Going by current news, public cloud adoption is a growing trend among organisations. Multi-cloud adoption is growing too, although it has not captured as much media attention. Computer and network security experts recommend standardizing on multiple IaaS cloud service providers as a best practice for both security and availability. But what are the security priorities for cloud migration? For securing workloads in public clouds, the experts recommend a list of items arranged in hierarchical order. The list starts with foundational items grouped under operations hygiene (access control, configuration, change management), followed by those that fall under core workload protection, such as vulnerability management, log management, whitelisting and network segmentation.
Experts also recommend that organisations not place too much trust in the traditional endpoint protection platforms commonly used in on-premises or physical deployments. The general best-practice recommendations place emphasis on workload security. But what does this mean for security operations professionals who understand what success comprises in traditional enterprise environments? What should they secure first, and what technology should they opt for? To answer these questions, start with the “shared responsibility model” from the cloud service provider and the common compliance mandates. Then identify the most critical assets (as part of a workload), since these require the highest level of protection. Often overlooked but equally important is the security of access control at the application layer. Every CSP is different, and in some cases these models overlap or conflict with corporate security mandates and current best practices.
Expert advice
Deciding on and implementing an effective security model can be overwhelming for enterprise professionals, especially given that it goes beyond simply installing software. Businesses should therefore not shy away from seeking the help of security professionals who are experts in this particular area, and who can work with the enterprise throughout to devise and implement every phase of a successful security plan.
Securing the cloud workload
Securing the cloud workload should be given topmost priority. As a basic foundation, this should start with access controls. Who and what has access should be definitively determined, per server workload. This implies that administrative access should have tighter controls and that multi-factor authentication should be used.
With proper access control in place, the configuration then requires the removal of all unnecessary components. Access control should then be hardened and configured in strict compliance with the enterprise standard guidelines, and should be patched regularly to seal potential security holes.
Network isolation and segmentation are another important component of workload security. This process involves limiting the ability of the server to communicate with external sources. Network isolation and segmentation can be accomplished through either internal or external firewalls on Windows or Linux. Vital as this segmentation is, the enterprise should also closely examine its system’s logging capabilities. Logging systems make it easier for security managers to closely monitor the overall health of the security plan.
A final point of concern in securing cloud workloads is secure code and application control. Attackers like to target applications, so the applications should be secured as much as possible. This is best done by having security in mind from the very start of the application's lifecycle.
Whitelisting should be applied to limit the executables that are allowed to run within the system. Whitelisting is a powerful security tool: malware that arrives in the form of an executable is rendered ineffective because it is prevented from running.
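The whitelisting decision described above, shown as an added example that is not part of the original article. It assumes the list is keyed on the SHA-256 digest of each approved executable (the article does not say how the list is built); all file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(approved_paths):
    """Map digest -> approved path for every vetted executable."""
    return {sha256_of(p): p for p in approved_paths}


def decide(path, allowlist):
    """Default deny: allow only files whose content digest is approved."""
    digest = sha256_of(path)
    if digest in allowlist:
        return ("allow", digest)
    return ("deny", digest)


def demo():
    """Run the policy over constructed sample files and return verdicts."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
            return path

        approved = write("bin/backup-agent", b"constructed approved build 1.0\n")
        allowlist = build_allowlist([approved])
        cases = {
            "approved": approved,
            "copy_elsewhere": write("tmp/renamed", b"constructed approved build 1.0\n"),
            "same_name_other_content": write("tmp/backup-agent", b"constructed unknown payload\n"),
            "unknown": write("tmp/dropper", b"constructed unknown binary\n"),
        }
        return {name: decide(path, allowlist)[0] for name, path in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```

Because the match is on content rather than name or location, a file that reuses an approved file name is still denied, while a patched build of an approved program needs its new digest added before it will run. Scripts executed by an approved interpreter are outside what this check sees.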
For enterprises utilizing cloud infrastructure services, coming up with a solid workload protection scheme should be a top priority. However, this is only one part of an effective security plan. With workload protection considered, the enterprise should proceed to evaluate other aspects of its security plan.
It must be remembered that cloud security is shared, and that it is important to be crystal clear about who is responsible for each aspect of security, no matter which cloud platform the enterprise is using. With a security plan in place that is based on the security priorities for cloud migration, the power of cloud computing can be exploited to the fullest extent while affording the enterprise the peace of mind that it deserves.