This blog post was contributed by Paul Friend, Security Account Director at The Missing Link. It was originally posted on his LinkedIn profile. You can view it here.
If anything, recent breaches have highlighted that even with many other security controls in place, cloud workloads, databases, API’s and SaaS Application security remain an issue for organisations. Why is this?
It certainly seems that there is a misunderstanding of our shared responsibility for security when it comes to cloud services and SaaS applications. Considering the adoption of cloud, recent breaches seem to indicate that organisations are ill-prepared to protect their cloud systems (and customer data) from compromise, often relying on legacy security controls to protect their modern workloads, containers, and SaaS applications or believing that their cloud service provider or third parties will take care of security.
Many organisations have no way to govern their external partners to ensure security best practices, compliance mandates, and corporate cyber policies are being followed.
Securing a modern cloud centric organisation requires controls across the User Plane, Control Plane, and the Data Plane:
1. User Plane - Protect the user or customer profile, for example by:
- Identifying and protecting high-risk individuals.
- Delivering security education for users and providing security guidance for customers.
- Using strong authentication, to ensure onboarded users are who they say they are.
- Deploying MFA and investigating passwordless options that suit your business or your customers.
- Managing the lifecycle of your user access to ensure the right person has access to the right resource, at the right time.
- Using behavioural analytics and insider threat technologies to ensure even legitimate insiders are using the systems as authorised.
2. Control Plane - Protect workloads, containers, and SaaS applications, for example by:
- Regularly assessing configurations of these cloud instances and applications against best practice and corporate policy to detect vulnerabilities and configuration drift.
- Regularly assessing your applications and workloads against your corporate and regulatory compliance standards.
- Deploying cloud-native security controls such as run-time protection for modern workloads such as containers and workloads as code.
- Integration of security controls with ticketing systems to track and streamline the remediation of misconfigurations.
3. Data Plane - Knowing where your crown jewels are and protecting them, for example by:
- Assessing where your most important data is so you can adequately protect it.
- Assessing data access configuration, ensuring the right users/roles have the right access & stop data exposures to the external world.
- Only keeping data that is absolutely necessary.
- Identify all third parties connected to your SaaS Platforms and create an approved/deny list.
- Continuously assessing custom platform code for vulnerabilities.
- Encryption of data where possible.
In summary, addressing the problem of cloud security does not need to be a complicated matter, it requires protecting our users from compromise, continuously assessing the security and compliance posture of our cloud services, and ensuring our SaaS applications are correctly configured to protect the data they process and store.
