Cloud Security Best Practices

Note - This article doesn’t cover how to enforce these controls, but rather focuses on what to enforce. Also, consider this a starting point rather than an exhaustive list of best practices.

Cloud Security

Below are some of the best practices that are comparatively easy to adopt and implement in the majority of scenarios -

  • Identity & Access Control

    • MFA - This is the bare minimum security control that should be enforced, as relying on passwords alone is only going to leave organizations more vulnerable to attacks.
    • Conditional Access - Conditional access controls, where available, should be leveraged to enforce strict controls around the types of access allowed. This could be as simple as restricting access to specific browser versions, company-managed devices, specific locations, etc.
  • Improve Security Posture

    • Improve current posture - It is important to utilize tools that provide visibility into the current security posture, such as Secure Score in Azure Security Center. It surfaces gaps along with recommendations to address them; acting on these increases the score and thereby improves your company’s security posture.
    • Collaboration amongst teams is key - One prime example is ensuring that policies aligned to the customer’s security and compliance requirements are enforced at the early stages of the DevOps integration phase. This avoids being in reactive mode later and also inculcates the practice of Secure DevOps.
  • Secure apps and data

    • Encryption - Ensure that data at rest and in transit is encrypted using the tools provided by the cloud providers.
    • Security Best Practices - Security best practices such as the ones defined in the Security Development Lifecycle can be leveraged by developers; if the developers aren’t well-versed in them, they would need to be trained accordingly.
    • Shared responsibility - Don’t forget about the shared responsibility model from a cloud security perspective: the more we shift from IaaS > PaaS > SaaS, the more of the security responsibility shifts from the customer to the cloud provider (the customer always retains responsibility for its own data, identities and access controls).
  • Mitigate threats

    • Enable threat detection - Enable this for all supported resources; it helps to detect threats and generates security alerts for the customer to act on.
    • Integrated threat intelligence - Now imagine the problem with just enabling the above in the absence of any threat intelligence: the SOC teams could be overwhelmed with a lot of alerts at once and struggle to prioritize the important ones that need immediate action. Threat intelligence integrated natively by the cloud provider helps provide context, relevance and priority to the alerts, and thus helps customers take faster, better and more proactive decisions.
    • Leverage cloud-native SIEMs - Cloud-native SIEMs can scale with demand and also utilize AI to reduce noise, further narrowing the actionable items down to the ones that require real attention.
  • Protect the network

    • Firewall Protection - Strong firewall protection helps protect your perimeter, and can be provided via cloud-native firewall solutions. A Web Application Firewall can additionally help protect web applications from common exploits such as SQL injection and cross-site scripting.
    • DDoS - Most cloud providers provide basic DDoS protection by default. However, if needed, check whether a paid DDoS capability should be added for protection against malicious traffic targeting the application and network layers.
    • Avoid flat networks - As part of a defense-in-depth strategy it is important to avoid designs that allow lateral movement across different tiers. For example, putting all tiers of an application in a single flat network might be easy from an implementation perspective, but it is the least secure option. Segregating the different tiers and controlling the traffic flow between them can reduce the risk considerably.
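To make the "Mitigate threats" points concrete, here is an added example (not code from the original article or from any cloud provider) of what integrated threat intelligence and SIEM noise reduction actually do to a stream of alerts. The alert records, the TI feed, the `TI_FEED`/`RAW_ALERTS` names and the scoring heuristic are all constructed assumptions for illustration; a real provider's alert schema and TI service will differ.

```python
"""Enrich cloud security alerts with threat-intelligence context and rank them.

Constructed example: the alerts and the TI feed below are made-up sample data,
not the output of any real cloud provider or SIEM.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed threat-intelligence feed: indicator -> context. A real feed would
# come from the provider's integrated TI service; these entries are made up.
TI_FEED = {
    "203.0.113.7": {"category": "brute-force source", "confidence": 90},
    "198.51.100.23": {"category": "known C2", "confidence": 95},
}

# Constructed raw alerts as a cloud threat-detection service might emit them.
RAW_ALERTS = [
    {"id": 1, "type": "FailedLogin", "severity": "Low", "src_ip": "203.0.113.7", "resource": "vm-web-01"},
    {"id": 2, "type": "FailedLogin", "severity": "Low", "src_ip": "203.0.113.7", "resource": "vm-web-01"},
    {"id": 3, "type": "FailedLogin", "severity": "Low", "src_ip": "203.0.113.7", "resource": "vm-web-01"},
    {"id": 4, "type": "OutboundConnection", "severity": "Medium", "src_ip": "198.51.100.23", "resource": "vm-app-02"},
    {"id": 5, "type": "PortScan", "severity": "Medium", "src_ip": "192.0.2.44", "resource": "vm-web-01"},
    {"id": 6, "type": "FailedLogin", "severity": "Low", "src_ip": "192.0.2.9", "resource": "vm-db-01"},
]

# Constructed base scores per provider severity.
SEVERITY_SCORE = {"Low": 10, "Medium": 40, "High": 70}


@dataclass
class EnrichedAlert:
    type: str
    src_ip: str
    resource: str
    severity: str
    count: int                          # raw alerts collapsed into this record
    ti_category: Optional[str] = None   # filled in when the source matches TI
    score: int = 0
    alert_ids: List[int] = field(default_factory=list)


def collapse(alerts):
    """Collapse repeated alerts of the same type/source/resource into one record.

    This is the noise-reduction step: three identical failed-login alerts from
    one source become a single item with count=3.
    """
    groups = {}
    for a in alerts:
        key = (a["type"], a["src_ip"], a["resource"])
        if key not in groups:
            groups[key] = EnrichedAlert(a["type"], a["src_ip"], a["resource"], a["severity"], 0)
        groups[key].count += 1
        groups[key].alert_ids.append(a["id"])
    return list(groups.values())


def enrich_and_score(alert, ti_feed):
    """Attach TI context and compute a priority score.

    Scoring (constructed heuristic): base severity, plus the TI confidence when
    the source matches a known-bad indicator, plus a small bonus for repetition.
    """
    score = SEVERITY_SCORE.get(alert.severity, 0)
    ti = ti_feed.get(alert.src_ip)
    if ti:
        alert.ti_category = ti["category"]
        score += ti["confidence"]
    score += min(alert.count - 1, 10) * 2
    alert.score = score
    return alert


def prioritize(raw_alerts, ti_feed=TI_FEED):
    """Return collapsed, enriched alerts sorted by descending priority score."""
    enriched = [enrich_and_score(a, ti_feed) for a in collapse(raw_alerts)]
    return sorted(enriched, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in prioritize(RAW_ALERTS):
        ctx = a.ti_category or "no TI match"
        print(f"{a.score:3d}  {a.type:<18} {a.src_ip:<15} {a.resource:<10} x{a.count}  [{ctx}]")
```

Without the TI step every one of the six alerts would land in the queue at its raw severity, with the three repeated Low failed logins and the Medium outbound connection looking unremarkable. With enrichment, the connection to a known C2 indicator rises to the top and the repeated logins from a known brute-force source come second, while the two alerts with no TI context fall to the bottom of the queue.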
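The "Avoid flat networks" point is easier to reason about as a check that can be run against a rule set. The following is an added example, not code from the original article: it models a three-tier application with a constructed rule format (source tier, destination tier, port; `*` meaning any) rather than any real NSG or firewall syntax, and reports every tier-to-tier flow that the rules permit but the intended design does not. The tier names, `ALLOWED_FLOWS`, `FLAT_RULES` and `SEGMENTED_RULES` are all assumptions for illustration.

```python
"""Check a set of network allow-rules against a tiered-flow policy.

Constructed example: the tier names, rule format and sample rule sets are
made up for illustration; they are not a real NSG/firewall syntax.
"""
from typing import List, Set, Tuple

TIERS = ["internet", "web", "app", "db"]

# The intended design: traffic may only flow one hop "down" the stack.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {
    ("internet", "web"),
    ("web", "app"),
    ("app", "db"),
}

# Rule format (constructed): (source_tier, destination_tier, port). "*" = any.
Rule = Tuple[str, str, str]

# Flat network: everything in one segment, so every tier can talk to every other.
FLAT_RULES: List[Rule] = [("*", "*", "*")]

# Segmented network: explicit per-hop rules on the ports each tier actually uses.
SEGMENTED_RULES: List[Rule] = [
    ("internet", "web", "443"),
    ("web", "app", "8080"),
    ("app", "db", "1433"),
]


def expand(rule: Rule) -> Set[Tuple[str, str]]:
    """Expand wildcard source/destination into concrete (src, dst) tier pairs."""
    src, dst, _port = rule
    srcs = TIERS if src == "*" else [src]
    dsts = TIERS if dst == "*" else [dst]
    return {(s, d) for s in srcs for d in dsts if s != d}


def permitted_flows(rules: List[Rule]) -> Set[Tuple[str, str]]:
    """Union of all tier pairs the rule set allows traffic between."""
    flows: Set[Tuple[str, str]] = set()
    for r in rules:
        flows |= expand(r)
    return flows


def reachable_from(flows: Set[Tuple[str, str]], start: str) -> Set[str]:
    """Transitive closure: which tiers can be reached from `start` via permitted flows."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        cur = stack.pop()
        for s, d in flows:
            if s == cur and d not in seen:
                seen.add(d)
                stack.append(d)
    return seen


def find_violations(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Flows the rules permit but the tier policy does not.

    These are exactly the lateral-movement paths a flat design leaves open.
    """
    return sorted(permitted_flows(rules) - ALLOWED_FLOWS)


def internet_can_reach_db_directly(rules: List[Rule]) -> bool:
    """True when a single permitted hop connects the internet tier to the db tier."""
    return ("internet", "db") in permitted_flows(rules)


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"{name}: {len(find_violations(rules))} policy violations "
              f"{find_violations(rules) or ''}")
```

The flat rule set permits nine flows the design never intended, including `db -> web` and `internet -> db`; the segmented set permits none, and a compromise of the web tier still has to traverse the app tier to reach the database. The same closure check extends naturally to per-subnet or per-port granularity once the rule model matches the real firewall's.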

To sum it up, below are some of the key points to remember -

  • Review these best practices periodically and update them with the latest advancements in technology (if available).
  • The best practices listed here are some of the most easily adoptable ones. However, note -
    • Some of these are design decisions, so it’s important to get them right as per the customer’s needs and scenario.
    • Some of these are cultural and process changes, so they may not be quickly adopted. But if effort is put into understanding their importance and the value they bring in the long run, the results will not only be noticeable and quantifiable but can also be replicated and built upon for similar work.
  • Also, once the basic security policies and practices are adopted, it might be helpful to extend this list with advanced security controls that are specific to your customer and their industry.