As part of the Application Security, Cloud Security & Virtualization and Security Strategy tracks at RSAC 2018, DisruptOPS CEO Rich Mogull and Informatica CTO Bill Burns detailed how to build a complete cloud security program in Building and Adopting a Cloud-Native Security Program.
The responsibility of security is shared between the cloud provider and the consumer (the organization building infrastructure security), but cloud providers are typically building controls to protect themselves, not necessarily your infrastructure or organization. Part of your security strategy should include figuring out how you can push more security responsibility onto cloud providers.
The three cloud-native security program principles include APIs, automation and immutability/isolation. The cloud application security process includes:
- Secure architecture and design
- Secure deployment/DevOps
- External security controls
- Secure operations
Start with application design first - since it's easy to configure and reconfigure in the cloud if you get anything wrong. Replace and don’t patch; just redeploy updates in case of misconfiguration. The cost and friction required to implement infrastructure controls is much lower. Figure out the application flow first and get all of the basic components in place.
Good design can eliminate common traditional security issues.
DevOps allows you to embed security into your program, while architecture lets you leverage shared responsibilities to reduce your security management surface by pushing them onto a cloud provider that is incentivized to avoid security incidents. The cloud gives you multiple data centers that scale to exactly what you need at the same time - giving you an inexpensive way to conduct disaster recovery simulations.
When it comes to building infrastructure and cloud management, it's key to secure the root account and non-root users with good identity management practices, such as don't allow super admin rights for all users. For identity management, they suggest using a federated ID broker to connect cloud providers and different accounts to manage security access.
They also recommend using ABAC - attribute-based access controls - policies that only allow access if, for example, you’re using multi-factor authentication (MFA) with certain IP addresses.
For cloud network security, fit the network to the application. Design your application architecture first, then design the network around it (not the other way around). This is something you can't do with data centers, but you can do using the cloud.
Encryption is easy, as it’s default for the cloud. Key management is the hardest part, but it’s very important to provision different groups and roles as part of IAM (Identity Access Management). App-level encryption is advised for regulated data - do not allow your developers to implement their own encryption.
Finally, leverage your cloud provider’s security threat alerts (if offered), by building native alerts into your environment for the fastest delivery, and then also feed them into a SIEM (security information and event management) system for deeper analysis.
Check out the presentation slides for more on incident response in the cloud, automated security management, and three-month plan to adopting cloud security at your organization.