Eliminate Critical Risks in the Cloud

Uncover and remediate the critical severity issues in your cloud environments without drowning your team in alerts.

Cloud Security Best Practices

8 essential cloud security best practices that every organization should start with

6 minutes read

Cloud security: A refresher

Cloud security, often called cloud computing security, encompasses a broad range of policies, technologies, applications, and controls to protect data, applications, services, and the associated infrastructure of cloud computing. It falls under the umbrella of IT-related security terms, including network security, computer security, and, more generally, information security.

With our growing dependence on cloud services, safeguarding these systems is of utmost importance. Integrating cloud security throughout the software development lifecycle safeguards sensitive data and ensures the integrity and availability of services businesses and individuals depend on daily.

From the security perspective, the main components of cloud architecture are as follows:

  • Compute: This is the backbone of the cloud, providing the processing power required to run applications. It can adjust in size depending on the demand, guaranteeing cost efficiency and peak performance.

  • Storage: Cloud storage solutions offer a place to save data in the cloud, which can be accessed anytime, anywhere. It's crucial to ensure this data remains secure from unauthorized access or breaches.

  • Network: This component ensures connectivity between users, data, and applications. A secure network ensures that data in transit won’t be tampered with or eavesdropped on.

  • Identity and Access Management (IAM): IAM systems restrict access to cloud resources so only authorized users can make use of them. IAM security is a crucial component in safeguarding sensitive data and applications.

Cloud security and the shared responsibility model

Cloud security is a two-way street: it’s a combination effort between the cloud provider and the user. On the cloud provider side, the duties include ensuring the security of the infrastructure they operate and own, while it’s up to users to secure the data they put in the cloud and its access. This shared responsibility model provides that both parties play their part in maintaining a secure cloud environment.

What makes cloud security challenging?

The cloud has robust security features, but that doesn’t mean there aren’t challenges involved. Some of the common hurdles many organizations face include:

  • Constantly evolving cyber threats

  • Human error, which can lead to breaches and data loss

  • Misunderstanding of the shared responsibility model, leading to security gaps

  • Strict requirements to achieve and maintain compliance with regional or industry-specific regulations

  • Ensuring the security of third-party applications integrated with cloud services

The following section will explore best practices and recommendations to ensure a secure cloud environment in light of these challenges.

Best practices and recommendations to make the cloud more secure

The following practices and action items form a bedrock foundation for a secure cloud environment. By adhering to these recommendations, organizations can significantly reduce their risk profile and ensure a safer cloud experience. We recommend starting with these eight best practices:

  1. Enable MFA

  2. Follow the principle of least privilege

  3. Perform regular audits

  4. Keep your data encrypted

  5. Back up data on a regular basis

  6. Secure your APIs

  7. Keep up with patch management

  8. Harden your network security

1. Enable multi-factor authentication (MFA)

MFA requires a second method of authentication in addition to a password to access a resource. MFA emerged as a response to the limitations of password-only authentication, with an increasing number of cyberattacks targeting user credentials.

By adding another barrier to intruders, MFA reduces the chance that anyone without access permission will get through the door. Even if an attacker manages to get their hands on a user's password, they would still need the second factor (such as a one-time code sent to a phone) to gain access.

It’s highly recommended for admins and super admins of cloud accounts to leverage non-phishable factors, such as WebAuthN or YubiKeys, to further enhance security. Utilizing such advanced authentication methods ensures a robust defense against phishing attempts and other cyber threats.

MFA Overview in Azure Cloud (Source: Azure, click the image view the link)

Recommended actions:

  • Enable MFA for all cloud accounts, especially admin accounts

  • Inform users about the significance of MFA and offer guidance on how to utilize it

  • Regularly review and update MFA settings to stay up to date with new standards

2. Follow the least-privilege principle

The principle of least privilege (PoLP) is a concept in IT security that demands every user and process should have only the minimal access required to perform their functions. By adhering to PoLP, the potential damage from breaches or insider threats is minimized. Unauthorized data access or system changes become significantly more challenging. 

An example IAM policy can be defined as follows only to give listing access to a bucket: 

{
   "Version": "2012-10-17",
   "Statement": {
       "Sid": "ListObjectsInBucket",
       "Effect": "Allow",
       "Action": "s3:ListBucket",
       "Resource": "arn:aws:s3:::example-s3-bucket"
   }
}

Recommended Actions:

  • Review user roles and permissions regularly

  • Assign roles based on job functions

  • Regularly review machine identities

  • Promptly remove access for individuals who change roles or depart from the company.

  • Periodically review the business need for granting access to specific personas/roles

3. Perform regular audits

As cloud environments grow and change, configurations can drift from security best practices. Regular audits help identify and rectify these discrepancies. Audits ensure continuous compliance with security standards, reducing the risk of breaches due to misconfigurations.

AWS Audit Manager - Audit Overview (Source: AWS Blog, click the image view the link)

Recommended actions:

  • Schedule periodic security audits

  • Use automated tools to continuously monitor configurations

  • Address audit findings promptly and document changes

4. Keep your data encrypted

To prevent unauthorized access or data being intercepted, it's crucial to encrypt data both when it's stored and while it's being transferred. Through encryption, data remains confidential. So, even in the event of a breach, the data stays indecipherable without the decryption key.

Encryption for in-transit data in GCP (Source: GCP Docs, click the image view the link)

Recommended actions:

  • Encrypt data at rest using strong encryption standards

  • Ensure data in transit is encrypted using protocols like TLS

  • Frequently change encryption keys and ensure secure storage

5. Back up data on a regular basis

Regularly scheduled backups ensure that data can be restored with minimal disruption in the event of data loss, whether they take place because of an accidental deletion, a cyberattack, or a some other disruption to the system. 

With regular backups, organizations can quickly recover from data loss incidents, minimizing downtime and data unavailability.

Google Cloud Backup and DR Overview (Source: GCP Blog, click the image view the link)

Recommended actions:

  • Schedule regular backups for all critical data

  • Test your backup restoration processes periodically

  • Store backups in geographically separate locations for redundancy

6. Secure your APIs

APIs act as gateways to applications, which can make them appealing targets for cyberattacks. It’s crucial to ensure these APIs have proper authentication and authorization mechanisms, so malicious actors can't exploit them to gain unauthorized access or disrupt services.

Authorization Flow with Lambda in AWS (Source: AWS Blog, click the image view the link)

Recommended actions:

  • Implement strong authentication and authorization mechanisms for APIs

  • Regularly review and update API security configurations

  • Monitor API access logs for suspicious activities

  • Use OSS API security tools

7. Stay on top of patch management

Software vulnerabilities are a prime target for attackers. Regular updates and patches guarantee that recognized weak points are tackled. This reduces the attack surface by removing potential attack vectors.

OS patch management dashboard in GCP (Source: GCP Docs, click the image view the link)

Recommended actions:

  • Subscribe to vulnerability feeds for your software and services.

  • Implement a regular patching schedule.

  • Test patches before applying them using a staging environment.

8. Harden your network security

The network serves as a wall that’s built to keep out cyber threats. So any holes in that wall are going to produce risks. It’s up to you to find them and plug them up.

A robust network security posture, including firewalls, virtual private clouds (VPCs), and other tools, ensures that malicious traffic is kept at bay and only legitimate traffic can access your resources.

VPC with public and private subnets in two availability zones in AWS (Source: AWS Docs, click the image view the link)

Recommended actions:

  • Implement firewalls to filter out malicious traffic

  • Use Virtual Private Clouds (VPCs) to isolate resources

  • Regularly review and update network security rules

Going beyond the basics with Wiz

Wiz is a cloud security platform that helps organizations proactively identify, prioritize, and remediate risks across their cloud environments. Wiz provides a single pane of glass view of all cloud resources and their associated risks, including misconfigurations, vulnerabilities, malware, sensitive data, and identities.

Wiz can be used to implement many of the cloud security best practices discussed above and cover more advanced use cases by offering solutions in the areas of:

  • Visibility and control: Wiz provides a comprehensive view of all cloud resources and their associated risks, giving organizations the visibility they need to identify and address potential security issues.

  • Least privilege: Wiz can be used to enforce least privilege access to cloud resources, ensuring that users only have the access they need to perform their job duties.

  • Data security: Wiz can be used to identify and protect sensitive data in the cloud, including data that is stored in object storage buckets, databases, and other cloud services.

  • Threat detection and response: Wiz can be used to monitor for threats in the cloud and respond to incidents quickly and effectively.

Other security best practices you might be interested in:

Continue reading

Unpacking Data Security Policies

Wiz Experts Team

A data security policy is a document outlining an organization's guidelines, rules, and standards for managing and protecting sensitive data assets.

What is Data Risk Management?

Wiz Experts Team

Data risk management involves detecting, assessing, and remediating critical risks associated with data. We're talking about risks like exposure, misconfigurations, leakage, and a general lack of visibility.

8 Essential Cloud Governance Best Practices

Wiz Experts Team

Cloud governance best practices are guidelines and strategies designed to effectively manage and optimize cloud resources, ensure security, and align cloud operations with business objectives. In this post, we'll the discuss the essential best practices that every organization should consider.

What is Data Detection and Response?

Data detection and response (DDR) is a cybersecurity solution that uses real-time data monitoring, analysis, and automated response to protect sensitive data from sophisticated attacks that traditional security measures might miss, such as insider threats, advanced persistent threats (APTs), and supply chain attacks.