To create a solid security for your servers, data, and applications hosted in the cloud, you must adhere to the following security guiding principles:
Perimeter Security
The first line of defense against attacks is perimeter security. Creating private networks to restrict visibility into computing environment is one of them. Micro-segmentation which isolates applications and data with a hardened configuration is another one. Creating a strong abstraction layer from hardware and virtualization environment will also strengthen perimeter security.
Continuous Encryption
There shouldn’t be any more reason why data traversing the network (public or private) and data stored on storage arrays shouldn’t be encrypted. Even the popular Google Chrome browser started to flag unencrypted websites to alert users. Leverage cheap computing power, secure key management, and the Public Key Infrastructure to achieve data-in-transit and data-at-rest encryption.
Effective Incident Response
Attacks to your servers, data, and applications in the cloud will definitely occur. It’s just a question of “when” will it happen. An effective incident response program – using automated and manual response – ready to be invoked once an attack occurs will lessen the pain of the breach.
Continuous Monitoring
Continuous and robust monitoring of your data, applications, and security tools and on-time alerting when security breach happens is a must. In addition, easy integration of third party monitoring capabilities will also help in achieving sound monitoring system.
Resilient Operations
The infrastructure should be capable of withstanding attack. For instance, you should maintain data and applications availability by mitigating DDoS attacks. The applications should continually function in the presence of ongoing attack. In addition, there should be minimal degradation of performance as a result of environmental failures. Employing high availability, redundancy, and disaster recovery strategy will help achieve resilient operations.
Highly Granular Access Control
Organizations need to make sure that their employees and customers can access the resources and data they need, at the right time, from wherever they are. Conversely they need to make sure that bad actors are denied access as well. They should have a strong cryptographic Identity and Access Management (AIM). They should leverage managed Public Key Infrastructure service to authenticate users, restrict access to confidential information and verify the ownership of sensitive documents.
Secure Applications Development
Integrate security automation into DevOps practices (or DevSecOps), ensuring security is baked in, not bolted on.
Governance, Risk Management, Compliance
Finally, a great cloud security program should be properly governed, for instance, by having visibility of configurations. Risks should be managed by readily identifying gaps or other weakness. Lastly, your security program should have broad regulatory and compliance certifications.