Network
Like enterprise data centers, well-defined network security architectures are critical to understanding and managing risk by controlling what can communicate to what. However, traditional enterprise data center network security approaches don’t translate well into public cloud.
8 Network Security Best Practices
1. Start By Treating the Cloud as an Extension of the Enterprise Data Center
Most enterprises will start by connecting their enterprise network to the cloud and treating it like a remote data center, without initially having the cloud workloads communicate directly to the public internet. This allows the enterprise to gain experience with cloud security while still using on-premises network appliances for protection from attacks through the existing firewall and intrusion prevention services.
2. Tightly Control Network Communications to/from the Public Internet
Longer term, as expertise grows, public cloud-based workloads will communicate directly to the internet. Unless specific on-premises data is needed, these cloud applications should be isolated from enterprise data centers. The built-in security groups and network controls of the cloud providers provide sufficient isolation and control for this.
3. Encrypt all Network Communications by Default
All network communications — whether to and from the cloud, across regions within a cloud provider and, ideally, within a region itself — should be encrypted by default, using validated encryption methods and protocols such as Transport Layer Security (TLS). In addition, establish the use of mutual authentication for both sides of the communication.
4. Segment Lateral Traffic by Default
“Zero trust network segmentation” projects, also referred to as “microsegmentation” or “software-defined segmentation,” apply finer-grained isolation to workloads. The built-in, software-defined networking capabilities of cloud IaaS providers offer the ability to apply granular network isolation policies based on workload identities. Enterprises should avoid the “flat network” problem pervasive in enterprise data centers by segmenting by default.
5. Use Visualization Tools to Understand, Build and Optimize Network Policies
One of the challenges of any zero trust network segmentation strategy is how to map network flows and translate these into network policy. Third-party CSPM and network traffic analysis tools may be needed to gather flows, visualize them and map them to the native network security policies of the cloud provider. Excessive permissions can be trimmed by comparing what network connectivity is initially provisioned to what is actually used.
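The comparison described above, provisioned connectivity versus connectivity actually used, as an added example that is not part of the original document or any vendor's tool: it evaluates a constructed set of security-group rules against constructed VPC-style flow records and reports the rules that no accepted flow ever needed. The rule tuple layout and the flow-record fields are assumptions modeled on AWS conventions.

```python
"""Added example (not Gartner's or any vendor's code): compare provisioned
security-group rules with observed flows and report rules no accepted flow ever
needed. Rule tuples and flow fields are constructed assumptions (AWS-style)."""
import ipaddress
from collections import defaultdict
PROTO_NUM = {"tcp": 6, "udp": 17}  # IANA protocol numbers as logged in flow records

# Constructed ingress rules: (rule_id, protocol, from_port, to_port, source_cidr)
RULES = [
    ("sg-web-443", "tcp", 443, 443, "0.0.0.0/0"),
    ("sg-web-22", "tcp", 22, 22, "0.0.0.0/0"),  # broad SSH rule
    ("sg-app-8080", "tcp", 8080, 8080, "10.0.0.0/16"),
    ("sg-db-5432", "tcp", 5432, 5432, "10.0.1.0/24"),
]

# Constructed flow records: srcaddr dstaddr dstport protocol action
FLOWS = """\
203.0.113.7 10.0.1.10 443 6 ACCEPT
198.51.100.9 10.0.1.10 443 6 ACCEPT
10.0.2.15 10.0.1.20 8080 6 ACCEPT
10.0.9.3 10.0.1.10 22 6 REJECT
"""

def parse_flows(text):
    """Yield (src, dst, dport, proto, action) tuples from the constructed format."""
    for line in text.splitlines():
        src, dst, dport, proto, action = line.split()
        yield src, dst, int(dport), int(proto), action

def rule_matches(rule, src, dport, proto):
    _rid, rproto, lo, hi, cidr = rule
    return (PROTO_NUM[rproto] == proto and lo <= dport <= hi
            and ipaddress.ip_address(src) in ipaddress.ip_network(cidr))

def observed_sources(rules, flows):
    """Map rule_id -> sorted source addresses whose ACCEPTed flows that rule admitted."""
    seen = defaultdict(set)
    for src, _dst, dport, proto, action in flows:
        if action != "ACCEPT":  # rejected traffic exercised no allow rule
            continue
        for rule in rules:
            if rule_matches(rule, src, dport, proto):
                seen[rule[0]].add(src)
    return {rid: sorted(addrs) for rid, addrs in seen.items()}

def unused_rules(rules, flows):
    """Rule ids that no accepted flow ever needed: candidates for trimming."""
    used = observed_sources(rules, list(flows))
    return [r[0] for r in rules if r[0] not in used]
```

The per-rule source list also shows how far a 0.0.0.0/0 rule could be narrowed once enough flow history has been collected.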
6. Avoid In-line Network Security Appliances for Traffic Inspection
VM-based network appliances create chokepoints and potential single points of failure, and are increasingly blind to encrypted traffic if payload inspection is required. Network security appliances placed at chokepoints are a cloud antipattern. In some cases, third-party cloud-native offerings may be needed, combined with a transit-network-type architecture to centralize common inspection requirements. Alternatively, the use of workload-based controls can distribute the in-line network inspection to each VM.
7. Where Third-party Network Security Controls Are Used, Favor Cloud-native Approaches
Vendors that simply repackage their on-premises physical appliance as a virtual appliance don’t provide a cloud-native experience. Cloud-native security offerings offer built-in automated resiliency, scale-out architectures, ease of insertion into the programmable network fabric of the cloud provider and support for transit virtual private cloud (VPC)-like constructs.
8. Replace Legacy Virtual Private Network (VPN) And Demilitarized Zone (DMZ) Architectures With Zero Trust Network Access (ZTNA)
Where named user access is needed to a cloud-based application or front-end service, don’t use legacy DMZ and VPN architectures. Use a ZTNA (Zero Trust Network Access) solution as a stand-alone offering or as part of a broader set of secure access service edge (SASE) capabilities.
Storage
Most of the publicly reported cloud security incidents are related to the misconfiguration of cloud storage services, exposing sensitive data to the public internet.
3 Storage Security Best Practices
1. Scan For Open File Shares
Open file shares and object storage represent the most common form of public cloud security exposure. However, this exposure is entirely preventable and relatively easy to avoid.
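An offline version of the scan described above, as an added example that is not part of the original document or any provider's tooling: it inspects a constructed bucket inventory for policies open to any principal and for ACL grants to the public groups, and treats a provider-level public-access block as overriding both. The policy and ACL shapes mirror AWS S3 documents; the inventory and the block_public_access flag are constructed assumptions, and a real scan would pull them through the provider's API.

```python
"""Added example (not Gartner's or any provider's tool): offline check of bucket
configurations for public exposure. Policy/ACL shapes mirror AWS S3 documents;
the inventory and block_public_access flag are constructed assumptions."""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}: any account, including anonymous."""
    values = principal.values() if isinstance(principal, dict) else [principal]
    return any("*" in _as_list(v) for v in values)

def public_policy_statements(policy):
    """Sids of unconditional Allow statements open to any principal."""
    return [s.get("Sid", "<no sid>") for s in _as_list(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(acl):
    """Permissions granted to the AllUsers or AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]

def scan(buckets):
    """Map bucket name -> exposure findings; an empty list means none found."""
    findings = {}
    for b in buckets:
        if b.get("block_public_access"):  # provider-level block overrides policy and ACL
            findings[b["name"]] = []
            continue
        findings[b["name"]] = (
            [f"policy:{s}" for s in public_policy_statements(b.get("policy", {}))]
            + [f"acl:{p}" for p in public_acl_grants(b.get("acl", {}))])
    return findings

# Constructed inventory: an intended public site, a leaky backup bucket, a bucket saved by the block
BUCKETS = [
    {"name": "public-website", "block_public_access": False, "acl": {},
     "policy": {"Statement": [{"Sid": "AllowRead", "Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-website/*"}]}},
    {"name": "backups", "block_public_access": False,
     "acl": {"Grants": [{"Grantee": {"URI": AUTH_USERS}, "Permission": "READ"}]},
     "policy": {"Statement": [{"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                               "Action": "s3:*", "Resource": "*",
                               "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}},
    {"name": "hr-archive", "block_public_access": True, "policy": {},
     "acl": {"Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "FULL_CONTROL"}]}},
]
```

A conditional Allow to "*" (the VpcOnly statement) is not reported as public, but it still deserves review, since a weak condition is as good as none.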
2. Don’t Use IaaS Object Storage Repositories as a Substitute for Enterprise-caliber Content Collaboration Platforms
Developers may be tempted to share files using IaaS/PaaS object stores. While better than email, this is not as secure as commercial content collaboration platforms designed for this, such as solutions from Box, Citrix, Dropbox, Google, Microsoft (OneDrive) and others.
3. Encrypt all Data at Rest Using Customer-controlled Keys
The principle of default deny should be applied to data access as well. Data at rest encryption is not a panacea, but it does reduce the surface area for attacks and raises the bar for attackers. The built-in encryption capabilities of cloud infrastructure make this straightforward and seamless, with the strong recommendation that the customer maintain control of the master keys, rooted in the strength of cloud-based or on-premises hardware. Encrypted data with customer-controlled keys has immense value when data needs to be deleted. For strong assurance that deleted data is no longer accessible, delete the master key (and any backup keys).
Compute
IaaS compute offerings are the building blocks for cloud workloads.
4 Compute Configuration Best Practices
1. Separate the Right to Create VMs From the Right to Delete Them
Separation of duties should extend to the rights to manage machine and storage images. No single account should be able to delete the entire set of enterprise assets in IaaS.
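One way to check the separation described above across an account's roles, as an added example that is not part of the original document or any provider's tooling: it evaluates IAM-style policy documents (Allow/Deny with glob-pattern actions, where an explicit Deny wins) and flags any role that can both create and delete compute assets. The role inventory is constructed; the action names follow AWS EC2 naming.

```python
"""Added example (not Gartner's or a provider's tool): separation-of-duties
check over IAM-style policies. Policy shape and action names follow AWS
conventions; the role inventory below is constructed."""
from fnmatch import fnmatch

CREATE_ACTIONS = {"ec2:RunInstances", "ec2:CreateImage", "ec2:CreateSnapshot"}
DELETE_ACTIONS = {"ec2:TerminateInstances", "ec2:DeregisterImage", "ec2:DeleteSnapshot"}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def allowed_actions(policies, candidates):
    """Subset of `candidates` the combined policies permit. As in IAM, an
    explicit Deny beats any Allow, and Action entries are glob patterns."""
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            hit = {a for a in candidates if any(fnmatch(a.lower(), p) for p in patterns)}
            (allowed if stmt.get("Effect") == "Allow" else denied).update(hit)
    return allowed - denied

def sod_violations(roles):
    """Map role name -> sorted actions, for roles able to both create and delete."""
    out = {}
    for name, policies in roles.items():
        can = allowed_actions(policies, CREATE_ACTIONS | DELETE_ACTIONS)
        if can & CREATE_ACTIONS and can & DELETE_ACTIONS:
            out[name] = sorted(can)
    return out

# Constructed roles: a builder, a blanket admin, and an admin scoped by an explicit Deny
ROLES = {
    "builder": [{"Statement": [{"Effect": "Allow",
                                "Action": ["ec2:RunInstances", "ec2:CreateImage"]}]}],
    "ops-admin": [{"Statement": [{"Effect": "Allow", "Action": "ec2:*"}]}],
    "scoped-admin": [{"Statement": [
        {"Effect": "Allow", "Action": "ec2:*"},
        {"Effect": "Deny", "Action": ["ec2:Terminate*", "ec2:Deregister*", "ec2:Delete*"]}]}],
}
```

The check ignores Resource and Condition elements, so it over-reports rather than under-reports; a role flagged here needs a closer look, not automatic removal.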
2. Use IAM roles for servers
Servers will have identities and permissions associated with them. The use of IAM roles provides a scalable way to assign permissions to compute-based workloads.
3. Use the Cloud Provider’s Metadata Service for Workload Secrets
Cloud workloads will need access to secrets (passwords, API keys, certificates and so on). These should not be hard-coded in system images. All of the leading cloud providers offer a metadata service that stores these outside of the machine images and can be queried as needed. More advanced capabilities are offered in the cloud provider’s secrets management service. For multi-cloud capabilities, a third-party offering may be required.
4. Require All Workloads in Production to Use Tags
Many third-party security tools are able to directly query the attributes of a workload using the native APIs of the cloud provider. Labels and tags on machine images provide a simple way to map and consume policies from third-party security consoles (such as the cloud workload protection platforms discussed later in this document).
PaaS
Leading cloud providers have a substantial number of platform services available to developers. Each of these comes with settings for configurations and permissions, creating significant complexity and the potential for misconfiguration.
4 PaaS Security Best Practices
1. If the PaaS Service Stores Data, Encrypt it at Rest
As with storage services, the default security posture should be encryption of any cloud data at rest combined with the use of customer-controlled keys. There will be exceptions (such as data lakes where extensive analytics are performed).
2. Standardize Which PaaS Services will be Used
IaaS providers are continually introducing new services. As a best practice, enterprises will define the standard subset of services for their organization. This catalog will be reevaluated on a regular basis based on developer demand and service maturity.
3. Establish Best Practice Configurations for Each PaaS Offering the Enterprise Uses
The complexity of doing this for each service requires the use of a tool to automate the process. This is discussed in the next section.
4. Attach All PaaS Services to Logical Network Constructs
Leading IaaS/PaaS providers offer the capability to restrict access to their PaaS services to the enterprise’s logical network constructs, such as network security groups, virtual networks and VPC endpoints. Use this capability to restrict access to PaaS services wherever it is available. This way, access to and usage of PaaS services can be restricted to specific applications and workloads, so that they do not have to be reached over more broadly exposed network segments.
Conclusion
Architect for consistent visibility and control of all workloads regardless of location, size or architecture. Target the unique protection requirements of workloads in modern hybrid, multicloud data center architectures. Use a CWPP tool for achieving this. CWPP offerings should start by scanning for known vulnerabilities in development. At runtime, CWPP offerings should protect the workload from attacks, typically using a combination of system integrity protection, application control, memory protection, behavioral monitoring, host-based intrusion prevention and optional anti-malware protection.
Gartner recommends engaging certified cloud partners early in your cloud planning process, so that gaps are identified and closed early, before they become a disaster.