Cybersecurity practices for organizations using the cloud should be implemented differently than for those who do not. (Actually, are there any organizations who do not use the cloud for at least some part of their data these days?) Microsoft recently shared with their partners five important “best practices” for cloud security, and I’m passing these along to you today.
Strengthen access control
Understandably, we should not count on traditional security practices to defend against modern security attacks. Therefore, there is a new modern security practice: “assume breach”. In other words, take a proactive stance and protect as though the attacker has already breached the network perimeter. As we all know, today’s users work from many locations with multiple devices and apps. The only constant is the user’s identity, which is why it is the new security control variable.
Institute multifactor authentication (MFA)
As a starting point, you should add another layer of security by requiring two or more of the following authentication methods:
Have your users provide identification by using something they
- Know (typically a password or PIN)
- Have (a trusted device that is not easily duplicated, like a phone)
- Are (biometrics, such as a fingerprint)
Take advantage of conditional access
Next, you’ll want to master the balance between security and productivity by factoring how a resource is accessed into an access control decision. Implement automated access control decisions for accessing your cloud apps that are based on conditions.
- Operate in a zero-trust model
- Verify the identity of everything and anything trying to authenticate or connect before granting access.
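The MFA factor categories and the conditional-access rules above are easier to see as one policy evaluation. The following is an added example, not code from Microsoft or the original post: a small zero-trust style policy evaluator in which every sign-in, whether from the office or a cafe, is judged on the same conditions (factors presented, device compliance, network location, app sensitivity and a risk score). The app names, the blocked-country placeholder, the risk thresholds and the sample sign-ins are all constructed assumptions, not any product's policy schema.

```python
"""Added example: a conditional-access policy evaluator in the zero-trust style.
Every sign-in is evaluated against the same rules; nothing is trusted merely
because it originates "inside". All names, signals and thresholds are
illustrative assumptions, not a real product's policy schema."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """Authentication factor categories: something the user knows, has, or is."""
    KNOW = "know"   # password, PIN
    HAVE = "have"   # registered phone, hardware token
    ARE = "are"     # fingerprint, face


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    """The conditions presented with one access attempt."""
    user: str
    app: str
    factors_presented: frozenset  # Factor values already satisfied in this session
    device_compliant: bool        # managed and healthy per device policy
    ip_in_corp_range: bool
    country: str
    risk_score: float             # 0.0 (clean) .. 1.0 (compromised), from identity-risk signals


HIGH_VALUE_APPS = {"finance-portal", "admin-console"}   # assumed app names
BLOCKED_COUNTRIES = {"XX"}                              # placeholder country code


def mfa_satisfied(factors: frozenset) -> bool:
    """MFA means two or more *distinct* categories, not two factors of the same kind."""
    return len(factors) >= 2


def evaluate(signin: SignIn) -> Decision:
    """Evaluate the policy for one sign-in; the most restrictive rules are checked first."""
    # Hard blocks: disallowed locations or very high risk never proceed, MFA or not.
    if signin.country in BLOCKED_COUNTRIES or signin.risk_score >= 0.8:
        return Decision.BLOCK
    # High-value apps additionally require a compliant device regardless of location.
    if signin.app in HIGH_VALUE_APPS and not signin.device_compliant:
        return Decision.BLOCK
    # MFA is required everywhere except for low-risk sign-ins from a compliant
    # device on the corporate range, and even then only for ordinary apps.
    low_risk_trusted = (
        signin.device_compliant
        and signin.ip_in_corp_range
        and signin.risk_score < 0.2
        and signin.app not in HIGH_VALUE_APPS
    )
    if low_risk_trusted or mfa_satisfied(signin.factors_presented):
        return Decision.ALLOW
    return Decision.REQUIRE_MFA


# Constructed sample sign-ins covering each branch of the policy.
SAMPLES = {
    "office_laptop_mail": SignIn("alice", "mail", frozenset({Factor.KNOW}),
                                 True, True, "US", 0.05),
    "cafe_phone_mail": SignIn("alice", "mail", frozenset({Factor.KNOW}),
                              False, False, "US", 0.1),
    "cafe_phone_mail_mfa": SignIn("alice", "mail", frozenset({Factor.KNOW, Factor.HAVE}),
                                  False, False, "US", 0.1),
    "office_laptop_finance": SignIn("bob", "finance-portal", frozenset({Factor.KNOW}),
                                    True, True, "US", 0.05),
    "byod_finance_mfa": SignIn("bob", "finance-portal", frozenset({Factor.KNOW, Factor.ARE}),
                               False, True, "US", 0.05),
    "leaked_creds": SignIn("carol", "mail", frozenset({Factor.KNOW, Factor.HAVE}),
                           True, True, "US", 0.9),
}


def evaluate_all() -> dict:
    """Decision for every constructed sample, keyed by sample name."""
    return {name: evaluate(s) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:24s} -> {decision.value}")
```

Two design points worth noting: a high risk score blocks even a sign-in that completed MFA (credentials plus a compromised session should not be rescued by a second factor), and the "trusted" shortcut is deliberately narrow, so the corporate network is a condition among several rather than a perimeter that grants access by itself.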
Improve overall security posture
With more and more recommendations and security vulnerabilities identified, it is harder to triage and prioritize response. Therefore, you will want to make sure you have the tools you need to assess your current environments and assets and identify potential security issues.
Examine your current posture
Consider using a tool like Secure Score in Azure Security Center to understand and improve your security posture by implementing best practices.
Let others know of your success! By sharing progress on your secure score with stakeholders, you will demonstrate the value that you are providing to the organization as you improve organizational security.
Collaborate with your DevOps team on policies
Furthermore, to get out of reactive mode and into proactive mode, you must work with your DevOps teams up front so that key security policies are applied at the beginning of the engineering cycle (secure DevOps), rather than bolted on at release time.
Secure apps and data
Next, you will need to protect your data, apps, and infrastructure through a layered, defense-in-depth strategy across identity, data, hosts, and networks.
Encrypt data at rest and in transit. Consider encrypting data in use as well, with confidential computing technologies.
Follow security best practices
Ensure your open source dependencies do not have vulnerabilities. Additionally, train your developers in security best practices such as Security Development Lifecycle (SDL).
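To make "ensure your open source dependencies do not have vulnerabilities" concrete, here is an added example (not from the original post) of the core of a dependency audit: pinned package versions are matched against advisory entries that give an introduced version and a fixed version. Real tools such as pip-audit, npm audit and Dependabot do this matching against live databases; the advisory feed, advisory identifiers and requirements file below are all constructed, and the package names are invented.

```python
"""Added example: minimal dependency audit against a constructed advisory list.
Package names, advisory identifiers and versions are all made up."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    advisory_id: str  # placeholder identifiers, not real CVEs


# Constructed advisory feed (not real vulnerabilities).
ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.2", "EXAMPLE-2024-0001"),
    Advisory("examplelib", "2.0.0", "2.1.0", "EXAMPLE-2024-0002"),
    Advisory("otherlib",   "0.0.0", "3.0.0", "EXAMPLE-2023-0042"),
]

# Constructed requirements file contents.
REQUIREMENTS = """\
# pinned dependencies for the service
examplelib==1.3.7
otherlib==3.1.0
safelib==0.9.1
thirdlib == 2.31.0
"""


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings
    (as strings, '1.10.0' would sort below '1.4.2')."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> dict:
    """Parse exact pins (name==version) only; comments and blank lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def audit(requirements_text: str, advisories=ADVISORIES) -> list:
    """Return (package, pinned_version, advisory_id, fixed_in) for every vulnerable pin."""
    findings = []
    pins = parse_requirements(requirements_text)
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id, adv.fixed))
    return findings


if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in audit(REQUIREMENTS):
        print(f"{pkg}=={ver}: {adv_id}, upgrade to >= {fixed}")
```

The version-range comparison is the part that is easy to get wrong: comparing "1.10.0" and "1.4.2" as strings puts the newer release below the older one, which silently hides or invents findings, so versions are split into integer tuples before the range check.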
Share the responsibility
When a company operates primarily on premises, it owns the whole stack and is responsible for its own security. However, if you depend at any level on the cloud, some of those responsibilities change. Now it is your cloud provider who bears some of the burden. For instance:
- IaaS: for applications running in virtual machines, more of the burden is on the customer to ensure that both the application and OS are secure.
- PaaS: as you move to cloud-native PaaS, cloud providers like Microsoft will take more of the security responsibility at the OS level itself.
- SaaS: at the SaaS level, more responsibility shifts away from the customer.
My colleague Dan Callahan has written a series of useful posts about securing your apps and data utilizing the zero-trust model. You’ll want to give these a read if you haven’t yet done so.
Operational security posture—protect, detect, and respond—should be built on security intelligence, so that rapidly evolving threats are identified early and you can respond quickly.
Enable detection for all resource types
First, ensure threat detection is enabled for virtual machines, databases, storage, and IoT. Azure Security Center has built-in threat detection that supports all Azure resource types.
Integrate threat intelligence
Next, use a cloud provider that integrates threat intelligence, providing the necessary context, relevance, and prioritization for you to make faster, better, and more proactive decisions.
Modernize your security information and event management (SIEM)
Finally, you should consider a cloud-native SIEM that scales with your needs, uses AI to reduce noise, and requires no infrastructure of your own to run.
Protect the network
We’re in a time of transformation for network security. As the landscape changes, your security solutions must meet the challenges of new threats and make it more difficult for attackers to exploit networks.
Keep strong firewall protection
So you’ve successfully set up identity and access management. Nonetheless, your firewall is still important. Controls still need to be in place to protect the perimeter, detect hostile activity, and build your response. A web application firewall (WAF) protects web apps from common exploits like SQL injection and cross-site scripting.
Enable Distributed Denial of Service (DDoS) Protection
Additionally, you’ll need to protect web assets and networks from malicious traffic targeting application and network layers. By doing so, you maintain availability and performance, while containing operating costs.
Create a micro-segmented network
A flat network makes it easier for attackers to move laterally. Familiarize yourself with concepts like virtual networking, subnet provisioning, and IP addressing. Use micro-segmentation, and embrace a whole new concept of micro perimeters to support zero trust networking.
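The point that a flat network makes lateral movement easier can be measured rather than asserted. The following is an added example, not code from the original post: it computes the set of hosts reachable, hop by hop, from one compromised host under a flat network (everything reaches everything) and under a micro-segmented allow-list with default deny. The hosts, segment names, ports and rules are constructed; in Azure the equivalent enforcement would be network security group or firewall rules, but the default-deny evaluation is the same idea.

```python
"""Added example: blast radius of one compromised host in a flat network versus
a micro-segmented one. Hosts, segments and rules are constructed."""
from collections import deque

# Constructed hosts and their segment (micro-perimeter) membership.
HOSTS = {
    "web-1": "web", "web-2": "web",
    "api-1": "app",
    "db-1": "data",
    "jump-1": "mgmt",
    "hr-laptop": "user", "fin-laptop": "user",
    "ci-1": "build",
}

# Allow-list of (source_segment, dest_segment, port). Anything not listed is denied,
# including traffic between two hosts in the same segment.
SEGMENT_RULES = {
    ("user", "web", 443),
    ("web", "app", 8080),
    ("app", "data", 5432),
    ("mgmt", "app", 22),
    ("mgmt", "data", 22),
}

PORTS_OF_INTEREST = (22, 443, 5432, 8080)


def flat_allowed(src: str, dst: str, port: int) -> bool:
    """Flat network: every host can reach every other host on any port."""
    return src != dst


def segmented_allowed(src: str, dst: str, port: int) -> bool:
    """Micro-segmented network: default deny, except explicit segment rules."""
    return (HOSTS[src], HOSTS[dst], port) in SEGMENT_RULES


def reachable_from(start: str, allowed, ports=PORTS_OF_INTEREST) -> set:
    """Hosts reachable from `start` if each host reached is in turn fully compromised:
    a breadth-first transitive closure over allowed flows, excluding `start` itself."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt in seen:
                continue
            if any(allowed(cur, nxt, p) for p in ports):
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(start: str) -> dict:
    """Reachable host sets under both network models, for side-by-side comparison."""
    return {"flat": reachable_from(start, flat_allowed),
            "segmented": reachable_from(start, segmented_allowed)}


if __name__ == "__main__":
    for host in ("hr-laptop", "web-1"):
        r = blast_radius(host)
        print(f"{host}: flat={len(r['flat'])} hosts, segmented={sorted(r['segmented'])}")
```

Reading the output: from a user laptop the flat network exposes every other host, while the segmented one still exposes the web, app and data tiers along the permitted path but never the management jump host or the build server; from a web server the segmented reach shrinks to the app and data tiers. That is the case for micro-perimeters: rules are stated per flow, and anything not stated is denied.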