Securing the Cloud Through Security Fundamentals
By Matt Kiernan, Rapid7
As organizations move critical systems and applications to the cloud, security teams often wonder whether their existing program adequately addresses their evolving IT footprint. The traditional security perimeter has disappeared, and newer technologies like containers and serverless functions present new security questions. Does securing these new technologies require new tools? Do teams need to rethink their security investment?
Before attempting to rewrite the entire security playbook, security teams should recognize that their security objectives don't really change based on the environment being secured. For teams looking to keep pace with their changing IT landscape, establishing fundamental security controls across their hybrid environment is a good start.
Luckily, there are several solid frameworks to choose from, including the CIS Critical Security Controls. Below, we'll outline five fundamentals for securing a hybrid environment that align with the "Basic" CIS Controls.
- Discover infrastructure and applications
To mangle a well-known adage, it's easier to protect what you can see, even if it's only around for a little while. Security fundamentals often start with taking inventory of everything that needs protecting. When this includes ephemeral assets that quickly disappear, security solutions that dynamically discover and assess assets as they come online can help manage risk when keeping inventory isn't as straightforward. See CIS Controls 1 and 2.
- Remediate vulnerabilities
The scope of vulnerability management grows in a hybrid world. On-premises assets are now just one component of your environment as cloud infrastructure and applications introduce potential vulnerabilities in things like container images and software packages. Approaching on-premises and cloud vulnerability management separately can make it difficult to prioritize vulnerabilities, so teams should consider solutions that address the hybrid environment as a whole. See CIS Control 3.
- Control administrative privileges
With phishing among the most common attack types, and stolen credentials its usual payoff, properly managing administrative privileges has always been important. Because admin privileges for cloud infrastructure are often shared across DevOps teams, managing those privileges becomes even trickier for the security team. For this reason, monitoring user behavior for indicators of stolen credentials is vital in hybrid environments. See CIS Control 4.
- Configure securely
Because cloud infrastructure is so highly configurable, misconfiguration is now a primary attack vector. When securing hybrid environments, assessing cloud configuration cannot be overlooked. See CIS Control 5.
- Monitor
Collecting log data provides a strong basis for building a security program. But cloud assets, especially ephemeral ones, can make log collection challenging. This is simplified by approaching log management holistically and centralizing logs from on-premises and cloud sources in a unified view. See CIS Control 6.
Securing the cloud doesn't mandate a complete overhaul of your security program. Instead, look at how well your existing security toolset prioritizes the controls above, and seek solutions that address the cloud as an equal component of the hybrid IT environment.