With Cloud services offering a massive variety of infrastructure, platform and software options, choosing the best fit for your business is a huge challenge. Once you make that choice, you’re then faced with the task of onboarding that new tool in a way that ensures the security and safety of your business.
While Cloud providers have extensive and highly experienced security teams, they are not responsible for mitigating your risks.
Start with knowledge
Understanding what threats and risks you face is the critical first step. When you onboard a new application, it’s vital that you understand the types of traffic and activity you can anticipate. These patterns may be pre-defined and are maintained by a central team like a Security or Cloud Centre of Excellence. The patterns should be geared to common web technology frameworks like WordPress, Joomla, Drupal or .NET that have common approaches to URL pathing, parameter/header usage, behaviour, navigation and session management.
By understanding what’s expected, you can then define policies that help identify abnormal behaviour.
For example, recognising that a logo image is being downloaded repeatedly may indicate that an adversary intends to reuse the image in a phishing campaign. Likewise, knowing when to expect specific users to log in to a Cloud application, and where they normally connect from, lets you raise a warning that an account has been compromised when an attacker connects from an unusual location outside normal business hours.
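The two detections just described, expressed as simple rules over a constructed access log. This is an added illustration, not code from the article or from Versent; the log format, the per-user location baseline, the business-hours window and the repeat threshold are all assumed values.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse
# Constructed sample access log (not the article's data); fields: timestamp user country path referer
SAMPLE_LOG = [
    "2024-03-04T09:12:00 alice AU /login -",
    "2024-03-04T09:15:00 alice AU /images/logo.png https://app.example.com/home",
    "2024-03-04T23:40:00 alice RU /login -",
    "2024-03-04T11:00:00 - US /images/logo.png https://lookalike.example.net/signin",
    "2024-03-04T11:00:05 - US /images/logo.png https://lookalike.example.net/signin",
    "2024-03-04T11:00:09 - US /images/logo.png https://lookalike.example.net/signin",
]
# Expected-behaviour pattern for this application (assumed values, not the article's)
POLICY = {
    "business_hours": (8, 18),                 # hours in which logins are normal
    "home_countries": {"alice": {"AU"}},       # per-user baseline login locations
    "own_hosts": {"app.example.com"},          # referers allowed to load brand assets
    "brand_assets": {"/images/logo.png"},
    "repeat_threshold": 3,                     # external fetches before alerting
}

def parse_line(line):
    ts, user, country, path, referer = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "country": country,
            "path": path, "referer": referer}

def login_alerts(lines, policy=POLICY):
    """Flag logins from outside a user's baseline countries or outside business hours."""
    start, end = policy["business_hours"]
    alerts = []
    for ev in map(parse_line, lines):
        if ev["path"] != "/login":
            continue
        reasons = []
        if ev["country"] not in policy["home_countries"].get(ev["user"], set()):
            reasons.append(f"unusual country {ev['country']}")
        if not start <= ev["ts"].hour < end:
            reasons.append(f"outside business hours ({ev['ts'].hour:02d}:00)")
        if reasons:
            alerts.append(f"{ev['user']}: " + ", ".join(reasons))
    return alerts

def logo_alerts(lines, policy=POLICY):
    """Flag brand assets fetched repeatedly by pages we do not host (possible phishing kit)."""
    hits = Counter()
    for ev in map(parse_line, lines):
        host = urlparse(ev["referer"]).hostname   # "-" (no referer) parses to None and is skipped
        if ev["path"] in policy["brand_assets"] and host and host not in policy["own_hosts"]:
            hits[host] += 1
    return [f"{host} loaded brand asset {n} times" for host, n in hits.items()
            if n >= policy["repeat_threshold"]]
```

In practice the baseline in `POLICY` would be learned from the application's normal traffic rather than hand-written, which is the role of the pattern library the article describes.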
Embed security, don’t bolt it on
Versent, for instance, strongly advocates that you closely integrate your Cloud and DevOps strategies with your cybersecurity roadmap. Traditional approaches to cybersecurity assumed you could put a firewall around everything and thereby protect data and applications. In effect, a weakness in an application was not a major issue because attackers would, in theory, rarely reach the vulnerable system.
The Cloud has fundamentally changed those rules. You must ensure your DevOps teams build and deploy applications with security at the foundation — not around the edges. You need to stop seeing security as a fixed cost centre, and adopt a model where security is traceable through the infrastructure and application lifecycle.
With security distributed in this new way, you need to identify who has responsibility for the different phases of the operational process. Your security experts will work alongside the business to deliver security for Cloud applications in a way that mitigates risks without compromising business efficiency — something that is often a cause for angst when security teams operate in a vacuum, separated from the organisational coalface.
With critical applications operating in the Cloud, potentially using different providers for SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service), you will need to rethink how you trust and identify users. One of the catch-cries of current security thinking is “zero trust”. While that sounds negative, perhaps a better way to think about it is “proven identity”.
The use of tools such as Single Sign-On ensures users don’t need to remember multiple credentials to connect to different applications and services. Those credentials can be backed up with different authentication factors such as one-time codes provided by security application platforms, or through the use of biometrics. With a proven identity, you can adopt an ‘always-authenticated approach’, ensuring that access to your applications and data is safe.
It’s not just about production
Learning usage patterns to expect, onboarding new applications and testing changes are just as important when using the Cloud as they are in the on-premises world.
In addition to the production environment running the live application, you need to create and maintain a separate pattern factory environment, where the patterns can be developed and maintained so that you learn what to expect when a new application or service is onboarded.
Environments for testing new applications, code changes and user acceptance are also important, so that these activities are isolated from production. Those test environments are critical for testing everything from functional code changes and user interface modifications to alterations to web application firewall settings.
This article is published by Which-50’s Digital Intelligence Unit (DIU) on behalf of Versent. DIU Members pay to share their expertise and insights with Which-50’s audience of senior executives.