1-888-317-7920 info@2ndwatch.com

5 Tips for Getting Started with Cloud Security

Implementing security in a cloud environment may seem like a difficult task and slows down, or even prevents, some organizations from migrating to the cloud.  Some cloud security models have similarities to traditional data center or on-premises security; however, there are opportunities to implement new security measures as well as tweak your existing security plan. Here are five tips for getting started with cloud security.

  1. Secure your application security code
    Knowing and understanding account usage and the types of coding languages, inputs, outputs, and resource requests is essential.
  2. Implement a solid patch management and configuration management strategy
    These strategies are usually more people and process driven, but are important components to the care of feeding of the technology solution.  Organizations should take inventory of all the data they are maintaining and understand what type of data it is, where it is being stored, what accounts have access to this data, and how is it being secured.
  3. Dedicate time and resources to the design and maintenance of identity and access management solutions
    Attackers continue to use brute force attacks against accounts to crack passwords and gain authenticated privileges in your environment.  Accounts should follow the least privilege concept and account activity should be logged.  A robust logging and log review system should be a standard implementation for all systems, accounts, and configuration modifications to ensure accountability of legitimate activity.
  4. Understand the shared responsibility of security
    Generally, cloud providers will have security implemented throughout their core infrastructure, which is primarily designed to safeguard their systems and the basic foundational services for each of their customers.  Cloud providers will maintain and secure their infrastructure; however, they won’t necessarily provide customers reports or notifications from this layer unless it impacts a significant amount of customers.  Therefore, it is highly recommended that you implement a customized security plan within your own cloud environment.

    At the moment a cloud provider drops a network packet onto your systems, you should employ security monitoring and network threat detection.  The customer responsibility for security increases when moving from the network level to the host level and further to the application level.  Once you have access to your operating system, you are giving root/administrator access and therefore, that system is yours to secure and manage.

    At this point, the customer is responsible for the security of the applications and the application code that is used on the host systems. Cloud customers need to pay particular attention to the application code that is used in their environment since web application attacks are the most prevalent type of attacks used by adversaries.

  5. Stay informed about the la threats and vulnerabilities
    Organizations should also stay informed about the la threats and vulnerabilities to their cloud systems.  Adversaries, hacking groups and security researchers are constantly working to discover new vulnerabilities within systems and keeping up with these threats is imperative.  Organizations that have dedicated resources to monitoring and responding to the la threat activities are able to anticipate cyber activity and minimize the impact of an attack.

    Implementing effective security within a cloud environment may seem to be a challenging task; however, a strategic plan and the proper integration of people, process, and technology enable organizations to overcome this challenge.

Learn more about 2W Managed Cloud Security and how our partnership with Alert Logic can ensure your environment’s security.

 

Blog contributed by Alert Logic

AlertLogic_Logo_2C_RGB_V_Tag

 

 

Facebooktwittergoogle_pluslinkedinmailrss

Understanding the AWS Security Model and Services

Protecting and monitoring networks, applications and data is simple if you know and use the right tools

Security is a stifling fear for organizations considering public clouds, one frequently stoked by IT vendors with vested interests in selling enterprise IT hardware and software using security as a catalyst for overall FUD about cloud services. The fears and misconceptions about cloud security are rooted in unfamiliarity and conjecture. A survey of IT pros with actual cloud experience found the level of security incidents relative to on-premise results quite similar. When asked to compare public cloud versus on-premise security, the difference between those saying the risks are significantly lower versus higher is a mere one percent. Cloud infrastructure is probably more secure than typical enterprise data centers, but cloud users can easily create application vulnerabilities if they don’t understand the available security services and adapt existing processes to the cloud environment.

Cloud-security-survey_int-v-public

Whatever the cause, the data shows that cloud security remains an issue with IT executives. For example, a survey of security professionals found that almost half are very concerned about public cloud security, while a 2014 KPMG survey of global business executives found that security and data privacy are the most important capabilities when evaluating a cloud service and that the most significant cloud implementation challenges center on the risks of data loss, privacy intrusions and intellectual property theft.

KPMG-cloud-2014_security-eval

 

KPMG-cloud-2014_adopt-challenges

Unfortunately, such surveys are fraught with problems since they ask for subjective, comparative evaluation of two very different security models, one (on-premise) that IT pros have years of experience implementing, managing and refining, and the other (public cloud) that is relatively new to enterprise IT, particularly as a production platform, and thus often not well implemented. The ‘problem’ with public cloud security isn’t that it’s worse, no, it’s arguably better. Rather, the problem is that cloud security is different. Public cloud services necessarily use an unfamiliar and more granular security design that accommodates multi-tenant services with many users, from various organizations, mixing and matching services tailored to each one’s specific needs.

AWS Security Model

AWS designs cloud security using a shared security model that bisects security responsibilities, processes and technical implementation between the service provider, i.e. AWS, and customer, namely enterprise IT. In the cloud, IT relinquishes control over low-level infrastructure like data center networks, compute, storage and database implementation and infrastructure management to the cloud provider. The customer, i.e. enterprise IT, has control over abstracted services provided by AWS along with the operating systems, virtual networks, storage containers (object buckets, block stores), applications, data and transactions built upon those services, along with the user and administrator access to those services.

AWS_shared-security-model

The first step to cloud security is mentally relinquishing control: internalizing the fact that AWS (or your IaaS of choice) owns low-level infrastructure and is responsible for securing it, and given their scale and resources is most likely doing better than most enterprise IT organizations. Next, AWS users must understand the various security control points they do have. AWS breaks these down into five categories:

  • Network security: virtual firewalls, network link encryption and VPNs used to build a virtual private cloud (VPC).
  • Inventory and configuration: comprehensive view of AWS resources under use, a catalog of standard configuration templates and machine images (AMIs) and tools for workload deployment and decommissioning.
  • Data encryption: security for stored objects and databases and associated encryption key management.
  • Access control: user identity management (IAM), groups and policies for service access and authentication options including multifactor using one-time passwords.
  • Monitoring and logging: tools like CloudWatch and CloudTrail for tracking service access and use, with ability to aggregate data from all available services into a single pool that feeds comprehensive usage reports, facilitates post-incident forensic analysis and provides real-time application performance alerts (SNS).

Using CloudTrail Activity Logs

Organizations should apply existing IT security policies in each area by focusing first on the objectives, the policy goals and requirements, then mapping these to the available AWS services to create control points in the cloud. For example, comprehensive records of user access and service usage are critical to ensuring policy adherence, identifying security gaps and performing post hoc incident analysis. CloudTrail fills this need acting as something of a stenographer recording all AWS API calls, for every major service, whether accessed programmatically or via the CLI, along with use of the management console. CloudTrail records are written in JSON format to facilitate extraction, filtering and post-processing, including third party log analysis tools like Alert Logic, Loggly and Splunk.

CloudTrail so thoroughly monitors AWS usage that it not only logs changes to other services, but to itself. It records access to logs themselves and can trigger alerts when logs are created or don’t follow established configuration guidelines. For security pros, CloudTrail data is invaluable when used to build reports about abnormal user or application behavior and to detail activity around the time of a particular suspicious event.

The key to AWS security is understanding the division of responsibilities, the cloud control points and available tools. Mastering these can allow cloud-savvy organizations to build security processes that exceed those in many on-site data centers.

-2nd Watch Blog by Kurt Marko

Facebooktwittergoogle_pluslinkedinmailrss

Hey, You, Get Off My Cloud

2nd Watch Director of Engineering, Chris Nolan, discusses the public vs. private cloud architecture debate in the Industry Perspectives content channel of Data Center Knowledge, published today. Read the full article for Chris’ guidance on cloud strategy and points to consider when making your decision.

Facebooktwittergoogle_pluslinkedinmailrss

Cloud Myth Busters

Yes, I know, everyone is tired of hearing about the Cloud. It seems like talk about the cloud happens all day, every day, and you know that it’s hit the mainstream when your mom asks you about it. The reality is that we’re still so early in “The Journey” (yes, we call it that because it truly is one.) that it can be impossible to distill the tremendous amount of noise that exists around the topic. Let’s spend a few precious moments identifying the cloud myths that are swirling about and try to myth bust a bit.

LegacyI have too much invested in my legacy systems, tools and processes that makes moving to the cloud too hard or just not worth it.

That’s partly true. Many companies have a lot of legacy systems and infrastructure out there. So much so that it clouds (no pun intended) their view on what’s possible. It’s like quicksand; the more time and money invested in legacy systems and architectures, the deeper and deeper you get, and it just seems impossible to get out. There is a way out though, and the first step forward is actually to take a step back and understand where you are today. From there, we’d suggest taking stock of what’s in your environment and seeing what’s ready to move to the cloud.

Security – It’s not secure. I’ll be sharing my data with everyone else.

That’s absolutely not true. The public cloud is extremely secure. These environments have been built to adhere to the most stringent security standards on the planet. Cloud providers take an in depth approach, going above and beyond to ensure that security permeates throughout the environment.

http://aws.amazon.com/security/

Agility – What am I really gaining? There can’t really be as much benefit as people are saying.

When we talk to any business person, lack of agility is typically their number one challenge. Traditional legacy, or even co-location infrastructure, is designed and built so that it doesn’t allow for the flexibility companies need in the constantly changing world. The need to continually evolve and the ability to “fail fast” are so important to businesses today, and the cloud enables you to do just that. You can literally create a global infrastructure in a matter of minutes that runs only when you need it. The benefits are dizzying.

Cost – I hear that it will actually cost me more to run in the cloud.

There are tremendous economies of scale to be gained by building out the massive footprint that the existing public cloud providers have built. It’s enabled them to get such a head start that it’s downright unbelievalbe what you can do today at a fraction of the cost of doing it in a traditional IT world. There are a number of TCO calculators out there that will show you the cost of running infrastructure on-prem vs in the cloud. Take a look at the calculator we built for AWS and see for yourself by plugging in your own numbers.

Best of Breed – I can use any cloud provider. They’re all the same.

There is an entire body of knowledge dedicated to the cloud landscape, how mature each company’s offerings are and where they fit in the overall landscape. I am a firm believer that you build your company to be as agile as possible, trying to eliminate brittle and hard linkages. Please check out the following link for an independent analyst’s view of today’s cloud landscape.

See what Gartner is Saying about the Cloud

Org Structure – I can use cloud as I see fit and keep things the way they’ve normally been internally.

True innovation is happening here. The industry is attracting the absolute best and brigh talent, and the pace of innovation will only accelerate. I’m not saying you need to stay ahead of it. The goal is to keep pace and not fall behind. We can help you do that!

-Mike Triolo, General Manager – Eastern US

 

Facebooktwittergoogle_pluslinkedinmailrss