Today's post is general. I do not want to go into overly narrow areas of cybersecurity. Over the years, I have gained experience that helps me find my way in everyday tasks related to cloud security.
This is purely my own view on the issue. It is good to have your own opinion on a given topic. Looking at maps such as The Map of Cybersecurity Domains (Henry Jiang, March 2021, REV 3.0), one may get the impression that cloud security is only a small fragment of the whole. Despite the good level of detail, I would not entirely agree with how "Cloud security" is marked on the map presented by the author.
The cloud is a whole environment; in particular, two basic environments are distinguished: on-premise and the cloud itself. Therefore, I would not place cloud security on this diagram, but rather treat the whole diagram as something to refer to when taking care of cloud security.
I would therefore apply the same to other diagrams - for example https://roadmap.sh/devsecops - where the diagram was simplified even further to CSPM/IAM/Key Management Service.
Three elements were chosen that are worth paying attention to among dozens that we must pay attention to. I am not saying that Cloud Security Posture Management is bad, but is it always the optimal solution?
So the following question appears: How can I secure my cloud environment?
In my opinion, one should start from the basis of formalities and industry processes, and in particular the Risk Management process.
Risk Management
We cannot be 100% secure - we must agree to a certain risk (risk acceptance).
How to assess the level of acceptable risk? How to generally refer to risk and calculate it?
Perhaps more on this in a separate post, but I definitely recommend the book "How to Measure Anything in Cybersecurity Risk" by Douglas W. Hubbard & Richard Seiersen.
Referring to CISSP certification books, three basic steps can be distinguished:
- Value (Identification of assets for our organization and their assessment)
- Risk analysis (Determining the risk for each asset in the context of specific "Threats".)
- Treatment (Decision - Accept/Mitigate/Transfer/Avoid)
In this topic, we could go into really great detail. As in every topic, the goal is to obtain the most important information.
So I encourage you to explore this topic on your own. For sure, at this point it is good to know more or less what is acceptable for me and what is not.
For example:
- Can an instance containing my application connect to the internet?
- Do I want additional protection against DDoS attacks from the cloud provider? And what if someone carries out an HTTP flood against me - who will pay for it?
- ...
So there are a great many questions that are sometimes difficult to answer, and it is even more difficult to produce a full list of them in the context of a selected environment.
Risk arises where the resource that we create exists. Therefore, we must get to know the environment in which we create a given resource well and understand its mechanics.
Once we know what possibilities the cloud platform gives us - for example in creating virtual machine instances, it will be easier for us to ask the right questions.
With small environments, we care about simplicity and a practical approach. If, however, we are talking about a larger project, we must be able to arrange everything into one whole that is consistent with compliance requirements, drawing on frameworks.
The topic of frameworks is too deep to discuss in a simple post, but I recommend looking around in the context of cybersecurity frameworks. For example, one can look at a simple framework containing "Security Controls" called the CIS Security Matrix.
Everything depends on scale.
It is precisely the scale of our business and the number of places where risk appears that determines how we will have to approach the whole issue of securing the cloud environment.
Do you have a small environment and low risk? A frequently encountered approach here is a practical approach to security. That is, the reputation of your environment will rest on how well the person implementing it knows the platform/software and how aware they are of existing threats.
If the person does not have sufficient skills, your resources will be vulnerable to compromise.
Unfortunately, few people at this level of investment find the time and resources to analyze security controls from the CIS Framework and conduct penetration tests.
Learn the rules of the game - access control
"Controlling access to any resource in a secure system involves two entities. Subject - the active entity that requests access to a resource. Object - the passive entity that the subject wants to access.
Authorization or access control is the management of the relationship between subjects and objects."
The basic security of a cloud environment can be based on the classic Subject-Object Access control model.
Every resource in the cloud is an object: a virtual machine, bucket, database, secret, cryptographic key, serverless function, container image, load balancer or API. Every user, application, CI/CD pipeline, service account or other cloud resource can be a subject.
Security begins at the moment when every relationship between a subject and an object is explicitly defined and monitored, and the rules governing it can be determined.
This means that we must list the resources in the cloud and clearly define their relationships and configurations.
For example:
- Virtual machine instance - a user from the internet has access to the virtual machine instance. Access is regulated by network policies. Access can be monitored.
- IAM - a cloud platform user has access to the resource management panel. Access is regulated by access policies. Access can be monitored.
- Application - a user from the internet has access to the application running on the virtual machine instance. The queries the application can execute are defined by the application's IAM system. Access is regulated by access policies. Access can be monitored.
- KMS (Key Management Service for AWS) - access to keys used, for example, to encrypt virtual machine disks. Access is regulated by network and access policies. Access can be monitored.
- Storage - access to disks or cloud storage. Access is regulated by network policies and access policies. Access can be monitored.
- ...
As can be seen, I focus here on the resources that I use to prepare my production application and the default settings of the cloud provider account (IAM).
It is worth sticking here to the basic principles of access control and monitoring:
- Need to Know
- Least Privilege
- Separation of Duties and Responsibilities
- Zero Trust / Trust but Verify
It is impossible not to mention here the Defense in Depth approach. Our security controls must be implemented in multiple layers - we must especially ensure correct network configuration.
*Source: Defense in depth
If we know what we want to protect, ultimately it is good to protect a given object/subject in many ways and not rely only on a single layer. An example here can be limiting not only network access to a virtual machine, but also having the proper IAM policy for the user, which allows access only to a limited pool of resources, while for the remaining accounts we do not establish such access to the virtual machine.
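An added example, not from the original post, that records subject-object relationships as data and audits them for the gaps discussed above: objects with no defined relationship, unmonitored access, and access protected by only one layer. All subject and resource names, and the two layer labels "network" and "iam", are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample inventory: every name below is hypothetical.
OBJECTS = {"vm-app", "kms-disk-key", "storage-backups", "iam-console"}

@dataclass(frozen=True)
class Relationship:
    subject: str        # active entity requesting access
    obj: str            # passive entity being accessed
    layers: frozenset   # controls regulating the access: "network", "iam"
    monitored: bool     # is this access logged and observable?

RELATIONSHIPS = [
    Relationship("internet-user", "vm-app", frozenset({"network"}), True),
    Relationship("ops-admin", "vm-app", frozenset({"network", "iam"}), True),
    Relationship("vm-app", "kms-disk-key", frozenset({"network", "iam"}), False),
    Relationship("ops-admin", "iam-console", frozenset({"iam"}), True),
]

def audit(objects, relationships):
    """Report objects with no defined relationship, plus relationships that
    are unmonitored or rely on a single layer (no defense in depth)."""
    covered = {r.obj for r in relationships}
    return {
        "no_defined_relationship": sorted(objects - covered),
        "unmonitored": sorted((r.subject, r.obj) for r in relationships
                              if not r.monitored),
        "single_layer": sorted((r.subject, r.obj) for r in relationships
                               if len(r.layers) < 2),
    }

def is_allowed(subject, obj, passed_layers, relationships):
    """Default deny: allow only an explicitly defined relationship, and only
    when every layer it lists has passed (network AND IAM, not either one)."""
    for r in relationships:
        if r.subject == subject and r.obj == obj:
            return r.layers <= set(passed_layers)
    return False

if __name__ == "__main__":
    for finding, items in audit(OBJECTS, RELATIONSHIPS).items():
        print(f"{finding}: {items}")
    # Network path is open but the IAM policy check has not passed: denied.
    print(is_allowed("ops-admin", "vm-app", {"network"}, RELATIONSHIPS))
```

A single-layer finding is a prompt to review that relationship against the accepted risk, not automatically a defect.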
In the case of larger-scale projects, a detailed risk analysis will be a necessary step to fully illustrate the security posture of our environment. Using frameworks and standards such as ISO 27001, ISO 27017, NIST Cybersecurity Framework, NIST Risk Management Framework and NIST SP 800-53 may turn out to be a step in the right direction for making sure the process includes the appropriate steps. Not to mention other standards such as PCI DSS, which is targeted at a specific recipient/sector.