Unlock the secrets of effective cloud security with SANS Certified Instructor, Shaun McCullough in SEC541: Cloud Security Threat Detection. Register for the course or sign up for a free demo to learn strategic insights and real world tactics tailored to your organization’s cloud security needs.
When we start at a new company or build a new cloud security program, we often face cloud resources in operations that do not meet cloud security requirements if those requirements even exist. We may want dev and ops teams to focus on improving security, but those teams are likely already stretched to keep the applications operating and provide new value to customers.
We will not be able to fix everything at once; we need to take one step at a time, each bringing us closer to perfecting a security program.
First, Pick Something Easy
When I say easy, I don’t necessarily mean technically easy. There are plenty of examples of implementing secure infrastructure in the cloud environment, such as the AWS Well-Architected Framework, AWS Maturity Model, or Azure Benchmarks. And some third parties like the CIS Benchmarks describe how to implement these controls. What is difficult is the processes, the varying skills of the deployment teams, and the time available to fix. These are less technical but just as important. By easy, we mean limited friction. What can we do that will be useful and that we can implement without a lot of pain?
Azure Activity Logs and AWS CloudTrail are the simplest yet most important logs we can collect. They provide insights into the activities against the cloud’s management API, and they are one of the first places we go to build custom detections or perform investigations.
You can also turn on cloud security tools. AWS GuardDuty and Azure Defender for Cloud are the cloud’s primary workload protection platforms that monitor activity and give alerts to be investigated. While they may not be your only solution, an advantage of the cloud-provided services is that they are simple to deploy across all your environments.
Azure Storage Logs or S3 Bucket Logs can provide details into what data is read from storage services when an attacker has gained access. These logs generate a lot of data that some companies do not want to store. But if you are breached and don’t have the logs, the boss will tell you to get the logs flowing.
Good Security – More Friction
The previous section discussed changes you can make with little friction with the development or production teams. Now, we will engage with the teams to improve the environment, but not for architectural changes, at least not yet.
If your cloud environment has been around for a while, you likely have abandoned resources. Unused or under-used resources usually mean that they are not actively managed, and unmanaged resources must be patched. This includes identity resources like IAM users and Azure Service Principals. Start contacting teams to find those virtual machines (VMs), container orchestrators, or storage accounts filled with abandoned data and shut them down. Azure has a great workbook for identifying orphaned resources.
Data is at the heart of what we are protecting, and sensitive data may not be where expected. Ensure your organization has a process for adequately tagging where sensitive data is and validate it hasn’t accidentally found its way into other places. Tools like AWS Macie can help.
Challenging, Measurable, Important
Now, it's time to start implementing security solutions that affect how people work. This requires engagement, collaboration, and leadership directives, but we can start locking down our infrastructure.
Guard rails are technical capabilities that prevent or remediate resources from being deployed improperly. Azure Policy and AWS Service Control Policies act as guard rails, though they work differently.
We want to get development teams to implement infrastructure in a more cloud-native way. VMs are no longer static and long-lived; many can be replaced or deployed in fleets. We then start looking at automated deployments, moving VM and container patching away from live systems and towards patching images and forcing redeploys. Networking constructs are different in the cloud, allowing us to move resources entirely out of public subnets and into private subnets by using Azure Bastion or AWS System Manager for access.
These security controls will last longer but require changes to how your developers build and manage infrastructure.
Push the Flywheel
Take those small, iterative steps. Ensure you audit and measure everything, including processes, friction points, and technology gaps. With each step, you adjust and repeat, and the flywheel will spin faster and faster.
Want to know how to use these logs and cloud security tools to detect adversaries? Sign up for a free demo or the register for SEC541 today! Experience firsthand how this course can empower you with the knowledge and tools to secure your cloud environments effectively.
