Mike Tyson of the Cloud

Cloud Security for Newly Distributed Engineering Teams

Security is the most important concern when you’re considering adopting a cloud solution and when running your cloud deployments. I absolutely needed to challenge Brainboard on how it could help you solve this concern.

Here are some basic rules to keep in mind to set up efficient guardrails:

3 Keys to Understand Cloud Security

Cloud computing is an environment where things are constantly changing, yet the goals of security remain the same: make sure systems work as intended, and only as intended. Therefore, many base concepts need to be redefined:

  • Perimeter: Every cloud environment is in essence a trust network. Security policies should therefore always be focused on identity and access management, i.e. on hardening authorization for suspect accounts; both user identities and the specific assets requiring protection should be subject to careful scrutiny. Traditional security measures like firewalls fail in a cloud environment, as they focus only on the perimeter, while the real risks come from inside the network.
  • Scalability: The cloud security framework should leverage the dynamic and adaptive nature of a cloud infrastructure. Existing solutions are static in nature and fail to take this evolution into account. We therefore suggest adopting an adaptive cloud security framework that is aware of the infrastructure's dynamism and able to adapt to its evolution and policies in real time.
  • Monitoring: The threat landscape evolves as rapidly as new cloud resources are made available and new attack vectors are found. The added complexity of dynamic systems is a liability: breaches are harder to spot, and attacks grow more sophisticated, making it difficult to stay up to date and report on what you know is happening.

What does it take to secure your cloud?

Securing your cloud is a long-term goal that needs constant monitoring and optimisation.

Here are a few key points that would keep you in the loop:

  • Build your organization with the right capability and capacity: To build great team rituals, joining forces between engineers is key to securing your architectures, environment, and peers. In short, all engineers working under one roof (Brainboard is a great example of a solution to use).
  • Define cloud security standards and implement technical security controls: Encryption, both in transit and at rest, is a best practice challenged by P&G and remains common for enterprise-level infrastructure.
  • Security controls are defined and centrally implemented by the Cloud team: Best practices include self-provisioning scripts with security controls built in and automation of configuration management.
  • Implement intelligent operations: Best practices include monitoring and observability over the IaC; reporting and analytics over your team effort; event management; and self-healing and automation, thanks to Kubernetes and/or Docker.

How to Achieve Cloud Security?

Cloud Security DevSecOps - DevSecOps stands for development, security, and operations. It's an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle.

Securing your infrastructure is not implemented post-deployment. It is incorporated into the design. ‘Secure by Design’ is a great rule to remember.

Here is a checklist worth your time:

  • Preventive and detective solutions to reduce security control drift, thanks to RBAC, micro-segmentation, Privileged Access Management, or multi-factor authentication, especially at the infrastructure and application levels.
  • Define security controls for each PaaS service before use, thanks to WAF and API gateways.
  • DevSecOps: Integration of security tools with CI/CD, thanks to DDoS and bot protections.
  • Comprehensive security architecture reviews of applications with higher data classifications.
  • Logging and monitoring, thanks to VDI and identity-aware access to applications and resources.

Importance of The Least Privilege Access

Why is the Principle of Least Privilege Access important in the Cloud?
Many reasons, but mainly because:

  • It reduces the overall attack surface in the Cloud
  • It increases regulatory compliance
  • It limits the damage that can result from accidents, errors, or compromised credentials

Best practices for implementing The Least Privilege Access in the Cloud:

  1. Discover and classify your sensitive data
  2. Implement Role-Based Access Control (RBAC)
  3. Identify and remove inactive user accounts
  4. Use cloud-native tools or features that help create least privilege access
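
An added example for steps 3 and 4 (not part of the original post): a Python audit of a provider-generated credential report that flags credentials still enabled but idle, plus console passwords without MFA. It assumes AWS and the column names of its IAM credential report; the sample rows and the 90-day threshold are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using column names from the AWS IAM credential report
# (a subset of its columns); the users and dates are made up.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,2024-05-28T09:12:00+00:00,true,false,N/A,false,N/A
bob,true,2023-11-02T14:30:00+00:00,false,true,2023-10-20T08:00:00+00:00,false,N/A
ci-deployer,false,N/A,false,true,2024-05-30T23:59:00+00:00,false,N/A
old-contractor,true,no_information,false,true,N/A,false,N/A
"""

def _parse_ts(value):
    """Return a datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credentials(report_csv, now, max_idle_days=90):
    """Map user -> findings for enabled-but-idle credentials and missing MFA."""
    cutoff = now - timedelta(days=max_idle_days)  # 90 days is an assumed policy
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        creds = [("password", row["password_enabled"], row["password_last_used"])]
        for n in ("1", "2"):
            creds.append((f"access_key_{n}", row[f"access_key_{n}_active"],
                          row[f"access_key_{n}_last_used_date"]))
        issues = []
        for name, enabled, last_used in creds:
            if enabled != "true":
                continue  # disabled credentials cannot be used, skip them
            used = _parse_ts(last_used)
            if used is None:
                issues.append(f"{name} enabled, no recorded use")
            elif used < cutoff:
                issues.append(f"{name} idle since {used.date()}")
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        if issues:
            findings[row["user"]] = issues
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for user, issues in audit_credentials(SAMPLE_REPORT, now).items():
        print(user, "->", "; ".join(issues))
```

Service accounts such as `ci-deployer` pass only because their key is in active use; a finding is a prompt to disable the specific idle credential, not necessarily to delete the user.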

Brainboard & Cloud Security

At Brainboard, we’ve implemented and are constantly improving all the best practices for you to implement them within your infrastructure. Map out processes and best practices to identify and mitigate risks, visualize dependencies & vulnerabilities and improve training and onboarding.

Try it here →

(free until you’re ready to Deploy)

Conclusion

Each infrastructure or application has its own security posture, growth rates and threat landscape, depending on multiple factors. Thus, there is no guidebook to follow but only best practices you can learn by doing them, at an individual level or within your team.
