Startup Cloud Security User Guide

Keywords: cloud computing, cloud security

Alert Logic is a cloud services solution that integrates advanced 24x7 security tools to withstand threats and address compliance; it is also an advanced technology partner and security provider for AWS. This article comes from Stephen Coty, chief security officer at Alert Logic, who shares best practices in cloud security. The following is a translation of what Stephen Coty shared:

Many years ago, I built a security and development company with huge dreams and little money. However, as I started building the necessary infrastructure and development platform, I quickly became aware of the cost problem. Of course, this happened in the early 21st century, when there was no cloud computing infrastructure, so if you wanted infrastructure, you had to build your own, and then there were human resources, operations, finance, sales, and marketing. So I finally set up the infrastructure that the company needed and the team that maintained it.

A start-up needs a basic task list for building on the cloud. Today's cloud comes with a variety of self-service facilities and services that make many tasks easier. Even so, security is often an afterthought. It is important to remember that the cloud is an extension of the business network, whether or not you realize it. Security vulnerabilities not only endanger the user's internal network, but also put customers' data at risk.

Security threats to the public cloud

While the public cloud brings huge economic benefits, it faces the same threats as any other infrastructure. Over the years, attack frequency and the variety of malware in use have been rising. As cloud incidents involving vulnerability scans, web application attacks, and brute-force attacks increase, users need to understand the types of threats that affect the cloud so that they can create an appropriate defense-in-depth security policy to protect the environment from malicious attacks.

Shared Security Model

In a public cloud, the key to security is understanding the security model shared between users and service providers, such as the public cloud service provider Amazon AWS. Without this understanding, a user may assume that the service provider is protecting them in an area where the user is in fact responsible for that security function.

For example, the service provider is responsible for all of the underlying services, such as computing power, storage, databases, and network services. At the network level, the service provider is responsible for network segmentation, perimeter services, and some DDoS and spoofing protection.

However, you, the end user, are responsible for network threat detection, reporting, and any incident response. At the host level, the user is responsible for access management, patch management, configuration hardening, security monitoring, and log analysis. Application components are 100% the user's responsibility. The following figure shows the division of responsibilities between users and service providers:

  

Understanding the roles of users and cloud vendors not only helps users make the best decisions about the cloud infrastructure, but also ensures that once the network security policy is implemented, it protects your data efficiently and cheaply from cloud threats.

Cloud Security Best Practices

1. Protect the Code

It is the user's responsibility to protect the code. First, make sure that security is part of the software development life cycle (SDLC). To that end, use the following checklist:

• Verify that the code is continuously updated and that any plug-ins have the latest patches;

• Add latency to the code to prevent the victim from becoming part of a botnet (zombie network);

• Use encryption;

• Test all libraries and third-party dependencies;

• Keep track of vulnerabilities in the products you use;

• Finally, scan the code again after making any changes.

2. Create an Access Management Policy

First, determine what the assets are. Once you have the list, determine which assets each role and responsibility needs to access. Where it is possible to centralize authentication, use a priority model for authentication. AWS offers many options for authentication management.

3. Adopt a Patch Management Approach

Again, consider developing a checklist of the important steps:

• Inventory all assets;

• Plan for standardization as far as possible;

• Research potential vulnerabilities and classify them by vulnerability and likelihood of risk;

• Test patches on release if possible;

• Create a regular patch schedule that includes third-party products that need to be updated manually.

4. Log Management

Logging now serves far more than compliance; it has become a powerful security tool. Users can use log data to monitor for malicious behavior and to support incident investigations. The trick to making logs an effective security tool is to monitor for abnormal behavior 24x7.

AWS CloudTrail is a groundbreaking offering in this regard. With CloudTrail, the user's security provider can monitor access to cloud instances from Amazon's management environment. Most people watch and monitor their environment from the Internet side and rarely think to monitor activity from the back end. This is CloudTrail's innovation: it gives customers a level of transparency into interactions with the AWS API.
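As an added example (not part of the original article or Alert Logic's tooling), the sketch below shows the kind of abnormal-behavior check that can run over a CloudTrail log file: it flags repeated failed console logins from one source IP and API calls that switch off or alter the trail itself. The sample records are constructed, and the threshold, the watch list, and the helper names `_rec` and `find_anomalies` are assumptions made for this example.

```python
import json
from collections import Counter

# Assumed watch list and threshold for this example; tune both for your account.
TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
FAILED_LOGIN_THRESHOLD = 3


def _rec(source, name, ip, outcome=None, user="alice"):
    """Build one constructed CloudTrail-style record (hypothetical helper)."""
    return {"eventSource": f"{source}.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"userName": user},
            "responseElements": {"ConsoleLogin": outcome} if outcome else None}


# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("signin", "ConsoleLogin", "203.0.113.7", "Failure"),
    _rec("signin", "ConsoleLogin", "203.0.113.7", "Failure"),
    _rec("signin", "ConsoleLogin", "203.0.113.7", "Failure"),
    _rec("signin", "ConsoleLogin", "198.51.100.4", "Failure"),
    _rec("signin", "ConsoleLogin", "198.51.100.4", "Success"),
    _rec("cloudtrail", "StopLogging", "203.0.113.7"),
    _rec("ec2", "DescribeInstances", "198.51.100.4", user="bob"),
]})


def find_anomalies(log_text):
    """Return sorted (rule, detail) findings for one CloudTrail log file."""
    failures, findings = Counter(), []
    for rec in json.loads(log_text).get("Records", []):
        name = rec.get("eventName")
        ip = rec.get("sourceIPAddress", "unknown")
        # responseElements is null on many events, so guard before indexing.
        response = rec.get("responseElements") or {}
        if name == "ConsoleLogin" and response.get("ConsoleLogin") == "Failure":
            failures[ip] += 1
        elif (rec.get("eventSource") == "cloudtrail.amazonaws.com"
              and name in TAMPER_EVENTS):
            user = (rec.get("userIdentity") or {}).get("userName", "unknown")
            findings.append(("logging-tampered", f"{name} by {user} from {ip}"))
    for ip, count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("login-brute-force", f"{count} failures from {ip}"))
    return sorted(findings)


if __name__ == "__main__":
    print(*find_anomalies(SAMPLE_LOG), sep="\n")
```

A single failed login followed by a success, as from 198.51.100.4 in the sample, stays below the threshold and is not reported.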

5. Build a Security Toolkit

Users need to think of the cloud as a corporate network. Implement a defense-in-depth strategy that covers all of your responsibilities. Implement iptables, web application firewalls, antivirus software, intrusion detection, encryption, and log management. Explore the security options and ensure that you have the right solution for your business.

6. Keep Informed

Users must stay aware of the vulnerabilities that may exist in their environment. Here are some of the world's top research sites, which will help users get the latest news on vulnerabilities, their development, and attacks that propagate:

http://www.securityfocus.com

http://www.exploit-db.com

http://seclists.org/fulldisclosure/

http://www.securitybloggersnetwork.com/

http://www.sans.org/

http://www.nist.gov/

7. Understand Your Service Providers

Finally, users need to know the security vendors and security products that share their security responsibilities. Through continuous testing, ensure that the security policy is effective and can be implemented effectively.

About the author: Stephen Coty is Alert Logic's chief security commissioner and a member of ISSA, InfraGard and HTCIA.
