Understanding Zero-Trust Cloud Server Security
24 October 2018
Tim Erlin, VP of Product Management and Strategy at Tripwire, explains the five foundational security controls critical to protecting the assets in the cloud and why a Zero-Trust model is a necessity when it comes to cloud security best practices
Speed is key in increasingly-busy IT departments. With agile development and deployment becoming a necessity, no one has weeks to spare for provisioning new servers and systems.
As a result, it’s now more common than ever to deploy servers in the cloud. It’s faster, less expensive, and there’s no red tape when it’s done right. With cloud deployments, however, comes a wave of security risks and threats that need to be addressed, especially when critical assets are added to the equation.
Reliance on Virtual Servers Causes Delays
Applications used to run on physical servers. When they became too expensive, we found efficiency in virtualization. Why have one system running on one bare metal box when you could have 10 or more on a single hypervisor? Who would have thought you could simply push a button and have a server ready in minutes as opposed to weeks?
Well, it now takes weeks to get a virtual server. Who has time for that? Agile development teams can’t wait weeks for a server, let alone a virtual one. When peak business times hit and an increase in load is needed, there must be a better way.
More Organizations Are Opting for Cloud Servers
Lo and behold, people started deploying virtual servers in the cloud. Why should we wait to deploy our own virtual instances when we can simply use a public cloud service? It’s brilliantly unbureaucratic and affordable.
But as security professionals, our goal is to protect the organization. So how can you protect your data from the additional risk introduced by cloud infrastructures? You have regulators to answer to, and you have a security posture to maintain in order to protect your customers.
Developers don’t necessarily lie awake at night thinking about cybersecurity. Their goal is to make a product their customers like and will use in the quickest amount of time possible. All too often, security is introduced as an after-thought, and frequently seen as an obstacle. So how can you maintain a strong cloud security posture without slowing your business down?
Your Top 5 Prioritized Security Controls for the Cloud
Foundational security principles remain the same even in the changing dynamics of the cloud. If we take a look at the Center for Internet Security Controls, we see that these same basic controls bridge cloud as well as on-premise security.
The key, however, is to understand the differences between cloud development and traditional on-premise development. In order to do that, let’s examine the first five of these controls:
Controls 1 & 2: Inventory and Control of Hardware and Software Assets
This is actually easier in the cloud than it is on-premise. There is no need to run discovery scans on the network. Simply match up the host lists via the API against what you think you have and you’re done. This can be automated in a log collection tool so that as soon as something does not line up, the team can be notified to act accordingly.
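An added illustration of the API-driven reconciliation described above (not code from the article or from Tripwire): the host list a cloud API returns and the expected inventory are constructed samples standing in for a real describe-instances call and a CMDB export, and the output is shaped as log lines a collection tool can alert on.

```python
"""Reconcile a cloud provider's host list against the expected inventory.
Added illustration, not from the original article. CLOUD_HOSTS and
EXPECTED_HOSTS are constructed sample data, not real API output."""
from dataclasses import dataclass, field

# Constructed stand-in for what a cloud API (e.g. describe-instances) returns.
CLOUD_HOSTS = [
    {"id": "i-0a1", "name": "web-01", "tags": {"owner": "web-team"}},
    {"id": "i-0a2", "name": "web-02", "tags": {"owner": "web-team"}},
    {"id": "i-0b7", "name": "unknown-03", "tags": {}},   # nobody claims this one
]
# Constructed stand-in for the CMDB, i.e. "what you think you have".
EXPECTED_HOSTS = {"i-0a1", "i-0a2", "i-0c3"}   # i-0c3 is expected but absent

@dataclass
class InventoryDiff:
    unknown: list = field(default_factory=list)   # running, but not in CMDB
    missing: list = field(default_factory=list)   # in CMDB, but not running
    untagged: list = field(default_factory=list)  # running without an owner tag

    def clean(self) -> bool:
        return not (self.unknown or self.missing or self.untagged)

def reconcile(cloud_hosts, expected_ids, required_tag="owner") -> InventoryDiff:
    """Compare the live host list with the expected inventory."""
    diff = InventoryDiff()
    seen = set()
    for host in cloud_hosts:
        seen.add(host["id"])
        if host["id"] not in expected_ids:
            diff.unknown.append(host["id"])
        if required_tag not in host.get("tags", {}):
            diff.untagged.append(host["id"])
    diff.missing = sorted(expected_ids - seen)
    return diff

def alert_lines(diff: InventoryDiff) -> list:
    """Render findings as key=value log lines a collection tool can alert on."""
    lines = [f"inventory unknown_host id={i}" for i in diff.unknown]
    lines += [f"inventory missing_host id={i}" for i in diff.missing]
    lines += [f"inventory untagged_host id={i}" for i in diff.untagged]
    return lines

if __name__ == "__main__":
    for line in alert_lines(reconcile(CLOUD_HOSTS, EXPECTED_HOSTS)):
        print(line)
```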
Control 3: Continuous Vulnerability Management
Traditional vulnerability assessment is done through scans. There are a few challenges here:
- Amazon, Microsoft, and Google don’t want their data centers being scanned by every single one of their customers all the time. That’s way too much network traffic.
- Sometimes cloud assets can only be up for a short period of time. If they miss the window, what do you do? How can an asset go by without being scanned?
- When an asset is first provisioned, its vulnerability state needs to be checked prior to it being allowed on the network. If the cloud team has to wait for credentials and a scan to be provisioned, it can take too long.
Control 4: Controlled Use of Administrative Privileges
The best approach is to adopt a zero trust model. Essentially, organizations using this model refuse to trust anything inside or outside the network outright. Such a model places the onus on IT and security teams to verify everything that’s trying to connect, especially anything seeking administrative privileges. Once trust has been established, the organization can grant access.
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Every large organization is going to have a set of hardening standards, and it’s great that tools like Puppet and Chef can provision the systems with those hardening standards. But who is verifying and auditing them? We trust, but we also need to verify. Any good auditor will tell you that duties need to be compartmentalized for this verification step.
The other aspect of this is the nature of the development pipeline. Changes should only take place earlier in the pipeline and not on the production instance. If a change is detected on the production instance, it should be scrapped, and a new replacement system should come online.
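An added example of the verification step for Control 5 (not code from the article, Puppet or Chef): the provisioning tool records a hash baseline of the files it manages, a later audit compares the running instance against it, and any drift triggers the scrap-and-replace decision rather than an in-place fix. Both the baseline and the "live" contents are constructed in-memory samples.

```python
"""Detect configuration drift on a production instance against its baseline.
Added illustration, not from the article, Puppet or Chef: the baseline and the
'live' file contents are constructed in-memory samples, not a real filesystem."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """Record path -> hash for every file the hardening standard manages,
    taken at provisioning time before the instance serves traffic."""
    return {path: sha256(content) for path, content in files.items()}

def detect_drift(baseline: dict, live: dict) -> dict:
    """Compare live file contents to the baseline; any difference is drift."""
    drift = {"modified": [], "added": [], "removed": []}
    for path, expected in baseline.items():
        if path not in live:
            drift["removed"].append(path)
        elif sha256(live[path]) != expected:
            drift["modified"].append(path)
    drift["added"] = sorted(p for p in live if p not in baseline)
    return drift

def must_replace(drift: dict) -> bool:
    """The article's rule: production drift means scrap and redeploy, not patch."""
    return any(drift.values())

# Constructed sample: what the provisioning tool laid down ...
PROVISIONED = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers.d/ops": b"%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n",
}
# ... and what an audit finds on the running instance later (constructed).
LIVE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/sudoers.d/ops": b"%ops ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n",
    "/etc/cron.d/unexpected": b"0 * * * * root /opt/unknown/job.sh\n",
}

if __name__ == "__main__":
    drift = detect_drift(build_baseline(PROVISIONED), LIVE)
    print(drift, "replace instance:", must_replace(drift))
```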
The Zero Trust Model is a New Cloud Security Necessity
The above guidance should be considered from within a zero trust model, meaning that no user should be allowed to access those systems. The only account that should be making changes is the provisioning tool like Puppet or Chef. Additionally, organizations should consider automating many facets of their model in order to improve its efficacy. So how can organizations meet these cloud security best practices?
Fortunately, this is where dedicated security solutions can help. Cloud-fluent security solutions can be deployed in a zero trust model to dynamically tell you how a system is configured, what the vulnerability risk is, and if something changed that shouldn’t have, all of this without manual user intervention.
How This Works with Public Cloud Providers
You might be wondering: what about if something changes in an S3 bucket or Azure Blob? It’s way too easy to accidentally change the permissions and not know it even happened, after all. These configurations need to be monitored.
The beauty of advanced cyber security solutions is that as soon as a system comes online or goes away, the security posture gets verified. Information can be sent to the dashboards cloud teams are accustomed to, like Splunk and QRadar. Then when the system is torn down, it is automatically deprovisioned, with the data retained for audit purposes. If a change happens while that system is in production, the security team and cloud teams can be notified right away.
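An added example of the bucket-permission monitoring the two paragraphs above call for, using S3 as the case (not code from the article or from any vendor): it flags bucket policy statements that allow any principal without a condition, and ACL grants to the AllUsers or AuthenticatedUsers groups. The policy and ACL documents are constructed samples in the shape the GetBucketPolicy and GetBucketAcl API calls return; a monitoring job would fetch them on every change event and run this check.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous access.
Added illustration, not from the article; SAMPLE_POLICY and SAMPLE_ACL are
constructed samples in the shape GetBucketPolicy / GetBucketAcl return."""
import json

PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json: str) -> list:
    """Sids of Allow statements open to any principal with no Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be un-listed
        stmts = [stmts]
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(acl: dict) -> list:
    """(group, permission) pairs granted to AllUsers / AuthenticatedUsers."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]

# Constructed sample policy: one scoped statement, one accidentally public.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OopsPublic", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": "*", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed sample ACL with a public-read grant alongside the owner's.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
```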
Lastly, you need to remember two principles when looking for a cloud security solution:
- Automation: Ensure that your security solutions can evolve with a move to the cloud. If your organization isn’t already doing something in the cloud, double check, because it probably is.
- Vendor consolidation: Some vendors handle cloud only, while some handle on-premise only. The key is to use a vendor that can handle both.
If your organization isn’t already using cloud servers, it probably will be soon. Get ahead of the security curve by making sure your security strategy aligns with the CIS Basic Controls and that you have a solution in place that can handle the complexity of implementing a zero trust model in the cloud.