Beginner’s Guide to Cloud Security Strategy

Erkan Kahraman
8 min read · Apr 12, 2021

by Erkan Kahraman | on 12 APR 2021 | in Best Practices, Foundational (100), Security, Identity, & Compliance, Adoption, Enterprise Strategy

Cloud security strategy is like a compass for your cloud journey. It is the organization's chance to set its cloud security program on a course that addresses its risks and meets its business objectives.

In this post, I’ll explain my six top tips to help you create a robust security strategy that covers people, processes, and technology.

Needless to say, the assumption here is that you already have a holistic security strategy, of which the cloud security strategy is a subset that addresses the risks introduced by running parts of the business in the cloud. Unless you are a cloud-native shop or have already migrated all your workloads, your strategy should address areas both inside and outside the cloud where you can have a significant impact and reduce risk.

1. Start with ensuring stakeholder buy-in.

In his re:Invent 2020 keynote, Andy Jassy emphasized the importance of setting aggressive top-down goals to accelerate cloud migration, and of building the right mechanisms to inspect whether you are actually making progress against them.

According to the IDG Security Priorities Survey, a third of enterprises said they do not have a separate security function, and a little more than half say that IT is at least partly responsible for security. Nearly three quarters of small and medium businesses (SMBs) do not have a separate security department, and 80 percent say their IT staff is responsible for cybersecurity. With a small budget and limited staffing, it is essential to secure the support of the entire organization's resources to implement an effective security strategy. You will most likely need to pull in people from development teams, operations teams and even finance teams to implement the security processes and technical controls.

Yes, even finance teams, because security and cost optimization often go hand in hand. They are like spirit twins, and not only because both come as an afterthought to most organizations: a billing alert on an unexpected spend spike can be the first signal of a compromise (cryptomining on hijacked compute is the classic case), and optimizing your costs by removing unused resources also reduces your attack surface.

And I hope I do not have to re-emphasize the need for security people to be involved in the development cycle; "security that is built in, not bolted on" has been the motto of every industry event I have attended in recent years, and we have all been bombarded with buzzwords like "DevSecOps" for long enough now.

Getting the entire leadership (and their respective teams) on board with your security strategy is really important. After all, the strategy is where you define the "why" of your cloud security. Best-selling author Simon Sinek discusses this in his book Start With Why, where he explains the neuroscience behind the importance of knowing why you do something. The more teams are on board with the security strategy, the more they will understand the "why" of the security controls and be willing to help.

2. Don’t re-invent the wheel, follow the best practices.

Whether your organization is looking to grow at speed or to open up new markets by meeting compliance requirements, security can be a business enabler when done right. This is especially true for SMBs that want to achieve the industry certification that will help them grow their market; either way, it makes sense for SMBs to focus on industry best practices, while larger enterprises may have already passed that stage and are now looking at tailoring their security controls to their specific business risks. This is not to say that security should be a checklist exercise to get an ISO certificate, but at this stage there is clearly more to gain from addressing the most common security vulnerabilities and implementing industry-standard controls.

Consider implementing a cybersecurity framework that leverages existing standards, many of which overlap in their control requirements. In fact, ISO/IEC TR 27103 promotes the same concepts and best practices reflected in the NIST Cybersecurity Framework: a framework focused on security outcomes, organized around five functions (Identify, Protect, Detect, Respond, Recover) and foundational activities that crosswalk to existing standards, accreditations and frameworks. Adopting this approach can help organizations achieve security outcomes while benefiting from the efficiencies of re-using instead of re-doing.

Larger organizations and enterprises in regulated industries may already have a few industry certifications under their belt. In this case, building a unified control framework is essential to reduce duplication of effort. The AWS Well-Architected Framework was developed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications. Its security pillar lists a number of design principles that can help you strengthen your workload security:

  • Implement a strong identity foundation: Based on the principles of least privilege and separation of duties, implement a centralized identity and access management system, and aim to eliminate reliance on long-term static credentials.
  • Enable traceability: Enable monitoring and alerting of critical actions and changes to your environment in real time. Utilize systems that integrate log and metric collection to automatically investigate and take action.
  • Apply security at all layers: Apply a defense in depth approach with multiple security controls. Apply to all layers (for example, edge of network, VPC, load balancing, every instance and compute service, operating system, application, and code).
  • Automate security best practices: Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively.
  • Protect data in transit and at rest: Classify your data into sensitivity levels and use mechanisms, such as encryption, tokenization, and access control where appropriate.
  • Keep people away from data: Use mechanisms and tools (read “infrastructure as code”) to reduce or eliminate the need for direct access or manual processing of data. This reduces the risk of mishandling or modification and human error when handling sensitive data.
  • Prepare for security events: Prepare for an incident by having incident management and investigation policy and processes that align to your organizational requirements.

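To make the first principle concrete (least privilege, MFA, and no reliance on long-term static credentials), here is an added example that is not part of the original post or of any AWS tooling: a small Python script that audits an IAM credential report, the CSV that `aws iam get-credential-report` returns once base64-decoded. The report below is constructed for the example (fictional users and dates, account ID 123456789012), and the thresholds of 90 days for key age and 45 days for idle keys are this example's own assumptions, not an AWS default.

```python
"""Audit an IAM credential report for identity hygiene.

SAMPLE_REPORT is constructed for this example: it has the column layout of
the CSV that `aws iam get-credential-report` returns (base64-decoded), but
the users, ARNs and dates are invented.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2021-03-01T12:00:00+00:00,not_supported,not_supported,false,true,2019-01-10T09:00:00+00:00,2021-02-01T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-06-01T10:00:00+00:00,true,2021-04-10T07:00:00+00:00,2021-03-15T10:00:00+00:00,2021-06-13T10:00:00+00:00,true,true,2021-03-20T10:00:00+00:00,2021-04-11T09:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-08-01T10:00:00+00:00,true,2021-04-09T07:00:00+00:00,2019-08-01T10:00:00+00:00,N/A,false,true,2019-08-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2020-01-15T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-01-15T10:00:00+00:00,2021-04-11T01:00:00+00:00,us-east-1,sts,true,2020-09-01T10:00:00+00:00,2021-04-11T01:00:00+00:00,us-east-1,sts,false,N/A,false,N/A
"""

AS_OF = datetime(2021, 4, 12, tzinfo=timezone.utc)  # evaluation time for the sample
MAX_KEY_AGE = timedelta(days=90)   # this example's rotation threshold, not an AWS default
IDLE_KEY_AGE = timedelta(days=45)  # active keys unused for this long are flagged


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported carry no date."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, code, detail) findings; the codes are this example's own labels."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Console access without MFA: the root user and every password-enabled user.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA", "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            # Root should never hold access keys; use a role or an IAM user instead.
            if is_root:
                findings.append((user, "ROOT_ACCESS_KEY", f"root user has active access key {n}"))
            # Long-lived static credentials: a key that has outlived the rotation window.
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                age = (now - rotated).days
                findings.append((user, "STALE_KEY", f"access key {n} last rotated {age} days ago"))
            # An active key nobody uses is pure attack surface; deactivate it.
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > IDLE_KEY_AGE:
                findings.append((user, "IDLE_KEY", f"access key {n} active but idle"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the fixed AS_OF time."""
    return audit_credential_report(SAMPLE_REPORT, AS_OF)


if __name__ == "__main__":
    for user, code, detail in audit_sample():
        print(f"{code:16} {user:16} {detail}")
```

Running it against the sample flags the root user on all three counts, `bob` for a console login without MFA plus a stale, never-used key, and `ci-deploy` for two keys well past rotation age; the last case is the one the principle really targets, since a CI pipeline with two long-lived keys is a candidate for an IAM role assumed through STS rather than a user with static credentials.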
3. Prioritize and re-prioritize.

The primary objective of a security strategy is to address risk, so remember to put a risk-based approach at the centre of your program and continuously re-evaluate your priorities.

A good way to stay true to your course is to focus on protecting the data and services, not the perimeter. Implement intentional data policies, including guidance on what levels of data sensitivity can be placed into the cloud, under what circumstances, and what is currently not acceptable.

SMBs may need to prioritize and even make certain trade-offs when choosing what to focus on. For instance, consider implementing effective logging and alerting of administrative actions and changes to critical systems if complete visibility of all user activity is too big of a task.

4. Use the cloud to protect the cloud.

Many large organizations run their regulated workloads on AWS, and customers of all sizes have the same cloud-native security controls available to them. SMBs benefit from cost advantages and access to enterprise-grade tools when they use the cloud to secure the cloud.

The Security Perspective of the AWS Cloud Adoption Framework (CAF) organizes security in the cloud into five areas. They provide a structured approach to building security capabilities at scale by following a prescriptive order, where each area builds upon its predecessor.

  • Identity and access management. To use AWS services, you must grant your users and applications access to resources in your accounts via AWS IAM. As you run more workloads on AWS, use policy-based management for multiple accounts via AWS Organizations and consider AWS Single Sign-On to manage access centrally.
  • Detection. Start by implementing baseline logging and monitoring with AWS CloudTrail, in a way that is applied automatically to every account (e.g. via AWS Control Tower) so that it scales. When incidents occur, this ensures basic log data is in place to aid your investigations. Configure alerts for key events and define your response plan so you are prepared to take action; automated Amazon CloudWatch alerts and notifications should be based on defined conditions so that your teams or tools can investigate. Finally, Amazon GuardDuty is probably the most important detection mechanism available to help your organization identify and understand the scope of anomalous activity.
  • Infrastructure protection. Infrastructure protection encompasses control methodologies, such as defense in depth, that are necessary to meet best practices and organizational or regulatory obligations. Use the Amazon Virtual Private Cloud (VPC), AWS Network Firewall and AWS WAF to apply protection to all layers.
  • Data protection. AWS democratized encryption by providing enterprise-grade server-side encryption, AWS Key Management Service (KMS) and AWS Secrets Manager, which give companies of all sizes the mechanisms to protect their most sensitive data. Before architecting any workload, make sure data classification is practiced to identify the level of sensitivity and to decide which encryption mechanisms to implement. These methods are important because they support objectives such as preventing mishandling and complying with regulatory obligations.
  • Incident response. Ensure your team is prepared to respond to incidents by educating your team, creating a response plan and simulating scenarios. Even with extremely mature preventive and detective controls, your organization can still benefit from automation capabilities of AWS Lambda to respond to and mitigate the potential impact of security incidents.

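The detection area above (baseline CloudTrail logging, alerts for key events) and the earlier advice to prioritize logging of administrative actions when full visibility is out of reach are easy to state and harder to make concrete, so here is an added example that is not part of the original post or of any AWS service: a Python script that runs a handful of CloudTrail detections over sample records. The records are constructed for this example (the field names follow the CloudTrail event layout, but the account, principals, IP addresses and timestamps are invented), and the rule names and the threshold of three denied calls are this example's own choices.

```python
"""Baseline CloudTrail detections run over sample records.

SAMPLE_EVENTS is constructed for this example: the records follow the
CloudTrail event layout (userIdentity, eventSource, eventName, errorCode,
...) but the account, principals, IPs and timestamps are invented.
"""
from collections import Counter

ACCOUNT = "123456789012"
ROOT_USER = {"type": "Root", "principalId": ACCOUNT,
             "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT}
ALICE = {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE", "userName": "alice",
         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "accountId": ACCOUNT}
CI_DEPLOY = {"type": "IAMUser", "principalId": "AIDAEXAMPLECIDEPLOY", "userName": "ci-deploy",
             "arn": f"arn:aws:iam::{ACCOUNT}:user/ci-deploy", "accountId": ACCOUNT,
             "accessKeyId": "AKIAEXAMPLEKEY00001"}


def _record(identity, source, name, time, ip, **fields):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
           "awsRegion": "us-east-1", "sourceIPAddress": ip, "userIdentity": identity}
    rec.update(fields)
    return rec


WORLD_SSH = {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}

SAMPLE_EVENTS = [
    _record(ROOT_USER, "signin.amazonaws.com", "ConsoleLogin", "2021-04-12T07:02:11Z", "198.51.100.7",
            responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _record(ALICE, "signin.amazonaws.com", "ConsoleLogin", "2021-04-12T08:15:40Z", "203.0.113.20",
            responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _record(ALICE, "iam.amazonaws.com", "AttachUserPolicy", "2021-04-12T08:20:03Z", "203.0.113.20",
            requestParameters={"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    # A leaked CI key: blind the trail, open SSH to the world, then probe what else it can do.
    _record(CI_DEPLOY, "cloudtrail.amazonaws.com", "StopLogging", "2021-04-12T09:01:55Z", "192.0.2.99",
            requestParameters={"name": "org-trail"}),
    _record(CI_DEPLOY, "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "2021-04-12T09:02:30Z",
            "192.0.2.99", requestParameters=WORLD_SSH),
    _record(CI_DEPLOY, "iam.amazonaws.com", "ListUsers", "2021-04-12T09:03:01Z", "192.0.2.99",
            errorCode="AccessDenied"),
    _record(CI_DEPLOY, "s3.amazonaws.com", "ListBuckets", "2021-04-12T09:03:05Z", "192.0.2.99",
            errorCode="AccessDenied"),
    _record(CI_DEPLOY, "ec2.amazonaws.com", "DescribeInstances", "2021-04-12T09:03:09Z", "192.0.2.99",
            errorCode="Client.UnauthorizedOperation"),
    _record(CI_DEPLOY, "iam.amazonaws.com", "CreateUser", "2021-04-12T09:03:12Z", "192.0.2.99",
            errorCode="AccessDenied"),
]

# Calls that weaken visibility or widen access; each one is worth an alert on its own,
# attempted or not (a denied AttachUserPolicy is still worth a look).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_PRIVILEGE_CHANGES = {"AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy", "PutUserPolicy",
                         "PutRolePolicy", "CreatePolicyVersion", "UpdateAssumeRolePolicy", "CreateAccessKey"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}
DENIED_BURST = 3  # the third denied call from one actor raises a single alert


def _opens_to_world(params):
    """True if an AuthorizeSecurityGroupIngress call admits any IPv4 or IPv6 source."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", [])):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in perm.get("ipv6Ranges", {}).get("items", [])):
            return True
    return False


def detect(events):
    """Return (rule, actor, eventName) findings in log order."""
    findings, denied = [], Counter()
    for ev in events:
        identity = ev.get("userIdentity", {})
        actor = identity.get("arn") or identity.get("principalId", "unknown")
        name, source = ev["eventName"], ev["eventSource"]
        if identity.get("type") == "Root":
            findings.append(("root_activity", actor, name))
        if (name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("console_login_without_mfa", actor, name))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            findings.append(("trail_tampering", actor, name))
        if source == "iam.amazonaws.com" and name in IAM_PRIVILEGE_CHANGES:
            findings.append(("iam_privilege_change", actor, name))
        if (source == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress"
                and _opens_to_world(ev.get("requestParameters", {}))):
            findings.append(("security_group_open_to_world", actor, name))
        if ev.get("errorCode") in DENIED_CODES:
            denied[actor] += 1
            if denied[actor] == DENIED_BURST:  # fire once, not on every further failure
                findings.append(("access_denied_burst", actor, name))
    return findings


if __name__ == "__main__":
    for rule, actor, name in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {name:30} {actor}")
```

Every rule keys off fields that each CloudTrail record already carries (userIdentity.type, eventSource, eventName, errorCode, the MFAUsed flag on console logins), which is the point of the "baseline first" advice: a single organization trail gives you root usage, trail tampering, privilege grants, world-open security groups and enumeration bursts before any further tooling is added. In production the same conditions would be expressed as CloudWatch metric filters with alarms, Amazon EventBridge rules, or a Lambda function subscribed to the trail's log group rather than a script over a list.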
5. Invest in training.

The cloud security skills gap hurts large enterprises and SMBs alike. It is essential to invest in continuous learning and to build AWS Training and Certification into your personnel development plans, annual goals, performance reviews or whatever mechanism you have.

As the IT infrastructure transformation accelerates, companies of all sizes are struggling to acquire the right talent to support their cloud initiatives, and high demand means there is market competition for cloud-skilled professionals. The cloud skills gap hinders many organizations' ability to adopt the cloud quickly and securely. Up-skilling your existing staff could save time and cost compared with recruiting and training new staff.

Your employees already have invaluable knowledge about the company and its products, and technology employees tend to be fast, flexible, and eager learners. As AWS Enterprise Strategist Mark Schwartz explains, the real question is how to take advantage of your employees' wealth of knowledge as company insiders by helping them leverage their existing technical skills to learn critical new ones.

6. Practice makes perfect.

Perhaps the most important aspect of your cloud security strategy is how you respond to security incidents. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery. Your preparation strongly affects the ability of your teams to operate effectively during an incident, to isolate and contain issues, and to restore operations to a known good state. Putting in place the tools and access ahead of a security incident, then routinely practicing incident response through game days, helps ensure that you can recover while minimizing business disruption.

Give your team a standalone sandbox AWS account to experiment with the technology, and have them participate in experience-based training events such as the AWS Security Workshops and AWS Jam Sessions. "There is no compression algorithm for experience," says Andy Jassy, the cloud king of Amazon.

Conclusion

Firefighting is not a strategy. Having a well-defined cloud security strategy can prevent your organization from overspending or misspending on cloud security controls. But it should not be a one-time exercise: organizations should continually evaluate their cloud security strategy to align it with envisioned business outcomes and to identify additional controls to mitigate risks.
