When creating a cloud security program, the strategy should start much as your on-premises security program did.
Start with this basic (not all-inclusive) list:
- Apply the principle of least privilege to service accounts and users.
- Require MFA for remote access for all users, and at a minimum for privileged users.
- Turn on logging and centralize the logs.
- Bring your on-premises security agents to the cloud where applicable.
- Use a deny-by-default firewall policy, allowing only the ports and services that are necessary.
- Do not expose database services to the internet; you would not do this in the datacenter.
- If you do not have the talent in house to advise on best practices, ask for help from experts in the field.
- Secure your web applications during the development lifecycle.
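The deny-by-default and "no databases on the internet" items above are easy to state and easy to violate with one security group change. The following is an added example, not code from the original page: it evaluates the ingress rules of an AWS security group against a deny-by-default policy and flags rules that are open to the whole internet, with database ports rated critical. The security group is a constructed dict in the shape `boto3`'s `ec2.describe_security_groups()` returns, the `DB_PORTS` table and the `INTERNET_ALLOWED_PORTS` allow-list are assumptions for this illustration, and no AWS API calls are made.

```python
"""Added example: check AWS security group ingress rules against a
deny-by-default policy. Input is a constructed dict in the shape returned by
boto3's ec2.describe_security_groups(); no AWS API calls are made."""

# Database ports that must never be reachable from the internet (illustrative list).
DB_PORTS = {
    1433: "MSSQL", 1521: "Oracle", 3306: "MySQL/MariaDB", 5432: "PostgreSQL",
    6379: "Redis", 27017: "MongoDB",
}
# Hypothetical allow-list: the only ports this organization permits from the internet.
INTERNET_ALLOWED_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _cidrs(rule):
    """All IPv4 and IPv6 CIDRs a single ingress rule grants access to."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def find_violations(sg):
    """Return one finding per ingress rule that is open to the internet and
    either reaches a database port or is not on the allow-list."""
    findings = []
    gid = sg["GroupId"]
    for rule in sg.get("IpPermissions", []):
        open_to = sorted(c for c in _cidrs(rule) if c in ANYWHERE)
        if not open_to:
            continue  # scoped to specific ranges; not this check's concern
        proto = rule.get("IpProtocol")
        if proto == "-1":  # "All traffic" rule
            findings.append({"group": gid, "severity": "critical", "ports": "all",
                             "reason": f"all protocols and ports open to {open_to}"})
            continue
        if proto not in ("tcp", "udp"):  # e.g. icmp, which has no port range
            findings.append({"group": gid, "severity": "medium", "ports": "n/a",
                             "reason": f"{proto} open to {open_to}"})
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        for port, name in DB_PORTS.items():
            if lo <= port <= hi:
                findings.append({"group": gid, "severity": "critical", "ports": str(port),
                                 "reason": f"{name} ({port}) exposed to {open_to}"})
        not_allowed = [p for p in range(lo, hi + 1)
                       if p not in INTERNET_ALLOWED_PORTS and p not in DB_PORTS]
        if not_allowed:
            findings.append({"group": gid, "severity": "medium",
                             "ports": f"{not_allowed[0]}-{not_allowed[-1]}",
                             "reason": f"port(s) not on internet allow-list, open to {open_to}"})
    return findings


# Constructed sample: an app-tier group where someone opened PostgreSQL to the world.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "app-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8010,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for f in find_violations(SAMPLE_SG):
        print(f"[{f['severity']}] {f['group']} ports {f['ports']}: {f['reason']}")
```

Run against the sample, the 443 rule passes the allow-list, the SSH rule is ignored because it is scoped to a private range, the PostgreSQL rule is reported as critical and the 8000-8010 range as medium. In production the same function would run over every group from `describe_security_groups()` on a schedule or from a CloudTrail `AuthorizeSecurityGroupIngress` event, and the critical findings would drive an automatic `revoke_security_group_ingress` plus an alert.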
Align your cloud strategy with established best practices. I highly recommend reading the AWS Well-Architected Framework even if you are using a different cloud provider.
From a security standpoint, follow the six design principles AWS gives in the framework's Security Pillar:
- Implement a strong identity foundation
- Enable traceability
- Apply security at all layers
- Automate security best practices
- Protect data in transit and at rest
- Prepare for security events
It is also highly recommended to put preventive or detective controls in place to monitor services that need protection from misconfiguration. For example, tag your S3 buckets with a data classification. If a bucket is not labeled public and a change makes it publicly accessible, automatically restrict public access again and alert your Security Operations team to the potential issue. This is a teachable moment for the technical team that attempted a change that is not in line with your security policies.
Lastly, automate security everywhere you can; this will greatly improve your security posture.
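The S3 example above is a small detective control with an automated response. Here it is in working form, as an added example rather than code from the original page: it takes a CloudTrail `PutBucketPolicy` event and the bucket's tags, decides whether the new policy grants public access, and, unless the bucket is classified public, returns the Block Public Access configuration to apply plus the alert text for Security Operations. The event, the tags and the `DataClassification` tag key are constructed for this illustration, and the remediation call itself (`s3.put_public_access_block`) is described but not made, so the block runs offline.

```python
"""Added example: the tag-driven detective and remediating control for S3
buckets. Evaluates one CloudTrail PutBucketPolicy event against the bucket's
data-classification tag. Event, tags and tag key are constructed; no AWS
API calls are made."""
import json

CLASSIFICATION_TAG = "DataClassification"   # hypothetical tag key for this organization

# Configuration s3.put_public_access_block would receive to block all public access.
BLOCK_ALL_PUBLIC = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}: anonymous users and every AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_grants_public_access(policy):
    """A policy is public if any Allow statement names everyone as principal
    and carries no Condition narrowing it (e.g. to a VPC endpoint or source IP)."""
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_anyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            return True
    return False


def evaluate_bucket_change(event, tags):
    """Decide the response to one PutBucketPolicy event.

    Only a bucket tagged DataClassification=public may carry a public policy;
    any other value, or a missing tag, is treated as non-public."""
    params = event["requestParameters"]
    bucket = params["bucketName"]
    policy = params["bucketPolicy"]
    if isinstance(policy, str):          # tolerate serialized as well as parsed policies
        policy = json.loads(policy)
    classification = tags.get(CLASSIFICATION_TAG, "").lower()

    if not policy_grants_public_access(policy):
        return {"bucket": bucket, "action": "none", "alert": False}
    if classification == "public":
        return {"bucket": bucket, "action": "none", "alert": False}
    actor = event["userIdentity"]["arn"]
    return {
        "bucket": bucket,
        "action": "put_public_access_block",   # apply BLOCK_ALL_PUBLIC to the bucket
        "config": BLOCK_ALL_PUBLIC,
        "alert": True,
        "message": (f"{actor} applied a public policy to s3://{bucket} "
                    f"(classification={classification or 'untagged'}); "
                    "public access has been re-blocked"),
    }


# Constructed sample event: an engineer grants s3:GetObject to everyone.
SAMPLE_EVENT = {
    "eventName": "PutBucketPolicy",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {
        "bucketName": "internal-reports",
        "bucketPolicy": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::internal-reports/*",
            }],
        },
    },
}
SAMPLE_TAGS = {CLASSIFICATION_TAG: "confidential", "Owner": "finance"}

if __name__ == "__main__":
    print(json.dumps(evaluate_bucket_change(SAMPLE_EVENT, SAMPLE_TAGS), indent=2))
```

Two design points worth noting. An untagged bucket is treated as non-public on purpose, so forgetting the tag fails closed rather than open. And the control is the fallback, not the first line: if S3 Block Public Access is already enabled with `BlockPublicPolicy`, the `PutBucketPolicy` call is rejected outright, which is the preventive version of the same rule; this detective path exists for the buckets and accounts where that setting has been turned off.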
Track 2 - Securing the Cloud - Do Not Lift and Shift