The security objectives of confidentiality, integrity, availability, authenticity, accountability, liability and privacy form the basis for IT security in general, and these same objectives apply when considering security in the cloud. In SaaS environments, there must be a shared responsibility: while the user, or customer, controls the data, the cloud service provides the application and, therefore, must apply the necessary application security measures.
• Security by design and source code analysis;
• Security and vulnerability testing;
• Secure deployment; and
• Protection against manipulation and threats during runtime.
Whatever the structure between the user/customer and cloud service provider, however, the following best practices should be followed in order to prevent and avoid malicious activity:
Utilize identity and access control tools, and know who has access to what data and when. When creating identity and access control policies, grant the minimum set of privileges needed and temporarily grant additional permissions when needed. Configure security groups to have the narrowest focus possible, and use reference security group IDs where possible.
Another common mistake is to leave data unencrypted on the cloud.Storing sensitive data in the cloud without putting in place appropriate controls to prevent access to server and protecting the data is irresponsible and can lead to devastating consequences.Encryption is a fail-safe—even if a security configuration fails and the data falls into the hands of an unauthorized party, the data cannot be used.
Create unique keys for each external service, and restrict access following the principle of least privilege. Make sure the keys don’t have broad permissions, as in the wrong hands, they can be used to access sensitive resources and data.
Practice security hygiene
Multi-factor authentication (MFA) provides an extra layer of protection on top of the username and password, making it harder for attackers to break in. MFA should be enabled to restrict access to the management consoles, dashboards, and privileged accounts.
Major cloud providers all offer some level of logging tools, so make sure to turn on security logging and monitoring to see unauthorized access attempts and other issues.
Organizations need to regularly assess the security of their cloud environments, and also that of their vendors, suppliers, and partners. At Seismic, we provide comprehensive cloud security solutions, working with your business to ensure that your critical data is safe and secure both within the cloud and within your organization.