How can you protect your cloud environment from hackers, and what are the key points to consider? We’ve put together some practical tips to enhance your cloud security.
A core part of cloud security is limiting the resources that are visible to the outside world, in other words the internet. If you leave doors wide open, your services will more than likely attract the attention of hackers, and it’s time to prepare for a security breach.
The “bad guys” use automation to snoop around, so they don’t lack the resources or time needed to steal your data and turn a quick profit by selling it to the highest bidder on the darknet. So you need to scan to verify what you are exposing to the internet – something that is often overlooked, leading to some embarrassing newspaper headlines. Doing a pen test or red team exercise isn’t a bad idea either.
There are lots of tools for scanning, and some cloud-native tools do an OK job. Just remember to scan your systems regularly so you always know what is happening. The same rule of thumb that applies to traditional IT security applies in the cloud: you are only as secure as your weakest link. We humans are usually the weakest link in any security system, because social engineering can circumvent lots of security controls. Fewer humans means fewer problems, so, as far as you can, replace manual steps with automation.
1. Secure your key management when automating infrastructure. There should be no human-readable keys; instead, a service account should be the only way to access the infrastructure.
2. Enable multifactor authentication. It doesn’t require any additional steps or complicated configuration work, and it eliminates a lot of possible negative outcomes.
3. Read and write access rights in storage need to be examined meticulously to ensure they are secure. Overlooking this is one of the most common reasons data gets stolen, and it applies to databases too. A recent high-profile example of such a breach is the Microsoft Azure Cosmos DB leak, where customers’ private keys were exposed. This vulnerability went unnoticed for a long period of time.
4. Make sure your applications are not directly visible to the outside world by protecting them with an Application Gateway (Azure), Cloud Load Balancing (Google Cloud Platform), or an Application Load Balancer (Amazon Web Services). This makes it easier to manage the traffic coming to your service and makes it possible to block potentially malicious traffic.
5. Keep it simple. When building cloud infrastructure, complexity is your enemy: when you don’t know what you’re doing, you tend to implement unnecessarily complex solutions that have a higher chance of being misconfigured, which opens the door to attacks. In cloud terms this is common sense, and skilled cloud engineers can be a huge asset in this regard.
6. Train your users properly. As already mentioned, we humans are often the weakest link in the chain. Phishing and configuration errors are common causes of security breaches, and you can mitigate risk by training your staff well and keeping them up to date.
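Point 3 above, as an added illustration that is not part of the original post: a small Python audit that walks a storage ACL inventory and flags containers readable or writable by anonymous principals, treating anonymous write as more severe than anonymous read and letting you record containers that are public on purpose. The inventory format and the sample data are constructed for this example; the principal names are the ones the major clouds use for “anyone” (allUsers/allAuthenticatedUsers on GCP, * on AWS), with `anonymous` as an assumed generic label.

```python
from dataclasses import dataclass

# Principals that mean "anyone": GCP's allUsers / allAuthenticatedUsers, AWS's "*"
# principal, and a generic "anonymous" label assumed for this example.
ANONYMOUS_PRINCIPALS = {"*", "allUsers", "allAuthenticatedUsers", "anonymous"}
# Actions that let an outsider change or remove data, not just read it.
WRITE_ACTIONS = {"write", "delete", "put", "create", "admin"}


@dataclass(frozen=True)
class Finding:
    container: str
    principal: str
    actions: frozenset
    severity: str


def audit_acls(inventory, intended_public=()):
    """Return one Finding per ACL entry that exposes a container to the world.

    `inventory` is a constructed list of dicts shaped like
    {"name": str, "acl": [{"principal": str, "actions": [str, ...]}]}.
    Containers listed in `intended_public` may be anonymously *read* without a
    finding (a documented exception), but anonymous *write* is always reported.
    """
    findings = []
    for container in inventory:
        for entry in container.get("acl", []):
            principal = entry["principal"]
            if principal not in ANONYMOUS_PRINCIPALS:
                continue  # a named identity, e.g. a service account: not public
            actions = frozenset(a.lower() for a in entry.get("actions", []))
            writable = bool(actions & WRITE_ACTIONS)
            if not writable and container["name"] in intended_public:
                continue  # read-only and deliberately public: accepted risk
            severity = "critical" if writable else "high"
            findings.append(Finding(container["name"], principal, actions, severity))
    return findings


# Constructed sample: one private container, one world-readable, one world-writable.
SAMPLE_INVENTORY = [
    {"name": "customer-exports", "acl": [{"principal": "svc-exporter", "actions": ["read", "write"]}]},
    {"name": "public-assets", "acl": [{"principal": "allUsers", "actions": ["read"]}]},
    {"name": "upload-inbox", "acl": [{"principal": "*", "actions": ["read", "write", "delete"]}]},
]

if __name__ == "__main__":
    for f in audit_acls(SAMPLE_INVENTORY, intended_public={"public-assets"}):
        print(f"[{f.severity}] {f.container}: {f.principal} -> {sorted(f.actions)}")
```

Run it against a real export of your bucket or container ACLs on a schedule, and keep `intended_public` under version control so every accepted exception is visible and reviewed.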
A lot of cloud security articles focus on the technical aspects, which are of course important, but I like to talk about the human factor, as social engineering and plain old silly mistakes are often the cause of those “oopsie” moments. People are a company’s greatest asset, but if they are not treated right or not trained to do their job properly, they are also its weakest link.
Building a cloud team that can lay a solid foundation and automation stack is a must for any company that is looking to stay safe and stay relevant.
Toni works as a Lead Cloud Advisor and leads the security squad focused on SAP security in the cloud. He has over 25 years of experience in the field of ICT, ranging from running an agile team to evangelizing a cloud-native way of working for corporations around the globe. Toni describes himself as a jack-of-all-trades, but now with a focus on cloud technologies and how to use them fully.