Many medium sized organisations have by now successfully migrated their less complicated use cases to cloud services. These include email and SaaS as well as line of business applications that were already containerised or virtualised.
However, the incentives and pressures to continue cloud adoption keep growing: to provide seamless customer experience, savings, anywhere access, to exit legacy and keep up with giant competitors or small challengers. Harder nuts to crack like rehosting ERP and refactoring monolithic apps are now in scope for some.
Cloud security architecture is the activity that supports these business strategies being translated into secure design decisions at all layers. Many small to medium businesses will not have someone with this role description but the competency is now a must-have at critical junctures or on an enduring basis, whether among their platform team, Security function or from a supplier. The following are some insights from our recent cloud security and architecture engagements.
Approaches to reduce cloud-based security risks
A full switchover to Zero Trust and a SaaS based ecosystem is not a possibility for many medium sized companies from the points of view of project cost and technical debt. What then are the feasible options for sensible and incremental improvement in cloud security architecture?
What hasn’t worked is opportunistic and entirely devolved adoption of cloud. This has certainly yielded tactical benefits but also strategic complexity and a lack of governance. Nor does merely re-using the on-premises security architecture in a virtual form realise the benefits and opportunities of the cloud. Lasting security principles remain, but cloud customers lose access to the security controls of the lower layers of the stack and, culturally speaking, failure and destruction are more manageable.
What does work?
First, organisations are updating their standards for commodity cloud usage, after recognising it is here to stay, for hosting or as SaaS. Still, there is a way to go: 40% of businesses’ security policies still do not mention the cloud, as shown in the UK Government’s 2020 Cyber Security Breaches Survey (https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020).
Second, having a plan to address the security vulnerabilities that arise from misconfiguration. Misconfiguration is often the vector through which bad actors get in and breaches materialise, and it is more serious and more common in medium organisations than in large ones: misconfiguration errors are up to twice as frequent in SMBs as in large organisations (Verizon Data Breach Report 2020, https://enterprise.verizon.com/resources/reports/2020/2020-data-breach-investigations-report.pdf, p.81). This can be addressed in a number of ways:
- By integrating security in cloud design and operations.
This can be done either procedurally through policy, programme management and architectural design boards or dynamically through Security as or in Code.
This entails more disciplined provisioning of subscriptions and accounts (a shared goal with the finance team). Through establishing a centralised account hierarchy, enterprise scale policies can be applied and a cost-effective central zone for shared security services provided. From that hub, segmentation can be logically applied.
This activity is a second level of design, beyond simply architecting secure workloads in the cloud: it is the secure design of your cloud itself. The Cloud Security Alliance describes how this ‘meta-structure’ deserves attention (https://cloudsecurityalliance.org/blog/2020/11/09/what-is-cloud-security-how-is-it-different-from-traditional-on-premises-network-security/).
- For the workloads themselves, setting patterns.
These will differ from on-premises reference architectures. The advantage they bring is to set guardrails and a known good baseline from which exceptions may be approved. It is also scalable: you can approve once and apply many, as you would a VM or container image.
Although the cloud services providers have their own well-architected frameworks, multi-cloud is a reality for many organisations. Security requirements such as least privilege, encryption and secure access can be abstracted to an effective vendor-agnostic pattern. Provider-specific standards can then be templated through Infrastructure as Code or through mandating an available pattern (e.g. Azure blueprints, CIS Benchmarks).
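One way to express such a vendor-agnostic pattern as code, with approved exceptions tracked against the known good baseline. This is an added example, not part of the original article; the resource records, field names and exception reference are simplified and constructed, not real provider API output.

```python
# Vendor-agnostic guardrails: provider settings are mapped to abstract
# controls, then checked against one baseline with an exceptions register.
# All field names and records below are constructed for illustration.

# Adapters fail closed: a missing or unexpected value counts as non-compliant.
ADAPTERS = {
    "aws_bucket": lambda c: {
        "encrypted_at_rest": c.get("sse_algorithm") in ("AES256", "aws:kms"),
        "no_public_access": c.get("block_public_access") is True,
        "tls_only": c.get("deny_insecure_transport") is True,
    },
    "azure_storage": lambda c: {
        "encrypted_at_rest": c.get("encryption_enabled") is True,
        "no_public_access": c.get("allow_blob_public_access") is False,
        "tls_only": c.get("https_only") is True,
    },
}
REQUIRED = ("encrypted_at_rest", "no_public_access", "tls_only")

# Approved exceptions: (resource id, control) -> approval reference (hypothetical).
EXCEPTIONS = {("az-web-assets", "no_public_access"): "EXC-001"}

def evaluate(resources, exceptions=EXCEPTIONS):
    """Return (resource id, control, status) for every deviation from baseline."""
    findings = []
    for res in resources:
        adapter = ADAPTERS.get(res["type"])
        if adapter is None:  # no pattern exists for this service: flag it
            findings.append((res["id"], "unknown_type", "FAIL"))
            continue
        controls = adapter(res["config"])
        for name in REQUIRED:
            if not controls[name]:
                approved = (res["id"], name) in exceptions
                findings.append((res["id"], name, "EXCEPTION" if approved else "FAIL"))
    return findings

INVENTORY = [  # constructed sample inventory across two providers
    {"id": "aws-logs", "type": "aws_bucket", "config": {"sse_algorithm": "aws:kms",
        "block_public_access": True, "deny_insecure_transport": True}},
    {"id": "aws-exports", "type": "aws_bucket", "config": {
        "block_public_access": True, "deny_insecure_transport": False}},
    {"id": "az-web-assets", "type": "azure_storage", "config": {"encryption_enabled": True,
        "allow_blob_public_access": True, "https_only": True}},
    {"id": "gcp-scratch", "type": "gcp_bucket", "config": {}},
]

if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print(*finding)
```

Adding a provider means writing one adapter; the baseline and the exceptions register stay the same.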
Much cloud traffic bypasses the core network without being routed and inspected, and shadow cloud usage means services may be running unknown to most of IT and management.
For known and discovered resources, logging and monitoring is available through API or the native posture management service in the portal. The management plane is especially worth monitoring since it is remotely accessible. DevOps colleagues may already have application monitoring agents and DaemonSets in use. However, a more powerful Cloud Security Workload Protection tool could be appropriate; the advantage of these is outlined in a Gartner report (https://www.gartner.com/smarterwithgartner/gartner-top-9-security-and-risk-trends-for-2020).
Third, by seeking targeted professional help.
Given the present challenges in finding talent and specialist skills, it could be cost effective to have a systems integrator set the organisation off on the right footing (on the topics above). However, configuration drift will set in and the environment will change iteratively. Periodic reassessments and continuous compliance tools can find the symptoms, but investing in prevention through security architecture and engineering should reduce the amount of security firefighting.
Rather than big-budget overhauls, many organisations of 50-250 staff or <£50m turnover need a more incremental and affordable approach to securing their cloud transformation. Cloud security architecture can mitigate the very real risks they face by applying both established and cloud-specific principles. This can be done through patterns and governance that balance top-down control from a security perspective with helpful security artefacts and services for the developers and operators.
Mark Shawyer is one of the Senior Security Consultants and a Cloud Security Architect.
Bridewell consultants hold industry recognised qualifications and have experience of designing security architectures to enable business.
Our service offers organisations the chance to engage professionals who understand the importance of balancing the requirements of the business with the need to reduce risk to the organisation.
This will ultimately deliver an architecture that will be of long term benefit to the organisation.
Our methodologies cover the early phase of a project lifecycle from requirements gathering to design and through to build and run. We can utilise either general security architects or technical specialists who have experience of designing and building detailed solutions, for example identity and access management solutions and cryptographic solutions.