Evaluating the Effectiveness of Your Cloud Security Program


4.10.19
By Kurt Hagerman, CxO Advisor, Coalfire

You’re in the cloud, but do you know what your security exposure is? You may not realize it, but you’re already using the cloud – likely in more ways than you know. Many security professionals don’t think their cloud environments would pass compliance audits if they occurred today. As cloud adoption grows and cloud services become more numerous and complex, you need to understand how to safely operate in the cloud and leverage available cloud services and applications.

While the security mission is the same, how you implement security in the cloud is different from what you’re used to. Legacy security models and tools don’t work in today’s cloud environment, and yet many organizations continue to use them. A cloud security health check provides insight into your current cloud usage and security posture across your cloud use cases. It can help you quantify the ways you’re leveraging cloud services and applications, as well as identify critical gaps in security processes and controls, leaving you with a road map based on best practices to guide you in shoring up the security of your cloud usage.

Cloud governance

Establishing a position and policies for using cloud services is the first step to ensuring that your organization is in control of cloud usage. It’s important to conduct interviews with your key stakeholders to determine what your organization’s policies are for the use, selection and ownership of cloud services. Business unit-leadership should be queried about their use of cloud-based applications, too, and your risk management and security awareness programs should be assessed.

Identity and access management (IAM)

Properly managing and controlling access to cloud services are critical to ensuring data security.

You should review your access control policies and use of centralized (federation, single sign-on) and multifactor authentication for remote and privileged access. Also pay close attention to your management of cloud service access.

Data protection

This area is often misunderstood regarding who is responsible for the security of your data in cloud applications and services. It’s important to look at the use of data encryption, both in-transit and at-rest, as well as what steps you’ve taken to ensure that data is not transferred outside your organization’s control without adequate protection.

Infrastructure security

This area focuses on specific security controls you have in place to protect any cloud environments your organization has implemented and includes network security; configuration, vulnerability, and threat management; malware/crimeware protection; and security event logging, monitoring and notification. In this area, you need to review:

  • Network security: segmentation, IDS/IPS, web application firewalls, denial of service (DoS) protection
  • Configuration, vulnerability and threat management: configuration consistency and change monitoring, participation in threat and vulnerability sharing programs, and vulnerability management including scanning and patching
  • Malware/crimeware protection: deployment of host-based intrusion detection system (IDS) and malware protection to systems that require them
  • Logging and monitoring: Log collection from your systems, applications, security tools and cloud services, event correlation, alerting and notification (SIEM), and security automation

Application Security / Secure Development/Resilience/Security Testing

For in-house developed applications, be sure you have implemented a systems development life cycle (SDLC) that includes secure coding techniques, static and dynamic scanning of your code, and secure code deployment. And evaluate your incident response, data backup and high availability processes.

Also, review your internal and external auditing and penetration testing (system, network and application) efforts.

Businesses are embracing the cloud at a rate that outpaces their ability to secure it. But becoming a cloud-enabled organization doesn’t just mean securing data and meeting compliance and governance requirements. As you deploy more apps in the cloud and cloud adoption grows, you need to monitor your cloud security maturity on a regular basis to ensure you’re maximizing the productivity and cost benefits of cloud services.


More AEHIS News