availability considerations, do research to understand which regions or zones your current resources sit in. Some ways to design high availability and fault tolerance is to have a disaster recovery strategy that spans multiple data centers in separate geographic locations. This is especially important when considering where backup data resides.

Automation

Take advantage of the automation available within cloud environments. There are many vulnerability-scanning, configuration-monitoring and user-activity-logging mechanisms available within the various cloud environments. Services allow consumers to build alerts into the logging process to save time identifying suspicious activities.

Even further, in some environments, you can create functions to take action to resolve identified issues. When setting up an automated alert or action, be sure to test it and periodically check to ensure the processes are functioning as expected.

While outsourcing infrastructure and/or services to the cloud can prove to be very advantageous, it is also very important to understand your responsibilities, which can greatly help you mitigate risk to your organization.

 

Read more:

Managing risk from vendor dependencies in a crisis

How to protect your business from ransomware

Watch the free webcast: Cloud security and data privacy for tech companies

Author(s)

Mary Beth Marchione, CPA, CISA, CISSP
Senior Manager
View Profile