Getting your cloud security architecture right in 5 simple steps
By Sreekanth Iyer, Executive Cloud Security Architect, IBM India Software Labs
Over the years, the role of the cloud has changed – it has matured. Today, the cloud is the platform for innovation and business value. It offers simplified application development and delivery by providing infrastructure, platform and software services that are ready to use. A multi-cloud approach is becoming the new normal, while the cloud's shared-responsibility model, risk management and compliance are the key deciding factors for cloud adoption. Security is also a major concern when considering cloud adoption. To address this concern, getting the security architecture right is critical for any enterprise moving to a cloud platform. Here are five simple techniques to ensure you have the right cloud security architecture for your enterprise.
Define an effective control framework, driven by enterprise CISO teams
Any move to the cloud needs an effective control framework, driven by the enterprise CISO team. The control framework has to assess and manage risk against the business goals. The strategic approach or framework requires implementing and extending these controls to the cloud environment well within the IT budget. Continuous monitoring of threats, incidents and the performance of controls, using quantitative metrics, is an essential mechanism for the enterprise to move to the cloud securely. Both the environment and the controls need to deliver the protection and security that meet enterprise requirements, so that cloud adoption can be accelerated with confidence.
Adopt a workload and data centric approach
Cloud security policies and requirements are increasingly driven by data classification and the type of workload. You should consider the type of application, the sensitivity of the data, the importance of the business process and your user population when selecting the cloud deployment model that meets your needs. Conversely, some security capabilities and processes are dictated by your choice of cloud.
Manage identity and access
This involves two aspects: managing identities and governing user access to cloud resources, and managing access to your cloud applications. The cloud users include your developers and the administrators who consume infrastructure, platform or software services from the cloud. Cloud Identity and Access Management (IAM) is required to manage the identities involved in privileged activities and to track their deployment and operations activities, such as those performed by cloud administrators. Multi-factor authentication may be used to verify a user's identity. For managing user and customer access to your cloud applications, Single Sign-On (SSO), social login and user profile tracking capabilities can be consumed as a service from the cloud. Enterprise users should be authenticated through the enterprise directory, while end users can "bring their own identity", such as Facebook, Google or other social IDs, to access the cloud applications. You may also need to define access control policies for cloud resources and cloud services. For example, users should be granted only the minimum privileges needed to complete a task, and setting detailed context-based access control policies for specific resources will improve the overall security level in the enterprise.
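The two ideas at the end of this section, least privilege and context-based access control, are easiest to see in a small policy evaluator. The following is an added example written for this article; it is not code from the original post or from any IBM service. The policy format, the condition keys (MFA required, allowed source networks), the principal names and the resource paths are all constructed for illustration. The evaluator denies by default and grants a request only when a policy explicitly allows that principal, that action and that resource in the current context.

```python
"""Deny-by-default, context-aware access policy evaluation (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """One allow statement: who may do which actions on which resource prefix,
    under which context conditions (every condition must hold)."""
    principal: str
    actions: frozenset
    resource_prefix: str
    require_mfa: bool = False
    allowed_networks: tuple = ()   # CIDR strings; empty means any network


# Constructed sample policies: hypothetical principals, resources and ranges.
POLICIES = [
    # A developer may operate VMs in the dev project only, from anywhere.
    Policy("dev-alice", frozenset({"vm:start", "vm:stop", "vm:read"}),
           "project/shop/dev/"),
    # An administrator gets broad rights, but only with MFA and only from
    # the corporate network range.
    Policy("admin-bob", frozenset({"vm:*", "storage:*", "iam:*"}),
           "project/shop/", require_mfa=True,
           allowed_networks=("10.20.0.0/16",)),
]


def _action_matches(granted: str, requested: str) -> bool:
    """'vm:*' grants every action in the 'vm' service; otherwise exact match."""
    if granted.endswith(":*"):
        return requested.split(":", 1)[0] == granted[:-2]
    return granted == requested


def _network_ok(policy: Policy, source_ip: str) -> bool:
    """True when the request comes from one of the policy's allowed networks."""
    if not policy.allowed_networks:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(n) for n in policy.allowed_networks)


def is_allowed(principal, action, resource, source_ip, mfa_verified,
               policies=POLICIES):
    """Return True only if some policy explicitly allows this request in this
    context. Anything not matched is denied, which is what least privilege
    requires."""
    for p in policies:
        if p.principal != principal:
            continue
        if not resource.startswith(p.resource_prefix):
            continue
        if not any(_action_matches(a, action) for a in p.actions):
            continue
        if p.require_mfa and not mfa_verified:
            continue
        if not _network_ok(p, source_ip):
            continue
        return True
    return False


if __name__ == "__main__":
    # A privileged IAM change is refused when the admin has not completed MFA,
    # even though the action itself is within the granted set.
    print(is_allowed("admin-bob", "iam:create-key", "project/shop/prod/",
                     "10.20.3.4", mfa_verified=False))
```

The useful property to notice is that the context checks (MFA, source network) are evaluated per policy rather than once per user, so the same administrator can keep low-risk read access from anywhere while privileged actions remain tied to a stronger context.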
Protect Infrastructure Data and Application
A secure gateway and connectivity between the cloud and the enterprise is a key component of an enterprise's cloud strategy. Security systems like those available in traditional data centres are also available in the cloud, providing both network protection and isolation. Enhanced mechanisms such as micro-segmentation and capability-driven network security groups have recently been introduced to provide workload-centric connectivity and isolation.
Another critical aspect is designing a secure DevOps process that includes steps to identify and manage vulnerabilities in the VM, container and application code in order to prevent attacks. The solution should cover techniques to encrypt data at rest (files, objects, storage) and in motion, as well as steps to monitor data activity and to verify and audit data outsourced to the cloud. The encryption solution should be integrated with customer-managed keys secured in a Hardware Security Module (HSM) so that you retain complete control of your data in the cloud.
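One concrete form of the "identify and manage vulnerabilities in application code" step is a pipeline gate that checks pinned dependencies against known advisories before an image is built. The following is an added example written for this article, not code from the original post or from any IBM tool. The manifest, the package names and the advisory records are all constructed sample data; the advisory ids are placeholders, not real CVE numbers. The gate also treats an unpinned dependency as a failure, since a version that cannot be resolved cannot be assessed.

```python
"""Dependency advisory gate for a DevOps pipeline (added example)."""
import re

# Constructed manifest in requirements style; package names are hypothetical.
MANIFEST = """\
# build dependencies for the constructed sample service
webfw==2.3.1
imgtool==1.0.9
yamlparse==5.4.0
"""

# Constructed advisories. 'fixed' is the first version that is not affected.
ADVISORIES = [
    {"id": "ADV-0001 (constructed)", "package": "webfw",
     "introduced": "2.0.0", "fixed": "2.3.2", "severity": "high"},
    {"id": "ADV-0002 (constructed)", "package": "yamlparse",
     "introduced": "5.0.0", "fixed": "5.4.0", "severity": "critical"},
]


def version_key(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def parse_manifest(text):
    """Map package name -> pinned version; reject anything not pinned with ==."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        deps[m.group(1).lower()] = m.group(2)
    return deps


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return one finding per advisory whose affected range contains the
    installed version (introduced <= installed < fixed)."""
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed is None:
            continue
        v = version_key(installed)
        if version_key(adv["introduced"]) <= v < version_key(adv["fixed"]):
            findings.append({"package": adv["package"], "installed": installed,
                             "advisory": adv["id"], "severity": adv["severity"],
                             "upgrade_to": adv["fixed"]})
    return findings


def gate(text, block_on=("critical", "high")):
    """Return (passed, findings). The pipeline should stop when any finding
    has a blocking severity; lower severities are reported but not blocking."""
    findings = find_vulnerable(parse_manifest(text))
    passed = not any(f["severity"] in block_on for f in findings)
    return passed, findings


if __name__ == "__main__":
    ok, found = gate(MANIFEST)
    print("gate passed:", ok)
    for f in found:
        print(f"{f['package']} {f['installed']} -> {f['advisory']} "
              f"[{f['severity']}], upgrade to {f['upgrade_to']}")
```

In the constructed data, yamlparse 5.4.0 is exactly the fixed version and is therefore not reported, while webfw 2.3.1 sits inside the affected range and blocks the build; the half-open range check is what makes that boundary behave correctly.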
Continuously monitoring every activity and event in the cloud is necessary for complete visibility of your cloud-based environments. Security and visibility in virtual infrastructures can be enhanced by collecting and analyzing logs in real time across the various components and services in the cloud. Visibility across virtualized stacks and IaaS, PaaS and SaaS clouds gives a clear view of your enterprise cloud and insight into any associated risks, while enabling the enterprise to better manage its audit and compliance processes.
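To make "collecting and analyzing logs in real time" concrete, here is an added example of a few detection rules run over a stream of cloud audit events. It is written for this article and is not code from the original post or from any IBM product; the event schema (timestamp, actor, action, outcome, source address, MFA flag), the action names and the log lines themselves are all constructed. The rules flag a burst of failed logins from one source, a privileged action completed without MFA, and an attempt to switch off audit logging, which is the kind of event that should never go unnoticed in a monitored environment.

```python
"""Detection rules over constructed cloud audit-log events (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line, in arrival order.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "actor": "dev-alice", "action": "auth.login", "outcome": "failure", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:00:05Z", "actor": "dev-alice", "action": "auth.login", "outcome": "failure", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:00:09Z", "actor": "dev-alice", "action": "auth.login", "outcome": "failure", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:00:12Z", "actor": "dev-alice", "action": "auth.login", "outcome": "failure", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:00:15Z", "actor": "dev-alice", "action": "auth.login", "outcome": "failure", "src": "198.51.100.7"}
{"ts": "2024-05-01T10:03:00Z", "actor": "admin-bob", "action": "iam.policy.update", "outcome": "success", "src": "10.20.3.4", "mfa": true}
{"ts": "2024-05-01T10:04:30Z", "actor": "svc-deploy", "action": "kms.key.disable", "outcome": "success", "src": "10.20.9.9", "mfa": false}
{"ts": "2024-05-01T10:05:00Z", "actor": "admin-bob", "action": "audit.logging.disable", "outcome": "success", "src": "10.20.3.4", "mfa": true}
"""

# Hypothetical action namespaces treated as privileged in this example.
PRIVILEGED_PREFIXES = ("iam.", "kms.", "audit.")
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of (rule, actor, detail) alerts for the event stream."""
    alerts = []
    failures = defaultdict(list)   # (actor, src) -> timestamps of failed logins
    for e in events:
        action = e["action"]

        # Rule 1: N failed logins from one source within a sliding window.
        if action == "auth.login" and e["outcome"] == "failure":
            window = failures[(e["actor"], e["src"])]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("brute_force_suspected", e["actor"], e["src"]))
                window.clear()     # alert once per burst, not on every extra failure
            continue

        if action.startswith(PRIVILEGED_PREFIXES) and e["outcome"] == "success":
            # Rule 2: privileged change completed by an identity without MFA.
            if not e.get("mfa", False):
                alerts.append(("privileged_action_without_mfa", e["actor"], action))
            # Rule 3: anyone turning off the audit trail is an incident in itself.
            if action == "audit.logging.disable":
                alerts.append(("audit_trail_tampering", e["actor"], action))
    return alerts


if __name__ == "__main__":
    for rule, actor, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule}: {actor} ({detail})")
```

Rule 2 and rule 3 are the ones that tie the monitoring section back to the IAM section: the same MFA expectation enforced at access time is verified again from the audit record, so a misconfigured policy or a service identity exempted from MFA still surfaces as an alert.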
These five measures will act as the seat belt and airbags of your security architecture and will help your enterprise accelerate its cloud journey with confidence.