I find that the second week of a diet is easier than the first – I’ve always given up by then! The secret to getting fit and losing weight is an uncomfortable truth which, in all honesty, we already know: A permanent shift in lifestyle is going to be needed, eat less, eat better, and get active. Cyber Security Best Practices are not really much different.
Even so, this won’t ever stop us looking for new alternatives, and in the case of the Smoothie, there are a number of health benefits: they increase fiber intake, contribute towards our 5 a day, boost vitamin C levels and may help with conditions like high blood pressure. But it’s not all good news - when we blend or juice fruit, we’re breaking down the plant cell walls and exposing the natural sugars, the type we are advised to cut back on. These ‘Free Sugars’ may lead to dental decay, cause an unhealthily rapid rise in blood sugar levels and crucially, provide excess calories.
In other words, a smoothie won’t improve your fitness and is unlikely to help you lose weight. And yet the market for nutrient-extracting blenders and smoothies is predicted to grow to over $7B in the coming year, a classic case of hope triumphing over experience.
And just as there are no real shortcuts to weight loss and fitness, attaining 24/7 cyber security is similar, in that there is no alternative to doing the hard yards. However, the trends show we may be pinning our hopes on the cyber-equivalent of the Kale Smoothie. A recent IBM survey of over 3,000 IT security professionals produced a couple of stand-out findings that should really grab everyone's attention.
The simple conclusion is that the threat to cloud IT systems is increasing. True, we are seeing the number of Cloud deployments increasing, and therefore there is now a bigger target that is easier to hit. Even so, the need to get a lot smarter with cyber security defenses is clear. Just as there is only one effective solution to weight loss and fitness, cyber security also only works when a disciplined and consistent practice is maintained, albeit with some technology to help. Not quite ‘no pain no gain’, but it’s so much more than just buying a SIEM system and configuring some firewall rules.
Cloud systems have given us some new problems as well as reinforcing some of the age-old security issues. The technology and platforms are comparatively new, so none of us has as much experience of the pitfalls as we do with, say, Linux and Windows. Many of the key benefits of cloud come from the new properties it introduces, such as:
- Dynamic/ephemeral provision of container applications and cloud infrastructure on demand
- DevOps practices such as CI/CD (continuous integration/continuous deployment)
- The flexibility of Public, Private and Hybrid cloud environments, almost always additional options on top of the standard data center infrastructure we already need to secure
As a brief summary, best practices for migrating IT services to the Cloud might look something like the following. We'll assume that a strategic business case has already been made to migrate to cloud: today it's often when the realization dawns that a new datacenter is going to be needed or a hardware refresh is coming around. The eye-watering costs and the anticipated logistical challenges almost inevitably lead to the conclusion that cloud computing would make life much better.
Key questions: Are we simply re-hosting, re-platforming or re-architecting? Much of this is driven by whether these are your own in-house developed applications or not, and by the current state and future direction of your IT services. For most it's a combination of all three paths, because every application has different requirements for now and moving forwards. If you are stuck with any legacy applications running on old platforms then it's likely that Hybrid Cloud is coming your way. At least you will now have the opportunity to exploit the benefits of the world of DevOps with a Continuous Integration/deployment (CI/CD) pipeline, and instantly refreshed, elastic, container-based microservices applications down the line!
From a security standpoint, Cloud is highly attractive if it removes your data center security and business continuity responsibilities – or does it? In terms of security best practices, yes and no. You no longer have a physical data center to secure, but you will still need to implement new, alternative access security controls and get a very clear understanding of the activities and rights of your in-house resources and those of the service provider.
In response to the phishing attacks and account compromise stats being reported and the separate, but related, increase in targeted attacks on cloud systems, the industry is now re-purposing long-standing security best practices for the cloud. The Principle of Least Privilege is nothing new but is a discipline that is routinely flouted, despite being a critical security control. It's the cyber security equivalent of being too busy to go to the gym today, because it's always easier to over-provision than to tailor rights as tightly as possible. In today's industry-speak, Cloud Infrastructure Entitlement Management (CIEM) provides the tools not just to operate the Principle of Least Privilege for Cloud and Container environments but also to cover the requirements for monitoring user/account activity, providing clear audit trails and point-in-time User Entitlement Reviews.
In the purest implementations, this can be taken even further with operation of a Zero Standing Privilege (ZSP) philosophy. ZSP introduces a zero-tolerance policy to over-provisioned entitlement by ensuring all root-level access is only available temporarily on demand when required, but is otherwise disabled.
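To make the CIEM and ZSP ideas above concrete, here is an added example (my own illustration, not code from the original post or from any CIEM product). It reviews a simplified, constructed IAM-style policy for over-provisioning (wildcard actions and resources), then models Zero Standing Privilege: root-level actions are never a standing grant, they are only elevated on demand with an approver and a hard expiry, and a point-in-time entitlement review reports who holds root-level rights and why. The policy format, user names, role names and the set of actions treated as root-level are all assumptions.

```python
"""Least-privilege policy review with Zero Standing Privilege (ZSP) elevation.

Added example, not code from the original post. The policy format is a
simplified, constructed stand-in for a cloud IAM policy document; the user
names, approver and ROOT_LEVEL_ACTIONS set are invented for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed root-level actions: under ZSP these are never a standing grant.
ROOT_LEVEL_ACTIONS = {"*", "iam:*", "iam:CreateUser", "iam:AttachRolePolicy", "sts:AssumeRole"}


def over_provisioned_statements(policy):
    """Flag Allow statements that grant more than a tailored role needs.

    Returns a list of (sid, reason) for wildcard actions, wildcard resources
    and root-level actions handed out as standing privilege.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append((sid, f"wildcard action {a!r}"))
            elif a in ROOT_LEVEL_ACTIONS:
                findings.append((sid, f"root-level action {a!r} granted as standing privilege"))
        for r in resources:
            if r == "*":
                findings.append((sid, "wildcard resource '*'"))
    return findings


@dataclass
class Grant:
    user: str
    actions: set
    expires: datetime  # ZSP: every elevation carries a hard expiry


@dataclass
class ZspEntitlements:
    """Standing (permanent) rights plus time-boxed elevations and an audit trail."""
    standing: dict = field(default_factory=dict)   # user -> set of actions
    elevations: list = field(default_factory=list)
    audit: list = field(default_factory=list)      # append-only trail of elevations

    def request_elevation(self, user, actions, ttl_minutes, now, approver):
        """Grant actions on demand; they are disabled again once ttl has passed."""
        expires = now + timedelta(minutes=ttl_minutes)
        self.elevations.append(Grant(user, set(actions), expires))
        self.audit.append((now, user, sorted(actions), approver, expires))
        return expires

    def effective_actions(self, user, now):
        """Standing rights plus any elevation that has not yet expired."""
        active = set(self.standing.get(user, set()))
        for g in self.elevations:
            if g.user == user and now < g.expires:
                active |= g.actions
        return active

    def entitlement_review(self, now):
        """Point-in-time review: who holds root-level rights right now, and why."""
        report = {}
        for user in set(self.standing) | {g.user for g in self.elevations}:
            root = self.effective_actions(user, now) & ROOT_LEVEL_ACTIONS
            standing_root = set(self.standing.get(user, set())) & ROOT_LEVEL_ACTIONS
            if root:
                report[user] = ("STANDING root access (ZSP violation)"
                                if standing_root else "temporary elevation")
        return report


# Constructed sample policy: one tailored statement, one over-provisioned one.
SAMPLE_POLICY = {
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Sid": "LegacyAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ]
}


def demo_review(minutes_after_start):
    """Constructed scenario: alice is elevated for 30 minutes, bob keeps standing iam:*."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    ent = ZspEntitlements(standing={"alice": {"s3:GetObject"}, "bob": {"iam:*"}})
    ent.request_elevation("alice", {"iam:CreateUser"}, 30, t0, approver="carol")
    return ent.entitlement_review(t0 + timedelta(minutes=minutes_after_start))


if __name__ == "__main__":
    for sid, reason in over_provisioned_statements(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
    print(demo_review(0))    # alice: temporary elevation, bob: standing root access
    print(demo_review(60))   # alice's elevation has lapsed; only bob remains
```

The review at minute 60 is the point: alice's root-level right has silently expired without anyone remembering to revoke it, while bob's standing `iam:*` shows up on every review until someone fixes it. That difference is what ZSP buys you over a one-off least-privilege clean-up.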
Of course, attacks on Cloud systems aren’t wholly related to loose privileges and abuse of hijacked credentials.
Cloud environments introduce an entirely new layer of infrastructure to underpin the virtual data centers being operated. This necessarily comes with its own complex, fine-grained configuration, and as always, the choice of configuration settings is left up to you, depending on how much security you want at the expense of restricted and/or reduced functionality. For example, and continuing the theme of Cloud access control, before you implement a strategic CIEM or Zero Standing Privilege strategy, Multi-Factor Authentication is offered as a configurable option, but isn't a default setting.
As a starting point, pre-built hardened images are always a good option, and for the Cloud system itself, CIS Benchmarks provide secure configuration guidance. Hardening is never a one-off practice but needs to be backed up with automated, continuous monitoring to report if your cloud security posture decays. The challenge then is to get a consistent picture across all cloud systems in use, including hybrid and private cloud while not excluding traditional datacenter and even legacy IT platforms and applications. Every IT asset is a potential attack vector, especially when we are looking to defend against attacks using compromised credentials.
As with Entitlement Management, developing, implementing and maintaining a secure, hardened cloud infrastructure needs a blend of activity monitoring, point-in-time status reporting and alerts if your chosen build standard drifts. Change Control – another critical security control – is an essential discipline for Cloud just as it is for all other areas of IT Operations. Until you are in control of change – which first requires complete visibility of all change – how do you know that changes have been made to systems, let alone whether these changes are planned or unplanned, good or bad, expected or potentially malicious?
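The three preceding paragraphs (MFA as a non-default setting, hardening against a CIS-style baseline with continuous monitoring for posture decay, and change control that separates planned from unplanned change) fit together in one small drift detector. This is an added example of my own, not code from the original post or from any CIS or cloud-provider tool: the baseline settings, system names, snapshots and change tickets are all constructed, and the setting names are assumptions rather than any vendor's real configuration keys.

```python
"""Hardened-baseline drift detection tied to change control.

Added example, not code from the original post. BASELINE is a constructed,
CIS-style set of expected settings; the system names, live snapshots and
approved change tickets are invented for illustration.
"""
from datetime import datetime, timezone

# Constructed hardened baseline: the build standard every in-scope system must meet.
BASELINE = {
    "iam.mfa_required_for_console": True,   # MFA is configurable, not the default
    "storage.public_access_blocked": True,
    "audit.logging_enabled": True,
    "network.ssh_open_to_world": False,
    "compute.imdsv2_required": True,
}

# Approved change records: (system, setting, approved_value, ticket, valid_until).
APPROVED_CHANGES = [
    ("web-prod-01", "network.ssh_open_to_world", True, "CHG-0042",
     datetime(2024, 3, 10, 18, 0, tzinfo=timezone.utc)),
]

# Two review instants: inside the ticket's window, and after it has lapsed.
NOW_DURING = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
NOW_AFTER = datetime(2024, 3, 11, 9, 0, tzinfo=timezone.utc)


def approved_change(system, setting, value, now):
    """Return the ticket id if a still-valid approved change explains this value."""
    for sys_, set_, val, ticket, until in APPROVED_CHANGES:
        if sys_ == system and set_ == setting and val == value and now <= until:
            return ticket
    return None


def drift_report(snapshots, baseline, now):
    """Compare each system's live settings with the baseline.

    Returns {system: [(setting, expected, actual, classification)]} where the
    classification is 'planned (<ticket>)' when change control covers it and
    'unplanned' otherwise. A setting missing from a snapshot is drift too:
    without visibility of the setting there is no control over it.
    """
    report = {}
    for system, settings in snapshots.items():
        findings = []
        for setting, expected in baseline.items():
            actual = settings.get(setting, "<missing>")
            if actual == expected:
                continue
            ticket = approved_change(system, setting, actual, now)
            cls = f"planned ({ticket})" if ticket else "unplanned"
            findings.append((setting, expected, actual, cls))
        if findings:
            report[system] = findings
    return report


def posture_score(snapshots, baseline, now):
    """Fraction of (system, setting) pairs matching the baseline; 1.0 is fully compliant.

    Tracking this number over time is the 'does my posture decay' check.
    """
    total = len(snapshots) * len(baseline)
    drifted = sum(len(f) for f in drift_report(snapshots, baseline, now).values())
    return (total - drifted) / total if total else 1.0


# Constructed snapshots: one compliant system, one with planned and unplanned drift.
SNAPSHOTS = {
    "api-prod-01": dict(BASELINE),
    "web-prod-01": {
        "iam.mfa_required_for_console": False,  # no ticket: unplanned
        "storage.public_access_blocked": True,
        "audit.logging_enabled": True,
        "network.ssh_open_to_world": True,      # CHG-0042, until it expires
        "compute.imdsv2_required": True,
    },
}

if __name__ == "__main__":
    for when in (NOW_DURING, NOW_AFTER):
        print(when.isoformat(), "score", posture_score(SNAPSHOTS, BASELINE, when))
        for system, findings in drift_report(SNAPSHOTS, BASELINE, when).items():
            for setting, expected, actual, cls in findings:
                print(f"  {system}: {setting} expected={expected} actual={actual} [{cls}]")
```

Note what happens at the second review: the SSH exposure that was a planned exception during the ticket's window becomes unplanned drift once the ticket lapses, without anything on the system itself changing. That is the change-control angle of the paragraph above: the alert fires because the approval expired, not because a new change was made.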
So set the alarm clock and get to the gym early - as soon as you finish your workout there’s another busy day of cloud security to get on with!