Organizations have been venturing further into the cloud, and faster than they anticipated, just to deal with the whipsaw effects of the COVID-19 pandemic. Prior to 2020, organizations were learning that the cloud can help make them more agile. In 2020, they discovered that the cloud was essential for business continuity and organizational resiliency. However, cloud environments and everything connected to them must be secured.
In fact, cloud security, like enterprise security itself, has many components that address different parts of the tech stack. The following are some of the essentials enterprises should have.
Security Review of Cloud Contracts (IaaS, PaaS, SaaS)
Security professionals may not be privy to cloud contracts simply because no one thought to include them in the review. Alternatively, security may be viewed as an obstacle when a quick implementation is desirable.
One of the biggest misconceptions among non-security professionals is that a basic cloud service includes enough security, even though cloud providers offer an array of add-on security services. For example, AWS offers six categories of security services: identity and access management (IAM), detection, infrastructure protection, data protection, incident response and compliance.
Another concept that’s not well understood is the shared responsibility model, in which the cloud provider is responsible for managing and maintaining the infrastructure and the customer is responsible for:
- Customer data
- Platform, applications, IAM
- OS, network and firewall configuration
- Client-side data encryption and data integrity; authentication
- Server-side encryption
- Networking traffic protection (encryption, data integrity, authentication)
Security should review cloud contracts to ensure adherence to security policies, including the rules, mechanisms and monitoring of data ingress and egress.
Containers were originally considered inherently secure, like the cloud. Then, reality kicked in. Today, most developers realize that container security is “a thing,” but they may not know what to do about it.
Container applications, including their dependencies, need to be scanned for vulnerabilities, especially since they tend to include considerable third-party software. Rather than scanning near the end of the software development lifecycle (SDLC), scans should be run at various SDLC stages to ensure that the code is secure from its creation to runtime.
Communication patterns between containers, as well as between containers and the host operating system, should be monitored for changes and abnormalities.
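An added example, not from the original article: a baseline-and-compare check for the container communication monitoring described above. The flow records, container names, ports and thresholds are constructed assumptions; real input would come from whatever flow telemetry the environment provides.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (window, source, destination, dest_port, bytes).
# "host" stands for the host operating system; all names are hypothetical.
BASELINE_FLOWS = [
    (1, "web", "api", 8080, 1200), (1, "api", "db", 5432, 900),
    (2, "web", "api", 8080, 1100), (2, "api", "db", 5432, 1000),
    (3, "web", "api", 8080, 1300), (3, "api", "db", 5432, 950),
]
OBSERVED_FLOWS = [
    (4, "web", "api", 8080, 1250),   # matches the baseline
    (4, "api", "db", 5432, 48000),   # known edge, abnormal volume
    (4, "web", "db", 5432, 300),     # container pair never seen before
    (4, "api", "host", 22, 150),     # container-to-host edge never seen before
]

def build_baseline(flows):
    """Map each (src, dst, port) edge to the byte counts seen per window."""
    per_edge = defaultdict(list)
    for _window, src, dst, port, nbytes in flows:
        per_edge[(src, dst, port)].append(nbytes)
    return per_edge

def detect(baseline, flows, z_threshold=3.0, min_sigma=50.0):
    """Return (kind, edge) alerts for new edges and abnormal byte volumes."""
    alerts = []
    for _window, src, dst, port, nbytes in flows:
        edge = (src, dst, port)
        history = baseline.get(edge)
        if history is None:
            # A change in the communication pattern: this edge has no history.
            kind = "new-host-edge" if "host" in (src, dst) else "new-edge"
            alerts.append((kind, edge))
            continue
        # min_sigma keeps a very stable edge from alerting on tiny variations.
        sigma = max(pstdev(history), min_sigma)
        if abs(nbytes - mean(history)) / sigma > z_threshold:
            alerts.append(("volume-anomaly", edge))
    return alerts

if __name__ == "__main__":
    for kind, edge in detect(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(kind, edge)
```
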
There are also environmental considerations including the security of the container orchestration platform, the infrastructure and the deployment environments.
Some consider cloud app security synonymous with a cloud application security broker (CASB), but it’s not that simple. CASB monitors user behavior to identify suspicious activity so it can adapt access to resources accordingly. CASB also controls access to resources across IaaS, PaaS and SaaS and provides insights into the security posture across those services.
However, security should be designed into applications, which is best accomplished through DevSecOps and shift-left testing. In addition, application security should include:
Web application firewalls (WAFs) are a defense mechanism that helps prevent or minimize application attacks, botnets, denial of service (DoS) attacks and other threats.
Mobile and IoT security
Mobile and IoT devices require an endpoint security solution to ensure security at the edge, which is typically paired with zero trust network access (ZTNA) for dynamic access to resources. Mobile and IoT applications use the cloud as a backend, so CASB might be used to monitor activity and enforce security policies. Alternatively, a secure access service edge (SASE), which combines SD-WAN with CASB, firewall as a service (FWaaS) and other security features, may be used.
Other mobile security elements to consider include:
- Email security
- Enterprise mobility management (EMM)
- Mobile device management (MDM)
- Mobile threat defense
- Secure web gateway
IoT security is a less mature category, but there are various solutions available now, some of which are specific to IIoT:
- Data security/encryption
- Device discovery
- Device security
- Firmware security
- M2M security
- Embedded security
- IoT cloud security
- IIoT/ICS security