How to build a hybrid-cloud security strategy that is effective, scalable and affordable.
Cloud sprawl has become a fact of life for most organizations. As organizations shift workloads from on-premises data centers to multiple public cloud platforms, the boundaries of their traditional defense perimeter blur and dissolve, creating cloud sprawl and thorny security challenges.
To protect this new borderless, hybrid-cloud environment, you must move security controls to where they’re needed, enforce them with new tools and ground them around five core principles: unified access management, automation, shift-left, data security, and zero trust.
In this blog post, we’ll summarize and explain how you can adopt these five principles, which we covered in the webinar 5 Must-Haves for Hybrid Cloud Security.
Principle 1: Create a unified access management strategy
In cloud computing, the traditional perimeter is moved outside of the enterprise data center, so identity replaces networks as the primary trust boundary. To that end, a unified identity and access management (IAM) strategy is essential to securing the cloud. To achieve this you should look to:
- Adopt a unified identity strategy to ensure that cloud identities don’t exist in separate directories or authentication systems
- Enforce multi-factor authentication (MFA) for all access, or at minimum, use MFA for privileged accounts
- Use automated tooling to monitor cloud accounts for unusual access and enforce least privilege
It’s critical to ensure your cloud accounts are tracked by your central IAM system and to use automated tools that constantly scan for unauthorized access to cloud accounts. Basic authentication is insufficient for externally accessible user accounts, so insist on MFA for all access to public cloud. Use MFA for privileged accounts at a minimum.
Principle 2: Automate configuration and validation across all clouds
“The overwhelming majority of cloud security incidents stem from customer mistakes – far more than from malicious actors.”
In my many years of experience as an analyst and advisor to enterprises, I have found that the overwhelming majority of cloud security incidents stem from customer misconfigurations or mistakes – far more than from malicious actors. In the cloud world, getting cloud configuration right is just as important as writing secure code. Primary recommendations for reducing misconfigurations include:
- Use CSPM at a minimum to ensure secure configurations across all environments
- Use a unified security platform to gather data across all environments, such as the Tenable One Exposure Management Platform
Cloud security automation has become an increasingly important part of modern security strategies. It allows organizations to reduce the manual effort required to manage their cloud environments, while also improving their security posture and ability to scale.
This is why we have seen the continued adoption and evolution of automated Cloud Security Posture Management (CSPM) tools like Tenable Cloud Security. CSPM solutions are not only about validating cloud runtime configurations, but have evolved to be used to scan IaC code repositories and look for identity- and access-management challenges, such as over-privileged accounts and roles.
Principle 3: Adopt DevSecOps and shift controls left
“Cloud security shouldn’t be a separate entity with its own tools and processes. Teams should be unified under a single strategy and use tools that allow them to speak the same language across teams.”
Security teams and developers don’t speak the same language. When developers think about cloud security, they think about technical controls, open-source products like Hashicorp’s Terraform and cool features that can enable their cloud-native applications running on containers or Kubernetes. When security teams think about controls, they want to know about risk, both qualitative and quantitative. They want to know what controls are in place, how they are monitored and how they can be validated.
For these reasons, it is not good practice to allow cloud teams to design security controls. It is incumbent on security teams to embrace DevSecOps practices and ensure controls are implemented as early as possible in the development pipeline. Cloud security shouldn’t be a separate entity with its own tools and processes. Teams should be unified under a single strategy and use tools that allow them to speak the same language across teams. To “shift- left” you’ll need to:
- Scan your infrastructure for misconfigurations in the development pipeline using infrastructure-as-code (IaC) security tooling, such as Terrascan
- Standardize your base images and scan them in an isolated development environment
- Shift your controls left so you can scale to multiple clouds by abstracting controls and enforcing them before deploying to public cloud platforms
Also of note here is tool consolidation
It's important to use as few tools as possible to give you an accurate measure of risk exposure, and normalize risk factors across multiple on-premises and public cloud environments. There has been a proliferation of new vendors in the market when it comes to public cloud, filling control gaps using innovative techniques while the major players have taken a more measured approach. Thankfully, that is no longer the case. Solutions like Tenable One can protect both on-premises and public cloud workloads to give you a consistent hybrid-cloud security platform.
Principle 4: Strengthen data security
Organizations must secure cloud data by encrypting all data at rest. At a minimum, you should configure the cloud service provider’s (CSP) native key-management system to use a customer-controlled master key. Ideally, issue your own master encryption keys and hold them on-premises in a hardware security module (HSM) or use a virtual HSM in a public cloud environment.
Key best practices for public-cloud data security include:
- Encrypt all data at rest, but control the encryption keys
- Integrate with cloud providers’ key-management systems
- Ideally, use your own HSM and hold keys on-premises or on an alternate cloud platform
Principle 5: Use zero trust to unify strategies
Zero trust is an overused term, but for our purposes it means zero implied trust and full visibility into all user-entity behavior post-authentication and throughout the lifecycle of each session. This is a key requirement for cloud, but the principle of zero trust should be introduced to private cloud environments as well.
To benefit fully from zero trust:
- Adopt zero trust principles across both public and private cloud environments where possible
- Phase out trusted networks and the idea of “implied trust”
- Cloud-native and zero trust principles can be a driving force for security transformation, making your applications more secure across hybrid cloud environments
Conclusion
Successful hybrid cloud security requires a unified approach. Bimodal IT has left technical debt and security blind spots across public cloud workloads. Security leaders should aim to eliminate security problems before deploying to shared infrastructure by enforcing robust standards throughout the development pipeline and across public and private cloud environments.
As we continue to embrace public cloud it’s essential that we evolve our security strategy to use the best techniques from tried and tested security operations and combine them with the best security practices from cloud technologies. It’s also important to consolidate traditionally siloed tools that result in too many controls, slowing you down while also leaving control gaps resulting from a lack of unified cloud coverage.
Engaging with technology teams can be challenging, but security leaders must embrace the transition to cloud-native and zero trust principles. By using these five key principles as a foundation, you can ensure your hybrid cloud applications are more secure and easier to manage than those in your on-premises data center.
If you’re looking for more information about the five key principles recommended above, please watch the on-demand webinar 5 Must-Haves for Hybrid Cloud Security. You can also learn more about Tenable Cloud Security and sign up for a free trial today.
(Guest author Tom Croll from Lionfish Tech Advisors is a consultant for Tenable.)