Cloud Security l The Strategy You Need

I think we make things way more complicated than they need to be when it comes cloud security. This makes our lives a lot harder than they need to be there. Some massive advantages. When it comes to Security in the cloud primarily, I think we can simplify our T. The first is integrated identity and access management all three. Major Cloud providers, AWS Google and Microsoft offer. Fantastic identity and access management systems. These are things that security and they have any professionals have been clamoring for four decades. We finally have this ability, we need to take advantage of it. The second main area is the shared responsibility model. Cover that more in a minute, but it’s an absolutely wonderful tool to understand your mental model too.

Is where you need to focus, your security efforts and the third area that simplifies security for us is the universal application of apis or application programming interfaces. These give us as Security Professionals the ability to orchestrate and automate a huge amount of the grunt work away. These three things add up to Ability for us to execute a very sophisticated or very difficult to pull off security practice. But one, Ultimately is actually pretty simple in its approach. It’s just all the details are hard and we’re going to be using these three advantages to make those details simpler. So, let’s take a step back for a second. And look at what our goal is. What is the goal of cybersecurity? That’s not something you hear quite often as a question. A lot of the time you’ll hear the definition of cybersecurity is about securing, a confidentiality integrity and availability of information or data the CIA Triad different CIA, but I like to phrase this in a different Current way. I think the goal is much clearer and the goal is much simpler. It is to make sure that whatever you’re building works as intended and only as intended now you’ll realize you can’t accomplish this goal just this is security team you need to work with your developers. You need to work with operations. You need to work with the business units, with the end users of your application as well. This is a wonderful way of phrasing, our goal and realizing that we’re all in this together to make sure whatever you’re building works as intended and only as intended.

Now, if we move forward and we look at who are we up against? Who’s preventing our stuff from working? Well, you look at normally, you think, of who’s attacking our systems, who are the risks, is it nation states, is it maybe Insider threats while these are valid threats, they’re really, overblown your don’t have to worry about nation-state attacks. If you are a nation state, worry about it. If you’re not a nation state, you don’t have to worry about it. Because frankly, there’s nothing you can do to stop them. You can slow them down a little bit, but by definition.

They’re going to get through your resources as far as Insider attacks, this is an HR problem, treat your people. Well, check in with them and have a strong Information Management policy in place, and you’re going to reduce this threat naturally. If you go hunting for people, you’re going to create a very threats that you’re looking at. So for exist to the next set, what about cyber criminals? You know, we do have to worry about cyber criminals, cyber criminals are targeting systems simply because these systems are online. These are profit-motivated criminals who are organized and have a good. Of tools so we absolutely need to worry about but there’s a more Insidious or more commonplace, maybe a simpler threat that we need to worry about and that’s one of mistakes. The vast majority of issues that happen around data, breaches around security vulnerabilities in the cloud are mistake driven. In fact, to the point where I would not even worried about cyber criminals, simply because all the work we’re going to do to focus on preventing mistakes and catching and rectifying mistakes. Really, really quickly is going to give you cover all the stuff that we done to block out, cyber criminals as well.

Mistakes are very common because people are using a lot more services in the cloud. You have a lot more parts and moving complexity in your deployment and you’re going to make a mistake, which is why you need to put automated systems in place to make sure that those mistakes don’t happen. Or if they do happen that they’re caught, very very quickly. This applies to standard devops philosophies for building. It also applies to security very, very wonderfully. So this is the main thing. We’re going to focus on. So if we look at that sum up together, we have our goal of making sure whatever we’re building works as intended and only as intended and our major issue here. The biggest risk to this is simple mistakes and misconfigurations. Okay, so we’re not starting from ground zero. Here we can learn from others. In the first place we’re going to learn is the shared responsibility model.

The shared responsibility applies to all cloud service providers. If you look on the left-hand side of the slide here, you’ll see the traditional on-premise model, we roughly have six areas where something has to be done roughly daily. Whether it’s patching maintenance, just operational, visibility monitoring that kind of thing. And in a traditional on-premise environment, you’re responsible for all of it. Whether it’s your team Team or a team underneath your organization somewhere within your tree. People are on the hook for doing stuff daily here when we move into an infrastructure. So getting a virtual machine from a cloud provider right off the bat, half of the responsibilities are pushed away, that’s a huge, huge win. And as we move further, and further to the right two more managed service or SAS level Services, we have less and less daily responsibilities. And of course, you always still have to verify that the cloud service providers doing what they say they’re doing, which is why certifications and compliance Frameworks come into play.

But the bottom line is you’re doing less work. So you can focus on fewer areas that is or I should say not less work. What you’re doing less broad of a work. So you can have that deeper focus and of course you always have to worry about service configuration. You are given knobs and dials to turn to lock things down. You should use them like things like encrypting, all your data at rest. Most of the time it’s an easy check box but it’s up to you to check it because it’s your responsibility. We also have the idea of an adoption framework that this applies for Asher for AWS and for Google, and what they do is they help you map out your business processes. This is important to security because it gives you the understanding of where your data is, what’s important to the business. Where does it lie, who needs to touch it and access it. And processing, that also gives us the idea or the ability to identify the stakeholders. So that we know, you know, who is concerned about this data, who is has an investment in this data. And finally, it helps to deliver an action plan.

The output of all these Frameworks is to deliver an action plan, to help you migrate into the cloud and help you to continuously evolve. Well, it’s also a phenomenal map for your security efforts. You want to prioritize security. This is how you do it. You get it through the adoption framework understanding what’s important to the business and that lets you identify critical systems and areas for your security. Again, we want to keep things simple, right? And the third are the other thing you want to look at is the sea is foundations. They have them for a to be ours, Azure and gcp. And these provide prescriptive guidance Is there really a strong Baseline and a checklist of tasks that you can accomplish or take on, on your take on, on your own? Excuse me. In order to basically cover off the really Basics is encryption at rest on, you know, do I make sure that I don’t have kind of things, needlessly expose the internet, and that type of thing, really fantastic reference point and a starting point for your security practice. Again with this idea of keeping things as simple as possible. So when it comes to looking at our security policy, we’ve used the framework.

I’m in the Baseline to kind of set up a strong start to understand where the business is concerned in a prioritize. Then the first question we need to ask ourselves is security practitioners, what happened? If we, if something happens and we ask what happened? Do we have the ability to answer this question? So that starts us off with logging and auditing. This needs to be in place before, something happened. Let me just say that. Again, before something happened, you need to be able to have this information in place. Now, this is really to ask these key questions of what And in my account and who or what made that thing happen. So this starts in the cloud with some basic services for AWS. Its cloud trail for Azure, it’s Monitor and for Google Cloud, it used to be called stackdriver, it is now the Google Cloud operations, sweet. So these need to be enabled on at full volume. Don’t worry, you can use some lifecycle rules on the data storage, to keep your costs low. But this gives you that layer that basic auditing and logging layer, so you can answer that question. What happened?

Next question, you want to ask yourself, or have the ability to answer is, who’s there? Right? Who’s doing what in my account? And that comes down to Identity. We’ve already mentioned this is one of the key pillars of keeping security simple and getting that highly effective security in your Cloud. So here you’re answering the questions of who are you and what are you allowed to do? This is where we get a very simple privilege or principal insecurity which is the principle of least privilege, you want to give an identity so whether that’s a user or role only the Privileges.

They are require that are essential to perform the tasks that they are intended to do. Okay? So basically, if I need to write a file into a storage folder or bucket, I should only have the ability to write that file. I don’t need to read it. I don’t need to delete it. I just need to write to it. So only give me that ability. Remember that comes back to the other pillar of simple security here of kii cloud security is integrated identity. This is where it really takes off. Is that we start to assign very granular access permissions and don’t worry, we’re going to use Has the apis to automate all this stuff so that it’s not a management headache that the principle of least privilege is absolutely critical here.

The service is you’re going to be using amazingly all three Cloud providers got in line and name them the same thing. It’s, I am identity and access management, whether that’s a WS Azure or Google Cloud. Now, the next question, we’re going to ask ourselves, are the areas where we’re going to be looking at is really where should I be focusing security controls? Where should I be putting stuff in place because up? Until now we’ve really talked about leveraging, what’s available from the cloud service providers and you absolutely should be available. Maximize your usage of their native and primitive.

As primitive as far as base Concepts not meds. I’m refined, they’re very Advanced controls and but there are times where you’re going to need to put in your own controls and these are the areas you’re going to focus on. So you’re gonna start with networking, right? So in your networking, you’re going to maximize the native structures that are available in the cloud that you are in a. So whether that’s a project structure in Google Cloud, whether that’s a service, like Transit Gateway in AWS and all of them have this idea of a V PC or virtual private cloud or virtual Network. That is a very strong boundary for you to use. Remember most

Not charged for the creation of those. You have limits in your accounts but accounts are free and you can keep adding more. Virtual networks may be saying, wait a minute I’m trying to simplify things actually having multiple virtual networks or virtual private clouds ends up being far simpler because each of them has a task. You go. This application runs in this virtual private Cloud not a big shared one in this specific V PC and that gives you this wonderfully, strong security boundaries and a very simple way of looking at 1pp. See one action, very much the Unix philosophy in play.

Here, though, is understanding that while all the security controls in place for your service provider? Give you. So, you know, whether it’s ppc’s routing tables, Access Control list security groups. All the sdn features that they’ve got in place. These really help you figure out whether service a or system, a is allowed to talk to be but they don’t tell you what they’re saying and that’s where additional controls called an IPS or intrusion prevention system, come into play. You may want to look at getting a 3rd party control in to do that because none of the big

Cam providers offer an IPS at this point, but that gives you the ability to not just say, hey, you’re allowed to talk to each other, but to monitor that conversation to ensure that there’s not malicious code being passed back and forth between systems that nobody’s trying a denial-of-service attack, a whole bunch of extra things on there. So that’s where IPS comes into play in your network defense. Now we look at compute, right? We can have compute various forms whether that’s in serverless functions, whether that’s in containers, manage containers, whether that’s in traditional virtual machines but all the Apples are the same. You want to understand where the shared responsibility line is how much is on your plate. How much is on the csps? You want to understand that you need to harden EOS or the service or both, in some cases. Make sure that that’s locked down. So have administrator password. Very, very complicated. Don’t log into these systems, you know, because you want to be fixing things up stream, you want to be fixing things in the build pipeline, not logging into these systems directly. And that’s a huge thing for systems people to get over, but it’s absolutely essential for security.

You know what, it’s going to take awhile, but there’s some tricks there, you can follow with me. You can see on the slides at Market is my social everywhere. Happy to walk you through the next steps. This idea of this presentation is really just the simple Basics to start with, to give you that overview of where to focus your time and dispel that myth that cloud security is complicating things. It is a huge path is Simplicity, which is a massive Windsor for security. So the last area you want to focus, here isn’t data and storage where the this is databases, whether this is Big Blob storage or The buckets in AWS doesn’t really matter the principles again all the same. You want to encrypt your data at rest, using the native Cloud, provided cloud, service provider features, functionality, because most of the time, it’s just give it a key address and give it a check box and you’re good to go. It’s never been easier to interpret things in there. Is no excuse for it. None of the providers charge extra for encryption which is amazing. I’m you absolutely want to be taken advantage of that and you want to be as granular as possible with your I am and as a reasonable.

There’s a lot of the data stores that are native. The cloud service providers, you can go right down to the data cell level and say, Mark has access for Mark doesn’t have access to the cell that we can be highly effective and may be right for your use case. It might be too much as well, but the nice thing is you have that option. It’s integrated, it’s pretty straightforward to implement.

And then finally, you want to be looking at life cycle strategies to keep your costs under control data. Really spins out of control when you don’t have to worry about capacity. All the cloud service providers have so fantastic automations in place. Basically, just giving you a very simple rules to say, okay, after 90 days move this over to cheaper storage after a hundred eighty days, he’ll get rid of it completely reporting Cold Storage take advantage of those or your bills going to spiral out of control and that relates to availability because and reliability because more you’re spending on that kind of stuff too. You have to spend on other areas, like security and operational efficiency supper.