As with most endeavors, integrating security into the process as early as possible is essential when building or moving to technologies like the cloud. Whether you are starting your journey to migrate core services to the cloud or launching an evergreen cloud-based project, engaging security professionals with a deep understanding of the cloud security model is crucial. This ensures the successful implementation of a secure and robust system.
Shared responsibility model
If you are early in this process, as a technology leader, understanding the shared cloud responsibility model is critical. For each service offered by the different cloud service providers (CSPs), there are elements the CSP is responsible for monitoring, defending, and protecting, such as physical infrastructure and access controls in data centers, elastic power backups, and the like. Everything you would normally expect a data center to offer, the cloud providers provide, and some of it is fine-tuned by operating at very large scale.
Stay away from metal
The challenge lies in the detail required to make informed decisions about which services to use, taking into account factors such as price, security, overhead, and long-term maintenance. In discussions with companies on this journey, I recommend staying away from metal wherever possible. This means leveraging highly virtualized services and containers such as Fargate and Lambda from AWS, Cloud Run and Cloud Functions from Google, or Azure Containers and Azure Functions from Microsoft.
One consideration here is that these services are managed for you, so you pay a higher premium for them compared with the basic offerings. Weigh that premium carefully against the number of employees you would need to hire and manage to deliver the same level of service within the company.
Additionally, you'll need to invest in your code pipeline with a Continuous Integration and Continuous Deployment (CI/CD) model that lets you run deployments quickly through a set of automated tests before they are approved for push to production. The key is well-defined processes that enforce QoS, security, and code standards and produce repeatable results.
In many cases, these managed services (such as Lambdas and container systems) mean that the CSP is responsible for some of the security monitoring and management around these tools, so instead of you and your team needing to dedicate resources to staying up to date with all the necessary patches for Linux, your cloud provider manages this for you. Note: cloud services change regularly, so before you adopt any service, make sure it includes automatic patching and versioning.
The point here is that AWS, Google, and Azure are often better at some security management practices and at keeping things up to date than most organizations. There are some notable exceptions. In particular, it's worth noting that Microsoft has had a very bad year in terms of security across its products. If you haven't read it, take a look at the US government's Cyber Safety Review Board (CSRB) report on Microsoft's breaches last year. It's a very sobering assessment of some catastrophic security failures within the company.
Maturity assessments and board vision
If you are investing heavily in cloud environments, it is essential to conduct a security risk assessment of your cloud infrastructure. Focus on key areas:
Identity and Access Management: Audit and secure privileged access to devices and root accounts with hardware key-based authentication and FIDO2-enabled MFA for privileged users.
Virtual machines and endpoints: Ensure that patching covers all CISA known exploited vulnerabilities within the recommended time frames. Measure and track time to patch as an operational business metric.
Internet access security posture: Ensure that firewall rules deny by default for most incoming and outgoing connections.
Logging: Enable logging everywhere and have the team review logs regularly.
Backup and restore: Implement a robust backup and restore process, preferably using backups that are independent of your primary cloud accounts, to protect against a catastrophic account breach.
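As an added illustration of the "time to patch" metric above (example code, not part of the original article), the following script scores constructed scanner findings against constructed entries shaped like the CISA Known Exploited Vulnerabilities catalog (cveID, dateAdded, dueDate), reporting days-to-patch and any finding that outlived its KEV due date. The CVE ids, hosts and dates are placeholders.

```python
from datetime import date
from statistics import median

# Constructed sample shaped like CISA KEV catalog entries. Placeholder CVE ids only.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-01", "dueDate": "2024-03-22"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-03-10", "dueDate": "2024-03-31"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-04-02", "dueDate": "2024-04-23"},
]

# Constructed findings from a hypothetical scanner export:
# (host, CVE, date first seen, date patched or None if still open)
FINDINGS = [
    ("vm-web-01", "CVE-0000-0001", "2024-03-02", "2024-03-15"),
    ("vm-web-02", "CVE-0000-0001", "2024-03-02", "2024-04-05"),
    ("vm-db-01",  "CVE-0000-0002", "2024-03-11", None),
    ("vm-db-01",  "CVE-0000-0003", "2024-04-03", "2024-04-10"),
    ("vm-app-01", "CVE-0000-9999", "2024-04-03", None),  # not in KEV: no SLA clock
]

def kev_index(kev_entries):
    """Map CVE id -> KEV due date for quick lookup."""
    return {e["cveID"]: date.fromisoformat(e["dueDate"]) for e in kev_entries}

def assess_findings(findings, kev_entries, today):
    """Classify each finding; `today` is an ISO date string used for open items."""
    kev, today_d, results = kev_index(kev_entries), date.fromisoformat(today), []
    for host, cve, seen, patched in findings:
        seen_d = date.fromisoformat(seen)
        patched_d = date.fromisoformat(patched) if patched else None
        closed_or_today = patched_d or today_d          # open items keep accruing time
        results.append({
            "host": host, "cve": cve, "in_kev": cve in kev,
            "days_to_patch": (patched_d - seen_d).days if patched_d else None,
            "days_open": (closed_or_today - seen_d).days,
            # breached if it was (or still is) open past the KEV due date
            "breached_kev_due": cve in kev and closed_or_today > kev[cve],
        })
    return results

def patch_metrics(results):
    """Board-level numbers: KEV exposure, open and breached counts, median days to patch."""
    closed = [r["days_to_patch"] for r in results if r["in_kev"] and r["days_to_patch"] is not None]
    return {
        "kev_findings": sum(r["in_kev"] for r in results),
        "kev_open": sum(r["in_kev"] and r["days_to_patch"] is None for r in results),
        "kev_breached_due": sum(r["breached_kev_due"] for r in results),
        "median_days_to_patch": median(closed) if closed else None,
    }

if __name__ == "__main__":
    print(patch_metrics(assess_findings(FINDINGS, KEV_SAMPLE, "2024-04-15")))
```

Feeding it a real KEV JSON download and a real scanner export gives the same two numbers (breached count and median days to patch) to report upward.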
Once you've established a baseline for these key areas of risk and maturity, start looking at purchasing the services or building the capabilities you need to keep monitoring them, with visibility and reporting at the highest levels of your organization. This is an invaluable step in ensuring that the cybersecurity risks associated with IT and the cloud are understood not only by the technology team, but by the board as well.
Elliott Wilkes is the CTO of Advanced Cyber Defense Systems. An experienced digital transformation leader and product manager, Wilkes has more than a decade of experience working with both the US and UK governments, most recently as a civil service cybersecurity advisor.