All three major public cloud providers (AWS, Azure and GCP) now have at least a decade long experience under their belts and we can be fairly positive that cloud computing, in any of its forms (hybrid and private included) is here to stay.
Although we can’t be sure what will come next, one thing is certain – the cloud gave us three things that data centers never could – elasticity, scalability and transformation of CAPEX into OPEX, which in today’s modern world means a lot to businesses, both startups and enterprises.
Another thing that the cloud also gave us and which remains a popular topic of offline and online conversations is security. Many IT experts still claim that cloud isn’t as secure as the data center, but is it really the cloud that isn’t secure or is it us not utilizing the cloud as we should and compromising the security of our data in the process?Is it really the cloud that isn’t secure or is it us not utilizing the cloud as we should and compromising the security of our data in the process? Click To Tweet
To properly answer this question in 2019, we’re giving you an overview of the top security trends which you should consider if you’re running workloads in public cloud(s). In this article, we’ll focus mostly on AWS and its services, but the general concepts apply to all public cloud providers.
- DevOps and the Rise of DevSecOps
Is your company already following DevOps methodology? Most companies will answer this question positively. But what about DevSecOps? Do you put security in the middle of all of your DevOps processes?
If not, then you should consider it, because security should be automated as well. From the moment git commit happens, there should be security mechanisms in all stages of your CI/CD pipelines, from build to test to deployment in all environments.
Scan your code, protect your artifact repositories from unauthorized use and malware, use immutable infrastructure or Kubernetes clusters for microservices deployment, and be sure every component is patched, secured with the least amount of required privileges and audited. The costs of improper DevSecOps implementations can be huge and potentially irreversible once something happens.
- Network protection might not be enough these days
Virtual private cloud (VPC) is a managed service that all public cloud providers offered years ago, and it’s a great way of isolating your cloud resources from public access, and establishing proper network segmentation in the cloud.
With the help of network ACLs (subnet level firewalls) and security groups (instance level firewalls), you can group your resources into logical groups and provide access on a per instance basis. But is this network security mechanism enough today? For most companies it is, but there are additional cloud services/technologies you might want to consider to further improve the network security of your cloud workloads:
WAF – Web application firewall sits between the Internet and your application and inspects all the traffic that flows to your VPC. Implementing proper WAF policies can prevent SQL injection, man-in-the-middle or cross-site scripting attacks, and can improve your security by forcing specific geolocation settings.
DDoS managed solutions – AWS offers Shield, which, in its standard version, is already deployed in your VPC upon creation. The advanced version can offer you more granular support and enhanced detection, but comes with a price tag.
VPC flow logs – Flow logs allow you to capture all the information about IP traffic inside, but also coming in and out of your VPC. Those logs can then further be analyzed with tools such as AWS Athena or ELK stack.
- Cloud compliance enablers
Regulatory standards are important for modern cloud companies. Besides the usual legal obligations your company must fulfill, compliance standards such as GDPR, PCI-DSS or HIPAA are forcing cloud companies to adhere to a certain set of requirements in order to protect customer data securely in the cloud.
Depending on the industry, your organization might need to ensure compliance to a certain standard in order to do any business at all. Even if that’s not the case, following compliance standards is a great way to make your business sustainable, reputable and trustworthy, which can help you maintain trust of your customers in the long run.
Today, public cloud providers offer you numerous tools to automate the compliance processes, easing the life of your security team, by replacing manual controls, checklists and manual engineering work. If you’re using AWS, check the following compliance-related tools: AWS GuardDuty, AWS Artifact, AWS Config, AWS CloudTrail, AWS SecurityHub.
- Shift from instances to containers
Microservice architecture is probably the most popular software development technique these days, since it allows developers to frequently release their code in smaller chunks and see the benefits right away. It also allows companies to provide users new versions of applications on a daily basis, making businesses oriented towards customers and their needs.
To make all of this possible, we needed a kind of technology that empowers developers to be able to deliver software in a uniform, scalable and fast manner, and all of it was accomplished by Docker containers, which are slowly replacing virtual machine and cloud instances on public cloud providers.
Since modern cloud companies have hundreds and thousands of microservices running in Docker containers, the need for an orchestration tool to run all of those containers quickly appeared.
Kubernetes, an open source software developed by Google and Cloud Native Computing Foundation emerged as the industry standard, and is now available as a managed service on all three major public cloud providers.
Managed K8s clusters offer you auto-upgrade, auto-scaling, out-of-the-box management of IP addresses and high availability. Also, being a managed service on most public clouds, Kubernetes is already compliant with major compliance standards such as GDPR or PCI-DSS.
If you use GKE, Google Cloud’s managed Kubernetes, Google even offers to scan your containers for security vulnerabilities, free of charge. All of these management features give you the security of the shelf, so you can focus on your software development needs.
- Protect your identity
The IAM (Identity & Access Management) layer is a pillar of cloud security for every modern company. Most of the major breaches, like the recent one that happened at Capital One, come as a consequence of the misconfigured IAM access, or compromised access credentials and keys.
For this reason, implementing IAM security through industry best practices should be your primary concern when designing a cloud environment. Follow the least privilege rule when creating and assigning IAM policies, organize users into groups, enable IAM access keys only to groups that really need them (and rotate them on a 3-6 month basis) and always enforce 2-factor authentication.
Once all the best practices are in place, deploy them to your AWS account using configuration management tools such as AWS CloudFormation or Terraform instead of manually.
In this article, we tried to pinpoint some of the most notable cloud security trends that are of vital importance to modern cloud companies. You can use these points as blueprints to design or improve your cloud environment, but remember that enforcing them is only the first step in having a secure and compliant cloud infrastructure.