Essential cloud security practices

Welcome to my second article about cloud security strategy. This series of articles gives a high-level overview of how to implement a cloud security strategy. The first article of this series presented a structured way to implement a cloud security strategy; this article is about the first step in that structured approach: establishing essential security practices.

Security in the cloud starts with applying the most important security practices to the people, process, and technology elements of your system. Additionally, some architectural decisions are foundational and very difficult to change later, so they should be made carefully.

Whether you're already operating in the cloud or you're planning for future adoption, it is recommended that you segment your implementation efforts into the three essential building blocks: people, processes and technology - consisting of 9 essential security practices (in addition to meeting any explicit regulatory compliance requirements).

People

Educate teams about the cloud security journey - The teams must be educated regarding threats, shared responsibilities and role/responsibility changes with the shift into the cloud. In addition, information about the why, who and how of the secure journey into the cloud needs to be made transparent to relevant stakeholders.

Educate teams on cloud security technology - Ensure your teams have time set aside for technical education on securing cloud resources, including cloud security technology, recommended configurations and best practices, and where to learn technical details.

Processes

Assign accountability for cloud security decisions - choosing who is responsible for security decisions is crucial; otherwise these decisions will not be made.

Adjust your incident response processes for the cloud - you will not have time to plan for a crisis during a crisis. Incident response designed for on-premises will not be sufficient in a cloud environment - prepare your organization.

Establish security posture management - modern cloud environments enable continuous monitoring of security risks as well as integrated SIEM (security information and event management) for the whole infrastructure. Realizing value from these new possibilities requires assigning responsibility.

Technology

Require passwordless or multifactor authentication - require all critical admins to use passwordless or multi-factor authentication. Passwords are not sufficient anymore to protect user accounts.

Integrate native firewall and network security - simplify the protection of systems and data against network attacks by integrating Azure Firewall, Azure web app firewall (WAF), and distributed denial of service (DDoS) mitigations into your network security approach.

Use identity-based access control instead of keys - enable Azure AD identities or similar solutions instead of key-based authentication when possible. Identity-based authentication overcomes many conventional security challenges with mature capabilities. The capabilities include secret rotation, lifecycle management, administrative delegation, and more.

Establish a single unified security strategy - to have clear guardrails for the implementation of cloud security measures, a strategy is essential; it provides clear orientation among the many options and settings. To start, concentrate on the following three assets: network security, identity security and application security.

Summary - Cloud security is a complex topic. To get started, a strategy and a clear segmentation of implementation efforts are mandatory: people, processes and technology. Otherwise there is a high risk of getting lost in the (almost) endless security possibilities of modern cloud infrastructures, resulting in an unstructured cloud security strategy implementation approach.
