How to adopt cloud services, securely

In “IDC Nordic Cloud Survey 2020” we learned that many organizations are facing challenges related to compliance, security and a lack of expertise in executing cloud transformations. These struggles are why a partner like TietoEVRY can be vital.

Making the most of the developing public cloud

Leading providers Google, Amazon and Microsoft have published close to 2 000 changes or new features on a yearly basis, and that number will only climb further in the upcoming years.  

On one hand, these changes can present risks, but on the other hand, they mean more efficient, secure and cost-optimized services. Many of these updates are improvements in core features, performance and security that sometimes even offer cost savings. For example, we recently learned about one cloud provider introducing a new set of virtual infrastructure based on more powerful hardware. Cheaper and more efficient infrastructure was just a click away for one of our customers – their migration from old to new hardware was painless. 

However, to work through all these changes, your organization needs the right processes in place – processes that enable evaluation and understanding of these changes and how they could affect already existing services. 

The building blocks for a secure foundation

The most important aspect is safeguarding the services built on public cloud platforms and maintaining control of your data. So where do you start? 

One important step is building a secure foundation which contains the following five building blocks:

• Network Security and Containment  
• Information Protection and Storage 
• Governance and Compliance 
• Identity and Access Management 
• Security Operations 

Many cloud providers have reference architectures that can be used as starting points, but they also have designs aimed to meet compliance needs such as PCI-DSS or NIST. The reference architectures cover all the above security elements, but only as part of the initial setup. Services deployed using a reference architecture might have security guardrails, but you still need to pay attention to the changes and security best practices for specific services or applications.

These example architectures can also be viewed as a starting point for any organization, as there is a “no-size fits all” design. Therefore, it is important to understand the different cloud services you can use to ensure security and governance.  
Among network security options, cloud providers have different services available that can be used to lock down and protect services, including DDoS protection features or even web application firewall services in addition to traditional firewall services. 

Because these networks are also completely virtualized, you can configure the network and security specifications as code. In some cases, the built-in functionality from the cloud providers is insufficient for certain compliance or security demands. In those cases, you might need to use third-party solutions to enhance functionality. 

What about protecting your data? 

Cloud providers all have services aimed at protecting data. By default, all data is physically encrypted within their datacenters. Beyond this, providers offer features that can even encrypt and classify data in-transit based upon conditions and patterns in the data. All data is configured for availability, which means data is replicated multiple times to ensure its availability despite a hard-drive failure, for example. 

Each cloud provider has different options for data redundancy across multiple data centers or geographical regions. For some services, such as IaaS or virtual machines, you can also use built-in backup functionality to backup virtual machines.

To meet governance and compliance standards, providers define organizational policies to ensure the following conditions are met:  

• Services are not exposed directly to the internet, internet but are instead behind pre-configured guardrails. 
• Services are not deployed into datacenter regions that have not been preapproved by the organization. 
• The required monitoring, backup, and security services are in place before offerings are released. 

These policies are useful to configure for data or services only to be delivered from a certain cloud provider, data center or region. They also ensure deployed services have properly configured governance, security and monitoring mechanisms.  
Many cloud providers also have a built-in mechanism that can be used to map an environment against security best-practices, such as the NIST or CIS framework, but also against certification standards such as PCI-DSS. Both options provide a secure score or security benchmark feature that can map an environment against the cloud provider’s own best practices as well.

Identity and Access Management 

Identity and access management might be the most important element, as this also applies to end-users with access to certain parts of the cloud platform and SaaS-based services that the organization can access. 

Microsoft states that >99.9% of compromised accounts that use Microsoft identity service did not have multifactor authentication enabled. This feature is obviously important to enable both users and administrators with elevated access to the cloud platform. The providers also have different features that can offer more granular access through context-aware access as well as features that can provide least-privileged access or privileged access as needed.

Many of the cloud-based identity providers are moving towards new authentication methods such as passwordless authentication using a security key to provide both passwordless and multi-factor mechanisms.

Security Operations 

The final aspect is security operations. While the cloud offers many security mechanisms, they must still be managed as an integrated eco-system. There are a few tips to remember here:

1. Configure logging for all changes made to the cloud platform(s), user authentication, changes and service logs. While some services have built-in logging, logs are not collected into centralized repositories by default. The cloud providers have mechanisms in place to collect logs centrally, but this still requires configuration.
2. Use the data collected to build predefined monitoring and alerting metrics, for example, in monitoring changes made by an administrator or end-user logging in from an unknown location or device. These logs can be integrated with the cloud provider automation framework to automatically remediate the situation. If a virtual machine is communicating with suspicious services, log data can be combined with an automation runbook to either isolate the virtual machine or lock down the firewall to stop the traffic.
3. Utilize different security posture APIs that provide alerts from the different security mechanisms within the platform. These APIs should be integrated into existing monitoring or ITSM platforms to ensure incidents are addressed. 

More and more organizations are now starting or in the middle of cloud transformations – and thus building new services using cloud-native tooling and more a DevOps-based approach. We believe that the same principle should be applied to maintaining control of the cloud environment – meaning a code-based approach for governance and security is essential. This allows more agility in making changes and provides documentation on what security mechanisms are in place in the current environment.

Also, your organization should continuously evaluate new security features from cloud vendors to see how they can provide better overall security for your cloud transformation.

To illustrate just how fast changes happen, consider the new capabilities introduced by the biggest providers:

• Microsoft has introduced a new DLP feature for endpoint devices. 
• Amazon released a new network firewall service. 
• Google’s new Voucher service can be used to secure container supply chains. 

But what new features are on the horizon? Which will be able to really help your business? And which ones will just be bells and whistles? Sometimes, you need an experienced partner to lead the way. TietoEVRY has led organizations of practically every size to the cloud, and yours could be next.