Cloud Security

As the world shifts to cloud computing, a paradigm change means it’s necessary to rethink security. The existing principles still apply in some way; however, they have a different context. Nuvolo Sicuro take well known security frameworks and standards such as CIS, AWS Well-Architected Framework & Azure Security Benchmark, but also apply real world experience to give them clarity and meaning. We also draw on the lessons from the legacy on-prem world, putting those to good use.


DevSecOps

The DevOps model by default does not consider security as an integral part of the methodology. In response the security indusutry has developed the concept of 'DevSecOps'. Each implementation of DevSecOps is bespoke to the development and operational landscape of the organisation but can be reflected through a number of key features. Application security is at the heart with the key objective of automating the security tooling as far as is practical. Other features such as threat modelling and continuous scanning also play a key part.


DevSecOps requires a paridigm shift to one of enablement.

Nuvolo Sicuro

DevSecOps requires a paridigm shift to one of enablement meaning that developers, delivery, and project functions should have the knowledge, confidence, and tools to identify and report security issues.


Data Security

Cloud technologies make it easier than ever to store data in a redundant, accessible way. However, there’s certain nuances that mean a slight administrative error could result in data being publicly exposed. How do you manage this risk? How best do you use Shared Access Signatures in Azure blob storage? What about publicly accessible S3 buckets? Tools like Shodan and LeakLocker make it simple for adversaries to find these common misconfigurations. And they’re all over the news.


Detection Controls

The golden rule of InfoSec still applies to the cloud; visibility is key. If you can’t see it, you can’t detect it. Suitable XDR, threat intelligence, CloudWatch/Sentinel/SIEM and firewall logs are examples of detection controls that can not only identify intrusion attempts but can also assist with the isolation of infected endpoints.


IAM

Least privilege, zero trust and segregation of duties. These are key principles of any solid IAM framework. As organisations shift to the cloud, an opportunity to “clean up” legacy, overly permissive privileges can be seen. No longer do we have to leave a very old system in a state of privilege disarray, in fear of breaking anything; only grant what the user (or administrator) needs to do their role.


Infrastructure and Network Security

Various challenges such as root passwords and general out of the box operating system configuration need to be addressed. A Windows 10 IaaS VM isn’t secure at the time of deployment. In fact, there’s a lot of margin for error; RDP or SSH services being exposed to the internet for convenience being an example. Your organisation’s perimeter boundaries are changing- the “edge” is no longer a DMZ firewall within a data centre.

cloud security