Different cloud environments have different security needs. Here’s how to create a cloud-security scaffolding to strengthen protections while reducing manual support.
On-prem data centers, public cloud regions, edge: Agency cloud environments have grown highly complex. And that has significant implications for cybersecurity.
Each cloud provider defines its security model differently, and it’s up to your organization to understand the differences. While the cloud provider takes responsibility for securing elements of the infrastructure it abstracts away from you, every other aspect of the cloud is your responsibility. If there’s a configuration knob to adjust, you need to adjust it. And the security knobs—for services such as identity management and access management—are totally different for each cloud provider.
The result is frequent security misconfiguration. It’s worth noting that 85% of data breaches involve a human element, according to the 2021 Verizon Data Breach Investigations Report. And no small portion of breaches are caused by human error resulting from cloud misconfiguration.
For many organizations, cloud adoption is coinciding with the adoption of containers and other open-source cloud technologies such as Kubernetes. These technologies provide a strong framework not just for application and deployment consistency but also for building a common security scaffolding that’s portable anywhere with all the security knobs adjusted the way you want them.
Start With Good Security Hygiene
Cloud security begins with good security hygiene. Begin by documenting and maintaining a robust security policy. Cloud vendors provide adoption frameworks that offer guidance. For instance, AWS Landing Zone includes guidelines on issues such as account sharing and incident response.
You also should automate as much security and cloud management as possible, to reduce both human error and cost. That calls for starting with consistent APIs to make future automation straightforward.
Other details that deserve attention include securing root accounts, restricting actions with least-privilege policies, encrypting and backing up data, defining network policies, and implementing monitoring that produces actionable alerts rather than noise. Finally, cost management policies let accounting teams create feedback loops with developers to understand cost spikes, which can be a leading indicator of account misuse.
Make an Open Source Platform Your Security Scaffolding
Of course, every public cloud deployment, whether it’s on IBM or Google, AWS or Microsoft Azure, by default has some security settings turned on. But these settings are unique to each environment. They don’t reflect the specific needs of each of your workloads and sets of users. And they don’t address the unique compliance requirements of government agencies.
As a result, your agency needs to configure security based on compliance and the risk acceptance for each workload. Yet most infrastructure teams lack the resources and expertise to get every setting right for every cloud provider. The large margin of error is a security incident waiting to happen. You need a better approach. One common approach is to build security scaffolding on top of a container platform.
The idea behind containers—and a key reason they’ve become popular—is that you can package up software code with all its dependencies and run it the same way in any environment. A container orchestrator takes this a step further, enabling multiple containers to run the same way across environments. Kubernetes is an attractive orchestrator because it’s not only open source but also at the epicenter of the cloud-native ecosystem.
Cloud providers offer managed Kubernetes solutions. But each provider’s Kubernetes platform involves custom hooks and integrations into that provider’s own services, which aren’t portable elsewhere. So when it comes to security, you still have to configure each environment separately.
A better approach is an open-source, cloud-agnostic Kubernetes platform so that your security settings are portable across clouds. That enables you to build a security scaffolding on top of containers and Kubernetes so that configurations for things like account management, monitoring, logging, and incident response can be set once. Whether your workloads are running in multiple public clouds, a private cloud or even on-prem in virtual machines, you can adjust the security knobs once for all environments.
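As an added example (not code from the article or from Red Hat), here is a small Python audit that checks a set of Kubernetes manifests against the kind of portable baseline described above: the least-privilege RBAC point from the hygiene list, a default-deny NetworkPolicy in every namespace, and the `restricted` Pod Security Standard. The manifests are constructed sample data standing in for what you would export from any cluster or read from a Git repository; the specific checks and the `restricted` threshold are this example's assumptions about what the baseline should require.

```python
"""Audit Kubernetes manifests against a portable security baseline.

Added example, not from the article. The checks encode a baseline the
article only describes in prose: least-privilege RBAC, default-deny
network posture, and the restricted Pod Security Standard. Because the
input is plain Kubernetes objects, the same audit runs unchanged against
any cluster, managed or self-hosted, which is the point of a scaffolding
whose knobs are set once.
"""
import sys
from typing import Dict, List

Manifest = Dict[str, object]

# Constructed sample data: the "payments" namespace follows the baseline,
# the "legacy" namespace does not. Real input would come from
# `kubectl get ... -o json` or from manifests checked into a repository.
SAMPLE_MANIFESTS: List[Manifest] = [
    {"kind": "Namespace", "metadata": {"name": "payments",
        "labels": {"pod-security.kubernetes.io/enforce": "restricted"}}},
    {"kind": "NetworkPolicy",
     "metadata": {"name": "default-deny", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"kind": "Role", "metadata": {"name": "app-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["get", "list"]}]},
    {"kind": "Namespace", "metadata": {"name": "legacy", "labels": {}}},
    {"kind": "Role", "metadata": {"name": "too-broad", "namespace": "legacy"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "legacy"}]},
]

READ_VERBS = {"get", "list", "watch", "*"}


def audit_rbac(manifests: List[Manifest]) -> List[str]:
    """Flag roles with wildcards or Secret read access, and cluster-admin bindings."""
    findings = []
    for m in manifests:
        kind = m.get("kind")
        meta = m["metadata"]
        name, ns = meta["name"], meta.get("namespace", "<cluster>")
        if kind in ("Role", "ClusterRole"):
            for rule in m.get("rules", []):
                wild = [f for f in ("apiGroups", "resources", "verbs") if "*" in rule.get(f, [])]
                if wild:
                    findings.append(f"{kind} {ns}/{name}: wildcard in {', '.join(wild)}")
                if "secrets" in rule.get("resources", []) and set(rule.get("verbs", [])) & READ_VERBS:
                    findings.append(f"{kind} {ns}/{name}: grants read access to Secrets")
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            if m.get("roleRef", {}).get("name") == "cluster-admin":
                subjects = ", ".join(
                    f"{s['kind']}:{s.get('namespace', '')}/{s['name']}" for s in m.get("subjects", []))
                findings.append(f"{kind} {name}: binds cluster-admin to {subjects}")
    return findings


def audit_namespaces(manifests: List[Manifest]) -> List[str]:
    """Require a restricted Pod Security label and a default-deny policy per namespace."""
    findings = []
    default_deny = set()
    for m in manifests:
        if m.get("kind") != "NetworkPolicy":
            continue
        spec = m.get("spec", {})
        # Empty podSelector + both policyTypes + no allow rules = default deny.
        if (spec.get("podSelector") == {}
                and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
                and not spec.get("ingress") and not spec.get("egress")):
            default_deny.add(m["metadata"]["namespace"])
    for m in manifests:
        if m.get("kind") != "Namespace":
            continue
        name = m["metadata"]["name"]
        labels = m["metadata"].get("labels", {})
        if labels.get("pod-security.kubernetes.io/enforce") != "restricted":
            findings.append(f"Namespace {name}: pod-security enforce label is not 'restricted'")
        if name not in default_deny:
            findings.append(f"Namespace {name}: no default-deny NetworkPolicy for ingress and egress")
    return findings


def audit(manifests: List[Manifest]) -> List[str]:
    """Run every baseline check and return the combined list of findings."""
    return audit_rbac(manifests) + audit_namespaces(manifests)


if __name__ == "__main__":
    results = audit(SAMPLE_MANIFESTS)
    for line in results:
        print(line)
    # Non-zero exit lets a CI pipeline gate a deployment on the baseline.
    sys.exit(1 if results else 0)
```

Running this as a pipeline step, or against each cluster's exported objects, gives one audit that behaves identically on every cloud and on-prem, so drift from the baseline shows up as a finding rather than as a misconfiguration discovered after an incident.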
Ultimately, you get a true turnkey approach to configuring cloud security. The result is more consistent and automated cloud security, fewer security misconfigurations, and less time and cost spent on manual security management. You also reduce the risk of data breaches and better protect the data your organization relies on to fulfill its mission.
John Osborne is a Chief Architect of North America public sector for Red Hat and a former infrastructure lead at Space and Naval Warfare Systems Center.