Sonrai’s Public Cloud Security Principles
As Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) have grown explosively, so has the complexity of securing your data in the public cloud. Networking controls remain essential, but on their own they are insufficient in this new world. Working with customers, Sonrai Security has developed these “Public Cloud Security Principles” to help guide your path to public cloud security.
Agile development, auto-scaling, continuous deployment, microservice-based applications, serverless functions and containers all render network controls insufficient: workloads and their addresses change faster than perimeter rules can follow. Identity and data are the linchpin control points for cloud-native security.
Imagine six thousand instances, three thousand containers, thousands of serverless functions, sixty agile teams, hundreds of cloud accounts and one hundred million data objects. In an ephemeral public cloud like this you must continuously know two things: what can access what (effective permissions) and what is accessing what (actual activity).
Public cloud account owners have exceptional powers: they can circumvent controls, instantiate compute and delete vast swaths of your infrastructure with a handful of API calls. In the old world an admin could not delete your data center; in the public cloud, one can.
Excessive privilege and privilege-escalation paths are common across the plethora of developer IDs and roles. Complicating matters, a principal's effective rights are determined by the union of many sources: ACLs, group inline policies, user inline policies, role inline policies, assumed roles, switched roles, federation and managed policies. No single policy document tells you what an identity can actually do.
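To make the "union of many sources" concrete, here is an added example (not Sonrai's code) that evaluates one request against every identity-based policy attached to a principal: a group inline policy, two attached managed policies and a user inline policy. When a role is assumed, the role's own policy set is what you would pass in instead. The policy documents and the principal "alice" are constructed for illustration. The evaluator implements the real core rule for identity-based policies in one account (a matching explicit Deny wins, otherwise a matching Allow grants, otherwise implicit deny) and deliberately ignores Condition blocks, resource-based policies, permissions boundaries, session policies and SCPs.

```python
"""Simplified AWS IAM evaluation across the policy sources that shape one principal's rights.

Added example, not Sonrai's code. Scope: identity-based policies (user inline,
group inline, attached managed) for one principal in one account. Condition
blocks, resource-based policies, permissions boundaries, session policies and
SCPs are ignored. The rule implemented is the real one: any matching explicit
Deny wins; otherwise any matching Allow grants; otherwise implicit deny.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # IAM wildcards: '*' is any run of characters, '?' a single character.
    # fnmatchcase also treats '[...]' as a class; real ARNs and action names avoid it.
    return any(fnmatchcase(value, p) for p in patterns)


def statement_matches(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource cover the request."""
    action = action.lower()  # action names are case-insensitive; ARNs are not
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    not_actions = [a.lower() for a in _as_list(stmt.get("NotAction"))]
    if actions:
        action_ok = _match_any(actions, action)
    elif not_actions:
        action_ok = not _match_any(not_actions, action)
    else:
        action_ok = False
    resources = _as_list(stmt.get("Resource"))
    not_resources = _as_list(stmt.get("NotResource"))
    if resources:
        resource_ok = _match_any(resources, resource)
    elif not_resources:
        resource_ok = not _match_any(not_resources, resource)
    else:
        resource_ok = False
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """policies maps a source label to a policy document. Returns (decision, matching statements)."""
    allows, denies = [], []
    for source, doc in policies.items():
        for stmt in _as_list(doc.get("Statement")):
            if statement_matches(stmt, action, resource):
                label = f"{source}#{stmt.get('Sid', 'no-Sid')}"
                (denies if stmt.get("Effect") == "Deny" else allows).append(label)
    if denies:
        return "ExplicitDeny", denies
    if allows:
        return "Allow", allows
    return "ImplicitDeny", []


# Constructed policy set for the hypothetical user "alice": four sources, none of
# which alone tells you what she can do.
ALICE_POLICIES = {
    "group-inline:developers": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadAllS3", "Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]},
    "managed:TeamS3Admin": {"Version": "2012-10-17", "Statement": [
        {"Sid": "S3Everything", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]},
    "user-inline:alice": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ProtectProdBuckets", "Effect": "Deny",
         "Action": ["s3:DeleteBucket", "s3:PutBucketPolicy"],
         "Resource": "arn:aws:s3:::prod-*"}]},
    "managed:EC2ReadOnlyLike": {"Version": "2012-10-17", "Statement": [
        {"Sid": "DescribeEC2", "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
}

if __name__ == "__main__":
    for act, res in [("s3:DeleteBucket", "arn:aws:s3:::prod-data"),
                     ("s3:DeleteBucket", "arn:aws:s3:::dev-scratch"),
                     ("iam:CreateUser", "arn:aws:iam::123456789012:user/new")]:
        print(act, res, evaluate(ALICE_POLICIES, act, res))
```

The interesting outcome is the second request: the group policy grants only reads, the user's inline Deny only covers `prod-*`, so the attached managed policy quietly makes alice able to delete every non-production bucket. That is the shape of excessive privilege the paragraph describes, and it is only visible when all sources are evaluated together.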
Use a third-party key vault and ensure cloud-provider employees cannot see your keys. Because network controls cannot compensate here, maniacal vigilance is required to ensure keys are rotated on schedule and are not copied across cloud accounts without a stringent access policy.
You have expunged every internet gateway from your accounts and locked down your security groups. You think nothing in your cloud can talk to the internet and nothing on the internet can get in. However, the storage and database services are driven through public API endpoints: anyone holding a valid access key or console login can reach your buckets and databases from a coffee shop, read them, and make them public.
Public cloud resource tags are bloated and inconsistently applied, and data classification is haphazard. Yet effective tagging, classification and tracking are possible in the cloud to an extent inconceivable in the old data-center world, because every resource can be enumerated through an API. Done well, this changes what a security program can see and enforce.
Providers have made creating public buckets harder, but developers still create public objects inside buckets that are not themselves public, so a bucket-level check misses them. More concerning, crown-jewel data is now pouring into a plethora of databases and cloud services: RDS, Cosmos DB, MongoDB Atlas, CouchDB, ElastiCache and many more.
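The "public object in a private bucket" case, and the coffee-shop point above that the storage control plane is reachable regardless of your network design, are both about what the API reports for each object. The following added example (not Sonrai's tooling) walks a constructed inventory whose dicts mirror the shape of the S3 GetBucketAcl, GetObjectAcl, GetBucketPolicy and GetPublicAccessBlock responses and reports objects that are world-readable while their bucket is not. The bucket names, object keys and owner ID are made up; the group URIs and the Public Access Block field names are the real S3 ones. Because it runs offline, the same functions can be pointed at real boto3 output later.

```python
"""Find publicly readable objects inside buckets that are not themselves public.

Added example, not Sonrai's tooling. Runs offline over a constructed inventory
shaped like the S3 GetBucketAcl / GetObjectAcl / GetBucketPolicy /
GetPublicAccessBlock API responses.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}


def acl_public_grants(acl):
    """Permissions an ACL (bucket or object) hands to everyone or to any AWS account."""
    grants = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            grants.append(f"{PUBLIC_GROUPS[grantee['URI']]}:{g['Permission']}")
    return grants


def policy_public_sids(policy_json):
    """Sids of bucket-policy statements that Allow an anonymous principal with no Condition."""
    if not policy_json:
        return []
    policy = json.loads(policy_json)  # GetBucketPolicy returns the document as a string
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    sids = []
    for s in stmts:
        p = s.get("Principal")
        anonymous = p == "*" or (isinstance(p, dict) and p.get("AWS") in ("*", ["*"]))
        if s.get("Effect") == "Allow" and anonymous and "Condition" not in s:
            sids.append(s.get("Sid", "no-Sid"))
    return sids


def bucket_is_public(bucket):
    """A bucket-level scanner's view: public ACL grant or anonymous Allow in the bucket policy."""
    return bool(acl_public_grants(bucket["bucket_acl"])) or bool(policy_public_sids(bucket.get("bucket_policy")))


def find_public_objects(inventory):
    """Return (bucket, key, grant) for every exposed object a bucket-level check would miss."""
    findings = []
    for b in inventory:
        pab = b.get("public_access_block") or {}
        if pab.get("IgnorePublicAcls"):
            # With IgnorePublicAcls set, S3 ignores public ACLs on the bucket and its
            # objects, so a public object ACL here is latent, not an exposure.
            continue
        if bucket_is_public(b):
            continue  # the bucket itself is public; a bucket scanner already reports it
        for key, acl in b["objects"].items():
            for grant in acl_public_grants(acl):
                findings.append((b["bucket"], key, grant))
    return findings


# Constructed sample data.
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef" * 4}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
WORLD_READ_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

SAMPLE_INVENTORY = [
    {"bucket": "team-assets",           # older bucket, Block Public Access never enabled
     "public_access_block": None, "bucket_acl": PRIVATE_ACL, "bucket_policy": None,
     "objects": {"exports/customers.csv": WORLD_READ_ACL, "exports/README": PRIVATE_ACL}},
    {"bucket": "team-assets-hardened",  # same object ACL, neutralised by the account guardrail
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "bucket_acl": PRIVATE_ACL, "bucket_policy": None,
     "objects": {"exports/customers.csv": WORLD_READ_ACL}},
    {"bucket": "www-static",            # public on purpose via policy; a bucket scanner sees this
     "public_access_block": None, "bucket_acl": PRIVATE_ACL,
     "bucket_policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::www-static/*"}]}),
     "objects": {"index.html": WORLD_READ_ACL}},
]

if __name__ == "__main__":
    for bucket, key, grant in find_public_objects(SAMPLE_INVENTORY):
        print(f"{bucket}/{key} is readable by {grant} although the bucket is not public")
```

Only `team-assets/exports/customers.csv` is reported: the hardened bucket carries the same object ACL but Block Public Access makes it inert, and `www-static` is already caught by the bucket-level check. Note the caveat in `policy_public_sids`: a statement with `Principal: "*"` plus a Condition (for example restricting to a VPC endpoint) is not treated as public, which is the same judgement the paragraph asks you to make about "public" at the object rather than the bucket level.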
Your public clouds contain third-party key management, database and other middleware services, and your company will use multiple cloud platform providers. Each provider's identity model is impenetrably complex, and the tooling is disjointed, provider-specific and ever-changing.
Security teams want dashboards, compliance mandates and incidents that a SOAR platform can consume. DevOps teams need speed, APIs and Slack channels. Your new security program and the platforms underneath it must satisfy both at once.