This blog is part one of a five-part series exploring the critical steps to building a secure cloud environment. This resource offers a snapshot of the key points from the corresponding webcast Cloud Security Strategy: First Principles and Future Opportunities (Part 1 of 5), Building a Cloud Security Strategy: A Step-by-Step Guide. Register and watch the replay to reinforce your learning.
Setting the Stage: What is a Cloud Security Strategy?
A cloud security strategy is a comprehensive plan for safeguarding an organization’s cloud environments by identifying critical assets, managing access, detecting threats, and preparing for incidents. In essence, it’s a roadmap that enables organizations to understand and secure their cloud footprint.
Cybersecurity experts like SANS Institute’s Sean McCullough, Ashish Rajan, and Megan Roddie-Fonseca emphasize that an effective strategy involves strong identity and access management, continuous logging and monitoring, and a well-prepared incident response plan. This approach ensures an organization can protect its cloud resources, respond to threats, and adapt as its cloud infrastructure evolves.
Sean, a cloud security architect at GitHub and lead author of SEC541, Ashish, a CISO and host of the Cloud Security Podcast, and Megan, a senior security engineer at IBM, brought their expertise on these subjects to the recent SANS Cloud Security Exchange event. Their discussion focused on the practical steps needed to identify key assets, manage identities, and prepare for incident response in cloud security.
Understanding the Cloud Footprint
The first step in securing the cloud is understanding the extent of your organization’s cloud footprint. As Ashish highlighted, "You can’t protect what you can’t see." This starts with identifying critical systems and data, which are often spread across multiple cloud providers. Combined on-premises infrastructure and multiple cloud platforms make it crucial to understand where assets are hosted. Whether it's business-critical applications or sensitive customer data, knowing what you have and where it resides is foundational to your security strategy.
"These days, you have your...human and non-human identities," Rajan noted, referring to the roles and permissions needed for both users and systems within the cloud environment. An identity and access management (IAM) strategy is essential. Implementing single sign-on (SSO) solutions and standards like SAML and OAuth are vital steps in scaling security across cloud resources, allowing organizations to manage access effectively as their cloud usage grows.
Building a Threat Detection Program
Once your cloud footprint is understood, the next step is to establish a threat detection program. McCullough emphasized the importance of logging, "Logs tell the story of what is happening inside of the environment," making collecting the right ones essential. Cloud providers offer tools for capturing API, storage access, and network flow logs for monitoring and detecting threats. Sean specifically noted that "API logs...track nearly everything," in cloud environments.
Understanding the attack surface is another key aspect of building an effective threat detection program. "What is the attack surface likely for your environment?" McCullough asked, urging organizations to assess which resources are public-facing and which may be unnecessarily exposed. Ensuring patching and credential management is also critical. "Are they being patched? How often do they get patched?" McCullough asked, stressing the importance of regular maintenance.
Investigating and Responding to Incidents
Incidents are inevitable, that’s why preparation is key. Roddie-Fonseca explained that teams need to be prepared to act quickly, "If you try and go into incidents having never looked at the content of your cloud logs before, you will spend more time understanding those logs than you will working the incident."
In addition to preparation, creating forensic-ready environments is essential. Roddie-Fonseca emphasized the importance of being able to spin up cloud-based forensic workstations quickly. "You can create golden images of forensic workstations that are ready to deploy with all the tools you need," she said, emphasizing the value of having pre-configured environments ready to go. This ensures that when an incident occurs, teams can begin their investigation without setup delays and focus on what happened and respond.
The Role of Access and Tools in Incident Response
Access is a critical factor in any incident response process. As Roddie-Fonseca explained, "Responders are going to need access to pretty much everything," emphasizing that investigation efforts will be hindered without proper access. Access is a balancing act. To maintain security while allowing visibility, "Do not go give them global admin... in most cases, they’re probably only going to need read-only access," Megan advised.
Managing access is another important consideration. Roddie-Fonseca suggested using groups or roles for incident response teams, stating, "Don’t go and give each individual user this read-only privilege. Have a group... that is going to be used in incidents." This simplifies the process of granting necessary permissions so teams can get access to the right resources quickly.
Preparing for the Cloud Security Journey
Cloud security is an ongoing journey that requires continuous monitoring, preparation, and adjustment. As the three outlined, the first steps involve understanding your organization’s cloud footprint, managing identities, and building a threat detection program. From there, it’s about preparing for incident response, proper logs, access management, and the right tools.
To stay secure in the cloud, organizations need to invest in security readiness and ensure they have the tools, processes, and personnel to respond to any incident. As the panel emphasized, cloud security is about preparation, and there is no better time to start than today.
Complete Your Learning Experience
Register for the full five-part series, and for additional insights, check out Part 2 in this blog series. These sessions and corresponding blogs are essential for security leaders aiming to proactively secure their cloud environments and stay ahead in the rapidly evolving cloud security landscape.
