Cloud security basics and best practices

Shifting from on-prem to the cloud can open up significant possibilities for your organization. The cloud is economical, easily scalable, and can be accessible to users across your company. Along with the growth and flexibility it provides, moving to the cloud can also expose your organization to cyber security threats. It is essential that as your organization grows on the cloud, you also strive to protect your cloud-based environments, applications, and data.

Wiz Experts Team

Cloud security vs. on-prem security

The security threats businesses contend with today can affect workloads hosted both on-prem and in the cloud. A Distributed Denial of Service (DDoS) attack can take on-prem applications offline just as well as it can target a cloud-based environment. If attackers bypass your data access controls, ransomware and malware can strike data hosted on your servers or managed in cloud services like AWS S3. 

While the types of attacks aren’t fundamentally different in the cloud, workloads hosted there are subject to unique security challenges:

Complexity

Cloud environments tend to be more complex than an on-prem tech stack, and that complexity typically brings more significant security risk. You may run virtual machines alongside containers and serverless functions, with an orchestration layer like Kubernetes on top.

Exposure to the Internet

Since cloud environments rely on the Internet to connect workloads to users, applications and data running in the cloud generally have wider exposure to the Internet than workloads hosted on-prem. It’s possible to use resources like Virtual Private Clouds (VPCs) or network ingress filtering to isolate workloads from the Internet, but default configurations in the cloud usually leave Internet connectivity on.

Borderless cloud networks

Similarly, you can’t define network boundaries in the cloud in the way you can on-prem. Although you can create isolation between your cloud environment and the Internet, you'll still need to leave some connections open for administrators to access your cloud environment. This differs from an on-prem environment where you could completely isolate data behind a firewall and enable access only through a local intranet.

Complex and fragmented access controls

In an on-prem environment, systems like Active Directory and OpenLDAP typically manage user identities and permissions. Managing access controls in the cloud is more difficult because there is no central access control system that applies across all cloud environments.

Instead, you can define a variety of different access control policies using each vendor’s Identity and Access Management (IAM) system, which varies between clouds. Juggling multiple IAM systems increases the risk of configuration errors or oversights that open the door to attack.

Stricter compliance controls

In some cases, businesses may be subject to compliance rules that impose special security requirements over data or applications hosted in the cloud, but not those that run on-premises. For example, cloud data centers located in a different country than on-prem servers may need to comply with that country’s local data privacy laws.

Limited control and visibility

For on-prem workloads, there is no limit on how much data you can gather to detect and monitor security breaches because you have total control over your infrastructure and hosting environments. The amount of network monitoring data available in the cloud is limited to what your cloud provider offers, leaving you with less visibility. For example, in serverless compute services like AWS Lambda, you can’t view operating system logs or collect low-level kernel monitoring data using a framework like eBPF.

Best practices for optimizing cloud security

Security challenges shouldn’t prevent you from using the cloud. If you adhere to standard best practices for securing cloud workloads, you can enjoy its flexibility without compromising security.

Scan IAM configurations

To protect against the risk of access control misconfigurations, you should scan your cloud IAM policies using tools that automatically detect problems, such as controls that allow anyone to view sensitive cloud-based data.
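As an added example (not Wiz tooling and not code from this page), here is a small Python scanner of the kind described above: it parses an AWS-style policy document and flags Allow statements that grant the anonymous principal read access to S3 without any Condition narrowing the grant. The sample policy, the action list and the "any Condition suppresses the finding" rule are constructed assumptions, and actions are matched exactly, so wildcard forms like s3:Get* are not expanded.

```python
"""Scan AWS-style IAM/resource policy documents for statements that let anyone
read data. Added example, not Wiz code; the sample policy is constructed."""
import json

# Read actions on S3 that expose data when granted to everyone (lower-cased).
SENSITIVE_READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when Principal is '*' or {'AWS': '*'} (anonymous / everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return Sids (or positions) of Allow statements granting public read.
    Flagged when Effect is Allow, Principal is public, an action matches a
    sensitive read action and no Condition is present (assumption: any
    Condition is taken to narrow the grant enough to suppress the finding)."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & SENSITIVE_READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed sample bucket policy: one public read grant, one scoped to a role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "TeamRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataTeam"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
```

Running `find_public_statements(SAMPLE_POLICY)` reports only `PublicRead`; a real scanner would also expand action wildcards and inspect what each Condition actually restricts.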

Tag cloud resources

You can tag cloud resources like VMs and databases in most cloud environments by creating descriptive labels. From a security perspective, tagging is valuable because it helps you track which cloud workloads you have running. By extension, tags help to identify workloads that should be shut down, reducing your attack surface.

Establish strong cloud governance

You should define and enforce governance policies to minimize the risk that employees will create insecure cloud workloads that go unmonitored. Guidelines should stipulate who can create workloads and delineate a procedure for ensuring that those workloads are appropriately tagged and monitored. The goal is to avoid spinning up resources without your IT or security team’s knowledge and oversight.

Don’t settle for security defaults

Default security policies are often not secure. Typically, newly created cloud workloads are configured with default policies that define access control and networking. You can go further by allowing only specific users to interact with a virtual machine and by creating resources like VPCs to restrict network access to workloads that don’t require direct interfaces with the Internet.
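To make the point about not settling for defaults concrete, here is an added Python example (not Wiz's or any provider's code): it models security-group-style ingress rules, reports which ports are reachable from the whole Internet, and contrasts a wide-open rule set with a hardened one that confines SSH to a corporate range and the application port to a VPC subnet. The rule format, the CIDRs and the set of ports permitted to be public are constructed assumptions.

```python
"""Check security-group-style ingress rules for Internet-wide exposure.
Added example, not Wiz code; the rule format and CIDRs are constructed."""
import ipaddress


def allows(rules, src_ip, port):
    """True if any ingress rule admits traffic from src_ip to the given port."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"])
        if ip.version == net.version and ip in net \
                and rule["from_port"] <= port <= rule["to_port"]:
            return True
    return False


def internet_exposed_ports(rules, permitted=frozenset({443})):
    """Return ports reachable from the whole Internet (0.0.0.0/0 or ::/0)
    that are not in the permitted set, e.g. 443 for a public HTTPS endpoint."""
    exposed = set()
    for rule in rules:
        if ipaddress.ip_network(rule["cidr"]).prefixlen == 0:
            exposed.update(range(rule["from_port"], rule["to_port"] + 1))
    return sorted(exposed - set(permitted))


# Constructed wide-open rule set: SSH and an app port reachable from anywhere.
OPEN_RULES = [
    {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"cidr": "::/0", "from_port": 8080, "to_port": 8080},
]

# Hardened version: SSH only from a corporate range, the app port only from a
# load-balancer subnet inside the VPC; HTTPS stays public on purpose.
HARDENED_RULES = [
    {"cidr": "203.0.113.0/24", "from_port": 22, "to_port": 22},
    {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"cidr": "10.0.1.0/24", "from_port": 8080, "to_port": 8080},
]
```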

Make your cloud flexible and secure

The cloud is flexible and powerful, which is why most businesses use cloud services today. If you settle for default security configurations and tools, however, your cloud isn’t necessarily secure. To ensure that you can safely take full advantage of cloud computing, invest in practices that harden your cloud environment against security risks.
