Measuring a cloud implementation against the vendor’s recommended best practices can provide a quick reduction of information security risk to a business.
Microsoft recently conducted a cloud adoption study in the United Kingdom and determined that over 60% of the surveyed organizations were planning to utilize existing IT resources to facilitate the organizations’ move to the cloud due to the shortage of people with cloud skills. At the same time, many organizations are rushing to move to the cloud to realize potential business benefits, such as IT cost reductions, or to increase the organization’s agility. This combination of a skilled cloud labor shortage and an organization’s desire to increase cloud adoption creates a challenge for security teams because resources who are not cloud experts are suddenly under pressure to deliver a solution that they aren’t familiar with. This all-too-common scenario increases information security risks.
Cloud providers are sensitive to this issue and have made a focused effort to provide solutions for IT and Security resources new to the cloud. For example, AWS provides security guidance to AWS customers in its whitepapers and security blog. Microsoft provides similar information in its Trust Center. The documents released by AWS and Microsoft can be a bit cumbersome to fully absorb, and make poor checklists because they are so detailed. Thankfully, the PDF-formatted whitepapers can be easily converted into a simple spreadsheet that lists the recommended security controls, each annotated with a brief description of why that control is important. Armed with an easy-to-complete spreadsheet of security controls instead of a lengthy series of PDF files, security teams can have an easily digestible and structured conversation with each business unit that is moving applications or data to the cloud.
The results of these conversations will be beneficial to the organization’s security team’s mission; either the identification of gaps will drive security improvements within the cloud environment, or the conversation will show that the business has already implemented a satisfactory number of security controls to reduce the organization’s information security risk to a level that is appropriate to the business.
The Center for Internet Security (CIS) is the second source of security controls that could be beneficial to organizations as they move to the cloud. The CIS benchmarks are a free collection of recommended security best practices for various operating systems and applications. There is a published benchmark for AWS, but one has not yet been published for Microsoft Azure. Security teams can use a similar approach with the CIS benchmarks as was used with the AWS and Azure best practices whitepapers to develop a fit-gap assessment of the CIS benchmarks implemented within their organization’s cloud environment(s).
One important distinction between the AWS best practices and the CIS benchmarks is that the CIS benchmarks are more technical in nature. The CIS benchmarks lend themselves well to automation since they can be measured directly through the AWS CLI. There are some open source projects, such as Prowler, that have already automated the process of measuring an AWS environment against the CIS benchmarks. Organizations can download these types of open source tools, modify the code to check for the standards in use by their organization (if they elect not to use the CIS benchmark values already provided in the code) and then run the checks in an AWS environment on a recurring basis without a significant investment of time or labor. Taking the automation a step further, it is possible to integrate AWS services, such as Lambda and SNS, to continually monitor an environment and either take action to correct non-compliance or to alert security staff.
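As an added illustration of measuring an environment through the AWS CLI (this is not code from Prowler or from the original article), the Python sketch below evaluates the JSON that three read-only CLI calls return against a table of standards. The threshold values, the check names and the sample output are assumptions constructed for the example; substitute your organization's own standards.

```python
import json

# Assumed thresholds modelled on common CIS AWS Foundations values;
# replace them with your organization's own standards.
STANDARDS = {"min_length": 14, "reuse_prevention": 24, "max_age_days": 90}

# Constructed stdout of three read-only AWS CLI calls (not real account data).
SAMPLE = {
    "aws iam get-account-password-policy":
        '{"PasswordPolicy": {"MinimumPasswordLength": 8, "MaxPasswordAge": 90}}',
    "aws iam get-account-summary":
        '{"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1}}',
    "aws cloudtrail describe-trails":
        '{"trailList": [{"Name": "example-trail", "IsMultiRegionTrail": false}]}',
}

def _load(cli_output, command):
    # stdout is empty when a call fails, e.g. no password policy has been set.
    return json.loads(cli_output.get(command) or "{}")

def evaluate(cli_output, standards=STANDARDS):
    """Return (check_name, passed, observed_value) for each control."""
    policy = _load(cli_output, "aws iam get-account-password-policy").get("PasswordPolicy", {})
    summary = _load(cli_output, "aws iam get-account-summary").get("SummaryMap", {})
    trails = _load(cli_output, "aws cloudtrail describe-trails").get("trailList", [])
    length = policy.get("MinimumPasswordLength", 0)
    reuse = policy.get("PasswordReusePrevention", 0)  # key absent when unset
    max_age = policy.get("MaxPasswordAge", 0)         # absent or 0: never expires
    multi_region = [t["Name"] for t in trails if t.get("IsMultiRegionTrail")]
    return [
        ("password-min-length", length >= standards["min_length"], length),
        ("password-reuse-prevention", reuse >= standards["reuse_prevention"], reuse),
        ("password-max-age", 0 < max_age <= standards["max_age_days"], max_age),
        ("root-mfa-enabled", summary.get("AccountMFAEnabled", 0) == 1,
         summary.get("AccountMFAEnabled")),
        # Missing data fails closed: assume root keys exist unless the summary says 0.
        ("root-access-keys-absent", summary.get("AccountAccessKeysPresent", 1) == 0,
         summary.get("AccountAccessKeysPresent")),
        ("multi-region-cloudtrail", bool(multi_region), multi_region),
    ]

def failures(results):
    """Names of failed checks: the list to alert on or feed to remediation."""
    return [name for name, passed, _ in results if not passed]

if __name__ == "__main__":
    for name, passed, observed in evaluate(SAMPLE):
        print(f"{'PASS' if passed else 'FAIL'}  {name}  observed={observed}")
```

Run on a schedule, the list returned by `failures()` is what a notification or corrective step would consume.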
The use of automation to reduce the security team’s workload is an important consideration in a cloud environment since a benefit of cloud technology is to allow business units an element of “self-service” in which they can spin up new servers or applications without significant involvement of traditional IT functions, including security. The global security skills shortage will exacerbate the problem of limited security talent being available to an organization’s business units as the business units continue to increase the size and scope of their cloud footprint. Security teams may need to increase their efficiency even more as cloud environments grow larger. Security teams can achieve higher levels of efficiency when they automate not only the detection of non-compliance but also the appropriate corrective action.
Traditional security frameworks, such as the CIS Critical Security Controls 20 (CSC20), are still relevant to cloud environments, and security teams can find value in measuring their cloud environment against the applicable controls. High-level concepts, such as how asset and software inventory is maintained, how systems are patched and measured for vulnerabilities, or how incident response and penetration testing are conducted, are all still valid objectives in a cloud environment. These and other topics can be used as conversation topics with business unit leaders so they can become more conversant with cloud risks that may impact the business units for which they are responsible. Security resources new to the cloud may have a slight learning curve to understand the vagaries of each cloud vendor, but for the most part, ‘why’ the concepts mitigate information security risk is common to both a traditional and a cloud environment. For example, applying security patches removes potential vulnerabilities, which decreases information security risk, whether the system or application being patched is in the cloud or not.
The implementation of traditional security controls, the ‘how’, may be different depending on the types of cloud solutions being used. The differences between ‘how’ technology and security controls are implemented in a traditional data center and in the different types of cloud, such as SaaS, PaaS, or IaaS, are an opportunity for IT and Security leaders to work together.
Cloud is not a replacement for traditional IT and security concepts, but rather extends traditional concepts in new and interesting ways. It’s possible for IT and security resources who are new to the cloud to leverage a fit-gap approach against a cloud vendor’s documented best practices to reduce information security risk with a few quick wins and to demonstrate that they can keep pace with the business’ demands.