Cloud security guidance

Goals

Your security approach should be tailored to be cloud-native, leveraging managed services for common challenges.

• Capitalize on the shared responsibility model, favor serverless and PaaS options, while minimizing reliance on IaaS.
• Develop a clear understanding of your responsibilities and those that can be shared with your cloud provider.
• Utilize managed services to address known problems.
• Identify cloud-native alternatives to traditional approaches.
• Avoid using cloud services that do not fulfill your requirements simply because they are part of your chosen platform.
• Refer to the lift-and-shift guidance when a cloud-native approach is not feasible.

Context

Relying on a cloud platform as a mere extension of a traditional data center often results in security breaches. Adapting your security strategy to utilize managed services effectively can protect against common issues, such as static website hosting, security monitoring, and network traffic controls, often referred to as a cloud-native approach. Identify cloud-native solutions rather than reverting to traditional methods.

If your cloud platform offers diverse services, and if these vary in security quality or characteristics, consider employing technical controls to limit service access. Ensure the processes for allowing new service implementations are user-friendly to prevent reliance on unmanaged alternatives like shadow IT.

Further Reading

• Lift and Shift Guidance

Goals

Robust authentication should secure access to your cloud platform for all users, including developers, administrators, and finance personnel accessing billing data:

• Utilize single sign-on (SSO) for streamlined account and credential management.
• Adopt modern authentication practices, including blocking weak passwords, enforcing multi-factor authentication (MFA), preventing identity sharing, and monitoring authentication events.
• Integrate your platform’s authentication mechanism with personnel management processes.
• Ensure external users also use equally robust authentication.
• Prioritize securing accounts of administrator users.
• Limit all-powerful identity usage to emergency access scenarios.
• Maintain updated contact information for users to facilitate incident response.

Goals

Ensure effective authentication of service identities to facilitate the application of access controls.

• Use your cloud provider’s service identity functionality instead of allowing user identities for workloads or automation.
• Assign unique service identities for each use case, such as individual microservices or administrative tasks.
• Ensure that service identity credentials are generated as high-entropy cryptographic secrets, not merely passwords.
• Allow your cloud provider to manage service identity credentials.
• Prefer using managed integrations when interfacing with external services instead of handling authentication directly.

Goals

Establish granular access controls that limit user and service identities to only the data and services they require, focused on usability alongside the principle of least privilege.

• Ensure access control configurations are clear and assessable.
• Implement the principle of least privilege in access controls.
• Utilize ‘just in time’ administration to limit administrator user privileges.
• Assign permissions to named groups rather than individuals.
• Regularly identify and remove unnecessary permissions.
• Utilize workspaces to simplify access control configurations.
• Restrict access to sensitive data and services to authorized customer administrators and automation only.
• Ensure comprehensive visibility of all external data sharing, continually aligning policies with your expectations.

Access control principles are elaborated upon in the NCSC’s secure system administration guidance.

Goals

Leverage automation as the core of your security strategy. Employ a variety of automation techniques to detect and alert on, or block unwanted changes, encompassing:

• Setting up guardrails to prevent undesired changes.
• Implementing autonomous checks for prevention, detection, alerting, and remediation of issues.
• Using infrastructure as code for non-experimental deployments.
• Conducting automated analyses to ensure accuracy and security of code and configurations prior to deployment.

Context

Your cloud provider’s guardrails and any personal checks should handle most of your security operations. Guarantee that any policies undertaking direct actions have a low false positive rate and provide clear communication. In cases of unavoidable high false positive rates, solutions should trigger alerts, guiding subsequent investigations before taking any actions.

Utilize your cloud provider’s built-in guardrails to halt undesirable actions from occurring proactively, such as exposing data storage externally. Employ automation to alert unusual configurations that occur seldomly, and shouldn’t face guardrails but require monitoring, like structural changes in the organization (refer to action 6. Creating an Organizational Structure for more information).

Set up alerts when resources deviate from organizational policies, such as when they’re established without tagging, as per action 9. Developing Observability. Additionally, you could automate the deletion of resources that persist policy-violating for prolonged periods.

Prefer native tools provided by your cloud provider for automated analysis of configurations and code, rather than deploying third-party products in an IaaS setup, which may offer enhanced robustness against attacks and improve defenses between deployments.

Goals

Organizational resource structure significantly influences management efficiency regarding access to cloud resources.

• Design a clear organizational structure that indicates where resources should reside and who has access to them.
• Ensure your structure safeguards crucial workspaces, such as production environments.
• Integrate your guardrails with your organizational layout to enforce consistent controls.
• Use automation to adapt your organizational structure over time.
• Evaluate whether security controls ought to apply universally or just within segments of the organizational structure.

Context

Every organization has a unique structure; hence, strategizing an intuitive layout for your users is paramount. Facilitate straightforward access to resources, differentiating needs based on their purpose—keeping billing resources distinct from engineering resources and internet-exposed services separate from internal operations.

Consider changing your organizational structure in response to mergers, acquisitions, or evolving needs. Assess whether you must migrate workspaces or reconstruct them using infrastructure as code, leveraging migration tools your cloud provider supplies. Additionally, tailor your strategy to conform with your cloud provider’s preferred methodologies for smooth tool utilization.

Security controls can typically apply to your entire organization or specific segments. In each case, evaluate the objective behind the control and whether universal application is warranted—monitoring should extend across your organization, yet stricter measures might be required for particularly sensitive sections. Also, contemplate applying foundational controls at the workspace level, defaulting to each workspace and easing removal where necessary.

Listen to your users; if they’re finding it challenging to locate resources or managing access proves difficult, an organizational structure reevaluation may be necessary.

Goals

Workspaces serve as a primary tool for resource management and access control within cloud environments. A balance must be struck between granularity and workspace quantity; optimize workspace utility throughout their lifecycle.

• Facilitate self-service, uncomplicated creation of new workspaces.
• Implement technical controls (like guardrails) to ensure workspace configurations are secure by default upon creation.
• Annotate workspaces for improved monitoring related to access controls, including data sensitivity indicators.
• Tag workspaces with external-facing services or those sharing data externally.
• Limit workspace resources to a single project, product, or component to maintain security while ensuring usability.
• Identify and eliminate unused workspaces.
• Restrict access to sensitive workspaces to administrators and automation only.
• Consistently deploy sensitive workspaces utilizing infrastructure as code.

Context

Workspaces facilitate a superb model of logical separation. It’s crucial that workspace generation is user-friendly to prevent resource creations in inappropriate workspaces. When a workspace is established, it should come equipped with appropriate configurations that ensure security. This includes initiating guardrails, security monitoring, and essential security functionalities.

Moreover, use workspaces to simplify access controls while upholding the principle of least privilege. Monitor inter-workspace access to prevent unnecessary privileges among workloads from one workspace over others. Refrain from linking networks between workspaces without appropriate controls.

Each workspace should be marked based on whether it handles sensitive data, has external-facing services, or permits external sharing. This will help to regulate and scrutinize access more stringently for these workspaces compared to standard ones. Ensure that regular reviews affirm the relevance of these annotations and reevaluate permissions when no longer required.

Creating workspaces for experimental testing is common. Limitations may be less stringent in these settings but clearly restrict external interactions. Maintain defenses against excessive risk to sensitive data and services during trials, ensuring they do not morph into environments for sensitive work over time. Deploy sensitive workspaces with infrastructure as code to guarantee predictability and prevent unauthorized access.

Goals

As cloud platforms operate as networked systems, it is critical to safeguard networked services against both external and internal threats.

• Regulate access between networked services such that each can only reach the services and data it requires.
• Control access to untrusted networks (including the internet) for incoming and outgoing traffic.
• Apply defenses against prevalent network protocol attacks, particularly from untrusted sources.
• Replace outdated management protocols or bolster them with modern authentication solutions, recognizing their use as high-risk accesses.

Context

Two prevalent strategies for cloud network security include micro-segmentation and zero trust approaches. Micro-segmentation uses extensive micro-networks to limite access, whereas zero trust networking leverages identity-based access controls at the application level. Whichever strategy is pursued, it’s vital to consistently apply the principle of least privilege to access network services, as encapsulated in action 4. Implementing Access Controls.

Networked service protection may require mitigation strategies from both application-layer attacks and lower-tier threats. Your cloud provider may offer defense mechanisms against common attacks like denial of service or HTTP request smuggling—capitalize on these resources.

Legacy management protocols such as RDP and SSH frequently contribute to breaches due to limited support for contemporary authentication practices and the broad privileges they often grant. Use cloud-native alternatives when possible or protect these protocols from untrusted networks, preferably through an integrated administration proxy service. When that isn’t feasible, consider traditional methods like a VPN, yet treat their usage as high-risk accesses.

Further Reading

• Zero Trust Architecture Principles
• Using TLS to Protect Data
• Cyber Security Design Principles

Goals

Create and sustain visibility into your cloud resources, tracking their changes over time and monitoring for potential issues while aggregating security-relevant events.

• Ensure you can visualize and analyze a comprehensive inventory of your cloud resources and their configurations.
• Utilize resource tagging to manage metadata effectively.
• Establish logging mechanisms for activity collection, aggregation, and retention, particularly focusing on security-related incidents.
• Ensure that security logs remain tamper-proof and that access to these logs is limited to necessary personnel.
• Implement mechanisms for security monitoring across the cloud platform.

Context

Resource tagging can effectively help record metadata such as owner information, project associations, and data sensitivity levels. This data can aid in addressing issues and phasing out unnecessary resources. You should use automation to trigger alerts when resources are created or edited, failing to adhere to tagging requirements, as indicated in action 5. Automating Security Enforcement. Additionally, tags can support contextual information in automated checks.

Logs serve multiple purposes. Understand the distinction between operational logs and those that are security-related. Operational logs do not necessitate stringent protection, as over-protection could impede their utility.

Security logs are pivotal for investigating incidents and contain raw data crucial for security monitoring. They should encompass signals and cloud provider activity logs from all utilized services. Ensure that all activity logs corresponding to any resource can be integrated, regardless of their source.

Maintain logs for sufficient duration to facilitate incident inquiries, which may extend months post-event. Ensure valuable logs are preserved at minimum for six months. Retain varying lengths based on cost, storage availability, and the significance of each data type.

Your security monitoring should encompass platform alterations, ongoing usage scrutiny, and the aggregation and actioning of events from your cloud provider, ensuring actions can be linked back to specific identities. The security monitoring features inherent within the cloud platform can often access information unavailable through other methods, typically enhancing efforts over relying solely on activity logs. Refer to your provider for insights on the most security-impactful logs.

For further guidance on effective protective monitoring, consider Transaction Monitoring for Online Services.

Further Reading

• Introduction to Logging for Security Purposes
• What Exactly Should We Be Logging?
• Asset Management
• Logging and Monitoring

Goals

An incident response strategy is crucial for cybersecurity. Integrate your cloud platform within your overall incident response planning framework.

• Acknowledge and act on alerts from your cloud provider.
• Provide your cloud provider with up-to-date emergency contact information.
• Ensure critical data backup practices and ‘infrastructure as code’ documentation are in place.
• Create an account recovery process with your cloud provider in advance.
• Clarify incident management objectives and outline the most effective strategies to achieve them in the cloud.
• Determine the actions you will execute, the actions required from your cloud provider, and any necessary communications you may need to send them.

For additional insights, delve into our Incident Management Guidance.

Context

Your cloud provider is often well-equipped to identify common problems, misconfigurations, and threats. Prompt notification to you is necessary for you to respond successfully. Alerts should encompass both those that can be automated and those requiring manual intervention. Ensure the emergency contact level is current, utilizing shared groups to facilitate communication.

Your objectives for incident management may differ across cloud environments—for instance, you could prioritize forensic detail collection for issue identification versus rapid recovery through environment destruction and recreation using infrastructure as code. Advance preparation is vital for your objectives, documenting them within playbooks as outlined in our Incident Management Guidance.

As part of your incident strategy, put together a disaster recovery plan encompassing data recovery from backups and the recreation of your cloud environment utilizing backed up infrastructure as code documents. Routinely verify the recoverability and completeness of your backed-up data.

Further Reading

• 10 Steps to Cyber Security
• Effective Steps to Cyber Exercise Creation

Goals

Cloud platforms handle various secrets, from database passwords to API keys for external services. Maintain a cohesive approach towards secret protection, leveraging the secrets management capabilities provided by your cloud platform.

• Minimize secret usage whenever possible by resorting to managed integrations instead.
• Follow a well-documented and consistent secrets management procedure, adhering to best practices your cloud provider recommends.
• Prefer utilizing a cloud provider-operated secrets management service.
• Choose a management strategy that simplifies secret changes over time.
• Employ robust security monitoring around secrets, including alerts for abnormal behavior.
• Utilize automated alerts to identify secret disclosures, including cloud credentials, and trigger incident responses.

Context

Cloud services incorporate functionalities for secrets management. Where feasible, utilize a managed service responsible for safeguarding secrets, ensuring user-friendly secret updates. If such options are unavailable, adhere to your cloud provider’s prescribed practices for secrets management.

Your monitoring surrounding secret access should focus on identifying anomalies. This may entail a user accessing secrets typically designated for automation or instances where a singular identity accesses multiple secrets. Develop response protocols for suspicious activity surrounding a secret, including rapid secret modification and invalidating older versions.

Goals

As detailed in Principle 14: Secure Use of the Service, the cloud platform must be designed for security, aiding you in fulfilling your security obligations. Whether the cloud provider or yourself manages most configurations, ensure the security of data stored and processed in the cloud platform.

• Safeguard data at rest by employing your cloud provider’s data protection frameworks.
• Ensure data is secure during transit.
• Engage services with suitable separation technologies.
• Oversee how your cloud provider accesses your data.
• Be informed about where your data is stored and processed.
• Store and process cloud data only as necessary, implementing retention policies for timely deletion.

Context

Maintain confidence in the encryption of data both at rest and during transit, as outlined in our guidance on Choosing and Configuring a KMS for Secure Key Management. Your cloud provider may ensure data protection at these stages by default, or you may need to implement encryption through automation, as noted in action 5. Automating Security Enforcement. For further insights on encryption at rest, review Cloud Security Principle 2.3.

Utilize effective separation technologies to shield workloads from other cloud platform activities, ensuring proper logical, compute, networking, and storage separation as outlined in our Technically Enforced Separation Guidance. Design systems ensuring strong separation from your workloads, as well as between your workloads and those of other customers.

While it remains important to refrain from constructing systems designed to defend against your cloud provider, managing how personnel from your cloud provider access your data is nevertheless useful. Both raw data and derivative information should undergo strict access controls, requiring explicit, time-bound permissions on a case-by-case basis along with authoritative audit information. Occasionally, you may need to alter configurations to activate this functionality.

It’s critical to have a clear understanding of where your data is held and who has access to it. Utilize guardrails to ensure compliance with:

• Storage, processing, and management country specifications.
• Applicable legal jurisdiction(s) governing your data.
• Your cloud provider’s entitlements concerning access and data utilization.
• Legal scenarios where your data may be accessed without consent.
• How your data protection strategy impacts compliance with UK law.

Data breaches often result from preserving unnecessary data within breached systems. To mitigate the impact of potential compromises, avoid storing non-essential data in the cloud and apply retention policies ensuring prompt deletion once data is of no further use.

Goals

Post-configuration of your cloud platform to align with your needs, it’s imperative to maintain its security over time by adapting to platform changes, industry trends, and your evolving threat landscape. This should involve:

• Conducting periodic automated configuration tests to confirm correctness.
• Regularly reviewing your configuration against organizational objectives.
• Reassessing the security integrity of the platform’s design and controls routinely.
• Establishing and continually refining best practices and solutions for common issues.
• Staying informed about new security functionalities, capabilities, and best practices from your cloud provider.
• Incorporating security configuration assessments into your penetration testing strategy.
• Communicating critical changes to your personnel, especially customer administrators, regarding new best practices.

Context

Cloud platforms often present complex systems, requiring consistency in your configuration alignment over time. This includes verifying that logs remain collectible and accessible for security-related inquiries. Refer to our NCSC blog post on What Exactly Should We Be Logging? for guidance in answering security-relevant questions. Ensure robust testing of your security monitoring systems to confirm they accurately detect and respond to significant incidents and potential attacks, such as recognizing emergency accesses. Periodically assess the functionality of your disaster recovery protocols for efficacy, including testing that deployments can resume to fresh setups using infrastructure as code, alongside verifying data recovery from backups.

Ensure that your configuration continues to meet operational needs; for example, confirm that your organizational layout supports effective access control, as indicated in action 6. Creating an Organizational Structure. Identify any workspaces lacking critical security capabilities that newer workspaces would ordinarily have in place and apply necessary security features wherever feasible.

Monitor changes in your guardrails continually as new capabilities become available. Harness automation to identify resources potentially affected by guardrail modifications to take necessary actions.

Configuration oversights lead to data breaches within cloud environments, and these issues are typically straightforward to detect through penetration tests. Note that performing penetration tests directly on the cloud service itself seldom offers value and may be constrained by the service’s terms of use.

Continuously evolving cloud platforms regularly introduce new features, necessitating ongoing attention to stay abreast of and incorporate essential new security improvements.

Further Reading

• Effective Steps to Cyber Exercise Creation