Cyber Security Hygiene - The Cloud

I have managed on-premises data centers and set up everything from sourcing multiple ISPs with distinct physical paths to the office, to active/passive firewalls, to redundant everything (switches, servers, storage) and virtualization on top of everything. And although that has been a great learning experience, it has also been a painful one that took a lot of time and trial and error, and required a team behind it to set up and maintain a foundation for where our apps would run. Then we had to deal with hardware failures and life-cycle management of the hardware, complex storage management, virtualization, operating system and software application updates, backups and more. Keeping the lights on for the IT infrastructure was a team in itself, and then we had to keep the applications working. Running this setup also came with high capital costs and made it impossible to deal with spikes in capacity requirements without over-provisioning and being locked in.

For a start-up or SMB which doesn't have specific compliance or regulatory requirements that rule out the public cloud, I highly recommend using the public cloud. If the public cloud is not possible, then consider a private cloud option. If that is not acceptable, then at least use a data center that abstracts all the complexity away from your team, because managing a data center is a complex endeavor and consumes your resources on what should just work and be available to manage in a portal. I will focus my discussion on the public cloud here. You don't use the cloud because it costs less; you use it because it's faster to provision, more flexible to scale up and down, generally more secure out of the box and generally OPEX driven.

When looking at the cloud, I will refer to a paragraph I used in another blog post as it's relevant to how you structure your cloud services. You need IT infrastructure to run a certain business service or workload. But before you commit to a certain way of doing it, I recommend going through this process:

  • Do I have a Software as a Service (SaaS) option for this business requirement, so that I don't need to host anything? If yes, then take it.
  • Do I have a Platform as a Service (PaaS) option in the cloud for this requirement, so that although I need to maintain a cloud environment to a certain degree, I don't need to worry about virtual machines and their entire stack? If yes, then take it.
  • Do I have an Infrastructure as a Service (IaaS) option in the cloud that requires a minimum of servers to be stood up, and can I have a managed service from the vendor to maintain that infrastructure? If yes, consider taking it.

If you were to group your business technology platforms into a pyramid, I would say that at the base you need SaaS, then a second layer with a lower footprint, PaaS, then a final layer with a small footprint, if you need one at all, IaaS, all hosted in the cloud.

Once you are in the cloud, you need to secure it. I am emphasizing that security is not a single-area approach; it spans multiple areas, and your overall security is only as strong as your weakest area. You cannot secure the cloud if you don't have secure identities, secure endpoints and patch & vulnerability management in place - it's all in multiple layers.

A few of the key items to consider around security in the cloud:

  • Although you don't have the complexity of running a data center, there is still a lot of complexity, and you require skilled engineers to manage your cloud. Incorrect configuration of resources generally results in insecure services, so make sure you recruit good talent and keep them up to speed with their training.
  • Where you will spend most of your time is in the Infrastructure as a Service space. Here I recommend you do network segmentation (e.g. a Virtual Network with multiple Network Security Groups in Azure, a VPC in AWS). If you have a custom application that you are hosting, have all the services and virtual machines in one private network. Then inside that network, start with a deny-all traffic policy and only allow expected communication on expected ports (e.g. web traffic to the web servers only, database traffic from the web servers to the database servers, and so on).
  • Ensure all your data is encrypted in transit and at rest. Generally that comes by default, but make sure it's there, that the way keys are managed complies with your policy, and that the protocols supported are not weak (e.g. TLS 1.2 as a minimum these days).
  • Consider running a Security Information & Event Management (SIEM) solution to capture all your cloud logs and alert on unusual security events. If you couple this with a 24/365 SOC/MTDR service, then someone will also be watching the alerts generated and will be able to reach out to you in time to prevent an incident.
  • Consider running an Endpoint Detection & Response solution if you have any virtual servers in the cloud. If coupled with a service that can take actions when alerts are generated, that significantly reduces your exposure for any servers you run in the cloud.
  • Make sure you have backups in place at the right frequency and with the right retention, in line with your restore point-in-time objectives. It is suggested you have these backups copied to a location separate from your cloud provider, since in the event of a ransomware attack the backups held with the provider can be deleted by a threat actor.
  • Run regular pen testing and vulnerability assessments on your infrastructure (every six months is recommended, or with every major change in your architecture) to find out what you don't know is insecure.
  • Have a roadmap in place and create a cyber aware environment and culture within your technology team. Make sure security is part of the lifecycle of creating infrastructure, not an afterthought. Ideally you have a cyber security engineer who can champion this.
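As an added example (not from the original post) of the deny-all-then-allow segmentation described in the bullets above: a small Python model of priority-ordered security-group rules, with constructed web and database subnets, that lets you check which flows a rule set permits before applying it in a portal. The subnets, ports and rule priorities are assumptions, not values from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    priority: int            # lower number is evaluated first (Azure NSG style)
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    port: Optional[int]      # destination port, None = any port

# Constructed subnets for a two-tier application; the addresses are assumptions.
WEB = "10.0.1.0/24"   # web-server subnet
DB = "10.0.2.0/24"    # database-server subnet
ANY = "0.0.0.0/0"

# The deny-all baseline plus only the expected flows from the bullet above.
RULES = [
    Rule(100, "allow", ANY, WEB, 443),    # public HTTPS to the web tier only
    Rule(110, "allow", WEB, DB, 5432),    # web tier to the database port only
    Rule(4096, "deny", ANY, ANY, None),   # explicit deny-all catch-all
]

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Return the action of the first rule (by priority) matching the flow.
    Nothing matching is treated as deny, so a forgotten catch-all still fails closed."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda x: x.priority):
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

MANAGEMENT_AND_DB_PORTS = (22, 3389, 1433, 3306, 5432)

def internet_exposed(rules: List[Rule]) -> List[Rule]:
    """Flag allow rules that open a management or database port to the internet."""
    return [r for r in rules
            if r.action == "allow" and r.src == ANY
            and (r.port is None or r.port in MANAGEMENT_AND_DB_PORTS)]

if __name__ == "__main__":
    for src, dst, port in [("198.51.100.7", "10.0.1.10", 443),
                           ("198.51.100.7", "10.0.2.10", 5432),
                           ("10.0.1.10", "10.0.2.10", 5432)]:
        print(f"{src} -> {dst}:{port} = {evaluate(RULES, src, dst, port)}")
    print("internet-exposed sensitive rules:", internet_exposed(RULES))
```

Run the same checks against the real rule export of your cloud network before and after each architecture change; a newly allowed internet-to-database flow is exactly the kind of misconfiguration the post warns about.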

You can subscribe if you'd like to stay up to date and receive emails when new content is published. If you'd like to work together on your IT posture, here is how I can help: askalex.how.