If your organization is like most, you’re likely using or considering cloud-hosted applications and infrastructure. Security in the cloud is just as important as security in on-premises IT environments, though it’s different in several important ways. There are many great organizations to help you understand cloud security and to recommend best practices – Cloud Security Alliance is a great example. In this article, I’ll highlight three good cloud security strategies you should start with.
1. Know your cloud security responsibilities
First, know what security and/or compliance mandates pertain to your applications and data. Recognize that these compliance requirements won’t go away as you move to the cloud. For example, if you move an application that falls under PCI to a public cloud provider, it still falls under PCI compliance. If you decide to move healthcare data with personally identifiable information (PII) to a hosting company, that data still comes under HIPAA control.
Second, know what you are responsible for with respect to shared security. Most cloud providers offer a shared security model. Typically the cloud provider is responsible for security of the cloud infrastructure itself. This typically includes physical data center security and basic computing resources. You, as the application user/owner, are typically responsible for security within the cloud—for example: user access, encryption and application layer security. Depending on the type of cloud provider (e.g., public cloud, private cloud, co-location) or even individual companies, the responsibilities can vary, so know what’s expected from you with each cloud provider you work with.
2. Be prepared to change your security tactics
While some organizations use cloud for the same purpose that they use on-premises physical infrastructure, other organizations use cloud in a more dynamic way and must change their security practices. For example, if you need to scan a dynamic cloud environment where systems are constantly being built up and torn down, a vulnerability scanner that requires a static set of IP addresses to scan won't be effective. Instead, you'll want to explore options like automatically deploying agents with new cloud systems and having those agents scan systems and report results back to a manager.
3. Treat your cloud application like every application you own
While it may sound counter to point #2, even though cloud is different, you should still treat your cloud applications like any other application you manage and secure. Cloud applications and infrastructure have much of the same control and configurability options as on-premises applications. Look for user control, two-factor authentication and other measures to come close to mirroring policies that you put in place for your internal applications.
Want more on this topic?
If you’re interested in this topic, we covered these areas and much more in a recent Tenable Network Security webcast with Paul Asadoorian and Jack Daniel from Tenable, and John Kindervag from Forrester Research. You can listen to the entire conversation in the on-demand recording, What to look for in a Cloud Vulnerability Management Solution.