A cloud is an IT environment designed for remote access to IT resources. The term "cloud" originated as a metaphor for the Internet, which is a network of networks providing access to a remote set of decentralized IT resources. A cloud is accessible through the Internet, and there are many different clouds that are accessible this way.
Cloud computing provides several benefits for organizations and users. They are as follows:
- Almost any type of computing resource can be provisioned on demand.
- Organizations can scale the resources they use up and down as required.
- Users pay only for the resources and workloads they have used.
Whichever cloud service provider you use, cloud security is essential: you need to assess the security of the operating systems and applications you run in the cloud. Ongoing security in the cloud requires well-equipped cloud instances with defensive security controls, and an assessment of their ability to withstand the latest data breach threats.
The following points can help secure a cloud-based deployment.
1. Understand your shared responsibility: While the cloud provider takes care of the greater part of the virtualization and physical infrastructure, the rest of the responsibility for the infrastructure falls on the organization's users. Depending on the services used, it is the user's responsibility to enforce application security, policies, configuration etc.
2. Network Protection: Use defense in depth and secured services like
- Virtual Private Networks (VPN)
- Routing rules
- Network ACLs
- Proxy servers: Nginx
- Stateful firewalls
- Network Address Translation (NAT)
- Application: modsecurity
i. Host: iptables
ii. Network: pfSense
3. Protection of the Cloud Machine Images
- Harden machine images.
- Change default passwords.
- Disable insecure ports and services.
- Install AV software.
- Use a baseline (STIGs): a system-specific checklist.
- Learn the Security Content Automation Protocol (SCAP), which provides multiple tools for assisting administrators and auditors by enforcing security baselines.
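
A baseline check of the kind item 3 describes, as an added example that is not from the original article: it compares an image's effective sshd settings and listening ports against a small constructed baseline. The baseline values, sample config and port list are assumptions made for illustration, and `Match` blocks in sshd_config are not handled.

```python
# Added example: baseline values and sample inputs below are constructed.
SSHD_BASELINE = {"permitrootlogin": "no",
                 "passwordauthentication": "no",
                 "permitemptypasswords": "no"}
# Upstream OpenSSH defaults, applied when a keyword is absent or commented out.
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes",
                 "permitemptypasswords": "no"}
# Cleartext remote-access services a hardened image should not expose.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}

SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config from a hypothetical image
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
"""
SAMPLE_LISTENING_PORTS = [22, 23, 443]  # constructed, e.g. taken from `ss -tln`


def parse_sshd_config(text):
    """Return effective settings; sshd uses the first value it reads per keyword."""
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key not in seen:                   # later duplicates are ignored by sshd
            seen.add(key)
            settings[key] = value
    return settings


def check_image(sshd_config_text, listening_ports):
    """Compare an image against the baseline and return a list of findings."""
    findings = []
    effective = parse_sshd_config(sshd_config_text)
    for key, required in SSHD_BASELINE.items():
        if effective[key] != required:
            findings.append(("sshd", key, effective[key]))
    for port in sorted(listening_ports):
        if port in INSECURE_PORTS:
            findings.append(("port", port, INSECURE_PORTS[port]))
    return findings
```

On the sample image, the commented-out `PasswordAuthentication` line is reported because the default value applies, and the second `PermitRootLogin no` does not rescue the first `yes`.
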
4. Protection of Data at Rest: Data at rest refers to inactive data stored digitally. For protecting such data:
- Understand the different mechanisms of cloud storage and their security implications.
- Review the options for encryption primitives.
- Consider secure archival and data disposal.
- Tools: LUKS, dm-crypt, GNU shred
5. Protection of Data in transit: Data in transit refers to data that is flowing through a public or a private network.
- Always use secure application protocols like TLS (Transport Layer Security), SSH (Secure Shell), RDP (Remote Desktop Protocol).
- When the application does not use secure protocols for communication, securely tunnel traffic: IPsec, SSL VPN, SSH.
- Consider using a Key Management System.
- Tools: OpenVPN, Openswan.
6. Protection and Patching of Instances
- Use a Configuration Management System to patch all the cloud-based instances.
- for Zero Days and classify risks.
- Tools: OpenVAS
7. Protection of Instance Access:
- Manage your access to cloud instances by using a directory service.
- Create individual user accounts (IAM).
- Based on business needs, grant least privileges.
- Enable MFA (Multi-Factor Authentication) for privileged users.
- Audit all user activities.
- Refrain from using root cloud accounts.
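
The access rules in item 7 can be checked mechanically against an account inventory. The following is an added example, not from the original article; the inventory, its field names and the 90-day window for root use are constructed assumptions, not any cloud provider's API schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory; field names are assumptions, not a provider's API schema.
ACCOUNTS = [
    {"name": "root", "is_root": True, "privileged": True, "mfa": True,
     "shared": False, "last_used": "2024-01-30", "policies": ["*:*"]},
    {"name": "alice", "is_root": False, "privileged": True, "mfa": False,
     "shared": False, "last_used": "2024-01-29", "policies": ["compute:*"]},
    {"name": "deploy-team", "is_root": False, "privileged": False, "mfa": False,
     "shared": True, "last_used": "2024-01-15", "policies": ["storage:read"]},
    {"name": "bob", "is_root": False, "privileged": False, "mfa": False,
     "shared": False, "last_used": "2024-01-29", "policies": ["storage:read"]},
]
AUDIT_TIME = datetime(2024, 1, 31, tzinfo=timezone.utc)  # fixed so results repeat


def audit_account(acct, now=AUDIT_TIME, root_window_days=90):
    """Return the findings for one account, one per checklist item it violates."""
    findings = []
    last_used = datetime.fromisoformat(acct["last_used"]).replace(tzinfo=timezone.utc)
    if acct["is_root"]:
        # Root is all-powerful by design, so the useful signal is recent use.
        if now - last_used <= timedelta(days=root_window_days):
            findings.append("root account used recently")
        return findings
    if acct["shared"]:
        findings.append("shared account, not an individual user")
    if acct["privileged"] and not acct["mfa"]:
        findings.append("privileged account without MFA")
    if any(p.split(":")[-1] == "*" for p in acct["policies"]):
        findings.append("wildcard policy exceeds least privilege")
    return findings


def audit(accounts):
    """Map account name -> findings, omitting accounts with none."""
    return {a["name"]: f for a in accounts if (f := audit_account(a))}


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        print(name, findings)
```
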
8. Application protection
- Get AAA (Authentication, Authorization and Auditing) implemented.
- Understand the OWASP Top 10 security flaws.
- Follow the best practices for secure development.
- Tools: Jenkins, PMD, FindBugs
9. Auditing and monitoring the cloud
- Gather the monitoring data in a separate secure network.
- Establish baselines and monitor all layers and protocols.
- Deploy an IDS (Intrusion Detection System) behind the network firewall.
- Fine-tune the alert levels and use redundant channels for alerting.
- Tools: Nagios, ELK Stack, Watcher, Snort.
10. Validate protection
- Periodically test the network, applications and infrastructure for security vulnerabilities.
- Check for input validation, session manipulation, authentication and leakage of information.
- Wherever possible, use 3rd party tools.
- Tools: Metasploit, Kali Linux, OpenVAS.
11. Automation: Automated provisioning helps in documentation, disaster recovery and planning, and change management.
- Make use of a configuration management system like Chef/Puppet to manage configuration centrally.
- Consider infrastructure as code.
- Implement Continuous Integration and Continuous Delivery.
- Tools: Docker, Ansible and Chef.
12. Update security policy
- Define the scope and boundaries of security.
- Implement proper Risk Assessment Methodology, Identification and Addressing Methodology.
- Align policies with the contractual obligations of the cloud provider.
- Make use of the compliance management tools: OpenFISMA, PTA, SOMAP, GLPI.
Conclusion
Some things are easier and some things are harder in the cloud. The steps listed above will, however, get you started on your improvement cycle for continuous security. Before you get started and implement a cloud application on grounds of time and cost, it is essential to understand the data and security breach threats.
Whenever an organization moves to a new application or positions it, it will either drive sales up, drive operational costs down, or do both. By making well-informed choices, cloud computing can offer you business value, choice and flexibility, which will be the strongest reasons for implementing a new application in the cloud.
For more details on cloud security, please visit: http://www.gallop.net/cloud-application-security-testing

Pretty article! I found some useful information in your blog, it was awesome to read, thanks for sharing this great content to my vision, keep sharing. Need to learn
Security Testing Services
Test Automation Services
Software Testing Services
Compatibility Testing Services
Regression Testing Services