Good security takes effort. But it’s not impossible — far from it. The key to achieving better security is to focus on embedding the right types of thinking early on. Make good security hygiene as natural as muscle memory. And before you start to worry about budget, take note: There are many low-cost, relatively easy measures you can take that will have a big impact on your organization’s security posture.
Recently, we hosted a webinar to outline what some of these low-cost practices look like. We want to show you that it isn’t impossible to achieve security on a budget, especially if you focus on implementing it collaboratively with your teams and building a truly security-conscious culture.
Here’s where we think you should be focusing your energies to achieve big results for little or no cost.
You can listen to the full webinar and read our recap below.
Surprises Are For Birthdays
Everyone likes surprises, right? Well, not when it comes to security. We have a saying on our teams (and maybe you do too): “Surprises are for birthdays.” When it comes to security, the last thing we want is to be surprised. In practical terms, this has two meanings:
- Knowing is Better Than Not Knowing: Yes, it’s a pain to find out there’s a vulnerability on one of your systems that needs to be patched ASAP. But wouldn’t you rather be aware that there’s a hole before something bad comes crawling through it? We sure would.
- It’s Not If But When: Don’t stick your head in the sand and pretend like you’ll never get breached. In today’s fast-paced world, it’s not a matter of whether you’ll be hit with a breach but when. So your best bet is to ensure that you can mitigate surprises when they arrive. That way, even if you’re surprised by the what, you aren’t scrambling to respond.
Continuous security monitoring is the key to making sure you aren’t surprised when it comes to threats and vulnerabilities, and that if something does catch you off guard, you have the context to quickly make a decision, remediate and move forward.
Basic Hygiene Goes a Long Way
You might be focused on the big, scary headlines, worried about whether you need to invest a ton of money in security consulting or a comprehensive overhaul. Or you might be paranoid about malware and APTs, looking for point solutions to deal with those types of threats. We’re not going to say that these aren’t valid concerns, but they probably aren’t the lowest-hanging fruit for your organization, or the best place to start.
Instead, start by focusing on basic hygiene. It can go a long way toward ensuring you are as secure as possible, even before you’re ready to shell out the big bucks.
What do we mean by basic hygiene? We like to break it down into three major buckets. We’ll cover these below and go into some detail on the top twelve steps we think you should take first and foremost. They’re all relatively easy to execute and don’t require a huge budget.
Bucket 1: Cloud Environment
Is your cloud environment secure? How do you know? To get started, we suggest focusing on five major steps:
- Limit Privilege Access: Employ the principle of least privilege access to your entire cloud environment. If someone doesn’t need access to do their job, don’t give it to them.
- Use Multi-Factor Authentication: For everything. It’s one of the best ways to ensure that getting into your system isn’t as simple as stealing one employee’s weak password.
- Employ Roles for Integrations: If you are going to use any integrations with your cloud environment, be sure to use roles with those as well to ensure that no one has access that they shouldn’t have.
- Use CloudTrail: So many AWS customers aren’t taking advantage of this native security option. It’s true that you’ll probably need a tool to take full advantage, but don’t ignore it for this reason. It’s not difficult or expensive to set up, and it’s well worth the gains in security.
- Secure All the Things: This includes public and private subnets, SG layers, and all those other pesky areas of your cloud environment. Make sure they are secured, and that you understand what it takes to keep them that way.
Bucket 2: Infrastructure
Next, it’s time to take a look at your infrastructure:
- Destroy Human-Touched Instances: Did someone manually edit or reconfigure one of your instances? Burn it! There’s no reason to hang onto instances after they have been touched by humans. Better to start over.
- Build New Instances: Make it a best practice and rule to build instances as part of your
continuous integration and continuous deployment pipelines when you deploy software. New is always better than patched.
- Curate Base Images: Curating base images for system updates is absolutely key to maintaining security. Do this frequently and ruthlessly.
- Stay Current: Make sure you are staying current on all long-term supported or similar OS distributions. If you’re coming to end-of-life in a distribution, get your upgrade plan together and don’t kick the can down the road.
Bucket 3: Users and Workloads
Finally, get into the nitty-gritty of your users and workloads:
- Review Human and Service Accounts: Do this and do it constantly! If human or service accounts are no longer being used, they should be retired. This requires some vigilance, but it’s necessary to remaining secure.
- Isolate Service Accounts: Don’t share or reuse accounts, and always employ least privilege access principles here as well.
- Review What’s Logging In (and From Where): Be very critical of anything logging in from the WAN. This will help you reduce the chance of exposing an internal-only service to the entire internet.
Watch the Webinar for More Data and Real-World Examples
In the webinar, we go into more depth on all of these best practices, and we also share some data we unearthed by looking at real cloud environments, to give you a sense of where folks frequently go wrong. We even share some real-world examples of mistakes in action. You’d be amazed at how many organizations don’t follow the twelve best practices listed above. But it’s never too late to start making security part of the lifeblood of your organization. Focus on these low-cost (many are no-cost) changes, and you’ll be well on your way to dramatically improving your security posture.
For more information on how to start a cloud security program in your organization, download a free copy of our ebook: Jump Starting Cloud Security.