Maksim Kabakou - Fotolia
When you secure a website running in the cloud, you follow a slightly different approach and use different security techniques than you would when securing one running in a traditional datacentre.
As more organisations move to the cloud, their information security teams have to adapt and secure those websites. These three fundamental shifts in thinking are important to building secure websites at cloud scale, while still fostering agility and innovation – two key business drivers for the cloud.
1. Use security mechanisms that understand the dynamism of the cloud
When you secure on-premise resources, you worry less about the process that created them. They exist – they are in your datacentre – and it is your job to secure them. You could organise assessments or security tests against a list of all your assets, regardless of how you came to own them.
In the cloud, resources are ephemeral and dynamic. Your website might launch 10 new application servers in response to peak demand. Those instances run for four hours and then they are terminated as demand drops off. To be confident those instances were secure during the four hours they were running, you look at how resources are created. What is the starting point? What hardens and configures the instance after it launches? Why is that pipeline for launching resources trustworthy?
As a security person, you need to know and secure the mechanisms that create resources. A security methodology that is driven by a database tracking all the things you own will work poorly in the cloud. Probing a range of IP addresses will not scale and will not handle the dynamism of your cloud.
Companies such as Alfresco, with its Prowler tool, dynamically explore the cloud looking for violations of well-known benchmarks, like the Cloud Infrastructure Security (CIS) Foundation Benchmark. Prowler is a tool you can run periodically to assess all your resources against the CIS benchmarks and report violations so that they can be addressed by the right team. It uses AWS application programming interfaces (APIs) to dynamically interrogate your environment, so that it does not rely on a static database of resources that might be out of date.
2. Turn on, analyse, and respond to infrastructure logs
You are probably already processing and analysing syslog on Linux, Windows events on Windows, web server logs and a variety of other logs.
In the cloud, you continue those practices. Your cloud infrastructure itself, however, also produces logs that must be analysed for misuse and abuse. This means that, in addition to the operating system activity you already monitor, you also need to monitor your cloud infrastructure itself, using cloud-native logs and tools.
Are authorised users attempting unauthorised actions? Are resources being launched with insecure configurations?
You have to incorporate data sources such as Amazon CloudTrail into your logging and auditing regime so that you have visibility into activity in your cloud. Securing your cloud requires you to understand the meaning of the logs you get from your infrastructure, and to respond to events logged by the infrastructure.
3. Use the cloud to protect the cloud
Preventative controls that limit users, instances and resources are an important part of securing your cloud and they need to be supplemented by detective and responsive controls.
You want to create detective and responsive security controls that identify non-compliance and correct it. In the cloud, you cannot create a list of every possible bad thing to prevent. You have to use techniques such as AWS Config Rules, AWS Lambda and Amazon CloudWatch Events to detect unusual or unauthorised behaviour, and take action automatically.
Humans watching dashboards and responding to alerts does not scale to the size and speed of the cloud. Using APIs and automation to respond to ordinary events frees up the humans in your cloud security teams so that they can focus on the exceptional and most important security alerts.
Companies such as Netflix, using their Chaos Engineering practices, invest a lot of effort in automatic responses to infrastructure changes.
Their tools, such as Chaos Monkey, deliberately introduce errors in production environments – stopping instances, breaking connectivity, etc. As a result, their security and operations teams have learned to automate detection and response to many ordinary failures. This lets them scale their operations while only alerting humans on truly exceptional events that need human intervention.
In summary, the dynamism of the cloud changes the way you approach securing your resources, and the cloud itself contributes to its own protection.
Read more from Computer Weekly’s Security Think Tank about improving web security
- Starter for 10 in the web security challenge.
- Web opportunities must be met with appropriate security controls.
- Secure your web applications without prejudice.
- Three areas of web security challenges.
- Risk assess all web connections to shore up security.
- Look at full security development lifecycle to reduce web threats.
- Security Think Tank: Approaches to effective web security.
- Security Think Tank: Web security down to good risk management.
- Web security guidelines from FS-ISAC.