Cloud Security Part III

  Security in the Cloud is a three part series about how to better protect your organization’s digital assets in the cloud. This is a continuation from part two of the series.

    Cloud Defenses

    Scan for Unauthorized Connections across Trusted Network Boundaries. This means having the appropriate logging, monitoring, and alerting in place. You also want to perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.

    Deny Communications with Known Malicious IP Addresses. This can be done manually, but that’s not a good approach. A better approach is to use a next-generation firewall or an intrusion prevention system that maintains an updated list of malicious addresses.

    Configure Monitoring Systems to Record Network Packets. Packet captures are gold during incident response. If you can afford the overhead and storage, then archive packet captures according to your log retention policies.

    Deploy Network-Based IDS Sensors and Deploy Network-Based Intrusion Prevention Systems. Intrusion detection sensors and intrusion prevention systems give you insight into any unauthorized activity that might be taking place.

    Cloud Security Data Protection

    • Maintain an Inventory of Sensitive Information
    • Remove Sensitive Data or Systems Not Regularly Accessed by Organization
    • Monitor and Detect Any Unauthorized Use of Encryption

    These activities might be a part of your overall cloud data governance program. You want to make sure that your critical data is properly identified and categorized based on your data governance policy.

    The second part of this is to apply the needed technical and administrative controls to protect your critical data in the cloud.

    Account Monitoring and Control

    Configure Centralized Point of Authentication. Having a centralized point of authentication enables account creation and account terminations to be timely and helps defend against potential unauthorized access by those no longer with the organization.

    Encrypt or Hash all Authentication Credentials. This protects the accounts in the event the password hashes are exposed in a breach. This also makes sure that root level or administrative accounts are unable to view the passwords for other accounts on the device or system.

    Encrypt Transmittal of Username and Authentication Credentials. This defends against an attacker obtaining the username and password by capturing network traffic.

    Incident Response and Management

    • Document Incident Response Procedures
    • Assign Job Titles and Duties for Incident Response
    • Designate Management Personnel to Support Incident Handling
    • Devise Organization-wide Standards for Reporting Incidents
    • Publish Information Regarding Reporting Computer Anomalies and Incidents
    • Create Incident Scoring and Prioritization Schema

    Incident response in the cloud will be different than an on-premises incident. There will be different access procedures for cloud resources, vendors that might need to be contacted, and different internal analysts who are subject matter experts in cloud environments.

    You will want to have your cloud-based incident response program formalized before you move into the cloud environment.

    Cloud Security Penetration Tests

    Establish a Penetration Testing Program for your cloud-based resources.

    Perform Periodic Red Team Exercises against your cloud-based resources to see if your defenders are able to detect, respond to, and mitigate these attacks.

    Use Vulnerability Scanning and Penetration Testing Tools in Concert. Vulnerability scanning can find the low-hanging fruit in your cloud environments. That approach frees up time and resources for the penetration testing team to emulate attacker activity that vulnerability scanning tools might miss.

    Control and Monitor Accounts Associated with Penetration Testing. This is important because an attacker gaining access to these accounts will be indistinguishable from your penetration testing team if you aren’t monitoring the use of these accounts.
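One way to put that last point into practice, as an added example that is not part of the original article: a small Python check that flags any use of a penetration-testing account outside its approved engagement window or from a source address outside the tester's approved ranges. The account name, engagement register, log format and log lines are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Hypothetical engagement register: each pentest account is tied to an approved
# time window and the tester's source ranges. All values are constructed.
ENGAGEMENTS = {
    "pentest-svc-01": {
        "start": datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
        "end": datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
        "sources": [ip_network("203.0.113.0/24")],
    },
}

@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    outcome: str

def parse_event(line: str) -> AuthEvent:
    """Parse a constructed 'timestamp user source_ip outcome' log line."""
    ts, user, src, outcome = line.split()
    return AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, src, outcome)

def check_event(ev: AuthEvent) -> list:
    """Return the reasons this pentest-account event is out of scope ([] if it is in scope)."""
    eng = ENGAGEMENTS.get(ev.user)
    if eng is None:
        return []  # not a registered pentest account; this check does not cover it
    reasons = []
    if not (eng["start"] <= ev.ts <= eng["end"]):
        reasons.append("outside approved engagement window")
    if not any(ip_address(ev.src_ip) in net for net in eng["sources"]):
        reasons.append(f"source {ev.src_ip} not in tester's approved ranges")
    return reasons

def find_alerts(lines):
    """Return (user, timestamp, reason) tuples for every out-of-scope use."""
    return [(ev.user, ev.ts.isoformat(), r) for ev in map(parse_event, lines) for r in check_event(ev)]

# Constructed sample log: one in-scope login, one after the engagement ended,
# one from an unapproved source, and one ordinary user the check ignores.
SAMPLE_LOG = [
    "2024-03-05T10:15:00Z pentest-svc-01 203.0.113.45 success",
    "2024-03-12T02:40:00Z pentest-svc-01 203.0.113.45 success",
    "2024-03-06T11:00:00Z pentest-svc-01 198.51.100.9 success",
    "2024-03-06T11:05:00Z alice 198.51.100.9 success",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

In a real deployment the register would come from your engagement tracking system and the events from your identity provider or cloud audit log, and the same check should also fire on any login to a pentest account that has no active engagement at all.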