Cloud Security Best Practices
When evaluating a cloud solution, whether it is private or public, systems administrators must conduct their due diligence in making sure their environment is ready for such a step.
Every day, new types of secure cloud services are revolutionising user experiences in rich content delivery. This seamless experience creates a more sustainable environment and helps end-users have a better computing experience. Still, security will almost always be one of the biggest concerns of the IT business sector. Experience has shown that, no matter what technology or platform is implemented, securing that environment is a top priority. As data centers push their cloud infrastructure even further with solutions that include identity federation and single sign-on, the clear challenge and question becomes: How do we secure our cloud initiative?
The following are some industry tips and best practices when cloud security comes into the equation.
- Plan strategically: Since every environment is unique, very careful consideration must be given to how the corporate workloads are delivered to the end-user. By designing a solution which embraces security from the very beginning, an infrastructure will already be one step ahead in the cloud initiative. Taking a secure approach from the initial phase creates a solid foundation for entering into the cloud. By starting with security first, compliance-conscious organisations are able to deploy an environment that is both resilient and audit-ready.
- Pick a partner wisely: Your partner’s ability to protect sensitive cloud-based data is crucial. There are many cloud providers to choose from. Some will offer private cloud solutions, while others will offer a combination of public / hybrid cloud deployment alternatives. When evaluating a partner that will be set to deliver corporate ICT services via the cloud, make sure that partner has a foundation and heritage in both IT infrastructure and security services. Verify that cloud-ready risk mitigation is part of the provider’s common security practice. Evaluate a partner that has proven experience integrating cloud-based IT resources, security and network services, as well as providing robust and strategic service-performance assurances.
- Identity Management: Every enterprise environment will likely have some sort of identity management system. This is to control user access to corporate data and computing resources. When looking to move to the cloud, identity management quickly becomes a security concern. One of the last things a systems administrator would want is a user who is forced to remember several sets of credentials. Cloud providers must either integrate the customer’s identity management system into their own infrastructure, using identity federation or single sign-on technology, or provide an identity management solution of their own. Without that, some environments have seen what is known as identity pools, where users have multiple sets of authoritative credentials they must use to access common workloads.
- Protecting corporate data: For an ICT organisation to be considered protected, data from one end-user must be properly segmented from that of another. That means that “data at rest” must be stored securely and “data in motion” must be able to securely move from one location to another without interruption. Good cloud partners have solutions like this in place to prevent data leaks or access by unauthorised third parties. As such, it’s important to clearly define roles and responsibilities to ensure that auditing, monitoring and testing cannot be circumvented even by privileged users unless otherwise authorised.
- Develop an active monitoring solution: Just like information within a data center, data in the cloud must be continuously monitored. If systems managers need live data to be pulled from a cloud environment, they must leverage an active monitoring solution. Performance bottlenecks, system instabilities or other issues must be caught actively to avoid any outages in services. Failure to constantly monitor the health of a cloud environment will result in poor performance, possible data leaks and, sometimes worst of all, an angry end-user. Organisations which are ready for the cloud must plan the monitoring and the intervals required based on their data content. From there, it’s advised they implement manual or automated procedures to respond to related events that may occur in their cloud environment.
- Test regularly and establish environmental metrics: Whether deploying your own private cloud or using a cloud-ready partner, always make sure to test and regularly maintain your environment. When looking at a service provider, make sure they offer a solid Service Level Agreement (SLA) that includes metrics like availability, notification of a breach, outage notification, service restoration, average time to resolve, and so on. Both in a provider relationship and in a private cloud solution, regular and active testing should be included. By keeping an environment healthy and tested, we can remove quite a bit of risk associated with security or inadvertent data leaks.
Never Forget The Basics
Since security is always a concern for a conventional data center, it should be a top priority in any cloud initiative as well. Third-party organisations, such as the Cloud Security Alliance, regularly publish advice for securing a cloud deployment.
Always try to remember the following for securing SaaS, PaaS and IaaS environments:
- Strong authentication methods are always recommended. Two-factor and even certificate-based authentication methods can be great. Remember, depending on the risk level of the services being offered, your security architecture will need to match those requirements.
- You must be able to manage user access across the board. User privileges will absolutely vary and you especially need to control the administration of privileged users for all supported authentication methods.
- Incorporate self-service and identity validation. You can deploy powerful tools which analyse lost and orphaned accounts across onsite and remote locations. They’ll look at admin accounts as well. You can allow users to request new services and even modify their own permissions (where it makes sense). The key is managing these permissions and creating user controls.
- Go beyond just enforcing strong passwords, even though that’s still important. Now, new technologies allow for deep interrogation of users, locations, devices, and even specific resource access points. Either way, ensure your users have secure methods of entry depending on the devices they’re using.
- Identity management and federation can help out a lot. Federated services can be a means of delegating authentication to the organisation that uses the SaaS application. Or, you can tie separate services using federation services to reduce authentication challenges. These are great ways to manage user identities in one spot.
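
The lost and orphaned account analysis mentioned in the self-service item above can be sketched as a reconciliation between an authoritative identity source and the accounts found in each location. This is an added example, not code from the article or from any product; the account names, locations, dates and the 90-day threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data: the authoritative identity source (for example an
# HR or directory export) and the accounts discovered in two locations.
REVIEW_DATE = date(2024, 6, 1)
DIRECTORY = {"alice": "active", "bob": "terminated", "carol": "active"}
ACCOUNTS = [
    {"user": "alice", "location": "onsite-ad", "admin": False, "last_login": date(2024, 5, 28)},
    {"user": "bob", "location": "cloud-iam", "admin": True, "last_login": date(2024, 5, 30)},
    {"user": "carol", "location": "cloud-iam", "admin": True, "last_login": date(2023, 11, 2)},
    {"user": "svc-backup", "location": "cloud-iam", "admin": True, "last_login": None},
    {"user": "dave", "location": "onsite-ad", "admin": False, "last_login": date(2024, 1, 15)},
]

def review_accounts(directory, accounts, today, stale_days=90):
    """Return findings for accounts with no active owner or no recent login."""
    findings = []
    for acct in accounts:
        status = directory.get(acct["user"])
        if status is None:
            reason = "orphaned: no owner in identity source"
        elif status != "active":
            reason = "orphaned: owner is " + status
        elif acct["last_login"] is None:
            reason = "lost: never used"
        elif (today - acct["last_login"]).days > stale_days:
            reason = "lost: no login in %d days" % (today - acct["last_login"]).days
        else:
            continue  # active owner and recent login: nothing to report
        findings.append({**acct, "reason": reason})
    # Privileged accounts first: they carry the most risk if left unmanaged.
    findings.sort(key=lambda f: (not f["admin"], f["location"], f["user"]))
    return findings

if __name__ == "__main__":
    for f in review_accounts(DIRECTORY, ACCOUNTS, today=REVIEW_DATE):
        tag = "ADMIN" if f["admin"] else "user"
        print(f"{f['location']:10} {f['user']:11} {tag:5} {f['reason']}")
```

An orphaned account whose owner has left is reported even when its last login is recent, since recent activity on such an account is itself worth investigating.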
As more data centers are pushed into the cloud, security will play an even greater role in maintaining data integrity. Even though the technology is still new, cloud computing offers great benefits to those environments prepared to make the investment. Remember to make wise and well-researched decisions when evaluating cloud data center security options.