22 Best Practices for Cloud Security

Most organizations use at least one type of cloud service to improve business operations. In some cases, companies use Infrastructure-as-a-Service (IaaS) models, where the vendor hosts, maintains, and updates the underlying infrastructure. In other cases, development teams use Platform-as-a-Service (PaaS) providers so they can build, develop, test, and deploy applications more rapidly and cost-effectively. Most small or mid-size businesses integrate Software-as-a-Service (SaaS) applications like customer relationship management (CRM) platforms to enhance productivity.

Every new connection to and within the organization’s cloud environment increases the attack surface, creating new data breach risks. Organizations can improve their cloud security by implementing some best practices.

1. Understand the shared security responsibility model (SSRM).

Under the Shared Security Responsibility Model (SSRM), the cloud service provider (CSP) manages the security of the cloud, like the underlying hardware supporting its product. The customer is responsible for security within the cloud environment, like access to resources or application configurations.

For example, the CSP maintains the security of the cloud, including but not limited to:

• Compute processes
• Datacenter housing the cloud’s servers
• Databases used by the CSP to support the customer
• Networks that the CSP uses to support its own hardware and infrastructure

Meanwhile, the customer maintains security within the cloud, including but not limited to:

• Databases storing its customers’ data
• Granting users access to resources
• Device operating systems, firmware, and software
• Encrypting data in transit and at rest

2. Understand legal requirements.

Most organizations need to comply with various data protection laws and cybersecurity hygiene requirements like:

• Health Insurance Portability and Accountability Act (HIPAA)
• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Payment Card Industry Data Security Standard (PCI DSS)

Organizational cloud security controls should align with applicable compliance requirements, including implementing security controls across functions like:

• Identity and Access Management (IAM)
• Endpoint security
• Network security
• Data security, like encryption
• Application security, including configurations and API connectivity

3. Identify sensitive data.

Security should focus on protecting sensitive data and personally identifiable information (PII) stored, transmitted, or processed within the organization’s cloud environment. Some examples of sensitive data include:

• Name
• Date of birth
• Social security number
• Credit card information
• Bank account information
• Intellectual property

4. Engage in a risk assessment.

After identifying sensitive data that requires protection, the organization should identify people and technologies that store, manage, or process sensitive data, like:

• Users/employees
• Devices
• Databases
• Applications
• Networks

The risk assessment reviews the likelihood that a data breach will occur and the potential impact that it would have on business operations. High risk assets and users should be prioritized when implementing controls and monitoring security.

5. Establish application and interface security policies and procedures.

Based on the risk assessment, the organization should establish, implement, communicate, and evaluate policies and procedures for securing applications. These policies and procedures should guide the technical and operational metrics for application security, including:

• Defining and implementing the software development life cycle (SDLC) process
• Using automated application security testing tools
• Automating application deployment processes
• Defining vulnerability remediation processes

6. Establish business continuity management policy and procedures.

When organizations rely on CSPs for business operations, they need to have plans that respond to service outages. To mitigate the financial impact that a cloud outage has on business operations, the organization should:

• Determine business disruption and risk criteria
• Identify strategies to reduce impact
• Test business continuity and operational resilience plans at least annually
• Periodically backup data stored in the cloud

7. Identify change management processes.

The change management processes define the activities that manage risks arising from applying changes to organizational assets:

• Applications
• Systems
• Infrastructure
• Configurations

The change management processes apply to anyone – internal or external – managing assets. These processes should include:

• Restricting unauthorized changes to assets
• Detecting changes that deviate from established baselines
• Managing exceptions
• Rolling back changes to a previously known good state

8. Encrypt data at rest and in transit.

Since encryption makes data unusable to anyone without the decryption key, it provides a critical layer of security and privacy protection. As part of cloud security, organizations should:

• Define and implement cryptographic, encryption, and key management roles and responsibilities
• Use cryptographic libraries certified to approved standards
• Use appropriate encryption algorithms based on data classification, risks, and encryption technology usability
• Implement and enforce an encryption and key management risk program

9. Implement and enforce data lifecycle management policy.

As part of managing data security and privacy, the organization should have documented policies and procedures for classifying, protecting, and handling data throughout its lifecycle. These should include activities like:

• Secure data disposal
• Maintaining a data inventory
• Data classification
• Data flow documentation
• Data ownership and stewardship
• Developing systems according to data protection by design and default best practices
• Data retention and deletion policies

10. Implement and enforce a strong password policy.

In cloud deployments, identity and access management (IAM) are critical controls. Since IAM controls who gains access to resources and how they use that access, having a strong password policy acts as an initial security layer. The password policy should define:

• The minimum number of characters
• The types of characters to use, like letters, numbers, or special characters
• Requirements for acceptability, like requiring capital and/or lowercase letters

11. Implement and enforce the principle of least privilege.

The principle of least privilege limits user access to only the access necessary to complete their job functions. Organizations should use role-based access controls (RBAC) to define these privileges and match them with human resources records.

12. Implement and enforce multi-factor authentication (MFA).

Increasingly, attackers use credential-based attacks and stolen credentials to gain unauthorized access to cloud environments. With MFA, users answer challenge questions before being authorized to resources. The process includes two or more of the following:

• Something people know, like a password or passphrase
• Something people have, like a token or authentication app on a smartphone
• Something people are, like FaceID or fingerprints

13. Segment networks.

Network segmentation is the process of placing high-risk assets on dedicated IP ranges or subnets. By placing critical assets on a separate network, organizations can place additional monitoring around these assets and mitigate risks that attackers will move laterally across a network. When establishing these controls, organizations should consider:

• Documenting data flows to and from business-critical applications
• Using Virtual Local Area Networks (VLANs) to create smaller groups of subnetworks within the same domain
• Using firewall rules to deny risky traffic and set allow lists for approved connections
• Using Software-Defined Networking (SDN) segmentation that uses Application Programming Interfaces (APIs) to manage data traffic

14. Monitor network traffic.

When using a cloud environment, network connectivity and security are critical. For example, attackers using bots for Distributed Denial of Service (DDoS) attacks can interrupt business operations by overwhelming the network. Organizations should identify normal network activity and implement defense-in-depth network security strategies to mitigate risks like:

• Communications with an attacker’s command and control (C2) server
• High volumes of requests that overwhelm the network
• Malicious uploads to endpoints

15. Establish and enforce interoperability and portability policies and procedures.

Interoperability and portability policies and procedures define requirements for:

• Communications between application interfaces
• Information processing interoperability
• Application development portability
• Information or Data exchange, usage, portability, integrity, and persistence.

16. Implement a web application firewall (WAF).

Software-as-a-service (SaaS) applications are fundamental to modern business operations. A WAF shields critical and customer-facing applications by controlling traffic between them and the public internet. By implementing a WAF, organizations can mitigate risks from:

• Network attacks like DDoS
• Application-layer attacks, like SQL injection and cross-site scripting (XXS) attack
• Application vulnerabilities, like OWASP Top 10 Threats

17. Identify and secure application programming interfaces (APIs).

APIs enable applications to share data, making them a key attack target. Many organizations lack visibility into their API landscape, creating risks and leaving the attack vector unmanaged. As part of managing cloud security, organizations should:

• Continuously discover external APIs and their hosting environments
• Identify API vulnerabilities
• Categories vulnerabilities by risk level and hosting provider type
• Prioritize vulnerability remediation activities based on risk profile

18. Implement secure configurations.

Device and application default configurations can increase security risk. When trying to secure a cloud environment, organizations should implement secure configurations and monitor for unauthorized changes that can happen accidentally or purposefully over time. Some suggestions for implementing secure configurations include:

• Removing and disabling unnecessary user accounts
• Changing default or guessable passwords to align with the organization’s password policy
• Removing or disabling unnecessary software
• Removing or disabling unnecessary functions, especially ones that have auto-run features that allow file execution

19. Monitor endpoint security.

Malware and ransomware can infect devices and then spread across an organization’s networks, compromising the entire cloud environment. To mitigate these risks, organizations should:

• Proactively protect employees and connected devices at the DNS layer
• Install anti-virus software or use endpoint detection and response (EDR) tools to identify malicious code
• Monitor for abnormal device activity, like unknown files or registries
• Scan networks to detect operating system, software, and firmware vulnerabilities that attackers can use to gain unauthorized access
• Install security updates as soon as possible

20. Implement logging and monitor logs.

Logs contain information about the activities happening across an environment. Organizations should identify and monitor security-related events within applications and the underlying infrastructure. This process should include:

• Defining a system to generate alerts
• Assigning responsibility for responding to alerts
• Monitoring security audit logs to detect abnormal activities
• Ensuring audit records contain relevant security information

21. Establish, implement, and test incident response plans.

Security teams use the incident response plan to help:

• Detect incidents
• Investigate alerts
• Contain threats
• Eradicate threats
• Recover systems to a previously known safe state
• Discuss lessons learned to identify strengths and areas of improvement

To test the effectiveness of their incident response plan, organizations can engage in tabletop exercises that simulate an attack, giving their teams experience with the existing processes and identifying potential improvements before a real security incident occurs.

22. Establish SSRM supply chain management policy.

Cloud environments consist of highly interconnected third-party vendor products and services. As threat actors increasingly seek to exploit third-party vendor vulnerabilities, organizations need to implement appropriate vendor risk management strategies, including service agreements that define:

• Scope, characteristics, and location of business relationship and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third-party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy

Further, organizations should have processes for periodically reviewing vendor:

• Security policies and procedures
• Security audits
• Supply chain partners’ IT governance and policies

Protect applications and reduce DDoS risk with UltraSecure.

Vercara’s UltraSecure offers small and mid-sized businesses cloud security tools that mitigate risks without impacting performance. With UltraSecure, companies can implement cloud security technical best practices, including secure and reliable DNS, managed DDoS protection, an easy-to-use cloud WAF, and recursive DNS security.

Vercara’s budget-friendly suite of solutions combined with award-winning 24x7x365 customer service enables small and mid-sized businesses to build enterprise-level cloud security programs.

To learn more about how UltraSecure can help you improve your cloud security posture, read our solution sheet.