Best practice tips for better cloud security [Part 2]
If it has an electrical current, it can probably get hacked. And in case you were part of the minority under the impression that cloud systems can’t be breached, think again. According to this CrowdStrike report, cloud exploitation exploded by 95% in 2022, denoting a three-fold increase in “cloud-conscious threat actors.”
In our previous post, we covered keeping track of your cloud infrastructure, IAM, penetration testing, and creating an effective BCDR strategy. But those aren’t the only best practices of cloud security – there are more, lots more. Below we cover another selection of cloud security best practices to help safeguard your cloud infrastructure against those cloud-conscious threat actors.
Implement data encryption
What happens if your systems are compromised? If attackers manage to download data, what effect will it have? For many organisations, this is a potentially disastrous scenario since, at the very least, it could dramatically shake customer confidence. Cloud encryption caters to such a possibility by encrypting data with the use of a key. Without this key, stolen data cannot be viewed, rendering it useless. It’s a pretty valuable cloud security strategy favoured by many security professionals.
As with anything else, encryption’s efficacy depends on implementation and management. Here are a few points to consider:
Encryption can be complex
When you take into account the various flavours of Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), and that each of these cloud services will require different encryption implementations, it’s apparent that encryption requires significant planning. It should also be noted that encryption can be applied at various architectural points, such as application level, file system-based, agent-based, and storage device level. Each of these requires a different implementation.
Multiple compliance requirements
Very often data encryption needs to satisfy the minimum compliance requirements of the country or territory where it is hosted. When data is hosted across borders in other countries, the compliance requirements of those countries come into play as well. The net result is encryption that has to pass various reviews before it can be deployed.
Key management can be challenging
Key management involves keeping track of encryption keys and ensuring that they do not fall into the wrong hands – whether attackers or unauthorised individuals. Given the various stages or locations where encryption can be implemented, different compliance standards, and also the size of the organisation (the number of people requiring access to encrypted resources), key management can be a complex and time-consuming process.
Employee education
Education about cloud and digital security is as important as encryption, disaster recovery, and other facets of cloud security. The reason is simple: most attacks start with intelligence gathering from social media and other publicly available sources.
According to Kaspersky, a data breach can also occur because of oversight. Examples include:
- An accidental insider. It is considered a data breach when a person without proper authorisation accesses data that requires higher authorisation on a co-worker’s device.
- A malicious insider. This refers to an employee who accesses or shares data with malicious intent (regardless of whether that employee has the necessary authorisation).
- Lost or stolen devices. Lost or stolen devices could be a serious breach, depending on the authorisation level of the person they belonged to. Not only is the information stored on the device at risk, but it may also contain credentials that can be extracted and used to access the cloud infrastructure.
- Malicious outside criminals. This category represents the typical cyber attacker. Note that many attacks can have a strong social engineering component.
The UK National Cyber Security Centre provides a list of training resources and locations for all skill levels.
Avoid tool / agent fatigue
Throwing software at a problem is the first course of action for many. Where cloud security is concerned, this in itself can be a potential vulnerability. A Palo Alto survey found that organisations typically rely on 30 or more tools for their overall security, with six to ten of those for cloud security. Three-quarters of survey respondents admitted that all these tools effectively create security blind spots, making it difficult to prioritise risk and prevent threats.
For security teams, the problem is compounded by the fact that cloud security software typically uses ‘agents’ installed on peripheral devices. These agents can then be used to perform actions like scanning and reporting, applying patches, and even rebooting devices. At the same time, many of them offer active protection or threat remediation.
But when there’s at least one agent for every software tool, things become problematic. On the one hand, there might be policy issues, and on the other the fact that too many software agents can cause significant performance overhead. For these and other reasons ‘agentless’ security tools are enjoying time in the spotlight. But what some organisations don’t realise is that agentless tools typically don’t offer the same real-time insights, prevention, or remediation that agent-based tools do.
Needless to say, when the objective is to avoid or eliminate security blind spots and give teams the ability to properly prioritise threats, the solution is a careful balance between agent-based and agentless tools.
Security Information and Event Management (SIEM)
Think of Security Information and Event Management (SIEM – pronounced ‘sim’) as a smart way of saying ‘monitoring and logging’. Granted, SIEM refers more to a system than a best practice, but it introduces a more comprehensive dimension to ‘monitoring and logging’.
SIEM systems / tools essentially do the following:
- Gather logs and event data from various sources and determine whether there is an active threat or breach
- Identify patterns between individual event data entries to determine threat or activity
- Provide alerts and audits of all activity related to an incident
One of the greatest benefits of a SIEM system is the centralised view of activity across your entire cloud infrastructure. If you’ve ever trawled logs trying to identify suspicious activity, you’ll agree that a tool that does all the heavy lifting can make life a lot easier.
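To make the three steps above concrete, here is an added example (not code from the original post or from any SIEM product) of a minimal correlation rule: it normalises SSH authentication lines gathered from several hosts into one schema, then flags a source IP that fails repeatedly across any of those hosts and then succeeds within a short window. The log lines, hostnames and IP addresses are constructed sample data, and the threshold and window are assumed values a real rule would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events from three hosts (not real data).
# Note the failures for 203.0.113.7 are split across web-01 and web-02,
# so no single host's log shows the whole pattern on its own.
SAMPLE_LOGS = """\
2024-01-15T10:00:01Z web-01 sshd: Failed password for admin from 203.0.113.7
2024-01-15T10:00:04Z web-01 sshd: Failed password for admin from 203.0.113.7
2024-01-15T10:00:09Z web-02 sshd: Failed password for root from 203.0.113.7
2024-01-15T10:00:12Z web-02 sshd: Failed password for admin from 203.0.113.7
2024-01-15T10:00:15Z web-01 sshd: Accepted password for admin from 203.0.113.7
2024-01-15T10:05:00Z web-03 sshd: Failed password for bob from 198.51.100.9
2024-01-15T10:45:00Z web-03 sshd: Accepted password for bob from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

def parse_events(text):
    """Step 1 (gather): turn raw lines from many hosts into one event schema."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would keep unparsed lines in a catch-all index
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def correlate_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Step 2 (identify patterns) and step 3 (alert): raise one alert when a
    source IP has >= threshold failures on any hosts, then a success, all
    within `window`. Assumed threshold/window values; tune them in practice."""
    failures = defaultdict(list)  # ip -> timestamps of failed logins
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip].append(e["ts"])
            continue
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": e["user"], "host": e["host"],
                           "failures": len(recent), "ts": e["ts"]})
        failures[ip].clear()  # a success resets the counter for that IP
    return alerts
```

Running `correlate_brute_force(parse_events(SAMPLE_LOGS))` yields a single alert for 203.0.113.7 (four failures followed by a success on web-01), while bob's lone failure 40 minutes before his successful login stays below the threshold.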
Another benefit of SIEM is that it greatly simplifies compliance reporting. Many SIEM tools come equipped with built-in support for popular compliance standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the Sarbanes-Oxley Act.
SIEM tools used to be within the purview of enterprise organisations. But in recent years SIEM tools have been released that cater to small and medium organisations too. Whatever the size of your cloud infrastructure, investing in a SIEM tool can save a lot of time and effort.
Cloud security is a crucial part of cloud hosting. But, just like your cloud infrastructure, it requires planning. Too many security tools and agents can leave blind spots. Use SIEM tools to bring all logs and event alerts into one central interface, and complement active monitoring and defence with data encryption. And given that employees are often targeted first, they are effectively your first line of defence against online attacks, which makes proper digital security training a necessity.