Security Best Practices in Public Clouds

This is the first blog in a series about security in global public clouds like Amazon Web Services (AWS) or Microsoft Azure.

Blog Series about Security in Public Clouds

As a Next Generation Service Provider, Swisscom wants to be your trusted partner. The security of the data to be processed is, therefore, a key issue. In a blog series starting today, we give insight into what points – especially regarding security – seem essential to us, when dealing with public clouds like Amazon Web Services (AWS) or Microsoft Azure. This blog series will consist of six blogs. Each blog will deal with a topic in depth.

Security Best Practices in Public Clouds

The following recommendations are intended to encourage you to deal with questions about cloud and security. We are convinced that these topics form a good basis to get started with a secure setup in public clouds.

1. Data protection

Protecting data starts with classification. Before moving documents, objects or workloads into a cloud, they must be classified. The desired level of protection can be derived from the classification.

Data must be protected in at least the following two states:

  • In transit: Data is in transit when it is transferred between components, locations, or programs. Examples are transfers over a customer-owned network, over the internet, or between on-premises and the cloud over a dedicated link (ExpressRoute or Direct Connect) or a VPN connection. The use of encrypted protocols with an appropriate configuration is state of the art.
  • At rest: Data at rest includes, for example, storage objects, containers and data that exist statically on physical media such as SSDs, HDDs or even optical disks. Modern public clouds make it easy for customers to encrypt data at rest using an integrated key management service. This, however, requires unrestricted trust in the cloud provider. If higher security requirements apply, appropriate solutions should be sought as early as the design phase.

Anonymization, pseudonymization or tokenization can also serve to protect the data.

2. Defense in Depth

Defense in Depth is the approach of layering several defense mechanisms to protect the customer's valuable data and information. This approach should also be applied in the cloud: if one mechanism fails, another can step in to prevent an attack. Within modern public clouds such as Microsoft Azure and Amazon Web Services (AWS), a wide range of security measures is available to choose from.

The illustration below shows several layers where security should be applied.

  • Data: Encryption; Database Security; IRM
  • Application: Federation; Secure Software Development and Application Lifecycle
  • Host: standardized platform O/S; Vulnerability Management; Logging
  • Network / Perimeter: Transport Layer Security; Firewalling; DoS Prevention
  • Physical: (not in scope of a cloud customer) Fences; Walls; Guards; Badges
  • Policies, Procedures & Awareness: Data Classification; Password strengths; Usage policy

3. Automate – and keep people away from data and infrastructure

Automation is a well-known instrument for reducing manual tasks. Setting up infrastructure as code accelerates installation processes and results in a consistent environment.
Automation does not only affect timelines and productivity. From a security point of view, reducing human interaction reduces the risk of unauthorized access, loss or modification. If dashboards and tools replace manual tasks, people are kept away from direct access to sensitive data.

4. Identity & Access Management

In the cloud, Identity and Access Management (IAM) is a key component of the information security program. A well-defined program helps to ensure that only authenticated and authorized users can access data and resources. We consider the following key points essential:

  • Make use of role-based access control (RBAC) to assign permissions to users, groups, and applications. Make sure that access follows the principle of least privilege
  • Enable two-factor authentication
  • Take special care of privileged accounts
  • Access Keys need special attention as well. Developers need to be educated on how to use and protect them
  • Rotate credentials regularly and configure a password policy according to your needs
  • Monitor the actions that are performed in the account and log in detail

5. Make use of “Prevention” and “Detect and React” equally

Configuring only preventive security measures is no longer enough. Today's attackers have sophisticated tools and are persistent in trying to get access to your environment. Eventually, a way in will be found. Assuming a breach shifts the focus and helps to answer the following questions in advance:

  • What precautions are needed so that an attack can be detected?
  • How to react to an attack or even a breach?
  • Define steps to recover from the attack

Today's public clouds offer several services to detect a possible breach. Extensive logging of API calls, IAM events, connection details, and the configuration and health of your services is just a few clicks away. Even services enriched with Artificial Intelligence and Machine Learning are available, for example GuardDuty on AWS or Azure Advanced Threat Protection.

Just as crucial as collecting and aggregating logs is extracting meaningful insights from the enormous volume of logs and events generated. This is one important pillar of a reliably designed application.
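As an added example (not code from the original post or from Swisscom), the following Python script shows what "monitor the actions performed in the account" (section 4) and "extract meaningful insights from logs" (section 5) can look like in practice: three simple detection rules run over constructed sample records shaped like AWS CloudTrail events. The field names follow the CloudTrail format, but the user names, IP addresses and events are invented for this example.

```python
import json
from collections import Counter

# Constructed sample log, one CloudTrail-style JSON record per line.
# Principals, addresses and counts are invented for this example.
SAMPLE_LOG = """
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"},"sourceIPAddress":"192.0.2.10"}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"},"sourceIPAddress":"198.51.100.7"}
{"eventName":"CreateUser","userIdentity":{"type":"Root"},"sourceIPAddress":"203.0.113.5"}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"},"sourceIPAddress":"198.51.100.9"}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"},"sourceIPAddress":"198.51.100.9"}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"},"sourceIPAddress":"198.51.100.9"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records into dictionaries."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def analyse(events, fail_threshold=3):
    """Return a list of (rule, principal, detail) findings."""
    findings = []
    failed_logins = Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        # Rule 1: any activity by the root account. Root is the most
        # privileged identity and should only be used in emergencies.
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACCOUNT_USED", who, ev.get("eventName")))
        if ev.get("eventName") != "ConsoleLogin":
            continue
        success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        # Rule 2: successful console login without a second factor.
        if success and not mfa:
            findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", who, ev.get("sourceIPAddress")))
        # Rule 3: repeated failed logins per principal (possible credential guessing).
        if not success:
            failed_logins[who] += 1
    for who, n in failed_logins.items():
        if n >= fail_threshold:
            findings.append(("REPEATED_LOGIN_FAILURES", who, n))
    return findings


def run_sample():
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, who, detail in run_sample():
        print(f"{rule}: {who} ({detail})")
```

In a real deployment the same rules would run continuously over the aggregated log stream and raise an alert for each finding instead of printing it.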

6. Be aware of your responsibilities

When outsourcing services to a global public cloud, the responsibility for security and compliance is shared. A cloud provider such as Azure or AWS is responsible for protecting the infrastructure the cloud runs on against logical and physical threats. That includes hardware, software, networking and facilities, shown in gray in the picture below.

The customer’s responsibility (shown in blue) depends on the services chosen. If, for example, a classical IaaS approach is chosen – including Virtual Servers and a Virtual Private Cloud – there is more to consider than if only a SaaS service is used.

The customer's responsibilities include, for example:

  • Protection (authentication, authorization, integrity and encryption) of customer data
  • Management of the guest operating system including updates and patches
  • Configuring Network Security Controls like firewalls
  • Defining security baselines for services, accounts and/or subscriptions
  • Managing Users and Federation

Simply put:

  • The cloud provider is responsible for the “Security of the Cloud”.
  • The customer is responsible for the “Security in the Cloud”.

Further resources:

Swisscom has published whitepapers on cloud security in which security issues are dealt with in detail. These can be obtained as follows: