Recent successful attacks on and through cloud environments show that many organizations still dramatically underestimate what cloud security hygiene requires.
Orca Security, provider of a new cloud security technology, points out four key considerations for cloud security hygiene.
1. Categorize how complete the cloud coverage is
In the pre-cloud world it was "easy" to understand how many systems there were; after all, you could always go to the data center and count them. In the cloud, however, not even this is readily possible, so any measurement of security must come with a caveat: how many of the systems are covered by this measurement? "We patched 75 systems for the latest CVE" is only a good statement if you have 75 systems. If there are a thousand, it is not a very positive result.
Maintaining an inventory may seem like a daunting task. To get started, it’s a good idea to group systems into clusters organized by how they are managed. Perhaps the production servers in AWS are one cluster, and the development systems belong to another. Employees’ laptops belong in a third cluster, and the company’s IT and network infrastructure belong in a fourth (they may not be in the "cloud," but they should not be forgotten). Now security leaders can start talking about hygiene practices within each cluster ("We patched 95 percent of our employee systems within 48 hours"), which brings them closer to understanding the results relevant to the business.
2. Count how comprehensive the controls are
For each system, it is tempting to implement a single security control and then move on. The web server in the cloud has been patched? Great. But what about all the other objectives? Have all relevant types of risk been controlled? There are a number of relevant frameworks that can be referenced for risk control purposes. For the cloud, the Cloud Security Alliance’s Cloud Controls Matrix is a good place to start.
However, 197 controls are a bit daunting. They are carefully detailed and divided into 17 domains. Start with one domain and look at how each of its controls applies to a cluster of systems. Although some controls may be implemented the same way in multiple clusters, the goal is first to understand how comprehensive the security controls are for a given cluster (and then to determine, for each control, how many of the systems in the cluster actually meet your objectives).
3. Consider the context within the cloud
The controls have to be implemented for all systems, but some systems are "more equal" than others. Some web servers may only have publicly available information on them, and it would be embarrassing if someone were able to gain access to that system. However, some web servers have access to stores with private data. And what if those stores now contain personal identifying information? This is a much bigger problem. Identifying the systems with direct and indirect access to more sensitive data is critical to prioritizing this task.
This context can help create dynamic sub-clusters in the asset inventory. The "public cloud" cluster can now be divided into four categories along the two axes of "with Internet access" and "with access to personal data," with the cluster that has both being the highest priority for implementing controls.
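The three considerations so far (coverage with its caveat, a control-by-control view per cluster, and prioritizing by Internet exposure and access to personal data) can be turned into a small inventory model. The following is an added illustration, not code from Orca Security or from the article; the asset names, cluster names, control names (including the placeholder "patched-CVE-X") and pass/fail results are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    cluster: str           # how the system is managed: "aws-prod", "dev", "laptops", ...
    internet_facing: bool  # reachable from the Internet
    handles_pii: bool      # direct or indirect access to personal data
    in_scope: bool         # the measurement tool can see this system at all


# Constructed sample inventory (hypothetical systems, not from the article).
ASSETS = [
    Asset("web-1",    "aws-prod", True,  False, True),
    Asset("web-2",    "aws-prod", True,  True,  True),
    Asset("db-1",     "aws-prod", False, True,  True),
    Asset("batch-1",  "aws-prod", False, False, False),  # never onboarded to the scanner
    Asset("dev-1",    "dev",      True,  False, True),
    Asset("dev-2",    "dev",      False, False, False),
    Asset("lt-alice", "laptops",  False, True,  True),
    Asset("lt-bob",   "laptops",  False, False, True),
]

# Constructed control results: control -> {asset name: passed}. An asset that is
# missing from a control's dict was never assessed for it (unknown, not "pass").
# "patched-CVE-X" is a placeholder control name, not a real CVE identifier.
CONTROL_RESULTS = {
    "patched-CVE-X":      {"web-1": True, "web-2": False, "db-1": True,
                           "dev-1": True, "lt-alice": True, "lt-bob": False},
    "logging-enabled":    {"web-1": True, "web-2": True, "db-1": True, "dev-1": False},
    "encryption-at-rest": {"db-1": True, "lt-alice": True},
}


def coverage(assets, cluster, control, results=CONTROL_RESULTS):
    """Consideration 1: report a control's status together with the caveat of how
    many of the cluster's systems the measurement actually reached."""
    members = [a for a in assets if a.cluster == cluster]
    outcomes = results[control]
    assessed = [a for a in members if a.in_scope and a.name in outcomes]
    passed = [a for a in assessed if outcomes[a.name]]
    return {
        "total": len(members),
        "assessed": len(assessed),
        "passed": len(passed),
        "unknown": len(members) - len(assessed),
        # The honest figure divides by every system in the cluster, not only the
        # ones the tool could see.
        "pct_of_total": round(100 * len(passed) / len(members), 1) if members else 0.0,
        "pct_of_assessed": round(100 * len(passed) / len(assessed), 1) if assessed else 0.0,
    }


def control_matrix(assets, cluster, results=CONTROL_RESULTS):
    """Consideration 2: one coverage row per control for a single cluster."""
    return {control: coverage(assets, cluster, control, results) for control in results}


PRIORITY_ORDER = ["P1-internet+pii", "P2-pii", "P3-internet", "P4-internal"]


def priority(asset):
    """Consideration 3: the four buckets along the two axes of Internet access
    and access to personal data; both at once is the highest priority."""
    if asset.internet_facing and asset.handles_pii:
        return "P1-internet+pii"
    if asset.handles_pii:
        return "P2-pii"
    if asset.internet_facing:
        return "P3-internet"
    return "P4-internal"


def sub_clusters(assets, cluster):
    """Split one management cluster into the dynamic priority sub-clusters."""
    buckets = defaultdict(list)
    for a in assets:
        if a.cluster == cluster:
            buckets[priority(a)].append(a.name)
    return dict(buckets)


def gaps_by_priority(assets, cluster, results=CONTROL_RESULTS):
    """Systems in a cluster that fail, or were never assessed for, any control,
    highest priority first. A system with no visibility shows every control as
    unassessed rather than silently disappearing from the report."""
    members = sorted((a for a in assets if a.cluster == cluster),
                     key=lambda a: PRIORITY_ORDER.index(priority(a)))
    gaps = []
    for a in members:
        failing = [c for c, r in results.items() if r.get(a.name) is False]
        unassessed = [c for c, r in results.items() if a.name not in r]
        if failing or unassessed:
            gaps.append((a.name, priority(a), failing, unassessed))
    return gaps


if __name__ == "__main__":
    for control, row in control_matrix(ASSETS, "aws-prod").items():
        print(f"{control:20} {row['passed']}/{row['total']} passed, {row['unknown']} unknown "
              f"({row['pct_of_assessed']}% of assessed, {row['pct_of_total']}% of total)")
    for name, prio, failing, unassessed in gaps_by_priority(ASSETS, "aws-prod"):
        print(f"{prio:18} {name:10} failing={failing} unassessed={unassessed}")
```

With this sample data, "encryption-at-rest" in the aws-prod cluster reads as 100 percent of assessed systems but only 25 percent of all systems, which is exactly the caveat the first consideration asks for; the gap list then puts web-2 (Internet-facing and handling personal data) ahead of the other systems that still need attention.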
4. Eliminate the uncertainty
The hardest part of such an approach is that security managers can no longer give themselves or others definitive, certain answers. The question "Are we patched?" is no longer answered with a simple "yes". Instead, the process of understanding exactly where patching has occurred, and knowing where there is not yet visibility, sets in. This uncertainty will drive the improvement in hygiene that almost every company needs.
It is best to start even if you don’t know all the answers yet. However, it is important to proceed step-by-step until full coverage with comprehensive and context-appropriate controls is achieved.