Best Practices for Securely Moving Workloads Into the Cloud
Gartner’s latest IT spending forecast predicts that spending on data center systems will reach $195 billion in 2019, but decrease to $190 billion through 2022. In contrast, spending on cloud infrastructure services will grow from $39.5 billion in 2019 to $63 billion through 2021. This cloud shift would be even more pronounced if many organizations still weren’t reluctant to embark on cloud transformation projects or concerned about security risks of moving workloads to the cloud. Let’s consider whether or not cloud security concerns are justified.
According to IDC’s 2018 Cloud Computing Survey, 34 percent of enterprises consider security as a top challenge standing in the way of cloud transform. Despite this statistic, many organizations are putting security concerns aside and adopting cloud computing in one way or another. This adoption is primarily being driven by the need for greater agility, flexibility, and cost savings. Gartner even predicts that organizations which do not jump on the cloud transformation bandwagon will fall behind when it comes to cost optimization and competitiveness, which can directly impact their business valuation.
Today’s Dynamic Threatscape
When transitioning to the cloud it’s important to understand that cloud security is a shared responsibility between the cloud service provider and the customer. The cloud service provider is typically securing the core infrastructure and services as part of their shared responsibilities. However, securing operating systems, platforms, and data remains the responsibility of the customer.
Another important consideration when formulating a cloud security strategy is that the easiest way for a cyber-attacker to gain access to sensitive data – even if it is stored in the cloud – is by compromising an end user’s identity and credentials. Things get even worse if a stolen identity belongs to a privileged user, who has even broader access, which essentially provides the intruder with the proverbial “keys to the kingdom”. By exploiting a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags.
Remember, it takes just one single compromised privileged credential to impact millions of data records and result in millions of dollars in fines, etc. A recent example was the cyber-attack on Tesla in February 2018. I am not talking about the whistleblower case, whereby Tesla claimed a disgruntled employee compromised access credentials to sabotage the company, but rather a bad actor who stole the privileged credentials of a DevOps engineer to gain access to Tesla’s AWS cloud infrastructure. The attacker’s ultimate objective was to install mining malware in a far-reaching and well-hidden crypto-jacking campaign. This is just one of many examples of breaches that are targeting cloud environments.
To limit their exposure to these attacks, organizations need to rethink their enterprise security strategy and move to an identity-centric approach based on a Zero Trust model: “never trust, always verify, enforce least privilege”. This concept should be extended to the organization’s workforce, as well as partners, privileged IT admins, and outsourced IT.
Now when it comes to your cloud environment, the following best practices should be considered to stop the #1 cause of today’s breaches – privileged access abuse.
• Apply a Common Security Model Across the Entire Infrastructure – When it comes to cloud adoption, one leading inhibitor is the myth that the cloud requires a unique security model, as it resides outside the traditional network perimeter. However, conventional security and compliance concepts still apply in the cloud. Why would a cloud service environment be any different than an on-premises data center? Roles and responsibilities are still the same for users. Therefore, a common security infrastructure spanning on-premises and cloud resources should be implemented. For example, Active Directory should be extended to the cloud.
• Consolidate Identities – Avoid additional silos of identity that expand the attack surface, increase overhead, and lead to identity sprawl. Instead of local cloud provider IAM accounts and access keys, use centralized identities (e.g., Active Directory) and enable federated login.
• Ensure Accountability – Shared privileged accounts (e.g., AWS EC2-user and administrator) are anonymous. Ensure 100% accountability by having users log in with their individual accounts and only elevate privilege as required. Manage entitlements centrally from Active Directory, mapping roles and groups to cloud provider roles.
• Apply Least Privilege and Privilege Elevation – Grant users “just enough privilege” to complete the task at hand in the cloud provider management console, cloud provider services, and on cloud provider instances. Implement cross-platform privilege management for cloud provider management console, Windows, and Linux instances. In addition, secure Windows, Linux, and UNIX systems by controlling exactly who can access what and when. Avoid default privilege escalation by implementing dynamic privileges so that users can only elevate privileges at specific times, for a length of time, and on certain resources. Also, isolate servers based on time and trust relationships to further protect sensitive data.
• Audit Everything – Log and monitor both authorized and unauthorized user sessions to cloud provider instances. Associate all activity to an individual, and report on both privileged activity and access rights.
• Enforce Multi-Factor Authentication – To defeat in-progress attacks and ensure higher levels of user assurance, implement multi-factor authentication (MFA) for cloud service management, on login and privilege elevation for cloud provider instances, when checking out vaulted passwords.
Using Zero Trust Privilege services can extend corporate security policies and best practices to cloud environments, while reducing costs (e.g., by avoiding site-to-site VPN for identity directory synchronization purposes), improving scalability across multi-VPCs, -SaaS, and -directory environments, and minimizing security blind spots through centralized management.