Keith Worfolk

Implementing strong and effective security for developing and deploying cloud solutions is a complex process. Cloud solution security architectures must be built progressively, with additional layers of advanced security functions built on initial foundational capabilities.

In this first of a 3-part blog series on securing cloud solutions, we examine the 4 foundational capabilities of effective development and deployment processes and provide best practices to implement them for your growing cloud enterprise.


Harden Platform-as-a-Service (PaaS) configurations

Security-hardened platform configurations become increasingly critical as enterprises mature and transition from Infrastructure-as-a-Service (IaaS) to PaaS infrastructures.

Efforts should address both immediate fortification and future capabilities by fostering design and implementation teams skilled in configuring each PaaS service as it is adopted. Teams must ensure platform services are secure and reusable across all new solutions. Harden PaaS service configurations by applying the following best practices:

Prepare cloud risk assessments for every planned and deployed service in advance. Services should be:

Configured for flexibility as new solutions may utilize services differently

Reviewed whenever deploying services for a new solution or new modification/release

Evaluated for effectiveness against functional needs and anticipated changes to those needs over time (in terms of both choice of service and existing configurations)

Identify all available security parameters that can reduce risks to using each service. Evaluating both individual services and related cloud configurations is critical as CSP services evolve, new services are configured and deployed, and solution requirements and designs change.

Remember to include how (and how much) services will be used when specifying security configuration requirements. There are no one-size-fits-all solutions, and different configurations may require bespoke adjustments as processes and usage volumes evolve.
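To make the three practices above concrete, here is an added example (not code from the original post) of a small assessment routine that checks each planned service against a hardening baseline whose required parameters depend on how the service is used. The service types, parameter names and sample deployments are constructed for illustration and are not any provider's real settings; a service with no baseline at all is reported as a finding, since it has not yet been risk-assessed.

```python
"""Added example (not from the original post): assess PaaS service
configurations against a hardening baseline in which the required parameters
depend on how the service is used. Service types, parameter names and sample
deployments are constructed for illustration, not any provider's real names."""
from dataclasses import dataclass

# Constructed baseline: parameters under "always" are required for every
# deployment of the service type; those under "internet_facing" only when the
# service is exposed to the Internet.
BASELINE = {
    "managed_database": {
        "always": {"tls_required": True, "public_network_access": False,
                   "audit_logging": True},
        "internet_facing": {},
    },
    "object_storage": {
        "always": {"encryption_at_rest": True, "versioning": True},
        "internet_facing": {"anonymous_read": False, "access_logging": True},
    },
    "serverless_function": {
        "always": {"least_privilege_role": True},
        "internet_facing": {"auth_required": True, "rate_limit_enabled": True},
    },
}


@dataclass
class ServiceDeployment:
    name: str
    service_type: str
    internet_facing: bool
    config: dict


@dataclass
class Finding:
    service: str
    parameter: str
    expected: object
    actual: object  # None means the parameter was never set


def assess(deployment: ServiceDeployment) -> list:
    """Return one Finding per required parameter that is missing or wrong."""
    baseline = BASELINE.get(deployment.service_type)
    if baseline is None:
        # A service with no baseline has not been risk-assessed: report it
        # rather than silently passing it.
        return [Finding(deployment.name, "baseline", "defined", None)]
    required = dict(baseline["always"])
    if deployment.internet_facing:
        required.update(baseline["internet_facing"])
    findings = []
    for param, expected in required.items():
        actual = deployment.config.get(param)
        if actual != expected:
            findings.append(Finding(deployment.name, param, expected, actual))
    return findings


def assess_all(deployments) -> dict:
    """Map each deployment name to its findings; an empty list means compliant."""
    return {d.name: assess(d) for d in deployments}


# Constructed sample deployments.
SAMPLE_DEPLOYMENTS = [
    ServiceDeployment("orders-db", "managed_database", False,
                      {"tls_required": True, "public_network_access": True,
                       "audit_logging": True}),
    ServiceDeployment("public-assets", "object_storage", True,
                      {"encryption_at_rest": True, "versioning": True,
                       "anonymous_read": True}),
    ServiceDeployment("internal-reports", "object_storage", False,
                      {"encryption_at_rest": True, "versioning": True}),
    ServiceDeployment("legacy-queue", "message_queue", False, {}),
]

if __name__ == "__main__":
    for name, findings in assess_all(SAMPLE_DEPLOYMENTS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  {f.parameter}: expected {f.expected!r}, got {f.actual!r}")
```

The usage flag on each deployment is what makes the same service type carry different requirements, which is the point of specifying how a service will be used before fixing its security configuration.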


Automate deployment processes to reduce the risk of configuration errors

“Automation” is the systematic reuse and propagation of well-defined, standardized, and secured solution configurations. Cloud security efficiencies are driven by automated processes.

Any services, processes, or resource types with repeatable and reusable designs should be evaluated and automated where possible. Adhere to the following automation best practices to reduce risk:

Develop and manage design and code security using deployment templates. Once optimized, reusable secure-by-design architectures should be stored (e.g., as Infrastructure-as-Code or as Service Catalog configurations) to accelerate future deployments.

Evaluate and secure deployments in testing environments before proceeding with user acceptance and then production. Note that any adjustments and/or iterative releases should also be run through these environments prior to implementing into production.

Adopt an “automate everything” culture for security. Maximize automation to prevent human error from introducing CloudOps misconfigurations.

Strive for the ultimate goal of zero human administration in production environments, completely eliminating misconfigurations and illegitimate post-deployment access.
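The second practice above, that every adjustment goes through test and user acceptance before production, is easy to enforce when deployments are automated, because the pipeline can refuse to promote any artifact it has not already seen pass the earlier stages. The following added example (not from the original post) shows a promotion gate keyed on a content hash of the deployment template; the stage names and templates are constructed for illustration.

```python
"""Added example (not from the original post): a promotion gate that lets a
deployment template move test -> uat -> prod only when the identical artifact,
identified by a content hash, has already passed every earlier stage. Templates
and stage names are constructed for illustration."""
import hashlib
import json

STAGES = ("test", "uat", "prod")


def template_digest(template: dict) -> str:
    """Content hash of a template, independent of key order and whitespace."""
    canonical = json.dumps(template, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class PromotionLedger:
    """Records which stages each template digest has passed."""

    def __init__(self):
        self._passed = {}  # digest -> set of stage names

    def record_pass(self, template: dict, stage: str) -> None:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        self._passed.setdefault(template_digest(template), set()).add(stage)

    def can_promote(self, template: dict, target: str) -> tuple:
        """Return (allowed, reason) for deploying this exact template to target."""
        if target not in STAGES:
            return False, f"unknown stage {target!r}"
        digest = template_digest(template)
        earlier = STAGES[: STAGES.index(target)]
        passed = self._passed.get(digest, set())
        missing = [s for s in earlier if s not in passed]
        if missing:
            return False, f"artifact {digest[:12]} has not passed: {', '.join(missing)}"
        return True, f"artifact {digest[:12]} passed {', '.join(earlier) or 'nothing required'}"


# Constructed templates: V2 differs from V1 by a single parameter, so it is a
# new artifact and must start again at the test stage.
TEMPLATE_V1 = {"service": "object_storage", "name": "public-assets",
               "encryption_at_rest": True, "anonymous_read": False}
TEMPLATE_V2 = dict(TEMPLATE_V1, anonymous_read=True)


def run_example() -> dict:
    ledger = PromotionLedger()
    ledger.record_pass(TEMPLATE_V1, "test")
    ledger.record_pass(TEMPLATE_V1, "uat")
    return {
        "v1_to_prod": ledger.can_promote(TEMPLATE_V1, "prod"),
        "v2_to_prod": ledger.can_promote(TEMPLATE_V2, "prod"),
        "v2_to_test": ledger.can_promote(TEMPLATE_V2, "test"),
    }


if __name__ == "__main__":
    for label, (ok, reason) in run_example().items():
        print(f"{label}: {'ALLOW' if ok else 'BLOCK'} ({reason})")
```

Hashing the canonicalized template rather than tracking version labels means a "small" hand edit after UAT cannot slip into production under the old version's approvals.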


Secure CI/CD chains with frequent code security reviews

Poor Continuous Integration/Continuous Deployment (CI/CD) security can leave the pipeline overextended and application security inconsistent from one stage to the next. CI/CD chains can be secured with regular code reviews, automation, and best practices, including:

Secure CI/CD chains at all levels (processes, services, objects, and code).

Utilize tools (e.g., Checkmarx, tfsec) to centralize CI/CD oversight and control across multiple solution developments and deployments.

Entrench well-integrated DevSecOps skills and culture within DevOps cycles. Integration should encompass all related processes, tools, and expertise, including skills in agile teams with security champions and progressive training.

Foster a culture that leverages tools to augment cloud security skills – not to replace them. Automation can only amplify the skills of the existing team, and human oversight is required to supervise and calibrate cloud security processes.
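Centralized oversight across many pipelines usually comes down to one shared gate that consumes scanner output and applies the same policy everywhere, while leaving a reviewed, time-boxed exception path for the human judgement the last point above calls for. The following added example (not from the original post) implements such a gate. The report is constructed; its field names loosely follow the shape of tfsec's JSON results but are an assumption, not a specification of that tool's format.

```python
"""Added example (not from the original post): a central pipeline gate applied
to every solution's CI/CD run. It reads scanner findings and blocks the
deployment when any finding at or above a severity threshold is not covered by
a reviewed, unexpired exception. The report is constructed; its field names
loosely follow tfsec's JSON output but are an assumption, not a spec."""
import json
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scanner report (rule ids and file names are invented).
SAMPLE_REPORT = json.dumps({"results": [
    {"rule_id": "storage-no-public-read", "severity": "CRITICAL",
     "description": "Storage container allows anonymous read",
     "location": {"filename": "storage.tf", "start_line": 12}},
    {"rule_id": "db-enforce-tls", "severity": "HIGH",
     "description": "Database does not require TLS",
     "location": {"filename": "db.tf", "start_line": 40}},
    {"rule_id": "tag-missing-owner", "severity": "LOW",
     "description": "Resource has no owner tag",
     "location": {"filename": "db.tf", "start_line": 33}},
]})

# Constructed exception register: each entry is reviewed by a human and
# time-boxed, so the gate re-blocks the finding once the date passes.
EXCEPTIONS = {
    "db-enforce-tls": {"expires": "2030-01-01",
                       "reason": "constructed migration ticket reference"},
}


def parse_findings(report_json: str) -> list:
    data = json.loads(report_json)
    # A clean run may carry null instead of an empty list (assumption).
    return list(data.get("results") or [])


def gate(report_json: str, threshold: str = "HIGH",
         exceptions=None, today=None) -> dict:
    """Classify findings as blocking, excepted or tolerated; pass iff none block."""
    today = today or date.today().isoformat()
    exceptions = exceptions or {}
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking, excepted, tolerated = [], [], []
    for f in parse_findings(report_json):
        # Unknown or missing severity is treated as CRITICAL: fail closed.
        sev = str(f.get("severity", "")).upper()
        rank = SEVERITY_RANK.get(sev, SEVERITY_RANK["CRITICAL"])
        if rank < min_rank:
            tolerated.append(f)
            continue
        exc = exceptions.get(f.get("rule_id"))
        if exc and exc["expires"] >= today:  # ISO dates compare lexically
            excepted.append(f)
            continue
        blocking.append(f)
    return {"pass": not blocking, "blocking": blocking,
            "excepted": excepted, "tolerated": tolerated}


if __name__ == "__main__":
    result = gate(SAMPLE_REPORT, exceptions=EXCEPTIONS)
    print("PASS" if result["pass"] else "BLOCK")
    for f in result["blocking"]:
        loc = f.get("location", {})
        print(f"  {f['severity']} {f['rule_id']} at "
              f"{loc.get('filename')}:{loc.get('start_line')}")
```

Keeping the threshold and the exception register in one place, outside any single project's repository, is what lets the same rule apply to every pipeline, and the expiry date is what keeps an exception from quietly becoming permanent.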


Automate compliance assessments and remediations

Well-secured cloud enterprises and solution development architectures will expand rapidly. Compliance and remediation processes should be automated as much as possible to stay ahead of growth.

Establish this final foundational capability with best practices promoting automated compliance assessments and remediations, such as:

Leverage Cloud-Native CSP services to monitor logs and trigger compliance alerts.

Create dedicated accounts and leverage best-in-class provider subscriptions for log management and security treatments.

Augment data capture, consolidation, and analysis capabilities with specialists and third-party cloud platform tools.

Implement automated remediation for selected non-complex patterns (e.g., public exposure of a PaaS service, where a simple one-click remediation needs no human action).

Once established, automated compliance and remediation capabilities should be reviewed to ensure comprehensive coverage across all deployed solutions. Accelerated compliance assessments and responses execute simpler remediations quickly, leaving human administrators free to focus on major breaches.
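The split described in this section, machines handling the simple one-click pattern and humans handling the rest, can be expressed as a small triage step over the monitored log stream. The following added example (not from the original post) reads constructed audit-log events, automatically reverts a storage container that was switched to public access, escalates a privileged role assignment for human review, and ignores everything else, including its own corrective actions so it cannot loop on them. The event shapes, resource names and the cloud API stub are all constructed; a real implementation would call the provider's SDK in place of the stub.

```python
"""Added example (not from the original post): event-driven compliance
handling that auto-remediates one simple, well-understood pattern (a storage
container switched to public access) and escalates anything needing judgement
to a human. Events, resource names and the cloud API stub are constructed."""
import json

REMEDIATION_ACTOR = "svc-remediation@example.com"  # constructed service identity

# Constructed audit-log events, one JSON object per line.
SAMPLE_LOG = """
{"event": "storage.set_public_access", "resource": "bucket/customer-exports", "actor": "dev@example.com", "new_value": true}
{"event": "storage.set_public_access", "resource": "bucket/website-assets", "actor": "dev@example.com", "new_value": false}
{"event": "iam.role_assignment", "resource": "subscription/prod", "actor": "ops@example.com", "role": "Owner"}
{"event": "storage.set_public_access", "resource": "bucket/customer-exports", "actor": "svc-remediation@example.com", "new_value": false}
{"event": "compute.vm_start", "resource": "vm/batch-01", "actor": "scheduler@example.com"}
""".strip()


class RecordingCloudApi:
    """Stand-in for a provider SDK: records the calls it receives."""

    def __init__(self):
        self.calls = []

    def set_public_access(self, resource, enabled):
        self.calls.append(("set_public_access", resource, enabled))


def classify(event: dict) -> str:
    """'remediate' for simple patterns, 'escalate' for judgement calls, else 'ignore'."""
    if event.get("actor") == REMEDIATION_ACTOR:
        return "ignore"  # our own corrective action; never react to it (avoids loops)
    if event.get("event") == "storage.set_public_access" and event.get("new_value") is True:
        return "remediate"  # simple, reversible, no judgement needed
    if event.get("event") == "iam.role_assignment" and event.get("role") in ("Owner", "Administrator"):
        return "escalate"  # may be legitimate; a human decides
    return "ignore"


def process(log_text: str, api) -> dict:
    """Walk the log, apply the one automated fix, queue the rest for review."""
    outcome = {"remediated": [], "escalated": [], "ignored": 0, "malformed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            outcome["malformed"] += 1  # never silently drop undecodable input
            continue
        action = classify(event)
        if action == "remediate":
            api.set_public_access(event["resource"], False)
            outcome["remediated"].append(event["resource"])
        elif action == "escalate":
            outcome["escalated"].append({"resource": event["resource"],
                                         "actor": event.get("actor"),
                                         "event": event["event"]})
        else:
            outcome["ignored"] += 1
    return outcome


if __name__ == "__main__":
    api = RecordingCloudApi()
    result = process(SAMPLE_LOG, api)
    print("auto-remediated:", result["remediated"])
    print("escalated to humans:", result["escalated"])
    print("API calls made:", api.calls)
```

Because the remediation identity is excluded in `classify`, the corrective "set to private" event it generates is not re-processed, and the malformed counter keeps a parsing failure visible during the coverage reviews this section recommends.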


Although best practices are effective guidelines for cloud solution fortification, the exact implementation processes required will vary significantly from enterprise to enterprise. Consult a Wavestone specialist today for detailed guidance on optimizing your unique cloud security effectively.

This is the first in our 3-part blog series on securing cloud solutions. Stay tuned for Part 2 on advanced IAM considerations, publishing here on Thursday, October 12!

Talk to a Wavestone expert for bespoke advisory on safeguarding cloud solutions effectively with best practices tailored to your unique business needs.


Keith Worfolk
Principal Consultant

Keith is a client-focused IT executive, innovation expert, and trusted industry advisor with a consistent record of delivering visionary enterprise and Cloud solutions, platforms (IaaS, PaaS, and SaaS), and BI/analytics and AI/ML solutions via secure, scalable architectures for growing organizations.
