
Cloud Security principles to live by — Part 1

How to organically implement cloud security

Source: Canva

If you have been following my articles then you know that Cloud Security is a topic I like to focus on every chance I get.

I truly believe there is a lack of good material on the subject and not enough professionals in the market who “get” what cloud security is and what it does.

Today I want to touch upon the very important topic of Cloud Security principles.

For Cloud Security to be effective you should not start with technical solutions but first set down certain key principles which will be the building blocks for your cloud security framework.

These are high level guidelines that you must always keep in mind across all cloud security initiatives.

Think of them like a company’s values or guidelines that employees are expected to embody.

If you keep these principles in mind, then whichever Cloud Solution Provider you go with, you will have the assurance that cloud security best practices are always being followed.

  1. Shared responsibility
  2. The Identity perimeter
  3. Zero Trust Architecture
  4. Security as Code
  5. Automation in Incident Response
  6. Threat intelligence

In this article, we will focus on the first three and go over what they are. I will cover the next three in the second part.

A — Shared Responsibility

The Shared Responsibility Model is a principle common to all the major cloud providers. It states that security is an obligation shared between the cloud provider and the customer: the provider secures the underlying platform and its own operations, but you as the customer have to do your part and configure the services you consume according to best practice.

As AWS puts it, the cloud provider is responsible for security OF the cloud while the customer is responsible for security IN the cloud.

AWS Shared Responsibility Model. (taken from https://aws.amazon.com/compliance/shared-responsibility-model/)

For example, the cloud provider will always be responsible for the physical security of its data centers, but if you are spinning up a server in the cloud (IaaS) then you are responsible for patching it, configuring and hardening it, controlling access to it, and so on.

If it is a fully managed service like a SaaS solution, then you might only need to worry about access control and the data you put in it while the provider handles everything else. As you can see, this model is not static: the level of responsibility goes up and down depending on which service model you are using.

We can visualize the shared responsibility of the different cloud models in the following table.

The Shared Responsibility model is one of the most fundamental principles of the Cloud and something which must be understood right from the start. It impacts every single security decision you make as you must approach it from the perspective of where it falls under Shared Responsibility.

B — Identity perimeter

In the cloud, the traditional network perimeter largely disappears, and the emphasis shifts away from the firewall / Intrusion Detection System / Web Application Firewall as the primary line of defence. Instead, the focus moves to the identities that exist in your cloud environment.

Don’t get me wrong, you still need firewalls, but your approach should change to focus on WHO is accessing WHAT rather than on what is trying to get in.

The promise of the cloud is to give access from anywhere, and the boundaries of where your perimeter starts and stops have blurred immensely. By focusing on identity and enforcing the controls around it, you apply the same checks regardless of where the person is connecting from and whatever device they are using.

Some of the common controls are:

  • Multi-Factor authentication
  • Context-based controls (make decision based on location, device, behavior etc )
  • Risk scoring
  • Single Sign on

This also forms the basis for the next principle which is critical for cloud security and that is Zero Trust.

C — Zero Trust Architecture

The term Zero Trust was coined in 2010 and is one of the most fundamental principles of cloud security architecture. Provided it is implemented correctly, it can mean the difference between a secure cloud architecture and a vulnerable one.

But let’s start with a few clarifications; Zero Trust is not a product but a concept.

Like the name says, it revolves around providing security without relying on traditional network controls and moving towards an identity-centric model. It means that you do not trust any service or user, whether inside or outside the network, and instead verify everything. Verification here means authenticating and authorizing every request and inspecting it, rather than assuming it is legitimate because of where it came from.

So, in a Zero Trust network, even if an identity is sitting inside your network, requests from that identity are not waved through; every request is inspected to make sure it is valid. The “identity” in this context can be a user, an application, a cloud service, etc.

A traditional security architecture looks like the following, where everything is restricted to a “secure” internal network.

Traditional security approach

In a Zero Trust world, access decisions are made by a centralized, identity-centric policy that dynamically evaluates the context of each request before granting access.

User location, device, time, risk score, etc. all are evaluated, and the identity essentially becomes the firewall that allows / disallows access.

The Zero Trust approach
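The identity-centric controls listed under the Identity perimeter (multi-factor authentication, context-based decisions, risk scoring) and the per-request evaluation just described for Zero Trust can be shown together in one small policy decision point. The Python below is an added example written for this article, not code from the original post or from any provider; the identities, entitlements, IP range, country list, risk thresholds, working hours and sample requests are all assumptions chosen for illustration. The point to notice is that the source network is recorded but never used to grant access: the same policy gives the same answer whether the request arrives from the corporate range or from the internet, and a request from inside the network with no entitlement is still denied.

```python
"""Identity-centric policy decision point (PDP) for a Zero Trust setup.

Added illustrative example for this article; not a product or provider API.
All identities, entitlements, networks, countries, thresholds and sample
requests below are assumptions chosen for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Request:
    identity: str         # user, service account or workload (the "who")
    resource: str         # the "what"
    action: str           # "read", "write" or "admin"
    source_ip: str        # recorded for telemetry, never used to grant access
    device_managed: bool  # device is enrolled and reports as compliant
    mfa_satisfied: bool   # a second factor was presented for this session
    country: str          # as resolved by the identity provider (assumed)
    risk_score: int       # 0 (clean) .. 100 (likely compromised), from a risk engine
    when: datetime        # timezone-aware timestamp of the request


ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP_MFA", "DENY"
PRIVILEGED = {"write", "admin"}

# Centralized policy: which identity may perform which action on which resource.
# Network location is deliberately absent from this table.
ENTITLEMENTS = {
    "alice@example.com": {"payments-db": {"read", "write"}, "wiki": {"read"}},
    "bob@example.com": {"wiki": {"read", "write"}},
    "svc-reporting": {"payments-db": {"read"}},
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
ALLOWED_COUNTRIES = {"AE", "GB", "PK"}                  # assumed
HIGH_RISK, MEDIUM_RISK = 70, 40                          # assumed thresholds
WORK_HOURS_UTC = range(8, 20)                            # assumed


def on_internal_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def second_factor_reasons(req: Request) -> list[str]:
    """Context signals that make a second factor mandatory for this request."""
    reasons = []
    if req.action in PRIVILEGED:
        reasons.append("privileged action")
    if req.risk_score >= MEDIUM_RISK:
        reasons.append(f"risk score {req.risk_score}")
    if not req.device_managed:
        reasons.append("unmanaged device")
    if req.when.astimezone(timezone.utc).hour not in WORK_HOURS_UTC:
        reasons.append("outside working hours")
    return reasons


def evaluate(req: Request) -> tuple[str, str]:
    """Decide one request. Called on every request; nothing is cached per session."""
    # 1. Authorization first: is this identity entitled to this action at all?
    allowed = ENTITLEMENTS.get(req.identity, {}).get(req.resource, set())
    if req.action not in allowed:
        return DENY, "identity not entitled to this action on this resource"
    # 2. Context that always denies.
    if req.risk_score >= HIGH_RISK:
        return DENY, f"risk score {req.risk_score} >= {HIGH_RISK}"
    if req.country not in ALLOWED_COUNTRIES:
        return DENY, f"country {req.country} not permitted"
    if req.action in PRIVILEGED and not req.device_managed:
        return DENY, "privileged action from an unmanaged device"
    # 3. Context that demands step-up authentication.
    reasons = second_factor_reasons(req)
    if reasons and not req.mfa_satisfied:
        return STEP_UP, "second factor required: " + "; ".join(reasons)
    # 4. Source network is logged but does not change the decision.
    where = "internal" if on_internal_network(req.source_ip) else "external"
    return ALLOW, f"entitled and verified ({where} network)"


def decide_all(requests: list[Request]) -> list[str]:
    return [evaluate(r)[0] for r in requests]


# Constructed sample requests (assumed data). Monday 10:30 UTC = working hours.
NOW = datetime(2024, 3, 4, 10, 30, tzinfo=timezone.utc)
SAMPLE_REQUESTS = [
    # Same request from inside and outside the corporate range: same decision.
    Request("alice@example.com", "payments-db", "read", "10.1.2.3", True, True, "AE", 5, NOW),
    Request("alice@example.com", "payments-db", "read", "203.0.113.7", True, True, "AE", 5, NOW),
    # Inside the network but not entitled: still denied.
    Request("bob@example.com", "payments-db", "read", "10.1.2.4", True, True, "AE", 5, NOW),
    # Entitled write with no second factor this session: step up.
    Request("alice@example.com", "payments-db", "write", "10.1.2.3", True, False, "AE", 5, NOW),
    # Service identity inside the network but with a high risk score: deny.
    Request("svc-reporting", "payments-db", "read", "10.9.9.9", True, True, "AE", 85, NOW),
    # Entitled write from an unmanaged device, even with MFA: deny.
    Request("bob@example.com", "wiki", "write", "198.51.100.2", False, True, "GB", 10, NOW),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, reason = evaluate(req)
        print(f"{decision:<12} {req.identity:<20} {req.action}:{req.resource:<12} {reason}")
```

Running the script prints one decision per sample request. The ordering inside `evaluate` is deliberate: entitlement is checked before any context signal so that a perfectly clean device on the corporate network still cannot reach a resource its identity was never granted, and hard denials (high risk, disallowed country, privileged action from an unmanaged device) come before step-up so that a compromised session cannot "MFA its way" past them. A real deployment would feed `risk_score`, `device_managed` and `country` from the identity provider and device-management signals rather than from the request itself.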

Below is the end result of a fully Zero Trust environment, taken from the Microsoft Cybersecurity Reference Architecture, which is a great starting point for implementing this journey in your organization.

Microsoft Zero Trust taken from https://www.microsoft.com/en-us/insidetrack/implementing-a-zero-trust-security-model-at-microsoft

I hope you now have a better understanding of these principles and how they help you to implement a proper cloud security framework. Stay tuned for part 2, which will be out shortly!

Taimur Ijlal is a multi-award-winning, information security leader with over two decades of international experience in cyber-security and IT risk management in the fin-tech industry. Taimur can be connected on LinkedIn or on his YouTube channel “Cloud Security Guy” on which he regularly posts about Cloud Security, Artificial Intelligence, and general cyber-security career advice.
