The statistician and management consultant W. Edwards Deming is widely credited with the line, “In God we trust. All others bring data.” It is apt context for cloud security, where you need to know the state of your security posture at all times, measure it against where you were, and set rigorous goals for where you want to be.
The cloud is a unique environment in which to pull metrics and judge success or failure, because configuration changes constantly and by many hands. For example, you may create an S3 bucket, configure it, and lock it down with rigorous access controls. Then an admin who doesn’t know about those controls inadvertently strips them, or pastes the bucket’s access keys into a GitHub repository for the team’s future reference. Without measurement, nothing tells you the posture you designed is no longer the posture you have.
Thankfully there are tools and frameworks to help you measure your cloud security so that your organization’s and your customers’ data stays protected. The flexibility of the cloud rules out a single silver-bullet checklist, but organizations can be systematic about cloud security measurement with these steps:
Identify all your cloud activity and access
Some organizations have centrally controlled IT environments while others are distributed. Many companies grant liberal admin rights at all levels of the organization to facilitate DevOps processes and expedite testing; many groups let developers create new buckets and virtual databases as needed. If you don’t have a snapshot of your entire cloud landscape and where activity exists, building one is the first job: you cannot measure activity and performance in accounts and services you don’t know about.
It’s important to know not just where services and resources exist, but who manages them, what they’re used for, who holds admin rights to them, and which (if any) security policies they abide by.
Understand your current security policies
While cloud security is complex, don’t worry if you’ve been operating on AWS or Azure out-of-the-box configurations. The provider defaults take a reasonable approach to things like least privilege for access, resource configuration, and handling third-party assets like APIs. Treat them as a floor rather than a policy, though: under the shared responsibility model the provider secures the platform, while the IAM policies, bucket policies, and network rules you create yourself are yours to get right.
This step is not meant to be comprehensive. It’s a level-set: know roughly where you are so you can estimate how far you have to go. If you have strict policies (and they’re being followed), you’re probably already in a state where you can measure progress accurately. If governance has been loose, you may need to put some structure in place as you move forward.
Apply necessary measurement
Fortunately there are a variety of cloud-specific security and compliance frameworks that give you policies and guidelines for how to construct your security posture.
For example, the CIS AWS Foundations Benchmark, developed by the Center for Internet Security, removes much of the guesswork: it provides a cost-effective and widely accepted set of prescriptive checks for deploying and assessing AWS security measures with confidence. CIS benchmarks represent consensus-based security best practices for organizations of all types: government, business, and industry.
For organizations doing business with the federal government, the NIST Cybersecurity Framework and the control catalogs it maps to, NIST SP 800-53 (security controls for federal information systems) and NIST SP 800-171 (protecting controlled unclassified information in non-federal systems), lay the foundation for strict security policies and for demonstrating ongoing compliance with them.
Initiate continuous security automation
Continuous awareness of what’s happening in your cloud environment is critical, and it’s humanly impossible to maintain by hand. A tool that continuously monitors your environment gives you visibility into all your security controls and policies and doubles as a scorecard and a measuring instrument: you can identify problem areas, track successes, and report on overall security performance when you need to satisfy SLAs and KPIs.
Organizations need to lean on continuous tools that align with AWS and Azure controls and that also cover the specific control checks of standards like NIST, PCI DSS, HIPAA, and others.
Continuous measurement
With the scale of cloud deployments, it isn’t unusual for organizations to have millions of data points to evaluate. After implementing a strategy like the one outlined here, you can get a handle on all of that data in near real time and rely on a sound process to rapidly isolate any deviation from known-good states. The key is that this must be continuous: you identify issues when they occur, and you can track your successes (and failures) over time. Knowing this lets you apply the right level of attention to the areas where weaknesses exist.
Deming is also credited with saying, “A rule should suit the purpose.” Cloud security will always be governed by rules: those created within your organization, by standards bodies, by government, or by any of a number of groups who aim to make people and data safer. Heeding Deming’s advice means measuring against those rules to define your purpose and identify the goals you need to hit.
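As an added example, not part of the original article and not any vendor’s tool, here is what the benchmark scorecard from the “Apply necessary measurement” step and the drift detection from continuous measurement look like in code. A handful of CIS AWS Foundations-style checks run over two constructed account snapshots, one taken at a known-good baseline and one after an admin has loosened things; the result is a pass/fail scorecard with a percentage and a per-check list of what regressed. The snapshot layout, the check labels and the sample resources are assumptions for this example (the labels are not the benchmark’s own control numbers); in practice the snapshot would be assembled from inventory calls such as `aws iam get-credential-report`, `aws s3api get-bucket-policy-status` and `aws ec2 describe-security-groups`.

```python
"""Score a cloud-account snapshot against CIS-style checks and diff two
snapshots to surface posture drift. Example code; snapshot shape is assumed."""
import copy
from typing import Callable

# Constructed known-good baseline (an assumption for this example, not a
# provider API shape). Each section mirrors one inventory source.
BASELINE = {
    "root_mfa_enabled": True,
    "cloudtrail_all_regions": True,
    "iam_users": [
        {"name": "alice", "console_password": True, "mfa": True},
        {"name": "bob", "console_password": True, "mfa": True},
        # API-only identity: the console-MFA check must not flag it.
        {"name": "ci-bot", "console_password": False, "mfa": False},
    ],
    "s3_buckets": [
        {"name": "prod-data", "public": False},
        {"name": "cloudtrail-logs", "public": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    ],
}

# Later snapshot of the same account with three regressions of the kind the
# article describes: controls loosened by someone unaware of the policy.
DRIFTED = copy.deepcopy(BASELINE)
DRIFTED["iam_users"][1]["mfa"] = False            # bob's MFA device removed
DRIFTED["s3_buckets"][0]["public"] = True         # prod-data opened to the world
DRIFTED["security_groups"].append(                # SSH from anywhere added
    {"id": "sg-debug", "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]})


# Each check returns the resources that FAIL it; an empty list means pass.
def check_root_mfa(s):
    return [] if s["root_mfa_enabled"] else ["root"]

def check_user_mfa(s):
    # Only users who can log in to the console need a virtual/hardware MFA.
    return [u["name"] for u in s["iam_users"] if u["console_password"] and not u["mfa"]]

def check_cloudtrail(s):
    return [] if s["cloudtrail_all_regions"] else ["cloudtrail"]

def check_public_buckets(s):
    return [b["name"] for b in s["s3_buckets"] if b["public"]]

def check_world_ssh(s):
    return [g["id"] for g in s["security_groups"]
            if any(r["cidr"] == "0.0.0.0/0" and r["port"] == 22 for r in g["ingress"])]

# Labels are this example's own; map them to the control IDs of the benchmark
# version you adopt.
CHECKS: list[tuple[str, str, Callable]] = [
    ("root-mfa", "MFA enabled for the root account", check_root_mfa),
    ("iam-user-mfa", "MFA enabled for IAM users with a console password", check_user_mfa),
    ("cloudtrail-all-regions", "CloudTrail enabled in all regions", check_cloudtrail),
    ("s3-no-public-buckets", "No publicly accessible S3 buckets", check_public_buckets),
    ("sg-no-world-ssh", "No security group allows SSH (22) from 0.0.0.0/0", check_world_ssh),
]


def run_checks(snapshot):
    """Map check label -> failing resources for one snapshot."""
    return {label: fn(snapshot) for label, _title, fn in CHECKS}

def score(findings):
    """Percentage of checks passed: the single scorecard number tracked over time."""
    passed = sum(1 for failing in findings.values() if not failing)
    return round(100.0 * passed / len(findings), 1)

def drift(before, after):
    """Per-check deviation between two snapshots: what newly fails, what got fixed."""
    fb, fa = run_checks(before), run_checks(after)
    regressed = {c: sorted(set(fa[c]) - set(fb[c])) for c in fa if set(fa[c]) - set(fb[c])}
    fixed = {c: sorted(set(fb[c]) - set(fa[c])) for c in fa if set(fb[c]) - set(fa[c])}
    return {"regressed": regressed, "fixed": fixed}

def report(snapshot):
    """Human-readable scorecard for one snapshot."""
    findings = run_checks(snapshot)
    lines = []
    for (label, title, _fn), failing in zip(CHECKS, findings.values()):
        detail = f"  -> {', '.join(failing)}" if failing else ""
        lines.append(f"{'FAIL' if failing else 'PASS'}  {label:<24}{title}{detail}")
    lines.append(f"score: {score(findings)}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE), "\n")
    print(report(DRIFTED), "\n")
    print(drift(BASELINE, DRIFTED))
```

The score is what goes on the dashboard; the `regressed` dictionary is what goes to the on-call engineer, because it names the exact resource that moved away from the known-good state rather than just lowering a number. Running the same checks on a schedule and diffing against the previous snapshot is the whole of “continuous” here.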