The frenetic pace and growth of digital business impacts the way companies are using the cloud to reduce costs, increase agility, and deliver services faster. At the same time, news of security breaches is becoming commonplace, impacting the brand equity of organizations. Security is not only seen as a threat to cloud initiatives – it’s also an opportunity to adopt better and stronger security. With that in mind, here are four security best practices to consider while navigating your way through the cloud:
- Use separate tenants when it makes sense. At its core, cloud computing is about sharing IT resources more effectively. But sharing introduces potential security risks, as one user (or tenant) may access another user’s resources or data. Controlling who has access to specific resources and isolating those resources can help prevent “bad actors” from gaining unauthorized access, and can also drive more effective use of your cloud. For example, isolating workloads and user access can help ensure that your software engineering team doesn’t have access to your business or HR records. With Role-Based Access Control (RBAC), you can help drive your users to the most business-appropriate cloud services based on their role. So, while a developer might want to use 15 reserved instances of AWS, the developer might be limited by business rules that permit only five instances in the corporate private cloud.
Organizations involved in brokering cloud services for users, especially those involving public clouds or external users, are strongly encouraged to build in multi-tenancy from the start. By breaking up your cloud into separate tenants, you can isolate workloads and assign access to different network segments, helping to reduce the risk of unauthorized access or resource sharing.
As an example, a company that provides private cloud solutions uses BMC Cloud Lifecycle Management (CLM) multi-tenancy and RBAC capabilities to logically separate the business activities of its clients. Because the tenants are separated logically, the company can use intelligent placement to rapidly shift customer workloads from one system to another to maintain performance without compromising security. This provider uses CLM to manage physical and virtual systems together with public, virtual, and private clouds, on or off premises. Customers benefit by experiencing the speed and agility of the cloud with the same level of security, privacy, and reliability found in traditional IT environments, and the cloud services provider enjoys better resource utilization and efficiency.
- Measure workloads for compliance against applicable standards. It’s important to deploy cloud workloads to meet regulatory standards (such as HIPAA, SOX, and PCI) that will help ensure security and integrity. Once deployed, you need processes and automation in place to periodically check that configurations haven’t drifted from their desired states. Establishing a level of compliance that’s built into the images and deployed is a good starting point. However, from the moment those images are captured and put into an image repository, they begin to grow stale. Once they are patched, the images need to be updated and replaced. In addition, standards change, new threats are identified, and remediation actions against those threats also change.
With CLM, all of the servers that are provisioned get registered for ongoing configuration management activities, including compliance management. By using declarative blueprints, you can specify policies for specific workloads. With integration to Remedy ITSM change management and CMDB, you can track who made changes to cloud resources to better ensure environmental compliance.
An investment research firm, for example, uses BMC solutions to manage its cloud environments. The company uses blueprint technology to automate the design, management, and governance of cloud environments while provisioning servers and patches. It also performs automated compliance checks for SOX and PCI DSS standards to alert staff of compliance issues.
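The periodic drift check described in this practice can be sketched as follows. This is an added example, not BMC or CLM code; the baseline settings, host names and values are constructed for illustration.

```python
# Added example: detect configuration drift from a declared baseline.
# All setting names, hosts and values are constructed for illustration.

def flatten(cfg, prefix=""):
    """Flatten nested settings into {'ssh.PermitRootLogin': 'no', ...}."""
    flat = {}
    for key, value in cfg.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat

def find_drift(desired, observed):
    """Return sorted (setting, expected, actual) tuples for every deviation.

    A setting missing from the observed state is reported with actual=None:
    an absent control counts as drift, not as a pass.
    """
    want, have = flatten(desired), flatten(observed)
    return sorted(
        (path, expected, have.get(path))
        for path, expected in want.items()
        if have.get(path) != expected
    )

def audit(desired, fleet):
    """Map each non-compliant host to its list of drifted settings."""
    report = {}
    for host, observed in fleet.items():
        drift = find_drift(desired, observed)
        if drift:
            report[host] = drift
    return report

BASELINE = {  # constructed desired state for one workload type
    "ssh": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "tls": {"min_version": "1.2"},
    "auditd": {"enabled": True},
}
FLEET = {  # constructed observed state, as a collection agent might report it
    "app-01": {"ssh": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
               "tls": {"min_version": "1.2"}, "auditd": {"enabled": True}},
    "app-02": {"ssh": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
               "tls": {"min_version": "1.2"}},
}

if __name__ == "__main__":
    for host, drift in audit(BASELINE, FLEET).items():
        for path, expected, actual in drift:
            print(f"{host}: {path} expected={expected!r} actual={actual!r}")
```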
- Use automation to remediate vulnerabilities quickly. It’s common knowledge that hackers tend to exploit vulnerabilities that have not yet been patched, even though a patch has been available. In fact, 80 percent of attacks exploit a known vulnerability. To be more secure in the cloud, you must tie operations more closely to security. By connecting the technology that these groups use, vulnerabilities can be found and patched quickly and automatically, which reduces risk. Your vulnerability scanning tool, for example, should be able to connect and merge vulnerability scan results into an actionable set of server targets. The vulnerabilities can be prioritized, tracked, and passed through change management approvals as they are remediated.
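One way to merge scan results into a prioritized set of server targets, as an added example that is not taken from any BMC product. Hosts, scores and finding IDs are constructed placeholders (not real CVEs), and treating a finding as actionable only when a patch exists is an assumption made here.

```python
# Added example: merge findings from two scanners into ranked server targets.
# Hosts, finding IDs and scores are constructed; IDs are placeholders.

def merge_findings(*scans):
    """Deduplicate on (host, vuln_id), keeping the highest reported score."""
    merged = {}
    for scan in scans:
        for f in scan:
            key = (f["host"].lower(), f["vuln_id"])  # scanners differ in case
            merged[key] = max(merged.get(key, 0.0), f["score"])
    return merged

def build_targets(merged, patch_available):
    """Group by host; rank hosts by worst patchable score, then by count."""
    hosts = {}
    for (host, vuln_id), score in merged.items():
        if vuln_id in patch_available:  # assumption: actionable = fix exists
            hosts.setdefault(host, []).append((score, vuln_id))
    targets = []
    for host, items in hosts.items():
        items.sort(reverse=True)  # worst finding first within a host
        targets.append({"host": host, "worst": items[0][0],
                        "vuln_ids": [v for _, v in items]})
    targets.sort(key=lambda t: (-t["worst"], -len(t["vuln_ids"]), t["host"]))
    return targets

SCAN_A = [  # constructed output of a first scanner
    {"host": "db-01", "vuln_id": "VULN-0001", "score": 9.8},
    {"host": "web-01", "vuln_id": "VULN-0002", "score": 7.5},
    {"host": "web-01", "vuln_id": "VULN-0003", "score": 5.3},
]
SCAN_B = [  # constructed output of a second scanner
    {"host": "DB-01", "vuln_id": "VULN-0001", "score": 9.1},
    {"host": "web-02", "vuln_id": "VULN-0002", "score": 7.5},
    {"host": "web-02", "vuln_id": "VULN-0004", "score": 8.8},
]
PATCHED = {"VULN-0001", "VULN-0002", "VULN-0003"}  # findings with a fix

if __name__ == "__main__":
    for t in build_targets(merge_findings(SCAN_A, SCAN_B), PATCHED):
        print(t["host"], t["worst"], ",".join(t["vuln_ids"]))
```

The ranked list is what would then be handed to change management for approval and tracking; findings without a fix would need a separate mitigation queue.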
- Automate compliance audit reporting to prove compliance. Nearly every enterprise faces regulations that they must comply with, such as PCI-DSS, SOX, and HIPAA. However, providing an audit trail to demonstrate compliance can be completely manual and time consuming. The challenge is compounded by multi-cloud environments that span owned (private cloud) or rented (public cloud) assets.
Auditors expect organizations to have a verification function to produce evidence to demonstrate how they attain compliance. In many industries, these materials are required on a recurring basis, such as quarterly. Automation eliminates the extensive manual effort involved with producing an audit report and makes this data available on demand. For example, a large company that provides financial services to more than 20 million people worldwide uses BMC’s closed-loop compliance process and has slashed resolution times for compliance issues from days – or even weeks – to minutes. They also reduced the auditing preparation effort from six people working in a room for a week to one person spending just a few hours on this task.
IT is under constant pressure to be more flexible and respond quickly to business needs. As more activity moves to the cloud, this situation intensifies. That means IT must maintain a state of constant compliance that includes verifying, generating effective audits, and remediating vulnerabilities quickly.
Want to make your cloud more secure, smart, and reliable while delivering greater business agility? Watch this personalized demo about how BMC Cloud Lifecycle Management can help your organization.