Lured by the promise of scalability, cost savings, innovation and business growth, organizations are rapidly moving their IT resources and processing to the cloud. Gartner predicts that by 2025, 80 percent of enterprises will have shut down their traditional data center in favor of cloud, versus 10 percent today.
Organizations that adopt the cloud quickly discover that securing it requires different approaches from the practices that worked in the data center. A primary differentiator is the ease of access to mission-critical IT resources.
The Cloud Means Ease of Access to IT Resources
In the cloud, every resource is reachable through an API by anyone holding valid credentials. Developers can deploy and modify cloud resources in minutes, without the change-control oversight that was common in the data center. Creating and changing environments this quickly leads to configuration mistakes. To err is human, but a misconfiguration, whether an open port in a security group or an AWS S3 bucket with public access, is easy for a malicious actor to find and exploit.
For security teams, this can seem like a nightmare. Some teams respond by slowing down or gating the deployment process in order to certify the security and compliance of cloud resources before release. That approach is costly for organizations that migrated to the cloud precisely for deployment speed and convenience. The good news is that with the right policies and processes in place, security teams can protect their cloud footprint while letting development teams innovate at the speed of cloud.
Permission Controls Help Prevent Unauthorized Access
The first control is permissions. Giving broad access to employees and service accounts exposes the organization to unnecessary risk: a compromised credential carries every permission attached to it. Apply the principle of least privilege by granting users and service accounts only the minimum set of permissions needed to perform their tasks, and review those grants as tasks change. Permission controls give access to those who need it to do their job, and to no one else.
With Identity and Access Management (IAM) roles, administrators can grant access temporarily rather than permanently. An IAM role is similar to a user in that it is an identity with permission policies that determine what the identity can and cannot do. Unlike a user, a role has no long-term credentials (no password or access keys). A principal assumes the role and receives short-lived temporary credentials, and a trust policy on the role restricts who is allowed to assume it. Because there is no standing secret to leak, roles are a more secure approach to managing access to cloud environments than long-lived access keys.
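As an added illustration of the two points above (this is example code written for this article, not Fugue's product code), the block below holds a constructed least-privilege permission policy, a constructed role trust policy, and two small linting functions that flag the grants a least-privilege review would reject: wildcard actions or resources, NotAction/NotResource inversions, and trust statements that any AWS principal could satisfy. The account ID, bucket name and external ID are placeholders.

```python
"""Least-privilege checks for AWS IAM policy documents.

Added example for the article, not Fugue's code. The policy documents are
constructed; the account id 123456789012, bucket name and external id are
placeholders.
"""
import json

# Constructed permission policy scoped to one bucket and one prefix.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports",
                "arn:aws:s3:::example-reports/2019/*",
            ],
        }
    ],
}

# Constructed example of what to avoid: an AdministratorAccess-equivalent grant.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed trust policy for a role: only one account may assume it, and
# only when it presents the agreed external id (confused-deputy protection).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return one finding per Allow statement that grants more than a task needs.

    Flags Action "*" or "service:*", Resource "*", and NotAction/NotResource,
    which invert the grant and are almost always broader than intended.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: wildcard resource '*'")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource inverts the grant")
    return findings


def find_open_trust(trust_policy):
    """Return findings for trust statements that any AWS principal could satisfy.

    A Principal of "*" or {"AWS": "*"} with no Condition lets every AWS
    account assume the role.
    """
    findings = []
    for i, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, str):
            principals = [principal]
        else:
            principals = _as_list((principal or {}).get("AWS"))
        if "*" in principals and not stmt.get("Condition"):
            findings.append(f"statement[{i}]: any AWS principal may assume this role")
    return findings


if __name__ == "__main__":
    for name, pol in (("least-privilege", LEAST_PRIVILEGE_POLICY),
                      ("overbroad", OVERBROAD_POLICY)):
        print(name, json.dumps(find_overbroad_statements(pol), indent=2))
    print("trust", find_open_trust(TRUST_POLICY))
```

Run this against the policies attached to each role before they are deployed; a wildcard finding is the signal to split the role or narrow the resource ARNs.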
Logging Helps Find and Understand Problems
Along with checking permission controls, turn on logging, such as AWS CloudTrail, which records the API calls made against your account and lets you track changes to your cloud resources and identify drift. Enable it in every region, deliver the logs to a bucket that the logged accounts cannot modify, and turn on log file validation so that tampering is detectable. Note that CloudTrail records management (control-plane) events by default; data events such as S3 object reads must be enabled separately. Without appropriate logging, misconfigurations by employees go unnoticed, and so does an attacker's activity.
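To show what "track changes and identify drift" looks like in practice, the following added example (written for this article, not Fugue's code) runs a small detector over three constructed CloudTrail-style records and flags the two misconfigurations named earlier plus use of the root account. The record layout follows CloudTrail's JSON (including its `{"items": [...]}` list wrapping), but every value, ARN, bucket name and security group id is invented.

```python
"""Detection over CloudTrail management events.

Added example for the article, not Fugue's code. The records below are
constructed: the field layout follows CloudTrail's JSON, the values are
placeholders.
"""

SAMPLE_EVENTS = [
    {
        "eventTime": "2019-03-01T10:00:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev1"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
    {
        "eventTime": "2019-03-01T10:05:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketAcl",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.11",
        "requestParameters": {
            "bucketName": "example-reports",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"xsi:type": "Group",
                             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]}},
        },
    },
    {
        "eventTime": "2019-03-01T10:06:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Deployer/ci"},
        "sourceIPAddress": "203.0.113.12",
        "requestParameters": None,
    },
]

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _items(node, key):
    """CloudTrail nests lists as {"key": {"items": [...]}}; return the list."""
    return ((node or {}).get(key) or {}).get("items", [])


def open_ingress_rules(event):
    """Yield (protocol, from_port, to_port, cidr) for ingress rules open to the world."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return
    for perm in _items(event.get("requestParameters"), "ipPermissions"):
        ranges = [r.get("cidrIp") for r in _items(perm, "ipRanges")]
        ranges += [r.get("cidrIpv6") for r in _items(perm, "ipv6Ranges")]
        for cidr in ranges:
            if cidr in WORLD_CIDRS:
                yield (perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr)


def public_acl_grants(event):
    """Yield (grantee, permission) for ACL grants to AllUsers or AuthenticatedUsers."""
    if event.get("eventName") not in ("PutBucketAcl", "PutObjectAcl"):
        return
    acl = (event.get("requestParameters") or {}).get("AccessControlPolicy") or {}
    for grant in (acl.get("AccessControlList") or {}).get("Grant", []):
        uri = (grant.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            yield (uri.rsplit("/", 1)[-1], grant.get("Permission"))


def detect(events):
    """Return one finding string per risky event, oldest first."""
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        who, when = ev["userIdentity"].get("arn", "?"), ev["eventTime"]
        for proto, lo, hi, cidr in open_ingress_rules(ev):
            gid = ev["requestParameters"].get("groupId")
            findings.append(f"{when} {who} opened {gid} {proto} {lo}-{hi} to {cidr}")
        for grantee, perm in public_acl_grants(ev):
            bucket = ev["requestParameters"].get("bucketName")
            findings.append(f"{when} {who} granted {perm} on {bucket} to {grantee}")
        if ev["userIdentity"].get("type") == "Root":
            findings.append(f"{when} root account used for {ev['eventName']} "
                            f"from {ev.get('sourceIPAddress')}")
    return findings


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

In production the events come from the gzipped log files CloudTrail delivers to S3 (each file is a JSON object with a `Records` list) or from a CloudWatch Events rule, and each finding should carry the identity, source IP and time so the on-call engineer can tell a developer's mistake from an intruder.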
Continuously Audit Critical Cloud Resources
Finally, continuously audit critical cloud resources for misconfiguration. Keeping cloud resources compliant is challenging because their configuration changes constantly: a resource that passed review at deployment can drift out of compliance an hour later. Implement regular, automated audits that compare the observed state of each resource against your security and compliance policy and against the last known-good configuration, and treat every deviation as a finding to investigate or revert.
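The added example below (written for this article, not Fugue's code) shows the two halves of such an audit on a constructed inventory: a set of policy rules evaluated against every resource, and a drift check that diffs the current snapshot against a known-good baseline. The inventory shape, bucket names and security group id are assumptions chosen for the example; a real audit would build the same dictionaries from the provider's describe/list APIs.

```python
"""Continuous audit: policy rules plus drift against a known-good baseline.

Added example for the article, not Fugue's code. The inventory is
constructed; the resource names are placeholders.
"""
import copy

# Constructed known-good snapshot, taken after the resources passed review.
BASELINE = {
    "s3:example-reports": {"public_access_block": True, "encryption": "AES256", "versioning": True},
    "sg-0123456789abcdef0": {"ingress": [{"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"}]},
}

# Constructed later snapshot: the public-access block was switched off, SSH was
# opened to the world, and an unreviewed, unencrypted bucket appeared.
OBSERVED = copy.deepcopy(BASELINE)
OBSERVED["s3:example-reports"]["public_access_block"] = False
OBSERVED["sg-0123456789abcdef0"]["ingress"].append({"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"})
OBSERVED["s3:scratch-bucket"] = {"public_access_block": True, "encryption": None, "versioning": False}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}


def rule_s3(name, attrs):
    """Policy for buckets: public access blocked, default encryption set."""
    if not attrs.get("public_access_block"):
        yield f"{name}: public access block disabled"
    if not attrs.get("encryption"):
        yield f"{name}: default encryption not set"


def rule_sg(name, attrs):
    """Policy for security groups: no admin ports open to the world."""
    for r in attrs.get("ingress", []):
        if r["cidr"] in WORLD_CIDRS and r["port"] in ADMIN_PORTS:
            yield f"{name}: {r['proto']}/{r['port']} open to {r['cidr']}"


# Rules are selected by resource-id prefix (an assumption of this example).
RULES = {"s3:": rule_s3, "sg-": rule_sg}


def audit(inventory):
    """Apply every matching rule to every resource; return the violations."""
    violations = []
    for name, attrs in sorted(inventory.items()):
        for prefix, rule in RULES.items():
            if name.startswith(prefix):
                violations.extend(rule(name, attrs))
    return violations


def drift(baseline, current):
    """Return what changed since the baseline: added, removed and modified attributes."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            changes.append(f"removed {name}")
        elif name not in baseline:
            changes.append(f"added {name}")
        elif baseline[name] != current[name]:
            for key in sorted(set(baseline[name]) | set(current[name])):
                before, after = baseline[name].get(key), current[name].get(key)
                if before != after:
                    changes.append(f"modified {name}.{key}: {before!r} -> {after!r}")
    return changes


if __name__ == "__main__":
    print("policy violations:")
    for v in audit(OBSERVED):
        print("  ", v)
    print("drift since baseline:")
    for c in drift(BASELINE, OBSERVED):
        print("  ", c)
```

Drift and policy violations are different signals: the open port 443 rule is in the baseline and passes policy, the new SSH rule fails policy and is drift, and the scratch bucket is drift that also fails policy. Reverting drift to the baseline is what "self-healing" amounts to; automate that only for resource types where a revert cannot cause an outage, and route the rest to a human.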
One more thing.
Fugue Risk Manager locks down the security of your critical cloud resources with self-healing infrastructure and gives you full compliance visibility and reporting across your entire cloud footprint. Sign up for a free compliance audit of your cloud environment today.