Cloud Security – What you Need to Know
Nazar Tymoshyk is a Security Consultant at SoftServe with over 14 years of experience in Information Security. Nazar has a Ph.D. in Information Security and is also the leader of OWASP Chapter Lviv. His Security Certifications include Certified Ethical Hacker (EC-Council), Zyxel Security Specialist, CIW Web Security Specialist, HP Fortify Security Technical Specialist, Cisco SMB Security Specialist, Certified Linux Professional, Certified Linux Engineer, and Microsoft Certified Technology Specialist. Also, Nazar is a regular contributor to SoftServe United blog.
Not to be facepalmed as a victim of “4$ mill on Intrusion Detection System – Employee puts customer data on Dropbox” fail, make sure your Cloud comes hand in hand with Security.
No time to explain, just follow these tips:
1. Use Identity and Access Management (IAM) to protect your resources.
Microsoft offers a perfect solution for your cloud, Azure Active Directory, which lets customers manage access to a load of cloud apps. It's strong side from a security standpoint is multi-factor authentication and monitoring of access. So, zero standing privileges grant endless love and care when it comes to access relying on lock box processes as Cerberus of customer data.
2. Consider password policies and multi-factor authentication.
Two is better than one, right? Well, security opts for more. Multi-factor authentication adds an extra step to basic log-in procedures. Also, make common passwords uncommon by generating random values when they are stored.
3. Protect guest operating systems. Patching and antivirus/antimalware protection will be your shield in the cruel game of business these days. Read more here.
4. Create limiting firewall policies.
Because a house with a fence is safer than the one with an open yard. Firewalls allow users to block harmful content, and in this way prevent an attack, as well as identify an attacker. Protect yourself from unwanted communications between deployments and let in only the “guests” you are glad to see.
5. Secure your applications using a host-based Intrusion Prevention System.
Apply an IDS/IPS solution to your cloud infrastructure. They both offer critical (but different) components to commercial cloud security. In a nutshell, IDS tracks the slightest signs of malicious activity and keeps record of it, while IPS works one step ahead by sending an alert and preventing the attempt of intrusion.
6. Monitor your instances.
Auditing and monitoring is more important than you may think. Check your systems on a regular, scheduled basis through centralized monitoring, correlation, and analysis systems to evaluate their security. No matter how cool your initial product seems, it has high chances of being attacked after. Or not – if you watch out.
7. Encrypt sensitive data.
If you want something to be safe and sound, hide it, mask it, don’t let others see you have something precious.
8. Conduct vulnerability assessments.
Just do it.
9. Don’t forget about Penetration Testing.
Detecting a critical bug shortly before a release may ruin the entire painstaking process of product development and the only way out will be to start everything from scratch. To avoid this, keep penetration testing at the top of your mind. No one takes security to their platform as seriously as Microsoft, so their Penetration Test Approval Form to check things out is a dime to long for.
Today, with security being a very sensitive topic, there are a number of useful resources for you to check out, starting from Azure Security best practices through OWASP security guidance to real-life experiences while working with cloud. Make sure that keeping your head in the cloud is well-protected from undesirable consequences.