How to integrate cloud security best practices into your SSI

Every organization that develops or integrates software needs a software security initiative (SSI)—that has been true for years. Security is, or ought to be, as important as function and features.

Now, given that the large majority of organizations have already migrated, or plan to migrate, some or all of their applications, storage, and workloads to the cloud, it is also true that cloud security needs to be integrated into that SSI.

After all, the threats and risks are as great, or even greater, in an environment where, as Synopsys product marketing manager Steven Cohen put it last year, “the cloud interfaces with just about every application and corresponding infrastructure stack in existence.”

The list of possible vulnerabilities that are common to both on-premises and cloud environments is well-known, but worth repeating. It includes weak identity, credential, and access management, insecure APIs, insufficient due diligence, lack of encryption, and malicious insiders.

Vulnerabilities specific to the cloud exist largely because using a cloud services provider (CSP) means you’re not the only customer. It means shared tenancy, multiple users on the same stack, and shared technology vulnerabilities.

All of which makes for a very large, very attractive attack surface for hackers and can enable the usual list of very bad things: data breaches and data loss, account hijacking, advanced persistent threats (APTs), abuse and nefarious use of cloud services, denial of service, and ransomware.

But you can make the cloud a much safer place by making cloud security best practices part of your SSI. And there are roadmaps to help you do it.

How to start securing your cloud

Cohen, who has researched building security into cloud migration of workloads, has offered a number of recommendations for cloud security best practices.

For starters, it is crucial to “integrate application security testing and other vulnerability scanning capabilities into the deployment cycle, including scanning containers if they are used,” he said. In other words, find and fix vulnerabilities in applications before they are up and running in the cloud.

There are multiple tools available to do so—a veritable alphabet soup of acronyms, including SCA (software composition analysis), SAST (static application security testing), DAST (dynamic application security testing), and IAST (interactive application security testing).

For those using a public cloud, it should also be mandatory to use a leading IaaS (infrastructure as a service) provider, whose built-in capabilities can improve the protection of public cloud workloads.

Because, as Cohen notes, the results are worth it: “Through 2020, workloads that exploit public cloud IaaS capabilities to improve security protection will suffer at least 60% fewer security incidents than those in traditional data centers,” he said.

Security in the cloud will also benefit from a strong DevSecOps culture. Cohen said many organizations “engineer their own platform-as-a-service (PaaS) stacks to provide a layer of abstraction between their applications and public IaaS offerings. This essentially allows them to retain control and independence while reaping the benefits of cloud economics.”

Cloud security best practices

Beyond those basics, here is a useful list of cloud security best practices your SSI should include.

  • Configuration. CSPs have platform-layer controls. Your organization must use them and make sure you have configured them correctly to secure workloads.
  • Strong IAM. Identity and access management provides a crucial layer of security on-premises. It’s just as crucial in the cloud, where CSPs offer IAM services that you can integrate with your existing systems.
  • Automation. This is where a strong DevSecOps culture matters most. Automation can cut the cost of implementing security programs. Applications can “take advantage of cloud APIs to resolve issues automatically and return to full production status without requiring manual effort,” Cohen said. This doesn’t eliminate the need for humans—design and security assessments still require security experts. But “large CSPs, such as Amazon, Microsoft, and Google, are bringing native security services into their platforms to meet this need.”
  • Microsegmentation. This means grouping nodes in cloud environments by logical function, to improve security. The benefit is obvious: If hackers breach one area, that doesn’t mean they have breached them all.
  • Secure APIs. Application programming interfaces are useful for multiple good things—improved efficiency, agility, orchestration, and consolidation of products and tools. But they can also be a security nightmare. Wireless giant T-Mobile and even the recent RSA security conference were both hacked thanks to “leaky” APIs. It is crucial to vet them properly. “Assigning a broad range of permissions to an API creates the potential for an attack to have a large impact on an organization’s applications, data, and assets,” Cohen said.
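The Configuration, Strong IAM, and Secure APIs items above all come down to the same check: what does a policy actually grant? The following is an added example, not code from the article or from Synopsys. It is a small Python audit over IAM-style policy documents (the common JSON shape with Effect, Action, and Resource fields) that flags Allow statements using wildcard actions or wildcard resources, the kind of broad grant Cohen warns about. The two policy documents are constructed for illustration, and the high/medium severity scale is an assumption of the example.

```python
"""
Added example (not from the article): audit IAM-style policy documents
and flag Allow statements that grant broad permissions. The policy shape
(Effect / Action / Resource) mirrors the common JSON format; the sample
policies below are constructed for illustration only.
"""
import json
from typing import Any

# Constructed sample: an over-broad policy (every action on every resource).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed sample: the same workload scoped to one action on one prefix,
# plus an explicit Deny. Deny statements narrow access and are not flagged.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/reports/*",
        },
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
})


def _as_list(value: Any) -> list:
    """Policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action: str) -> bool:
    # "*" grants everything; "service:*" grants every action in one service.
    return action == "*" or action.endswith(":*")


def audit_policy(policy_json: str) -> list:
    """Return one finding dict per risky Allow statement (empty list if clean)."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if _is_wildcard_action(a)]
        wildcard_resources = [r for r in resources if r == "*"]
        if wildcard_actions or wildcard_resources:
            # Assumed scale: both wildcards together is the worst case.
            severity = "high" if wildcard_actions and wildcard_resources else "medium"
            findings.append({
                "statement": idx,
                "severity": severity,
                "wildcard_actions": wildcard_actions,
                "wildcard_resources": wildcard_resources,
            })
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(doc))
```

Run as a script to see the findings for both constructed policies. A check like this belongs in the deployment pipeline the article describes, next to SCA/SAST/DAST scanning, so that an over-broad policy fails review before the workload reaches the cloud; the same normalization (`_as_list`) is what keeps single-string and list-valued fields from being treated differently.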

Finally, keep in mind that you can do all that and still be vulnerable if you ignore one of the most basic fundamentals of security: Keep up-to-date. Know what you’re running, and keep track of reported vulnerabilities and patches.

Cloud security starts with software security

In the end, cloud security best practices aren’t much different from any security best practices. Cohen said the statistics make it clear: The overwhelming majority of security breakdowns won’t be the CSP’s fault; they’ll be the result of organizations failing to patch and update.

“Through 2020, 95% of cloud security failures will be the customer’s fault,” he said. “And 99% of vulnerabilities exploited will continue to be ones known of by security and IT professionals for at least one year.”

Posted by

Taylor Armerding

Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.
