By STS Cloud Security Practice lead, Tony Lutz
Availability
One of the cloud’s most touted features is its scalability- it is easy and fast to create universally available architectures. This can also help manage Denial of Service Attacks by external parties. By configuring your workloads to scale to meet demand, workloads can simply scale to continue meeting user demand while absorbing the Denial of Service Attack. Additionally, many public cloud providers offer tools to identify known bad actors and manage those attacks at the provider level, rather than impacting customer workloads. By leveraging these strategies, cloud workloads can be made more resilient to attacks and less likely to suffer performance degradation and outages.
Shared Responsibility Model
Patching and Security processes. Many cloud native and managed services support patching and updates behind the scenes. Be sure to identify user responsibilities clearly when considering a managed service and make sure those responsibilities are met. For example, many Serverless Function as a Service tools (like AWS Lambda and GCP Cloud Functions) do not require OS level patching, but any libraries used by the code will need to be kept up to date. By identifying user responsibilities for a managed service and ensuring those responsibilities are met, users can ensure their workloads stay up to date and compliant, minimizing risks.
Centralized Management
Public Cloud Service Providers offer a host of tools to reduce risk and provide visibility into your hosting environment. Investing in configuring these services early can save time and reduce risk in the long run. This can include customizing access control policies, standardizing networking and firewall standards, and securing audit logs away from user access. Once these controls are in place, incidents can be prevented, mitigated, and identified quickly, reducing risk of compromised systems.
Data Leakage
A Cloud Environment has greater potential for data leakage via Insider threat / human error than on-premises or data center environments. One of the Cloud’s benefits, quick and easy provisioning, can be a major opportunity for data leakage, if appropriate guard rails and user training are not in place. Observe the Principle of Least Privilege by making sure that individuals just have the access that they need to do their tasks, and not access to everything. This can reduce the risk of bad actors improperly accessing sensitive data.