Cloud management and building a secure cloud environment is critical to ensuring your business has a strong security posture, but this is easier said than done. In the past, when the data center was fully within your control and you only had a single server to be concerned about, it was already challenging to uphold strong security posture management. Fast forward to the world of cloud, where we don’t have physical control over our data centers, the challenge grows a lot greater. Luckily, there is good news. Just because you don’t have physical control over your data center, doesn’t mean you can’t secure it.
So, the burning question is: what should and can we do to build a secure cloud? Even if your security posture is strong today, there is no guarantee it will be tomorrow. Hackers are always looking to get around the new defenses being implemented, so you need to stay a step ahead. Otherwise, the hackers will make their way in and may cause devastating consequences to the business. Preventing an attack on your business requires careful planning, using tactics such as the Deming Cycle of Plan-Do-Check-Act, an iterative four-step management method used in business for control and continuous improvement.
“For convenience, some CISOs may think that inexperienced people coming from on-premises culture can be cloud administrators. This is an error. Cloud management has no room for amateurs.” says Douglas Bernardini, Cloud Specialist
Not so easy, huh? Luckily, Microsoft Azure, AWS, and GCP have created several white papers on the Well-Architected Framework to explain cloud architectural design principles that can help guide you through the process. For example, in the case of an Amazon S3 bucket, you need to remember to disallow public read access, ensure logging is enabled, use customer-provided keys to ensure encryption is on, and so on.
With so many cloud services and resources, it can be a lot to remember what to do and what configurations should be there. However, as you can see from the links to the articles on infrastructure configuration, Trend Micro has lots of information about what should be done to build cloud architecture to best practice levels. The Trend Micro Cloud One™ – Conformity Knowledge Base contains 1,000 best practice articles to help you understand each cloud best practice, how to audit, and how to remediate the misconfiguration.
Automation is an essential step to minimize the risk of a breach, always scanning and providing feedback to stay ahead of the hackers. For anyone building in the cloud, having an automated tool that continuously scans your cloud infrastructure for misconfigurations is a thing of beauty, as it can ensure you are always complying with those 1,000 best practices without the heavy lifting. If you would like to be relieved from manually checking for adherence to well-architected design principles, sign up for a free trial of Conformity. Or, if you’d like to see how well-architected your infrastructure is, check out the free guided public cloud risk self-assessment to get personalized results in minutes.
Conformity and its Knowledge Base are based on the AWS and Azure Well-Architected Frameworks, which are defined by six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability.
Each of these pillars has its own set of design principles, which are extremely useful for evaluating your architecture and determining if you have implemented design principles that allow you to scale over time.
Starting with the Operational Excellence pillar, creating the most effective and efficient cloud infrastructure is a natural goal. So, when creating or changing the infrastructure, it is critical to follow the best practices outlined in the AWS Operational Excellence pillar, which has two objectives:
1. Running workloads in the most efficient way possible.
2. Understanding your efficiency to be able to improve processes and procedures on an ongoing basis.
The five design principles within the Operational Excellence pillar
To achieve these objectives, there are five critical design principles that can be utilized:
Perform operations as code, so you can apply engineering principles to your entire cloud environment. Applications, infrastructure, and so on, can all be defined as code and updated as code.
Make frequent, small, reversible changes, as opposed to large changes that make it difficult to determine the cause of the failure—if one were to occur. It also requires development and operations teams to be prepared to reverse the change that was just made in the event of a failure.
Refine operations procedures frequently by reviewing them with the entire team to ensure everyone is familiar with them and determine if they can be updated.
Anticipate failure to ensure that the sources of future failures are found and removed. A pre-mortem exercise should be conducted to determine how things can go wrong, so the team is prepared.
Learn from all operational failures and share them across all teams. This allows teams to evolve and continue to improve their procedures and skills.
CI/CD is good, but to ensure operational excellence, there must be proper controls on the process and procedures for building and deploying software, which include a plan for failure. It is always best to plan for the worst, and hope for the best, so if there is a failure, we will be ready for it.
With data storage and processing in the cloud, especially in today’s regulatory environment, it is critical to ensure we build security into our environment from the beginning.
There are several critical design principles that strengthen our ability to keep our data and business secure; here are the seven recommended by the Security pillar:
There are several security tools that enable us to fulfill the design principles above. AWS has broken security into five areas that we should configure in the cloud:
What is essential to remember is that the security of a cloud ecosystem is a shared responsibility. AWS and Azure have defined where responsibility lies with them versus where it lies with the customer. It is good to review the AWS and/or Azure shared responsibility models to ensure you are upholding your end of the deal.
Reliability is important to think about for any IT-related system. IT must provide the services users and customers need, when they need it. This involves understanding the level of availability that your business requires from any given system.
When it comes to the Reliability pillar, just like the others, AWS has defined critical design principles:
With availability being at the core of this pillar, it is good to understand its definition. AWS defines availability as:
Moving right along, the fourth pillar, Performance Efficiency, focuses on your ability to use computing resources as efficiently as possible and maintain that efficiency as the demands from the business change and technologies evolve.
In order to fulfill the pillar of Performance Efficiency, the following design principles should be adhered to:
Justifying business spending on any given service is no cakewalk. Cloud does not change that. In fact, it could be more difficult to justify because it changes the way businesses look at their IT cost. Traditionally, IT is a capital expenditure, meaning equipment is purchased based on the prediction that it will be used for the next three to five years.
With cloud services, money is spent as an operational expenditure, which means that money is spent on the services needed and used each month. There are many choices when configuring and building cloud environments that make a difference to your bottom line; therefore, it is important to strike a balance between the money spent on services and what you actually use.
To help you make the most informed decision, let’s take a look at the design principles for Cost Optimization:
The newest Well-Architected Framework Pillar focuses on environmental impact; this may seem odd considering you’re building in the cloud, an intangible environment. However, since you’re using energy to build your cloud workloads, you’re negatively impacting the environment via indirect emissions. The Sustainability pillar helps you understand the impact of services used, how they’re typically accounted for, and the follow-on impacts to your organization’s own emissions counting. By adhering to the design principles, you can build architectures that maximize efficiency and minimize waste—a win-win for cloud builders and their organizations.
Cloud services provide so many advantages to so many different types of businesses; however, these advantages are coupled with the fear of change. The technology available today is simply amazing and it is hard to imagine what we will have in the future. It is possible to design and engineer a secure infrastructure that allows businesses to take advantage of the cloud and evolving technology while still protecting data, taking into consideration the services needed, the locations of the end users, data security requirements, and budget management. Attention and care will allow your business to utilize the cloud in the most efficient, secure, and cost-effective manner. So explore, evolve, and push the technology boundaries for successful business management!
https://www.trendmicro.com/en_no/devops/20/l/well-architected-framework-guide.html