A move to the cloud requires an initial focus on information security training and governance, including understanding the shared responsibility model and key differences in tooling for traditional on-prem vs. cloud environments. From there, it's a matter of choosing the right cloud service provider (CSP) and establishing a critical set of CSP services, third-party controls and traditional security best practices. In this piece we outline a series of steps to take to help ensure a solid cloud security foundation for your organization moving forward.
Here are a few high-level considerations for InfoSec teams with respect to best practices when it comes to establishing a foundation for cloud security.
Moving to the cloud can be overwhelming. Organizations that are quick to drive a cloud-first approach to try and cut costs and increase speed can sometimes fail to account for new tools, training and security best practices.
The best place to start is with training and understanding the shared responsibility model for infrastructure-, platform- and software-as-a-service (IaaS/PaaS/SaaS). These concepts (see Figure 1) are mostly cloud-agnostic, but there are some subtle differences between providers. Training does not have to be expensive. There are plenty of very effective, reasonably priced options, such as those from Udemy and Cloud Academy.
Consider a cloud-centric framework to drive regulatory standards and audit success. Frameworks provide a selection of controls that should be implemented for cloud computing and security. For example, the NIST Cybersecurity Framework (CSF) is commonly used, even by organizations with no federal requirements.
Keep in mind that identity and access management (IAM) is largely up to you (not the cloud provider). It might be beneficial to start by trying to leverage cloud solutions for single sign-on (SSO) and multifactor authentication (MFA). These models allow you to focus on what really matters most: your applications and data. It is still prudent to get visibility throughout the entire stack, but focusing on SSO and MFA narrows the scope of what you manage.
In an on-premises environment, you have rigorous rules for security and software deployments. You may only run vulnerability scans at certain times, and most security products are built to work "in line," meaning on a network either as a proxy or on spanning ports on a device.
In the cloud, however, the best practice is to do security at the host or virtual machine (VM) level. For example, most organizations load up all hosts with firewalls, intrusion detection systems (IDS) and other endpoint security solutions to capture information (i.e., logs) in real time from the source.
Unfortunately, on-prem security solutions do not always cut it in the cloud. They are not built with modern API-based architectures, which makes data collection and integration with CSPs extremely difficult, if not impossible.
Another challenge is figuring out which cloud provider is best for you. When it comes to IaaS, the three major players are Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. They all have great security controls and services that help tremendously with visibility and logging, but they do have their differences, so be sure to examine each more closely.
A mix of CSP services, third-party tools and traditional security controls is required for a secure move to the cloud. When it comes to CSP services, must-haves include, but are not limited to:
Consider using third parties to avoid CSP vendor lock-in and keep the portfolio open for a potential/eventual move to a multi-cloud environment. For example, your AWS WAF will not work on Azure or GCP. Third-party tool considerations include:
Keep in mind, you also need to retain access to certain traditional controls, as per the shared responsibility model in Figure 1.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
September 26, 2023
By IANS Faculty