Continuing the thought from my previous blog: Does Your Organization Need a Cloud Security Architect? – CyberOne (cyberonesecurity.com)
Building a Strong Cloud Posture: Key Considerations for Cloud Cyber Architects
When it comes to deploying and managing cloud services, security should be a top priority. In this blog, we will explore three vital aspects that organizations should focus on during the building out of their cloud environment: segmentation, policies (identity-based and organizational), and infrastructure as code (IaC). By understanding the importance of these elements, businesses can enhance their cloud security measures and mitigate potential risks.
Segmentation: A Fundamental Security Measure
One reason organizations separate workloads in data centers by geographical locations and within them is to satisfy security requirements. For the same reason, cloud environments should also establish segmentation boundaries for workloads. Thinking back to the house analogy in my previous post: a house has doors between various rooms; some of those doors leverage deadbolt locks, where others are secured by children who have simply posted on the door “Stay Out!”. The key takeaway here is segmentation should be defined to handle various types of sensitive workloads and data. Segmentation is accomplished by leveraging both cloud accounts and cloud objects. Regardless of the chosen CSP (AWS, Azure, GCP, etc), they all have essentially the same approach for organizing accounts as well as the constructs for cloud objects (VPCs, Subnets, NACLs, Security Groups). Organizations typically leverage segmentation to isolate the following environments: Production, Development, Sandbox – with possibly micro-segmentation taking place within those environments. Mature, security-minded organizations will leverage dedicated accounts for Security and Infrastructure services. Deploying all workloads in a single account, relying on a single VPC/Subnet, is suboptimal even for smaller organizations.
Establishing Effective Cloud Policies
After completing the segmentation, it is crucial for the organization to prioritize the establishment of policies for effectively controlling cloud consumption. This sequence is essential due to the nature of how cloud policies are formulated, which are primarily based on the account and object structures. Three key types of cloud policies exist:
- Account policies: These policies are applied at the organizational/account level, providing users with broad controls to limit actions. Examples include enforcing encryption, restricting object deployment to specific regions, and denying high-risk or unapproved cloud services.
- IAM policies: IAM (Identity and Access Management) policies define who can perform specific actions and should adhere to the principle of least privilege. They can be used independently or in conjunction with resource-level policies to establish a defense-in-depth posture.
- Resource-level policies: These policies limit the actions that can be performed on cloud objects and, like IAM policies, should prioritize the least amount of privilege.
Leveraging Infrastructure as Code (IaC) for Enhanced Security
One common approach for those new to the cloud is to obtain an account and then deploy objects directly from the CSP console – I’m guilty of this approach myself. Unlike the common approach of deploying objects directly from the CSP console, IaC offers an organized and discrete manner of provisioning cloud resources. IaC supports automation, agility, auditing, and compliance, etc. IaC also provides the ability for security teams to examine what the object owner intends to push to the cloud, aligning with the principles of DevSecOps. Security teams have two approaches for the inspection – manual review of code or leveraging cloud native or 3rd party tools. Obviously, the manual approach is time consuming but opens up opportunities for the security team to see specific aspects of the cloud service that might conflict with organizational policies. Leveraging tools, native or 3rd party, to perform the review can be beneficial seeing as they provide built-in compliance frameworks. Ideally, organizations should combine both approaches based on contextual insight, allowing for a comprehensive security assessment. Going back to the house analogy, IaC provides the ability to compartmentalize your cloud environment and allows for the possible reinspection by the security team to only consist of what is being requested to change.
In today’s cloud-driven landscape, prioritizing security is paramount for organizations deploying and managing cloud services. Segmentation, accomplished through the strategic use of cloud accounts and objects, is vital for effectively handling different types of sensitive workloads and data. Establishing effective cloud policies allows for granular control over cloud consumption and fosters a defense-in-depth posture. By embracing IaC, organizations can provision cloud resources in an organized, automated, and compliant manner with effective collaboration between development, security, and operations teams. By combining manual review and tool-based assessments, organizations can achieve a comprehensive security assessment. Embracing these aspects empowers organizations to build a robust and secure cloud environment for their critical workloads.
Marc Hall is a senior security architect with CyberOne Security. Marc previously held a variety of roles at Raytheon Technologies over a span of 18 years focusing on architecture, design, and development of information systems within various business units and at Ericsson as a software developer. Over the years he has shaped enterprise cyber and infrastructure cloud strategy, established cybersecurity guardrails for cloud platforms and services leveraging cybersecurity frameworks, designed and developed mission critical defense systems, managed red teaming exercises targeting defense systems, and researched and developed novel solutions to support customer requirements. Marc is based in Dallas, TX and has a B.S. in Computer Science (University of Texas at Dallas) and a M.S. in Security Engineering (Southern Methodist University).