As applications become increasingly cloud-based – or even cloud-native – more and more such code sends data to and from cloud-based stores, both public and private. This makes the methods and controls that such applications use to access the cloud of particular interest. It also keeps the onus on application owners to protect and preserve application data, particularly when it involves information subject to compliance and regulatory requirements. That brings a host of other concerns into play, ranging from preserving privacy and confidentiality to the “right to be forgotten” (a GDPR requirement that obliges organizations to dispose of data about any registered individuals within 30 days of a request for the same, or face fines and penalties).
Pass the data, but not the buck
Indeed, organizations must recognize and own their responsibility for data, even when it leaves their hands and moves to the cloud. At best, the cloud service provider will assume a “shared responsibility” for an organization’s data once it hits their servers or data stores. But always, the organization that acquires (and presumably controls and protects) such data remains legally responsible for its privacy, confidentiality, and for disclosures of breaches, thefts, or unwanted access or disclosure. Thus, organizations that use cloud platforms should thoroughly understand the provider’s security capabilities, the data protection (such as encryption, access control, audit, and so forth) it offers, and the responsibility and liability it assumes for data and applications that run within its systems.
Best security practices for cloud access
For cloud-consuming organizations, that’s just the beginning. Best security practices also insist that organizations implement the following principles, where access to cloud applications, data, configurations, and resource consumption is concerned:
- Apply the Principle of Least Privilege (PLP): all access should be set to “deny” by default and only so much access allowed for authorized parties as they need to use an application (ordinary users) or administer the organization’s cloud environments and settings (and all admin level access should be logged, and routinely audited, especially use of privilege, account management, configuration and set-up of applications and data stores, and so forth).
- Use strong authentication, 2FA or better: Ideally, all access to cloud-based applications and data should require jumping demanding hurdles before access requests get granted. At a minimum, ordinary users should be required to use two-factor authentication (2FA: cellphone or email confirmation of one-time pads). Higher-level access should probably use multi-factor authentication that extends beyond 2FA, such as a certificate, a smart token device, biometric data (fingerprint, facial scan, and so on), or be tied to a specific admin workstation’s MAC address.
- Encryption for data in motion and at rest: By default, organizations should enable and use the strongest encryption available without unduly affecting data access or application performance. Data should also be encrypted wherever it’s stored, both at endpoints when used on the client side and in data stores when used by an application or when truly at rest (active or multi-tiered storage repositories). Even if such data is leaked, it shouldn’t be accessible to those without the decryption keys.
- Proactive use of threat intelligence and attack surface management: Even though the provider should take security responsibility for patching and updating its platforms and services, those who consume them must remain aware when exposures or vulnerabilities are discovered.
Because the application-providing organization remains responsible for data and application security, even when running in the cloud, they must know when exposure is possible and properly manage the associated risks. This should include continuous security and vulnerability monitoring, as well as code monitoring for open-source and proprietary APIs that the cloud provider offers for application use. In fact, organizations are well-advised to plan regular white hat or red
team exercises, and make sure that penetration testing includes checks on cloud security as well as code under the organization’s direct and more immediate control. Remediation and workaround responses to vulnerabilities and exposures should therefore also include cloud- focused fixes (code updates, workarounds, security policy changes, privilege management, and so forth).
- Proactive use of monitoring and anomaly detection: Here again, the provider should take responsibility for ensuring that its authentication, authorization, and access control mechanisms are safe and secure. And again, the application-providing organization is also responsible for safeguarding data and applications from unauthorized access, use, disclosure, and loss. Thus, organizations should not just periodically audit logs (and track administrative access). Ideally,
they should use AI/ML-based tools to establish a security baseline for typical usage and access behaviors. Then, they can use sophisticated anomaly-detection tools to respond quickly and decisively to evidence of an attack or unauthorized access. Thus, for example, wholesale encryption of files not usually encrypted in batches or bunches becomes a big red flag that a ransomware attack might be underway. Other big red flags that anomaly detection can alarm about include the
creation of new and unexpected administrative accounts, unwanted delegation or extension of administrative privileges, and so on, which often indicate slow infiltration and takeover of systems by outside attackers. Likewise, for sudden deletions or alterations of security log and audit files themselves.
- Use of strong backup and recovery tools: The ultimate defense against compromise is a safe, secure write-protected backup image, snapshot, or file-by-file copy that is inaccessible to outside attackers. Should the worst come to worst, and data be lost or corrupted, this provides the final line of defense against complete and total loss. It also usually provides a starting point, along with transaction logs or other replay techniques, to bring a disaster recovery or business continuity scenario into active use. Thus, it also provides an important, tamper-free baseline for security recovery.
In fact, cloud security is becoming an important enough field that numerous training and certification programs and credentials make it their primary focus. In 2018, I wrote a story for HPE about this area, titled 5 surefire cloud security certifications that remain accurate and relevant in 2021, which remains accurate and relevant in 2021. That said, organizations that include SANS GIAC (which offers a dedicated cloud security track), cloud platform providers (including AWS, Microsoft Azure, and the Google Cloud Platform), ISC-Squared (home to the Certified Cloud Security professional or CCSP, as well as the well-known Certified Information Systems Security Specialist or CISSP), and others offer a wide variety of cloud security credentials. Companies that wish to play the cloud game seriously and that develop cloud-based applications would be well-advised to have one or more certified cloud professionals on staff on both the development and the operations sides of IT.
