CLOUD SECURITY - SECURING CLOUD STRATEGIES

Securing Cloud Strategies

Organisations in Singapore and around the world have adopted cloud computing as a key enabler of their digital transformation journey, which the COVID-19 pandemic accelerated. Cloud computing offers organisations attractive benefits, from reduced IT maintenance cost to system scalability and the capability to innovate, yet it also introduces cybersecurity and compliance challenges that have to be addressed. With many high-profile breaches and leaks of sensitive data traced to insecure cloud setups reported in recent months, companies are forced to re-evaluate their cloud readiness, architecture and security.

The following five areas should be considered by organisations to better prevent future cloud data leaks:

  1. Responsibility
    In some cases, a “shared responsibility model” is not well defined between companies and partners in their cloud ecosystems, causing loopholes in business processes that eventually lead to security incidents in the cloud. In its simplest terms, the cloud shared responsibility model denotes that cloud service providers (CSPs) are responsible for the security of the cloud (the physical facilities, the hypervisors and the provider's own services) and customers are responsible for security in the cloud, that is, for the data they put there and for how they configure what they use. Customer responsibilities depend on the type of deployment: under IaaS the customer still patches the guest operating system and configures the network, under PaaS the platform is patched by the provider but application code, identities and data remain the customer's, and under SaaS the customer's share is largely identities, access rights and the data itself. To build a shared responsibility model, organisations and vendors must clearly define each entity's responsibilities, work together to establish, and constantly update, business processes to minimise loopholes, and create mechanisms to help quickly identify and respond to cloud-related incidents in a collaborative way.

  2. Visibility
    Visibility over data and IT assets is basic cyber hygiene and one of the few structural advantages defenders hold over attackers: the defender can know the environment completely, while the attacker has to discover it. However, many companies have limited visibility into what applications are running in their cloud, what data they have there, and who has access to the data and applications. Organisations could consider an existing technical solution such as a Cloud Access Security Broker (CASB) to increase their visibility into cloud activities. A CASB can provide visibility into user actions and resource activities and, more importantly, into what services are running and what data is at risk, so that companies can track who did what, from where, and when it happened. Companies should consider gaining a greater understanding of their cloud environment using a cloud discovery tool; apply continuous monitoring and automation to discover the provisioning and de-provisioning of cloud resources (the provider's management-plane audit log is the primary source for this); and locate where key assets are in the cloud and identify the potential legal, compliance and privacy requirements that apply to them.

  3. Governance
    Business processes, policies and standards have yet to be designed to support the rapidly growing cloud landscape, taking into consideration the myriad industry, data privacy and other requirements. The Personal Data Protection Act (PDPA), for example, introduces new and significant requirements such as mandatory breach notification. Various data privacy regulations also require data localisation or restrict data transfer to certain jurisdictions, which in a cloud context means the region in which a service stores and processes data must be a deliberate choice rather than a default. Security and its operating model should grow at the speed of the business. The nature of the cloud dictates that each platform has to be treated differently to secure it effectively, and doing so at scale across multiple cloud providers requires cloud service provider-specific processes and policies, with the corresponding implementation and operations patterns defined for each. Companies should implement a strategic, enterprise-wide approach to overseeing, managing and securing vital data, and decide how to apply it in a multi-cloud environment.

  4. Secure Design
    Security should be a conversation that starts at the design phase. Building a cloud landing zone, defined as a pre-configured environment with a standard set of secured cloud infrastructure, policies, best practices, guidelines and centrally managed services, plays a big role. Having a defined secure landing zone also helps application teams get to the cloud faster with security already embedded.

    The following are key design elements to be considered for a secure landing zone:

    • Multi-account approach to provide the highest level of resource and security isolation (a compromised or misconfigured workload in one account cannot reach resources in another without an explicit cross-account grant)
    • Fine-grained Role Based Access Control to support least privilege, separation of duties and data abstraction
    • Data protection utilising the encryption services provided by cloud vendors, for data at rest and in transit
    • Cyber-attack readiness, taking advantage of cloud-native services that protect workloads against common attacks
    • Centralised security monitoring for early detection and quick response

  5. Automation
    Given the speed and elasticity of cloud operations, it is no longer possible to secure the cloud manually and separately from DevOps. Companies should automate the deployment and operations aspects of the cloud, especially DevOps, by automating core security tasks, including secure orchestration and provisioning, vulnerability management, patch management, continuous integration and deployment, the security helpdesk, and security metrics generation and reporting. In practice this means expressing the landing zone's controls as code and checking every change against them in the pipeline before it is deployed, so that a misconfiguration is rejected automatically instead of being found later by a human review. With these steps, organisations can not only improve their cloud security, but also build a more resilient data system that creates competitive advantages in an increasingly digital world.
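The "who did what, from where, and when" tracking described under Visibility (section 2) is, at its core, a replay of the provider's audit log. The script below is an added example, not code from the original article or from any CASB product: it assumes AWS CloudTrail-style JSON records, builds an inventory of provisioned and de-provisioned resources, and flags provisioning by the root account or outside an approved region. The sample events, the approved-region set and the event-name tables are constructed for the example.

```python
"""Who did what, from where, and when: a resource inventory built from cloud audit logs.

This is an added example, not code from the original article or from any CASB
product. It assumes AWS CloudTrail-style JSON records; the sample events, the
approved-region set and the event-name tables are constructed for the example."""
from __future__ import annotations

# Assumption: the organisation only approves deployments into this region.
APPROVED_REGIONS = {"ap-southeast-1"}

# API calls that create or destroy a resource (subset chosen for the example).
PROVISIONING = {"RunInstances", "CreateBucket"}
DEPROVISIONING = {"TerminateInstances", "DeleteBucket"}


def actor(event: dict) -> str:
    """Readable principal name; use of the root account is called out explicitly."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or "unknown"


def resource_id(event: dict) -> str | None:
    """Pull the instance id or bucket name out of the record, if the call has one."""
    name = event.get("eventName")
    if name == "RunInstances":  # new instance ids appear in the response
        items = event.get("responseElements", {}).get("instancesSet", {}).get("items", [])
        return items[0]["instanceId"] if items else None
    if name == "TerminateInstances":  # targeted ids appear in the request
        items = event.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        return items[0]["instanceId"] if items else None
    if name in ("CreateBucket", "DeleteBucket"):
        return event.get("requestParameters", {}).get("bucketName")
    return None


def build_inventory(events: list[dict]) -> dict[str, dict]:
    """Replay events in time order and record each resource's lifecycle."""
    inventory: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        rid = resource_id(ev)
        if rid is None:
            continue  # read-only or unrelated call, e.g. DescribeInstances
        if ev["eventName"] in PROVISIONING:
            inventory[rid] = {
                "created_by": actor(ev),
                "created_at": ev["eventTime"],
                "source_ip": ev.get("sourceIPAddress"),
                "region": ev.get("awsRegion"),
                "active": True,
                "deleted_at": None,
            }
        elif ev["eventName"] in DEPROVISIONING and rid in inventory:
            inventory[rid]["active"] = False
            inventory[rid]["deleted_at"] = ev["eventTime"]
    return inventory


def find_anomalies(events: list[dict], approved_regions: set[str] = APPROVED_REGIONS) -> list[str]:
    """Flag provisioning done by the root account or outside the approved regions."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in PROVISIONING:
            continue
        who, where, when, ip = actor(ev), ev.get("awsRegion"), ev["eventTime"], ev.get("sourceIPAddress")
        if who == "root":
            findings.append(f"{when}: root account created {resource_id(ev)} from {ip}")
        if where not in approved_regions:
            findings.append(f"{when}: {who} created {resource_id(ev)} in unapproved region {where}")
    return findings


# Constructed sample records (field names follow CloudTrail; values are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2021-05-03T08:12:44Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0a1b2c3d4e5f6a7b8"}]}}},
    {"eventTime": "2021-05-03T09:01:02Z", "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "Root"},
     "requestParameters": {"bucketName": "customer-exports"}},
    {"eventTime": "2021-05-03T12:30:00Z", "eventName": "DescribeInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2021-05-03T17:45:10Z", "eventName": "TerminateInstances", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0a1b2c3d4e5f6a7b8"}]}}},
]

if __name__ == "__main__":
    for rid, info in build_inventory(SAMPLE_EVENTS).items():
        print(rid, info)
    for line in find_anomalies(SAMPLE_EVENTS):
        print("ALERT", line)
```

On the constructed events the inventory shows the instance as created and later terminated by alice from the same address, and the bucket as still active; the two alerts both concern the bucket, because it was created by the root account and in a region outside the approved set. A real deployment would feed the same functions from the log delivery bucket or a log-management platform rather than an inline list.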
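The landing-zone design elements under Secure Design (section 4), in particular fine-grained least-privilege access control and vendor-provided encryption, and the pipeline automation under Automation (section 5) meet in a policy-as-code check. The script below is an added example, not code from the original article or from any vendor's tooling: it lints an AWS-style IAM policy document for wildcard and privilege-escalation grants, checks a bucket definition against an encryption and exposure baseline, and returns a pass/fail decision a CI job would act on. The bucket schema, the sample documents and the rule list are assumptions constructed for the example.

```python
"""Policy-as-code gate for a landing zone: reject an IAM policy or storage
definition that violates least privilege or the encryption baseline.

Added example, not code from the original article or from any vendor's
tooling. It assumes AWS-style IAM policy JSON; the bucket definition schema,
the sample documents and the rule list are constructed for the example."""
from __future__ import annotations

# Actions that, combined with Resource "*", let a principal reach other roles
# or rewrite policy (assumption: a short list chosen for illustration).
ESCALATION_ACTIONS = {"iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy", "sts:AssumeRole"}
APPROVED_ENCRYPTION = {"aws:kms", "AES256"}


def _as_list(value) -> list:
    """IAM accepts either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_iam_policy(policy: dict) -> list[str]:
    """Least-privilege findings for one IAM policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"Statement {i}: Action '*' grants every API call")
        for a in actions:
            if a.endswith(":*"):
                findings.append(f"Statement {i}: service-wide wildcard {a}")
        if "*" in resources and not stmt.get("Condition"):
            findings.append(f"Statement {i}: Resource '*' without a Condition")
        if "*" in resources and ESCALATION_ACTIONS & set(actions):
            findings.append(f"Statement {i}: privilege-escalation action allowed on all resources")
    return findings


def lint_bucket(bucket: dict) -> list[str]:
    """Encryption and exposure findings for a bucket (assumed simplified schema)."""
    findings = []
    name = bucket.get("name", "<unnamed>")
    if bucket.get("encryption") not in APPROVED_ENCRYPTION:
        findings.append(f"Bucket {name}: no approved encryption at rest")
    if not bucket.get("block_public_access", False):
        findings.append(f"Bucket {name}: public access not blocked")
    if not bucket.get("access_logging", False):
        findings.append(f"Bucket {name}: access logging disabled")
    return findings


def pipeline_gate(policy: dict, bucket: dict) -> tuple[bool, list[str]]:
    """What a CI job would run: True means the change may be deployed."""
    findings = lint_iam_policy(policy) + lint_bucket(bucket)
    return (not findings, findings)


# Constructed samples: the weak configuration beside its hardened form.
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
WEAK_BUCKET = {"name": "customer-exports", "encryption": None,
               "block_public_access": False, "access_logging": False}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::customer-exports/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::customer-exports"},
]}
HARDENED_BUCKET = {"name": "customer-exports", "encryption": "aws:kms",
                   "block_public_access": True, "access_logging": True}

if __name__ == "__main__":
    for label, pol, bkt in (("weak", WEAK_POLICY, WEAK_BUCKET), ("hardened", HARDENED_POLICY, HARDENED_BUCKET)):
        ok, findings = pipeline_gate(pol, bkt)
        print(label, "-> deploy" if ok else "-> blocked")
        for f in findings:
            print("  ", f)
```

The weak pair is blocked with five findings (two for the policy, three for the bucket); the hardened pair, which scopes the policy to one bucket's objects and enables KMS encryption, public-access blocking and logging, passes. A check like this belongs in the pipeline stage that runs before the infrastructure change is applied, so that the landing zone's standard is enforced on every change rather than audited after the fact.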

Biography

Huynh Thien Tam

Tam is a cyber-security advisor with multiple years of experience in advising organisations across industries in Singapore and the APAC region on cyber-security matters. Tam is currently a Managing Director of PwC's Cybersecurity practice in Singapore. Tam holds the Offensive Security Certified Professional (OSCP), CREST Registered Penetration Tester, Certified Information Systems Security Professional (CISSP), GIAC Certified Forensic Examiner (GCFE) and GIAC Certified Forensic Analyst (GCFA) certifications. He has won several hacking competition awards, reported zero-day vulnerabilities and spoken at various security events in the region.