Public Cloud based IaaS and Security Automation - Intro

 Sanjay Basu

With the recent Equifax breach and Accenture leaving customer data unencrypted on AWS S3, security around the public cloud has again come to the forefront. The leading public cloud providers like AWS, Azure, GCP, IBM, and Oracle have a two-pronged strategy for securing their public Infrastructure-as-a-Service. These providers have segmented cloud security into the security controls of their underlying infrastructure and security in the customer-managed environments running on top of that infrastructure. The CSPs are directly responsible for the Security of the Cloud. For Security in the Cloud, they provide guidance to customers in the form of best-practices documentation, step-by-step how-tos, support contracts, and professional service engagements.

Cloud Security Responsibility Model

Every customer whether small, medium, or enterprise should follow what I call the three laws or fundamental tenets of cloud security.

1. Protect sensitive data at rest and in transit with encryption, tokenization, and obfuscation.

2. Use multi-factor authentication with restrictive identity access management policies and least privilege by default for access.

3. Build a robust Incident Response plan with embedded Disaster Recovery and Business Continuity.

Every set of tenets or laws should have a zeroth law (sic). In this case, the zeroth law is

0. Automate everything!

I like to start with the NIST guidelines for governance and security in private and public clouds, documented in NIST 800-144 (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf). For a standard security automation program spanning on-premises, private, and public cloud, I build up from there and follow the general guidelines from the Security Content Automation Protocol (SCAP) website (https://scap.nist.gov/index.html).
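As an added illustration (not the author's checklist, which is still to come, and not SCAP content), the following Python encodes tenets 1 and 2 as machine-checkable controls and runs them unattended over a small inventory, in the spirit of the zeroth law. The inventory and the bucket fields `default_encryption` and `tls_only` are constructed assumptions for this example; the IAM policy document format and the `aws:MultiFactorAuthPresent` condition key are real.

```python
import json
# Constructed sample inventory (not from the article): storage buckets and IAM policies.
INVENTORY = {
    "buckets": [
        {"name": "finance-exports", "default_encryption": None, "tls_only": False},
        {"name": "app-logs", "default_encryption": "aws:kms", "tls_only": True},
    ],
    "policies": [
        {"name": "AdminEverything", "document": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})},
        {"name": "ReadAppLogs", "document": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                           "Resource": "arn:aws:s3:::app-logs/*",
                           "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})},
    ],
}

def _as_list(value):
    # IAM allows a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]

def check_data_protection(bucket):
    """Tenet 1: data must be encrypted at rest and in transit (fields are constructed)."""
    findings = []
    if not bucket["default_encryption"]:
        findings.append(f"{bucket['name']}: no default encryption at rest")
    if not bucket["tls_only"]:
        findings.append(f"{bucket['name']}: plaintext transport not denied")
    return findings

def check_least_privilege(policy):
    """Tenet 2: flag Allow statements that grant wildcards or do not require MFA."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy["document"])["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action", []))):
            findings.append(f"{policy['name']}[{i}]: wildcard Action")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"{policy['name']}[{i}]: wildcard Resource")
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"{policy['name']}[{i}]: MFA not required")
    return findings

def audit(inventory):
    """Zeroth law: run every tenet check over the whole inventory, unattended."""
    findings = [f for b in inventory["buckets"] for f in check_data_protection(b)]
    findings += [f for p in inventory["policies"] for f in check_least_privilege(p)]
    return findings
```

Pointing `INVENTORY` at a real export of bucket settings and policy documents turns the same functions into a scheduled control that fails a build or raises a ticket, which is the automation the rest of the series builds toward.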

I start with the following checklist matrix:

...... To be continued
