A move to the cloud requires an initial focus on information security training and governance, including understanding the shared responsibility model and key differences in tooling for traditional on-prem vs. cloud environments. From there, it’s
a matter of choosing the right cloud service provider (CSP) and establishing a critical set of CSP services, third-party controls and traditional security best practices. In this piece we outline a series of steps to take to help ensure a solid
cloud security foundation for your organization moving forward.
Here are a few high-level considerations for InfoSec teams with respect to best practices when it comes to establishing a foundation for cloud security.
Moving to the cloud can be overwhelming. Organizations that are quick to drive a cloud-first approach to try and cut costs and increase speed can sometimes fail to account for new tools, training and security best practices.
The best place to start is with training and understanding the shared responsibility model for infrastructure-, platform- and software-as-a-service (IaaS/PaaS/SaaS). These concepts (see Figure 1) are mostly cloud-agnostic, but there are some subtle differences
between providers. Training does not have to be expensive. There are plenty of very effective, reasonably priced options, such as those from Udemy and Cloud Academy.
Consider a cloud-centric framework to drive regulatory standards and audit success. Frameworks provide a selection of controls that should be implemented for cloud computing and security. For example, the NIST Cybersecurity Framework (CSF) is commonly
used, even for those with no federal requirements.
Keep in mind that identity and access management (IAM) is largely up to you (not the cloud provider). It might be beneficial to start by trying to leverage cloud solutions for single sign-on (SSO) and multifactor authentication (MFA). These models allow
you to focus on what really matters most: your applications and data. It is still prudent to get visibility throughout the entire stack, but focusing on SSO and MFA narrows the scope of what you manage.
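One concrete way to check that MFA is actually in place for the identities you own is to read the provider's own inventory of users. The following added example (not from the original post or from IANS) parses a CSV in the layout of an AWS IAM credential report, which `aws iam get-credential-report` returns, and lists every identity that can sign in with a password but has no MFA device; the user names, account ID and dates are constructed for illustration.

```python
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report.
# Only the first nine columns of the real report are included; the account
# ID, user names and timestamps are made up for illustration.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T09:00:00+00:00,not_supported,2024-02-01T12:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2023-03-05T10:00:00+00:00,true,2024-02-20T08:30:00+00:00,2023-12-01T10:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2023-06-15T11:00:00+00:00,true,2024-02-19T14:10:00+00:00,2023-06-15T11:00:00+00:00,N/A,false,false
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2023-08-01T12:00:00+00:00,false,no_information,N/A,N/A,false,true
"""


def parse_credential_report(text):
    """Parse the credential report CSV into one dict per identity."""
    return list(csv.DictReader(io.StringIO(text)))


def find_console_users_without_mfa(rows):
    """Return the names of identities that can log in interactively but lack MFA.

    The root row reports password_enabled as 'not_supported' because root
    always has a console password, so it is treated as console-enabled.
    """
    flagged = []
    for row in rows:
        console_enabled = row["password_enabled"] == "true" or row["user"] == "<root_account>"
        if console_enabled and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged


if __name__ == "__main__":
    rows = parse_credential_report(SAMPLE_REPORT)
    for name in find_console_users_without_mfa(rows):
        print(f"console login enabled without MFA: {name}")
```

Users that only hold access keys (`ci-deployer` above) are deliberately not flagged here, since MFA does not apply to programmatic keys; they belong in a separate key-rotation check.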
In an on-premises environment, you have rigorous rules for security and software deployments. You may only run vulnerability scans at certain times, and most security products are built to work “in line,” meaning on the network path, either as a proxy
or attached to a SPAN (mirror) port on a switch.
In the cloud, however, the best practice is to do security at the host or virtual machine (VM) level. For example, most organizations load up all hosts with firewalls, intrusion detection systems (IDS) and other endpoint security solutions to capture
information (i.e., logs) in real time from the source.
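To show what "capturing logs at the source" buys you, here is an added example (not from the original post or from IANS) of a small host-level detection: it parses sshd lines in syslog format and reports any source address with five or more failed logins inside a one-minute window. The host name, user names and IP addresses in the sample are constructed; the year is supplied by the caller because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format. The host, users and addresses
# are made up; the addresses come from documentation ranges.
SAMPLE_AUTH_LOG = """Feb 20 10:01:02 web-01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Feb 20 10:01:04 web-01 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Feb 20 10:01:05 web-01 sshd[2105]: Failed password for root from 203.0.113.7 port 51141 ssh2
Feb 20 10:01:07 web-01 sshd[2107]: Failed password for root from 203.0.113.7 port 51150 ssh2
Feb 20 10:01:09 web-01 sshd[2109]: Failed password for root from 203.0.113.7 port 51161 ssh2
Feb 20 10:03:30 web-01 sshd[2150]: Failed password for deploy from 198.51.100.4 port 40012 ssh2
Feb 20 10:03:35 web-01 sshd[2152]: Accepted publickey for deploy from 198.51.100.4 port 40020 ssh2
"""

# Matches the "Failed <method> for [invalid user] <user> from <ip>" and
# "Accepted <method> for <user> from <ip>" messages sshd writes.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_log(text, year=2024):
    """Turn raw sshd log text into a list of login-attempt events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd message, skip it
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return source IPs with at least `threshold` failures in any `window_seconds` span."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]].append(e["ts"])
    offenders = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits within window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders.append(ip)
                break
    return offenders


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip in detect_bruteforce(events):
        print(f"possible SSH brute force from {ip}")
```

The same sliding-window logic applies unchanged to events shipped from many hosts to a central collector, which is the point of collecting at the VM level rather than waiting for a scheduled scan.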
Unfortunately, on-prem security solutions do not always cut it in the cloud. They are not built with modern API-based architectures, which makes data collection and integrations with CSPs extremely difficult, if not impossible.
Another challenge is figuring out which cloud provider is best for you. When it comes to IaaS, three major players are: Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. They all have great security controls and services that
help tremendously with visibility and logging, but they do have their differences, so be sure to examine each more closely.
A mix of CSP services, third-party tools and traditional security controls is required for a secure move to the cloud. When it comes to CSP services, must-haves include, but are not limited to:
Consider using third parties to avoid CSP vendor lock-in and keep the portfolio open for a potential/eventual move to a multi-cloud environment. For example, your AWS WAF will not work on Azure or GCP. Third-party tool considerations include:
Keep in mind, you also need to retain access to certain traditional controls, as per the shared responsibility model in Figure 1.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
February 29, 2024
By IANS Research