What’s a Security Posture?
Wonder what goes into Cloud Infrastructure Security? Years of experience helped me put together this quite comprehensive list.
1. Access Control
– Establish Centralized Infrastructure Access (User Directory, SSO);
– Implement Role-Based / Permission-based Access Control;
– Leverage Principle of Least Privilege when establishing and authorizing access;
2. Administrative Tasks
– Block Unused Services, Resources, Regions;
– Deny Public Access to Everything (Network, Hosts, Workloads, Storage, Databases), Allow by Exception;
– Create and Manage a Set of Encryption Keys;
3. Data Encryption
– Encrypt Data at All Levels (Storage, Databases) – “At-Rest encryption”;
– Encrypt Data Transmission with SSL/TLS Certificates – “In-Transit encryption”;
4. Data Confidentiality
– Organize Secret Storage for all API Keys, Tokens, Passwords, etc (“Application Secrets”);
– Ensure Data Record Confidentiality (no PII/PHI in database records, application and service logs);
5. Data Backup and Recovery
– Establish Data Classification and Data Retention Policies;
– Establish Data Backup and Recovery Procedures;
6. Vulnerability Management System (“VMS”)
– Scan container images, applications, hosts for Vulnerabilities;
– Perform Regular Host and Container Security Patching and Version Upgrades;
7. Observability
– Implement Centralized Logging (from cloud services and applications);
– Configure Alerts on Critical and High Impact VMS Events;
8. Data Cleanliness and Integrity
– Implement Antivirus Scanning on container images, Hosts, Cloud Storage, User-generated content;
– Implement Data Integrity Monitoring (files and data records);
– Establish monitoring of Data Exfiltration and Data Tampering;
9. Network Security
– Implement Network Isolation of System Components (VLAN/VPC);
– Activate and Configure Network Firewall;
– Maximize Placement of Cloud Resources in Private Subnets;
– Restrict Access to Network Ports via Security Groups, NACL;
– Prohibit Remote Access from Broad Range Networks;
– Implement WAF and DDoS Protection on Web and Network Endpoints;
10. Maintenance Mode and Failover Protection
– Implement System Maintenance Mode Switch;
– Failover Protection: Set up Backup Environment and Implement Automatic Failover Switch.
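Items 2 and 9 above ("Deny Public Access to Everything, Allow by Exception", "Restrict Access to Network Ports via Security Groups", "Prohibit Remote Access from Broad Range Networks") can be turned into an automated posture check. The script below is an added example, not from the original post: it audits a constructed, AWS-style list of security-group ingress rules (field names, the /16 "broad range" threshold and the exception list are all assumptions) and reports every rule that violates those three items.

```python
"""Posture check for the network-security items: flag security-group
ingress rules that expose ports publicly without an approved exception,
or open remote-admin ports to broad networks. IPv4 only, sample data."""
import ipaddress

# RFC 1918 ranges; anything not fully inside one of them counts as "public"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Remote-admin ports that must never be reachable from broad ranges
ADMIN_PORTS = {22, 3389}
# Prefixes this short or shorter are "broad" for remote access (assumed threshold)
BROAD_PREFIX = 16
# "Allow by Exception": the only approved public ingress (constructed)
PUBLIC_EXCEPTIONS = {("sg-web-lb", 443)}

# Constructed inventory of security-group ingress rules (not a real account)
RULES = [
    {"sg": "sg-web-lb", "port": 443, "cidr": "0.0.0.0/0"},
    {"sg": "sg-web-lb", "port": 80, "cidr": "0.0.0.0/0"},
    {"sg": "sg-bastion", "port": 22, "cidr": "0.0.0.0/0"},
    {"sg": "sg-bastion", "port": 22, "cidr": "10.0.0.0/8"},
    {"sg": "sg-db", "port": 5432, "cidr": "10.20.0.0/24"},
    {"sg": "sg-rdp", "port": 3389, "cidr": "203.0.113.0/24"},
]


def is_public(cidr):
    """True when the source range is not entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(private) for private in RFC1918)


def check_rule(rule):
    """Return the posture findings for a single ingress rule (empty if compliant)."""
    findings = []
    net = ipaddress.ip_network(rule["cidr"], strict=False)
    if is_public(rule["cidr"]) and (rule["sg"], rule["port"]) not in PUBLIC_EXCEPTIONS:
        findings.append("public ingress without approved exception")
    if rule["port"] in ADMIN_PORTS and net.prefixlen <= BROAD_PREFIX:
        findings.append("remote-admin port open to broad range")
    return findings


def audit(rules):
    """Map 'sg:port:cidr' to its findings, listing only non-compliant rules."""
    report = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            report[f"{rule['sg']}:{rule['port']}:{rule['cidr']}"] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in audit(RULES).items():
        print(rule_id, "->", "; ".join(findings))
```

The approved 443 rule on the load-balancer group passes, while the bastion's world-open SSH rule fails both checks and its 10.0.0.0/8 rule still fails the broad-range check.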
See anything missing? 🕵♂️
How would you prioritize these items, and why? 🤔