The document provides an overview of cloud security best practices for AWS, Azure and GCP workloads. It discusses where to start when migrating workloads to IaaS and PaaS environments, the importance of cloud workload protection platforms (CWPP) and cloud security posture management (CSPM). The document also outlines some fundamental security controls that should be addressed, such as vulnerability management and application security. It provides guidance on how to keep pace with new security tools from cloud providers and find what works best. Lastly, it discusses how cloud security controls are evolving and how to prepare for better implementation and compliance.
Cloud Security Controls Best Practices for AWS, Azure and GCP
1. Cloud Security Controls Best Practices
Advanced Guidance for AWS, Azure and GCP workloads
Sergio Loureiro
Feb 2020
2. Outpost24 at a glance
• Global HQ – Sweden
• Sales – BeNeLux, DACH, Nordics, UK&I/France, US
• MSSP and Reseller partners in additional locations
• Over 150 full time staff
3. Outpost24 experience in Cloud Security
• Founding Member of the Cloud Security Alliance (CSA) and co-author of the first guidelines for cloud security in 2009
• Founding Member of the CSA French chapter in 2012 and board member in 2019
• Discovered the first AWS vulnerabilities and published a seminal paper in 2011
• First product in the AWS Marketplace in 2012, AWS partner since 2012, Azure Silver Partner
• 2 international patents on cloud security
4. Agenda
• Where to start when migrating to IaaS and PaaS?
• Why are CWPP and CSPM critical to cloud security?
• What are the fundamental controls security teams must address now?
• How to keep pace with new security tooling from cloud providers and find what works best for you?
• Where are cloud security controls heading, and how to prepare for better implementation and compliance?
5. Where to start when migrating to IaaS and PaaS?
“Through 2023, at least 99% of cloud security failures will be the customer’s fault.” (Gartner, 2019)
7. Cloud Maturity Adoption
• Migration – Are you using cloud services securely? What is the risk?
• Compliance – How to implement best practices? Show business value.
• Multi-Cloud – How to manage risk across different providers?
• Continuous – Continuous alerts and continuous risk assessment.
8. Why are CWPP and CSPM critical to cloud security?
[Figure: CWPP vs. CSPM. Image credit: Microsoft]
9. What are the fundamental controls security teams must address now?
• Cloud Security Posture Management (CSPM)
  • Cloud configuration assessment
• Cloud Workload Protection Platform (CWPP)
  • Vulnerability management
  • Application security
  • Anti-virus, HIDS/HIPS, etc.
10. CSPM and CWPP Now
• Cloud Security Posture Management -> Add configuration management
  • CIS AWS benchmark
  • CIS Azure benchmark
  • CIS GCP benchmark
• Cloud Workload Protection Platforms -> Integrate controls
  • Start with Identify (the NIST CSF function): system management, vulnerability assessment, awareness training
11. What checks? = What is in the CIS benchmarks?
• CIS AWS: 49 checks – IAM, Logging, Monitoring, Networking
• CIS Azure: 97 checks – IAM, Security Center, Storage Accounts, SQL Services, Logging and Monitoring, Networking, Virtual Machines, Other
13. How to prioritize CSPM findings?
• No CVSS score is attached to a configuration finding
• CIS benchmark recommendations are only marked scored / not scored
• Azure Security Center has its own scoring
• Without contextualization it is hard to do
• Ideally, asset tags identify the most critical systems, and user-defined tags help prioritize results
14. What is missing? AWS, Azure and GCP advanced services
• More than 100 services on AWS, Azure and GCP
• Start with foundational services (AWS example):
  • Networking: Security Groups, VPCs, NACLs, CloudFront
  • Instances: EC2
  • Storage: S3, EBS
  • IAM: rights and connection to AD
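The two slides above describe CIS-benchmark-style configuration checks on foundational services and the problem of ranking findings that carry no CVSS. The Python below is an added example, not code from the original deck or from Outpost24's products: it evaluates two CIS AWS Foundations Benchmark networking recommendations (4.1 and 4.2, both Scored) plus one constructed, not-scored organization rule (ORG-1) over a constructed sample shaped like a subset of the EC2 DescribeSecurityGroups response, then ranks the findings with illustrative weights derived from the scored flag and from env/data tags. The sample data, the ORG-1 rule, the tag names and the weights are all assumptions.

```python
"""CSPM-style checks plus tag-based prioritization over constructed AWS data (added example)."""
from dataclasses import dataclass

# Constructed sample, shaped like a subset of EC2 DescribeSecurityGroups output
# (boto3: ec2.describe_security_groups()["SecurityGroups"]). Not real data.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web",
     "Tags": [{"Key": "env", "Value": "prod"}, {"Key": "data", "Value": "pii"},
              {"Key": "owner", "Value": "payments"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ]},
    {"GroupId": "sg-0b2", "GroupName": "lab",
     "Tags": [{"Key": "env", "Value": "dev"}],
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-0c3", "GroupName": "all",
     "Tags": [{"Key": "env", "Value": "prod"}, {"Key": "owner", "Value": "platform"}],
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all protocols, all ports
     ]},
]


@dataclass
class Finding:
    check: str
    scored: bool          # CIS "Scored" recommendation or not; there is no CVSS to lean on
    resource: str
    tags: dict
    priority: int = 0


def tags_of(resource):
    """Flatten the AWS tag list into a dict."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def rule_exposes_port(rule, port):
    """True if one ingress rule admits the whole internet to a TCP port.
    CIS 4.1/4.2 name 0.0.0.0/0; ::/0 is treated the same way here."""
    world_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    world_v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    if not (world_v4 or world_v6):
        return False
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # "all traffic" rule: every port is open
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def sg_world_open(port):
    """Build a predicate: does any rule of the group expose `port` to the world?"""
    return lambda sg: any(rule_exposes_port(r, port) for r in sg.get("IpPermissions", []))


# (name, CIS scored?, predicate that returns True when the resource FAILS the check)
CHECKS = [
    ("CIS AWS 4.1 no ingress from 0.0.0.0/0 to port 22", True, sg_world_open(22)),
    ("CIS AWS 4.2 no ingress from 0.0.0.0/0 to port 3389", True, sg_world_open(3389)),
    # ORG-1 is a constructed, organization-specific rule used only to show a not-scored item
    ("ORG-1 security group has an owner tag", False, lambda sg: "owner" not in tags_of(sg)),
]


def check_security_groups(groups):
    """Run every check against every security group; one Finding per failure."""
    return [Finding(name, scored, sg["GroupId"], tags_of(sg))
            for sg in groups
            for name, scored, fails in CHECKS
            if fails(sg)]


def prioritize(findings):
    """Rank findings with context, since CSPM output has no CVSS.
    Weights are illustrative assumptions: scored beats not scored,
    production beats everything else, PII adds a little more."""
    for f in findings:
        score = 10 if f.scored else 5
        if f.tags.get("env") == "prod":
            score += 10
        if f.tags.get("data") == "pii":
            score += 5
        f.priority = score
    return sorted(findings, key=lambda f: (-f.priority, f.resource, f.check))


if __name__ == "__main__":
    for f in prioritize(check_security_groups(SECURITY_GROUPS)):
        label = "scored" if f.scored else "not scored"
        print(f"{f.priority:>3}  {f.resource}  {label:<10}  {f.check}")
```

With the constructed sample, the production web group with SSH open and a PII tag lands on top, the "all traffic" production group fails both CIS checks next, and the dev lab group's missing owner tag (not scored, not production) comes last. Real runs would feed the output of describe_security_groups() into check_security_groups() and replace the weights with the organization's own tag scheme.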
15. Workloads: Mapping Cloud Controls to NIST CSF
Source: SANS, How to Optimize Security Operations in the Cloud Through the Lens of the NIST Framework, Feb 2019
18. Traditional Security is disrupted by Cloud
• Shared responsibility
• New layer of configuration (and misconfigurations)
• Elasticity and agile delivery
• Changing IPs for VMs
• License model
• Cloud shadow IT
• New cloud services every week
• APIs for everything, publicly accessible
19. Plan for Multi-Cloud
More than 73% of organizations use two or more public cloud providers (Credit: SANS Cloud adoption survey 2019)
• More attack surface – Goal: know the surface
• Harder to have visibility – Goal: single pane of glass
• Different services and tools – Goal: controls homogeneity
20. Get full visibility on workloads and configuration
• For CWPP, extend existing tools
  • Marketplace tools are available
  • Check the deployment model (SaaS, agents, appliances)
• For CSPM, start with the CIS benchmarks: AWS, Azure, GCP
• Do an assessment now!
21. How to keep pace with new security tooling from cloud providers and find what works best for you?
AWS
- Security Groups (firewall)
- Trusted Advisor (high-level checks)
- Inspector (assessment)
- Key Management Service
- Identity and Access Management
- Macie (DLP)
- GuardDuty (threat detection)
- Shield (DDoS protection)
- WAF (web application firewall)
Azure
- Azure Security Center
- Network Security Groups (firewall)
- Key Vault
- Endpoint Protection
- VM agent
- …
25. Follow the Data
• Business intelligence and data analytics are great use cases for Cloud adoption
Credit: SANS Cloud adoption survey 2019
26. Extend to new cloud services – Off the beaten track
Goals:
• Keep up with the pace of innovation
• Be a business enabler while maintaining control
• Get your foundations right: IAM, Network, Application, Data Protection and Ops
Considerations:
• It is not always possible to install agents, for example on Serverless/FaaS
• Discover and implement best practices for every IaaS/PaaS service – hundreds of them today
• Sometimes no best practices are available; providers tend to be slow with security
28. Use Cases and Requirements
01 Migration – Migration of security controls to cloud
02 Compliance – Achieving compliance with security standards
03 Multi-Cloud – Handling multi-cloud deployments with a single console
04 Continuous – Monitoring and assessing risk in continuous mode
29. 4 Steps Guidance
1. Check requirements for data and workloads in the cloud
2. Extend existing workload security to the cloud (CWPP)
3. Address cloud configuration assessment (CSPM)
4. Handle Hybrid and prepare for Multi-Cloud
33. Cloud Security is different
Top threats to cloud computing (CSA Top Threats, “Egregious Eleven”, 2019):
1. Data Breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy
4. Insufficient identity, credential, access and key management
5. Account hijacking
6. Insider threat
7. Insecure interfaces and APIs
8. Weak control plane
9. Metastructure and applistructure failures
10. Limited cloud usage visibility
11. Abuse and nefarious use of cloud services