Cloud Security Series #1

What is a Cloud Security Posture?

Wondering what goes into cloud infrastructure security? Years of experience helped me put together this quite comprehensive list.

1. Access Control

– Establish Centralized Infrastructure Access (User Directory, SSO);
– Implement Role-Based / Permission-based Access Control;
– Apply the Principle of Least Privilege when granting and reviewing access (no standing wildcard permissions);
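A concrete way to check the last two bullets is to lint every policy before it is attached. The script below is an added example, not code from this post; it assumes the AWS IAM policy JSON layout (Statement / Effect / Action / Resource / Condition), and the two policies in it are constructed samples, not real ones.

```python
"""Least-privilege lint for IAM policy documents (added example, not from the post).

Assumes the AWS IAM policy JSON layout; the sample policies below are constructed.
"""
import json


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, severity, issue) for each Allow statement broader than least privilege.

    Deny statements only narrow access, so they are skipped.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions,
            # including services that did not exist when the policy was written.
            findings.append((sid, "high", "Allow with NotAction grants all unlisted actions"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "high", "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((sid, "medium", f"Action '{action}' grants the whole service"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources and not stmt.get("Condition"):
            # Some list/describe calls genuinely require Resource "*", so this is
            # a review item rather than an automatic failure.
            findings.append((sid, "low", "Resource '*' without a Condition"))
    return findings


# Constructed samples: an "admin" policy and a scoped read-only one.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3Any", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy))
```

Run it in CI against every policy in the repository and fail the build on any "high" finding; "low" findings on Resource "*" are worth a human look because a handful of read-only API calls only work with a wildcard resource.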

2. Administrative Tasks

– Block Unused Services, Resources, Regions;
– Deny Public Access to Everything (Network, Hosts, Workloads, Storage, Databases), Allow by Exception;
– Create and Manage a Set of Encryption Keys in a managed key service (KMS), with rotation and per-key access policies;

3. Data Encryption

– Encrypt Data at All Levels (Storage, Databases, Backups and Snapshots) – “At-Rest encryption”;
– Encrypt Data Transmission with TLS (1.2 or newer; SSL and early TLS are obsolete and must stay disabled) – “In-Transit encryption”;

4. Data Confidentiality

– Organize Secret Storage for all API Keys, Tokens, Passwords, etc (“Application Secrets”);
– Ensure Data Record Confidentiality (no unnecessary or unprotected PII/PHI in database records, and none at all in application and service logs);
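Keeping PII out of logs is easiest to enforce in the logging pipeline itself rather than hoping every developer remembers. The filter below is an added example, not code from this post; its pattern set (e-mail addresses, the US SSN layout, Luhn-valid card numbers, bearer tokens) is a starting point rather than a complete PII inventory, and the log lines in it are constructed.

```python
"""Redact PII and credentials before a log record reaches any handler.

Added example, not from the original post. The patterns below are a starting
set; the sample messages are constructed.
"""
import io
import logging
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits with optional single spaces/dashes between them, as printed on cards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
BEARER_RE = re.compile(r"(bearer\s+)[A-Za-z0-9\-._~+/]+=*", re.IGNORECASE)


def luhn_valid(digits):
    """Luhn checksum: true for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _card_sub(match):
    # Only redact digit runs that pass Luhn, so order numbers and request IDs
    # of similar length stay readable (fewer false positives in the logs).
    digits = re.sub(r"[ -]", "", match.group(0))
    return "[CARD]" if luhn_valid(digits) else match.group(0)


def redact(text):
    """Replace PII and secrets in text with fixed placeholders."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = BEARER_RE.sub(r"\1[REDACTED]", text)
    text = SSN_RE.sub("[SSN]", text)
    text = CARD_RE.sub(_card_sub, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message before the handler writes it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # arguments are already interpolated into msg
        return True


def capture_log(message, *args):
    """Log one message through the filter and return what was written."""
    stream = io.StringIO()
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    logger.removeHandler(handler)
    return stream.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample: a line a payment handler might carelessly emit.
    print(capture_log("user %s paid with %s, token Bearer %s",
                      "alice@example.com", "4111 1111 1111 1111", "eyJabc.def"))
```

Attach the filter to the root handler in production so it covers third-party libraries too, and treat a redaction hit as a bug to fix at the source: the filter is the safety net, not the design.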

5. Data Backup and Recovery

– Establish Data Classification and Data Retention Policies;
– Establish Data Backup and Recovery Procedures, and test restores on a schedule (an untested backup is not a backup);

6. Vulnerability Management System (“VMS”)

– Scan container images, applications, hosts for Vulnerabilities;
– Perform Regular Host and Container Security Patching and Version Upgrades;

7. Observability

– Implement Centralized Logging (from cloud services and applications);
– Configure Alerts on Critical and High-Severity Security Events, including VMS findings;

8. Data Cleanliness and Integrity

– Implement Antivirus Scanning on container images, Hosts, Cloud Storage, User-generated content;
– Implement Data Integrity Monitoring (files and data records);
– Establish monitoring of Data Exfiltration and Data Tampering;

9. Network Security

– Implement Network Isolation of System Components (VLAN/VPC);
– Activate and Configure Network Firewall;
– Maximize Placement of Cloud Resources in Private Subnets;
– Restrict Access to Network Ports via Security Groups, NACL;
– Prohibit Remote Administrative Access (SSH, RDP) from Broad Source Ranges such as 0.0.0.0/0;
– Implement WAF and DDoS Protection on Web and Network Endpoints;
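The security-group and "broad range" bullets above turn into a mechanical audit once you have the rule set in hand. The script below is an added example, not code from this post; it assumes the shape that AWS EC2 DescribeSecurityGroups returns (GroupId, IpPermissions, IpRanges, Ipv6Ranges), and the groups in it are constructed samples rather than a real account.

```python
"""Audit security-group ingress for world-reachable or broad source ranges.

Added example, not from the original post. Assumes the DescribeSecurityGroups
response shape; the sample groups are constructed.
"""
import ipaddress

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}
WORLD = ("0.0.0.0/0", "::/0")
BROAD_PREFIX_V4 = 16  # anything shorter than /16 counts as a broad range
BROAD_PREFIX_V6 = 48


def _rule_ports(perm):
    """Return (label, port_range) for one IpPermission; protocol -1 is everything."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all", range(0, 65536)
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or lo < 0:  # e.g. ICMP type/code, not TCP/UDP ports
        return f"{proto}/*", range(0)
    hi = lo if hi is None else hi
    label = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
    return label, range(lo, hi + 1)


def _scope(cidr):
    """Classify a source range as world, broad, or specific."""
    if cidr in WORLD:
        return "world"
    net = ipaddress.ip_network(cidr, strict=False)
    limit = BROAD_PREFIX_V4 if net.version == 4 else BROAD_PREFIX_V6
    return "broad" if net.prefixlen < limit else "specific"


def find_open_ingress(groups):
    """Return (group_id, cidr, ports, severity) for rules that need attention.

    critical: world or broad source reaching an admin/database port or all ports
    review:   world-reachable on any other port (public only by exception)
    """
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            label, ports = _rule_ports(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sensitive = label == "all" or any(p in ports for p in SENSITIVE_PORTS)
            for cidr in cidrs:
                scope = _scope(cidr)
                if scope == "specific":
                    continue  # a narrow source range is the intended state
                if sensitive:
                    findings.append((gid, cidr, label, "critical"))
                elif scope == "world":
                    findings.append((gid, cidr, label, "review"))
    return findings


# Constructed sample groups in DescribeSecurityGroups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "172.16.0.0/12"}]}]},
    {"GroupId": "sg-win", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for finding in find_open_ingress(SAMPLE_GROUPS):
        print(*finding)
```

Feed it the real response from your cloud API (a pagination loop over DescribeSecurityGroups) and run it on a schedule; the "review" class is where the allow-by-exception list lives, so every entry there should map to a documented exception.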

10. Maintenance Mode and Failover Protection

– Implement System Maintenance Mode Switch;
– Failover Protection: Set up Backup Environment and Implement Automatic Failover Switch.

See anything missing? 🕵‍♂️
How would you prioritize these items, and why? 🤔
