The Cloud Security TL;DR: Quick-and-Dirty Best Practices

There are all kinds of cloud security best practices lists out there, but a recent online presentation put a new twist on such lists, lumping hybrid cloud security together with backup and recovery.

"Those things seem completely removed from each other," said security expert Brien Posey in an online summit presented by Virtualization & Cloud Review last week. "And in some way, it seems kind of odd to talk about them all together. But if you really stop and think about it, it's all about data protection. Backup falls under the data protection umbrella, and security. When you're implementing security in your hybrid cloud environment, what you're really doing is trying to protect your data. So everything falls under that data protection umbrella. And that's why we're discussing all of this from the same standpoint in the same event."

Data Protection Is the Most Popular Use Case for Hybrid Cloud (source: NetApp).

Posey was speaking during his session of the Enterprise Hybrid Cloud 101 Summit, now available for on-demand viewing. His presentation in the three-session, half-day event was titled "Hybrid Cloud 102: Best Practices for Hybrid Cloud Security/Backup/Recovery."

The presentation from Posey, a 21-time Microsoft MVP and freelance tech author, was so chock-full of great cloud security nuggets that we had to boil everything down into digestible bites, kind of like a TL;DR (too long; didn't read) -- except for a live presentation. With that in mind, here are short summaries of what Posey had to say about just some of the many best practices he detailed in his one-hour presentation.

Address Interoperability Issues
High-level bullet points for this include:

  • Look for and address workloads that were cobbled together using band-aid solutions before the hybrid cloud matured (it may improve performance, stability, and security).
  • Look for anything that you may be able to simplify (it may reduce your licensing costs).

"Addressing interoperability issues is one of the very first best practices with regard to hybrid cloud," Posey said. "It's important to go back and take a look at especially your longstanding cloud workloads, things that you've had up in the cloud for eight, 10, 12 years. And to just take a look at that and take a look at how they've been deployed and look at all of your settings and see if there's anything that needs to be done a little bit better. See if shortcuts were taken when that application was first deployed, or the security settings had been disabled just to make it work. Because now everything's had time to mature -- we live in a cloud-first world -- and so all those shortcuts that maybe had to be taken 10 or 15 years ago don't matter anymore, but yet a lot of that is still in place."

"So from a security perspective, that's one of the very first things that I would recommend doing is just looking at your longstanding cloud applications and how they're set up. And checking to see if the security settings and any back-end infrastructure you may have put in place is really necessary today. Because if you can eliminate some things and re-enable security settings, not only you can make the environment more secure, you could potentially in the process improve the performance and maybe even manage to bring down cost a little bit. So those are all good things."

Enable Security Automation and Real-Time Visibility
High-level bullet points for this include:

  • Security automation is important because it allows events to be dealt with quickly.
  • Security automation is not a substitute for security expertise.
  • Automation should never be used as an excuse for set-it-and-forget-it security.
  • You must periodically revisit your security automation to see if anything needs to be added, changed, updated, etc.
  • Workloads are dynamic and your security automation must address new and changing workloads.

"This one is really important, because there's an old saying that you can't secure anything that you can't monitor," Posey said. "So in other words, you have to be able to see it in order to be able to tell if it's secure enough. Sounds really simple, but it's important. Now, when it comes to security automation, it's a really good idea to put automated tools in place that will detect security events, and then take automated action, and do whatever happens to be appropriate in that particular situation."

Posey continued: "So there are a few things that I would recommend having caution about. First of all, security automation should never ever, ever be a substitute for security expertise. Because automation will only get you so far. An automated security engine might initially respond to an incident, but ultimately, there's probably going to be somebody on staff who's going to have to make some decisions about the incident. So you need to have somebody who's got a good working knowledge of security, rather than just depending purely on an automated security product.

"Another thing to consider is that automation for security should never be treated as set it and forget it. So what do I mean by set it and forget it? Well, what I'm really talking about here is one of those situations where somebody with maybe a minimal knowledge of IT security finds an article -- like some of the ones that I've written or some of the ones that others have written -- that has all these different security best practices right now. So they download that and they implement those 15 best practices. And certainly things are more secure after having done that. But that was never intended to be a comprehensive list of things to be done to secure an environment because every environment is different. But also, as I said at the very beginning of the presentation, best practices evolve over time. And sometimes those evolving best practices change radically over time. So you don't want to be put in a situation where an administrator goes in, they set up security, and then they never touch it again. Because even if they got everything absolutely perfect, best practices change over time. So what's perfect today isn't necessarily going to be perfect tomorrow."

Address Security Concerns
High-level bullet points for this include:

  • What is it that really keeps the stakeholders awake at night?
  • Is there something that could have been done better? Is there something that you can't monitor?
  • It's always cheaper and easier to address these sorts of issues before an incident occurs.

In discussing this, Posey referenced an article he had read in which security pros were asked about the one thing that they really focus on, or the number one question that they always think about.

"So the number one question that they always think about is, 'What have I missed?' You know, 'What is it in my environment that I could be doing better? Or that I've completely overlooked? And had this big, gaping security hole that I just don't even know about?'"

After explaining more about that, he continued in the context of budget constraints.

"Because pretty much everybody that I can think of off the top of my head, who has ever done network security, knows that they only have so much security budget to work with, and certainly want to spend that security budget as wisely as you possibly can, and get the best security for your budget dollar. But the thing is, there's rarely enough of a budget to do absolutely everything. So typically, there will be something that has to be left undone. No, I'm not talking about a huge gaping security hole. Hopefully most IT pros are more responsible than to allow something like that to remain, but I think most of us, if we were to really be honest with ourselves, we could think of at least one thing on our network security-wise that could be done better. So that's where I would recommend focusing future security efforts."

Exercise the Principle of Least Privilege
High-level bullet points for this include:

  • Least privilege is almost always discussed from the standpoint of user accounts.
  • The concept can also be extended to endpoints, IoT devices, service accounts, cloud tenant accounts, and applications.
  • Role Based Access Control can help, but it isn't a comprehensive solution by itself.
  • Watch out for problems arising from stacked privileges or outdated group memberships.

"Now, the idea of least privilege, that's something that IT pros talk about until they're blue in the face, myself included. I've given -- I couldn't even tell you how many of these presentations -- and for whatever reason, the concept of least privilege access always seems to come up. And I think the reason for that is that it's something that's really, really important. So privileged access, for anybody who's not familiar with the term, is the idea that a user shouldn't have access to anything more than the bare minimum that they need in order to get their job done. And there's a few different reasons for that. The main reason goes back to what I was talking about at the very beginning of the presentation, that simply put, a user can't sabotage or damage a resource that they can't even access."

After extensive discussion about the above, he continued in the context of a ransomware infection that is going to spread throughout an organization's systems.

"Now, if you're exercising the principle of least user access, you're going to limit the blast radius, you're going to limit the amount of damage that this ransomware can do. I mean, yes, the ransomware is still going to do damage at that point, because anything that that user [who clicked a malicious link] has access to is potentially going to be compromised, all the ransomware has to do is find it. But if there's a folder or an application, or some other resource that the user just doesn't have rights to, well, the ransomware is not going to be able to touch that because it's operating under the same security context as the user who launched the ransomware. So the concept of least privilege access is super, super important with regard to keeping your environment secure. And as I mentioned earlier, it also helps with a disgruntled user who wants to go in and delete everything or steal data and sell it to your competition or something like that. So giving users the bare minimum amount of access that they need in order to do their jobs -- that's what least privilege access is all about."
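
The stacked-privilege and outdated-group-membership bullets above can be checked mechanically. The following is an added illustration, not code from Posey's presentation or from this article: it expands nested group memberships into a user's real reach (the blast radius of anything running in that user's security context) and compares it with what the current role justifies. All group, role, user, and resource names are constructed.

```python
# Constructed sample directory data (all names are hypothetical).
NESTED = {                     # group -> groups it is a member of (stacking)
    "helpdesk": {"staff"},
    "finance-temp": {"finance"},
    "finance": {"staff"},
}
GRANTS = {                     # group -> (resource, right) pairs it confers
    "staff": {("intranet", "read")},
    "helpdesk": {("ticketing", "write")},
    "finance": {("ledger-share", "write"), ("payroll-db", "read")},
}
ROLE_BASELINE = {"helpdesk-agent": {"helpdesk"}}   # groups each role needs
USERS = {"alice": {"role": "helpdesk-agent",
                   # finance-temp is left over from an old project
                   "groups": {"helpdesk", "finance-temp"}}}


def expand(groups):
    """Return the groups plus everything inherited through nesting."""
    seen, todo = set(), list(groups)
    while todo:
        g = todo.pop()
        if g not in seen:          # guards against cyclic nesting
            seen.add(g)
            todo.extend(NESTED.get(g, ()))
    return seen


def reach(groups):
    """Every (resource, right) conferred by a set of direct groups."""
    return set().union(*(GRANTS.get(g, set()) for g in expand(groups)))


def review(user):
    """Compare a user's real reach with what the current role justifies."""
    entry = USERS[user]
    needed = ROLE_BASELINE[entry["role"]]
    return {
        "stale_groups": sorted(entry["groups"] - needed),
        "blast_radius": sorted(reach(entry["groups"])),
        "excess": sorted(reach(entry["groups"]) - reach(needed)),
    }


if __name__ == "__main__":
    print(review("alice"))
```

The `excess` entries are the resources a process launched by this user could touch that the role never required; removing the stale group shrinks the blast radius to the role's baseline.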

Ensure Regular Audit of Systems
High-level bullet points for this include:

  • Audits need to be regularly scheduled, otherwise they will slip through the cracks.
  • If you use an audit tool, make sure that it is actually doing what you need it to, and not giving you a false sense of security.
  • If you perform audits manually, make sure that you use a checklist and perform each audit in a standard way. Otherwise true historical comparisons are impossible.

For this best practice, Posey addressed scenarios for organizations that aren't in regulated industries, for which IT audits are regimented and specific to the industry.

"And, you know, I get it, the idea of an IT audit sounds awful," Posey said. "You know, I can't speak for anyone else. But I know me personally, I don't want some busybody coming into my network poking around and then telling me all of the things that I've done wrong security-wise. I mean, sure, it's important to know what you've done wrong, security-wise. But if you really stop and think about it, security is a trade-off. I've got friends who always said that, if you want to keep your data really, really secure, lock it up in a safe and drop the safe to the deepest part of the ocean -- nobody's going to get to the data. But of course, the problem with that is that the data is completely inaccessible to the people who need it. So security is a trade-off between keeping the data safe from the bad actors, but making it so that your users can use that data on an as-needed basis. So there's such a thing as having too much security, where the security actually becomes intrusive, and things like that. So if you just hire an auditing firm, they may not really know the nature of your business, and probably make all kinds of recommendations for things that might theoretically make your data more secure, but they're going to make your users' lives a lot harder. So you've got to strike that balance between usability and security."

Posey later noted that a hardcore IT audit from an outside firm probably isn't in the best interest of a small business, but there are other measures to take.

"So there are a few different things that you can do if you want to audit your IT security but you don't want to subject yourself to an external auditing. One possibility is to go out on the internet and search for IT audit checklist or something like that. There are web sites out there that will give you a checklist of things that you should look for if you're doing a self audit of your IT environment. Now, these checklists might not apply specifically to your environment, but it can be a good starting point.

"Another possibility is to use an automated tool to go in and audit your environment, because there are tools out there that can just go in and search for security deficiencies and generate a report. So whatever you're doing, the important thing to do is to make sure that you're actually doing it and that you're doing it on a regular basis. And my advice would be to make sure that you formally schedule these security audits to happen. Because otherwise, it's way too easy to either forget about them, or to just say, 'Ah, we'll do it tomorrow' and you know, it never really gets done, or it's done super inconsistently, or something like that."

More Best Practices, and More Summits
The above best practices were only a sample. Other best practices Posey discussed in detail (along with high-level bullet points) include:

  • Secure All Endpoints:
    • This is a tall order, but is important nonetheless.
    • Endpoints are probably the second biggest vulnerability (behind the users themselves) for most organizations.
  • Use a Comprehensive Monitoring System:
    • You can't secure what you can't monitor.
    • Look for a single tool that can monitor all your on-premises and cloud resources.
    • Make sure that the tool is extensible!
    • Verify that the tool gives you the ability to suppress certain types of alerts.
  • Keep Your Process Uniform Across the Cloud:
    • It sounds simple, but it's super important!
    • Uniform processes make workload migration easier as needs and costs change.
    • Uniformity also makes security MUCH easier.
    • Las Vegas table games adhere to this very concept.
    • Casino security also uses the concept of JDLR (just doesn't look right).
  • Assess Risks and Manage Treatment:
    • In a perfect world, security budgets are infinite.
    • In the real world, you may have to prioritize.
    • Identify your most mission-critical workloads.
    • Identify your biggest potential vulnerabilities.
    • On the flip side, look for simple low-budget / no-budget things that you can do to improve security.
  • Encrypt Everything:
    • Encrypt all data at rest and in flight (whether it needs it or not).
    • Protect your encryption keys to the extreme!
    • Key loss = data loss.
  • Create a Backup and Disaster Recovery Strategy:
    • Be aware of the costs and bandwidth constraints.
    • Use data deduplication where it makes sense to do so.
    • Don't fall into the trap of relying solely on cloud backup.
    • Don't underestimate data egress fees.
    • Replicate data to other regions (if it makes sense to do so).
    • Make a concerted effort to seek out any single points of failure.

While Posey's presentation and two others in last week's summit are available on-demand, attending such events in person has advantages including the chance to ask specific questions of the expert presenters (in addition to the chance to win an attendee raffle for a drone, PC or other great gift).

With that in mind, here are some events coming up in the next few weeks that readers may be interested in: