Benefits and risks of cloud environments
Cloud services offer a variety of IT and security benefits that include but are not limited to:
- Increased speed for quick deployments
- Cost reduction on equipment maintenance
- Scalability
- Efficient backup and resilience solutions
- Mobility (access from any location)
However, the benefits of cloud solutions come with IT and cybersecurity risks. The increased complexity of cloud software or infrastructure as a service contributes to IT and cybersecurity challenges. Some of those challenges include:
- Inadequate cloud solution management skills
- Misconfigurations due to a lack of or inconsistent development processes
- Assigning ownership of and responsibility for security controls
- Compliance with industry and regulatory standards
- Limitations of cloud security controls
Evaluating cloud security controls
Many organizations need help understanding and addressing their cloud security challenges and associated risks. Undergoing an independent cloud security controls evaluation performed either internally or by a qualified consulting firm is an excellent, proactive step. Such an evaluation of cloud security controls should review the design of policy and procedure requirements as well as the effectiveness of configured security controls.
Common IT and cybersecurity control frameworks that apply to cloud environments and should be considered during an evaluation include:
- The National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF)
- The Center for Internet Security (CIS) Critical Security Controls
- The International Organization for Standardization (ISO) frameworks ISO/IEC 27001 and 27002
Additionally, on May 12, 2021, President Biden issued Executive Order 14028, initiating the Secure Cloud Business Applications (SCuBA) project to be spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA). The objective of the SCuBA project was to establish a consistent, effective, modern, and manageable way to perform continual evaluations to verify security controls and configurations.
CISA achieved this goal when it released two initial cloud guidance documents that will help organizations implement cloud security and resilience practices. These guidelines can be used for the evaluation of cloud security controls. Organizations can use SCuBA Technical Reference Architecture (TRA) to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero-trust frameworks. To help identify visibility data that can be used to mitigate threats, determine which products and services can provide that visibility data, and identify potential visibility gaps, organizations can refer to the Extensible Visibility Reference Framework (eVRF) Guidebook.
Strengthening cloud security controls
As organizations move more of their operations and data to cloud solutions, administrators need to understand the tools they have at their disposal to help harden and secure their cloud environments. Administrators should implement a configuration management program to set policy requirements to automatically configure, enforce, and report the status of cloud security controls and information systems hosted within cloud environments.
Cloud platforms such as Microsoft Azure™ and Amazon Web Services™ (AWS) also offer security configuration guides and cloud security control reporting solutions to help organizations determine their overall compliance with industry or regulatory security standards.
The following tools can help organizations assess the security posture of their cloud environments:
Given that the shift in workplace arrangements has occurred in a relatively short period of time, every organization operating in the cloud should take the time to document a configuration management plan that includes procedures to periodically evaluate its security standards. This plan is critical because cloud security controls are consistently evolving as new security features are released by cloud vendors. Documenting configured cloud security control standards is also necessary for maintaining consistency across cloud environments and hosted information systems.
Security controls to strengthen cloud environments might consist of account restrictions (such as separation of duties, least privilege, and need-to-know), multifactor authentication, complex password controls, reduced administrative accounts, strong encryption for data at rest and in transit, and geoblocking devices and access outside of approved locations.
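The configuration management program described above is expected to report the status of exactly these controls. As an added example (not from the original article or from any cloud vendor), the following Python evaluator checks a small account and storage inventory against the controls just listed: administrative account count, multifactor authentication, password policy, encryption at rest and in transit, and sign-ins from unapproved locations. The inventory schema, the policy thresholds, and the sample data are constructed assumptions, not any provider's real API output.

```python
# Added example (not from the original article): a small compliance evaluator
# that checks a cloud account/storage inventory against the controls listed
# above. The inventory schema, thresholds and sample data are constructed
# assumptions, not any provider's real API output.
from dataclasses import dataclass

# Assumed policy thresholds for this example.
APPROVED_COUNTRIES = {"US", "CA"}   # geoblocking: sign-ins allowed only from here
MAX_ADMIN_ACCOUNTS = 2              # "reduced administrative accounts"
MIN_PASSWORD_LENGTH = 14            # "complex password controls"


@dataclass(frozen=True)
class Account:
    name: str
    is_admin: bool
    mfa_enabled: bool
    password_min_length: int   # minimum length enforced by the account's password policy
    last_signin_country: str   # ISO 3166 alpha-2 code of the most recent sign-in


@dataclass(frozen=True)
class Storage:
    name: str
    encrypted_at_rest: bool
    tls_required: bool         # rejects plaintext (non-TLS) client connections


@dataclass(frozen=True)
class Finding:
    control: str
    resource: str
    detail: str


def evaluate_accounts(accounts):
    """Return findings for the admin-count, MFA, password policy and geoblocking controls."""
    findings = []
    admins = [a for a in accounts if a.is_admin]
    if len(admins) > MAX_ADMIN_ACCOUNTS:
        findings.append(Finding("ADMIN_COUNT", "tenant",
                                f"{len(admins)} admin accounts exceed limit of {MAX_ADMIN_ACCOUNTS}"))
    for a in accounts:
        if not a.mfa_enabled:
            findings.append(Finding("MFA", a.name, "multifactor authentication not enforced"))
        if a.password_min_length < MIN_PASSWORD_LENGTH:
            findings.append(Finding("PASSWORD_POLICY", a.name,
                                    f"minimum length {a.password_min_length} < {MIN_PASSWORD_LENGTH}"))
        if a.last_signin_country not in APPROVED_COUNTRIES:
            findings.append(Finding("GEOBLOCK", a.name,
                                    f"sign-in from unapproved location {a.last_signin_country}"))
    return findings


def evaluate_storage(stores):
    """Return findings for the encryption at rest and encryption in transit controls."""
    findings = []
    for s in stores:
        if not s.encrypted_at_rest:
            findings.append(Finding("ENCRYPTION_AT_REST", s.name, "encryption at rest disabled"))
        if not s.tls_required:
            findings.append(Finding("ENCRYPTION_IN_TRANSIT", s.name, "plaintext connections allowed"))
    return findings


def compliance_report(accounts, stores):
    """Aggregate findings into the status report a configuration management program would publish."""
    findings = evaluate_accounts(accounts) + evaluate_storage(stores)
    return {
        "resources_checked": len(accounts) + len(stores),
        "findings": findings,
        "failed_controls": sorted({f.control for f in findings}),
        "compliant": not findings,
    }


# Constructed sample inventory (not real data); "XX" is a placeholder for an unapproved country.
SAMPLE_ACCOUNTS = [
    Account("alice", is_admin=True, mfa_enabled=True, password_min_length=16, last_signin_country="US"),
    Account("bob", is_admin=True, mfa_enabled=False, password_min_length=16, last_signin_country="US"),
    Account("carol", is_admin=False, mfa_enabled=True, password_min_length=8, last_signin_country="CA"),
    Account("dave", is_admin=True, mfa_enabled=True, password_min_length=16, last_signin_country="XX"),
]
SAMPLE_STORAGE = [
    Storage("app-data", encrypted_at_rest=True, tls_required=True),
    Storage("backups", encrypted_at_rest=False, tls_required=False),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_ACCOUNTS, SAMPLE_STORAGE)
    print(f"compliant={report['compliant']} failed={report['failed_controls']}")
    for f in report["findings"]:
        print(f"  [{f.control}] {f.resource}: {f.detail}")
```

On the sample inventory the report is non-compliant with six findings across all six controls; feeding it a real inventory means replacing the constructed lists with data pulled from the provider's own configuration and sign-in reporting. Keeping each control as a named check with a stable identifier is what makes the periodic re-evaluation described below comparable from one run to the next.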
Continual evaluations of cloud security controls are critical for staying current with security best practices. A continuous monitoring strategy helps organizations keep up to date with the release of new cloud security controls. Strategies include:
- Monitoring new product and software releases from cloud providers, typically via email
- Periodically evaluating best-practice configurations and benchmarks released by authoritative vendors such as CISA and CIS
- Integrating security control evaluations for new or major enhancements within the project management office
The future is here
Cloud computing is the future of organizational infrastructure. With strong cloud security controls in place, organizations can reap the benefits of this technology while keeping their data safe.