Introduction
Cloud computing offers multiple benefits to a business. It adds technical performance, scale, cost-effectiveness, and elasticity that positively affects any organization’s operational growth. It is for these specific reasons that “92% of enterprises have a multi-cloud strategy, while 82 percent have a hybrid cloud strategy” according to Flexera 2021 State of the Cloud Report, and this number keeps on increasing. By 2025, the cloud computing market size value is expected to be worth USD 368.97 billion, according to a report by Grand View Research.
Implementing the cloud requires a careful understanding of infrastructure security as it pertains to public cloud adoption. For example, a good understanding of the “shared security responsibility model”, which effectively means that certain responsibilities fall on you as it relates to hosting applications, data, containers, and workloads in the cloud. Essentially, knowing your responsibilities and those of the cloud services providers reduces the risk of introducing vulnerabilities into your public, hybrid, and multi-cloud environments.
As such, security is a key pillar that needs careful attention when you move your workloads to the cloud. This will help you scale your business and IT needs in a secure and compliant cloud environment.
In this article, we’ll cover four basic security considerations to enable safe cloud migration practices and help organizations keep their cloud infrastructure safe and secure. Let’s begin.
Vestibulum lacinia arcu
Misconfiguration
Misconfigurations are common and preventable mistakes but can result in your cloud data being open to hackers and data thieves. Cloud misconfigurations happen in the absence of strong security measures for cloud data, which allows attackers to steal valuable information.
Examples of misconfiguration may include a user or team allowing unrestricted outbound access by accident, opening up a quad 0 rule 0.0.0.0/0 for ingress and egress, allowing SSH access to computing services, absence of infosec approvals, and/or developing infrastructure without automation. Hackers and data thieves can use such flaws in security to conduct brute force attacks or even launch a distributed denial-of-service (DDoS) attack that can adversely impact your applications running in the cloud.
In order to prevent misconfigurations from occurring, and keep data secure, organizations are recommended to:
- Implement a secure configuration management (SCM) program, which delineates key practices such as mitigating known security weaknesses using vulnerability assessments, evaluating authorized hardware and software configurations as well as automate the remediation process using security processes and controls.
- Invest in tools like OPA, Sonarqube, Gitleaks, Terrascan etc. which allow developers to write cleaner and safer code. These tools can be set up to be a part of your secops pipeline that can automate code scanning during the CI process enabling quality to be measured continuously over time.
- Scan for IAM (Identity and Access management) policies continually, which keeps systems and data secure and reduces inadvertent risk to applications and data access. As a result, organizations across industries are leveraging technology solutions to manage identities and privileges in their cloud environments. These AI-enabled solutions enable a centralized dashboard to track and control IAM permissions scattered across public clouds like AWS, Azure and GCP.
Distributed Denial of Service (DDoS) Attacks.
Distributed denial of service or DDoS attack is a major concern and security risk when it comes to a cloud environment, primarily for public-facing apps. It is thus important to designate a prevention plan before cloud migration. A DDoS attack is usually carried out by malicious hackers and targets resources or services in an attempt to render them unavailable by flooding system resources with heavy amounts of fake or virtual traffic.
Dealing with DDoS attacks can prove challenging, as it is difficult to distinguish between requests from legitimate users and those from the attacker. To make it worse, DDoS attacks are getting more sophisticated with time. There has been a staggering 50% increase in such attacks since 2019.
In Feb 2020, Amazon reported that AWS Shield detected and mitigated a 2.3 Tbps attack, which is one of the largest DDoS attacks recorded in modern history. . On June 21, Akamai reported that its IDS system mitigated a 418 Gbps attack on a bank that lasted less than 10 minutes. Akamai attack used many new IP addresses. Since 2018, there has been a 169% increase in the 100–200 Gbps range attacks, a 2500% increase in the 200–300 Gbps attacks and 3600% increase in the 300–400 Gbps. These increases point to just one key fact, that organizations moving to the cloud need to invest in strong IDS systems that can effectively detect and mitigate large DDoS attacks.
Organizations should invest in firewall security products and configure firewall rules to monitor and filter out malicious traffic. More importantly, they need to invest in a strong Intrusion Detection System (IDS). DDoS attacks can be mitigated by using connection verification methods and by preventing certain requests from reaching enterprise servers via IDS. IDS can also be configured to detect a threat and take corrective actions to prevent it.
Additionally organizations can blacklist suspicious IPs and regularly check for proxy server lists.
Accidental Exposure of Credentials
Phishers often use cloud-based applications and environments to initiate phishing attacks. Due to the growing use of cloud-based email services (G-Suite, MS 365, etc.) and collaboration tools (Google Drive, Dropbox, OneDrive, Github etc) employees receive phishing emails with links that seek credentials.
Organizations should leverage tools such as Gitleaks to scan their git repositories for sensitive data which should be private. GitLeaks lets you audit uncommitted code changes, scan pull/merge requests, do bulk scans, and also export JSON data for further analysis. It works on Windows, Linux, and Docker containers, or in a Go program.
Legal and Regulatory Compliance
Legal and regulatory compliance requirements are a principal consideration that needs to be taken into account before cloud migration. These requirements have to do with the data getting processed and stored or transmitted between different cloud and physical network environments. Different countries can have varying legal and regulatory compliance requirements regarding processing, storage, or transmission of data, and not adhering to these requirements can put your organization at risk of legal battles and litigation.
Thus, having the right legal and regulatory compliance strategy in place will help organizations avoid regulatory and statutory violations, stay compliant, and secure their infrastructure. Make sure you consult your legal team when formulating such a strategy, and/or taking the decision to migrate to the cloud. Moreover, it is recommended that the organizations should consult with industry experts to understand the legal implications and possible adaptation to new, stricter regulations.
Conclusion
While the above four are a few key security takeaways for large scale cloud migrations, there are many more detailed and exhaustive considerations tailored towards specific industries that organizations should seek professional advice on.
At Sincera, we have deep cloud security and implementation experience. We understand “your” share of the Shared Security Model and have advised and helped many organizations navigate this journey carefully in a secure and compliant manner. We can assess, analyze and help you build a complete cloud security plan that can secure the foundations of your cloud journey.
