11 exercises to ensure your enterprise is 'cloud fit'
A cloud environment is like the human body. It can be viewed in different "states" and is a continuously evolving and adapting entity that requires constant vigilance in order to ensure it's operating at its optimal state. That optimal state can be achieved through fitness, and when it comes to the cloud, getting fit is one of the best ways to eliminate vulnerabilities and threats that could cause damage. We're not necessarily talking about the equivalent of benching 500 pounds or running a marathon. Rather, there are some basic, but critical, steps that an enterprise can and should take in order to be fit and prepared to keep data safe from bad actors.
It's impossible to know where the next attack on your cloud will originate, but you should have a solid awareness of the different components of your cloud stack and how to manage them. In the context of the structure of your cloud, it helps to break them down according to the parts of the cloud that, by design, allow access, process data, and/or perform any type of collaboration, communication, and transaction.
If that seems like it covers every corner and surface area of your cloud, it does. Preparing for hacks and intrusions is a full-time effort; like the workings of the body, security never stops. The cloud is flexible and supports an organization's efforts at agility, and these are among the many reasons why so many enterprises are choosing a cloud-first approach in their technology and business practices. But, that flexibility has to be balanced with rigorous attention to potential risk.
There are 11 "exercises" that you can do to help guide you towards being a fitter cloud user. These steps are meant to minimize the impact of human error when it happens (and it ALWAYS happens) and encourage a more defensive mindset within your organization. By coupling these steps with security automation, you will create the necessary security posture that can ward off hacking attempts before bad actors can find a hole.
Here’s a quick rundown of the steps we propose in your organization’s effort to get "cloud fit":
- Exercise #1 -- Disable Root Account API Access Key: Because of the change in root user use recommendations and the addition of IAM in AWS, it is recommended that you disable, or even better, delete the AWS root API access keys.
- Exercise #2 -- Enable MFA Tokens Everywhere: AWS recommends multi-factor authentication, and as a fairly simple thing to implement, it should be required of all users, both inside and outside your organization.
- Exercise #3 -- Reduce IAM Users with Admin Rights: How much access does a user or application need in order to perform the task? What is the risk if the key is lost or compromised? Make sure you provide access just to those who need it.
- Exercise #4 -- Use Roles for EC2: IAM credentials frequently get compromised, and we know this can be avoided when IAM roles are created for EC2.
- Exercise #5 -- Least Privilege: Get a handle on management of access to applications, buckets, services, and other aspects of your cloud infrastructure so access is given only to those who absolutely need it.
- Exercise #6 -- Rotate all the Keys Regularly: Per AWS best practices, credentials, passwords and API Access Keys should all be rotated on a regular basis. If a credential is compromised, this limits the amount of time that a key is valid.
- Exercise #7 -- Use IAM Roles with STS AssumeRole: Ensure user adoption while enforcing strict IAM management and usage policies.
- Exercise #8 -- Use AutoScaling to Dampen DDoS Effects: A more effective solution for absorbing and managing DDoS attacks: AutoScaling.
- Exercise #9 -- Do Not Allow 0.0.0.0/0 Unless You Mean It: This helps block unwanted traffic and manage the threat surface.
- Exercise #10 -- Watch World-Readable and Listable S3 Bucket Policies: Be judicious about how you create and manage your S3 policies, which is especially timely in light of these recent headline-gathering issues from Verizon, WWE, and Dow Jones.
- Exercise #11 -- CloudTrail and Encryption: Enable AWS CloudTrail so that API activity in your account is logged.
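Several of these exercises can be checked mechanically rather than by eye. The script below is an added example, not code from the original article or from Evident.io: it runs three of the checks (Exercises 1, 2 and 6 against an IAM credential report; Exercise 9 against security group rules; Exercise 10 against an S3 bucket policy) over constructed sample data shaped like the real AWS outputs, so it runs offline. The 90-day rotation threshold, the fixed clock, the set of ports where 0.0.0.0/0 is "meant", and all user, group and account identifiers are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the shape of an IAM credential report (subset of its columns).
CREDENTIAL_REPORT_CSV = """user,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,true,true,2017-07-01T09:00:00+00:00,false,N/A
alice,true,true,2017-06-20T12:00:00+00:00,false,N/A
bob,false,true,2016-11-01T08:30:00+00:00,false,N/A
"""
NOW = datetime(2017, 7, 20, tzinfo=timezone.utc)  # fixed clock so the sample is deterministic
MAX_KEY_AGE = timedelta(days=90)                   # assumed rotation policy


def audit_credential_report(report_csv, now=NOW, max_age=MAX_KEY_AGE):
    """Exercises 1, 2 and 6: active root keys, users without MFA, stale access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account still has an active access key (exercise 1)"))
        if row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled (exercise 2)"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys have no rotation timestamp to check
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            if now - rotated > max_age:
                findings.append((user, f"access key {slot} not rotated for over {max_age.days} days (exercise 6)"))
    return findings


# Constructed sample shaped like `aws ec2 describe-security-groups` output (hypothetical group ids).
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0000aaaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000bbbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]}
INTENDED_WORLD_OPEN_PORTS = {80, 443}  # assumed: the only ports where 0.0.0.0/0 is deliberate


def audit_security_groups(groups, intended=INTENDED_WORLD_OPEN_PORTS):
    """Exercise 9: flag inbound rules open to the world on anything but the intended ports."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                continue
            port, to_port = perm.get("FromPort"), perm.get("ToPort")
            # "-1" means all protocols; a missing port or a port range is never an intended exposure
            if perm.get("IpProtocol") == "-1" or port is None or port not in intended or to_port != port:
                findings.append((sg["GroupId"], f"world-open {perm.get('IpProtocol')} {port}-{to_port} (exercise 9)"))
    return findings


# Constructed S3 bucket policy; the account id is the documentation placeholder, not a real account.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "AppWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
PUBLIC_RISK_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}  # world-readable / listable


def audit_bucket_policy(policy):
    """Exercise 10: flag Allow statements granting read/list to an anonymous principal."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if not is_public:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        risky = sorted(a for a in actions if a in PUBLIC_RISK_ACTIONS)
        if risky:
            findings.append((stmt.get("Sid", "?"), f"anonymous principal allowed {', '.join(risky)} (exercise 10)"))
    return findings


def run_audit():
    """Aggregate all findings; an empty list means the sample passed these checks."""
    return (audit_credential_report(CREDENTIAL_REPORT_CSV)
            + audit_security_groups(SECURITY_GROUPS)
            + audit_bucket_policy(BUCKET_POLICY))


if __name__ == "__main__":
    for subject, message in run_audit():
        print(f"{subject}: {message}")
```

Against the constructed data the audit reports the root access key, bob's missing MFA and stale key, port 22 open to the world on the web group, and the anonymous read/list grant on the bucket; the same functions accept the real credential report CSV, `describe-security-groups` JSON and a bucket policy document when fed from the AWS CLI, and they are the kind of checks worth wiring into the security automation the article recommends so drift is caught on every run rather than at the next manual review.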
No one lowers their cholesterol with one trip to the gym. Fitness is a continuous goal, not a unique state. And if you follow through with these exercises, you'll find that your enterprise and all the layers of your cloud will truly become stronger, more resilient, and less vulnerable.
John Martinez is VP of Customer Solutions for Evident.io and ensures all customers and partners can achieve their cloud security and compliance goals. John has in-depth experience guiding development teams to AWS and other cloud platforms. He assists them in streamlining creation of cloud applications, optimizing AWS resource usage, and ensuring that their AWS infrastructures are properly protected. John specializes in DevOps, automation and continuous solutions.