Safeguarding cloud-based applications and data is still new and complex. The industry continues to experience breaches, exposing customer records numbering in the hundreds of millions.
But there are security measures that can be put in place to prevent this. An effective way to tackle cloud security is to break down security concerns into manageable parts and organize them based on areas of abstraction. This approach enables you to understand what’s needed and helps you prioritize your efforts accordingly. A framework you can follow is seen in the figure below, which has been adapted from the Open Systems Interconnection model (OSI model).
How can you use this framework to take charge of your cloud security and develop a strong, multifaceted strategy that appropriately safeguards your digital assets? Let’s take a closer look.
The 7-layered defense against cybersecurity risks
For cloud security, there are seven layers you need to address to protect your organization. The seven hierarchical layers are arranged here in the shape of a pyramid (see Fig. 1), with the foundation for cloud security at the bottom. Identifying and implementing solutions at each layer is essential to creating a strong defense against intruders and cyber risks.
- Data. The data layer requires applying relevant defenses for database, content and messaging security. This includes encrypting data at rest and in transit; using secure transit methods like VPNs; implementing data lifecycle management; controlling secrets like security keys; and deploying a security information and event management (SIEM) solution for real-time alerts, logs, reporting, and compliance. However, it’s important to remember that data security relies on measures taken in all the other security layers.
- Applications. Securing your applications depends on addressing three critical areas: access control, vulnerability management, and monitoring. Access control best practices include giving role-based rights in an enterprise and logging every access for traceability. For vulnerabilities, adopt automated tools to scan programming code, and harden all of your applications against the top 10 Open Web Application Security Project (OWASP) risks. Monitoring should combine traditional policy-based models with today’s AI-enabled user and entity behavior analytics (UEBA) tools for faster anomaly detection. Such approaches can also quarantine suspicious connections and alert the appropriate staff member when human remediation is necessary. Penetration testing (pen test), an authorized simulated cyberattack, should also be performed to evaluate the security of the applications.
- Host (Provider’s) Network. Ask your provider to supply robust modern infrastructure solutions, security methods and breach remediation, with AI-enabled detection as part of the mix. Beyond the contractual obligations that you negotiate, insist on validation processes that ensure your provider is completing all necessary security, configuration and upgrade tasks on time. Be certain to require detailed reporting on every test attack, to help you uncover any insufficiencies. Additionally, deploy malware protection for devices that access your host’s systems, regardless of whether they’re a desktop or mobile solution. Pen testing at this layer is also required.
- Enterprise Network. Your firm is responsible for security “in” the cloud, which also means the transport systems that move data between your internal network and your provider’s infrastructure. In practice, it means addressing items such as firewalls, operating systems, configurations, segmentation, traffic encryption, server encryption, messaging protection, data integrity checks, and attack prevention. You’ll also need to conduct periodic pen tests to evaluate defenses and uncover any new security gaps.
- Perimeter. As ‘perimeter’ now encompasses both cloud-based and on-site infrastructure, many insurers are adopting a “zero-trust” approach. That’s because 60 percent of hacking incidents still exploit stolen credentials, according to Verizon’s latest data breach report, making even your most trusted credentials inherently untrustworthy. In a nutshell, zero-trust is a software-defined method where nothing and no one is given access until an advanced verification process is completed. Zero-trust typically includes identifying and protecting your most critical assets, across all enterprise solutions, as this is a smaller sub-set of all assets. To do so, additional layers of inspection and enforcement are implemented to prevent threat infiltration and asset exfiltration.
- Physical Access. One of the two foundational layers, physical access is vital to supporting all your cybersecurity approaches. In addition to traditional mechanisms, like door locks, badges, cameras, and security guards, leading organizations are also deploying security robots to roam indoor and outdoor spaces. Such bots can detect credentials as well as send live HD streaming video to uncover and document suspicious behavior as it unfolds. With a move to the cloud, this layer of security is no longer your responsibility; it is the responsibility of your cloud provider to ensure that physical access to your assets is protected.
- Policies, Procedures & Awareness. Perhaps the most overlooked security measure is also the most fundamental. Although it’s critical to know how to detect and respond to threats, it’s equally important to detail how employees can avoid scams, the steps required if a person believes that a mistake has been made, and what everyone should do if a breach is detected. A key aspect of this process is ongoing employee education that includes providing incentives for reporting suspicious activities - whether it’s an email phishing attempt or a fellow employee acting outside of the norm.
How do I get started?
A good first step to creating an effective strategy for securing your seven layers is to develop a comprehensive governance model. Strong cybersecurity governance comprises the following:
- Security at all layers
- Principle of least privilege
- Secured systems
- Security best practices automation
With appropriate governance as a building block, you can protect data and systems across all seven security layers while delivering business value through risk assessments and mitigation strategies. To get started, check out the related blog, Cloud Security: Concerns to address and 5 critical steps for protecting your assets, for critical insights and tips.