How to Adapt Your Risk Management Strategy for the Cloud

Security has always been about accepting and managing risk. It’s not about becoming the most secure company; its goal is to protect against likely threats to your unique organization. But how do you know when a new risk crops up? And how can you stay on top of this in a rapidly changing cloud environment with more endpoints to monitor?

Fortunately, the cloud doesn’t just introduce new risks. It also offers new opportunities for successful risk management. And while managing risk in the cloud may seem overwhelming, it can actually become a lot more streamlined if you do it right. In this post, we’ll explain how risk management is different in the cloud and how you can adapt with a few simple shifts to your current approach.

Why Risk Management is Different in the Cloud

Just as you can’t apply all your on-premise security techniques to a cloud environment, risk management, too, has some nuances. The same guiding principles remain, but how it’s done will change.

First, it’s important to know what the shared responsibility model in the cloud is, if you don’t already. This is a topic we talk about at length because it’s very important to understand it accurately from a risk management perspective. Whether you’re running on Amazon Web Services, Microsoft Azure, or Google Cloud Platform, there are certain aspects of security (and risk) that the cloud provider will handle for you. As we explain in Assessing the State of the Shared Responsibility Model, your cloud provider is responsible for securing and mitigating risk to the cloud infrastructure. But they don’t handle everything. You are responsible for anything you do in the cloud — managing users, patching vulnerable servers, etc.

Awareness is key when it comes to risk management, so knowing exactly what you’re responsible for (users, files, applications, configurations, etc.) is key to mitigating risk in the cloud. From there, there are four ways to increase visibility in the cloud so you can appropriately manage risk.

1. Baseline Your Risk

You can’t know how secure you are or how much more secure you need to be without first knowing where you stand today. Baselines help you manage risks intelligently because they give you a reading on where you are so you can develop a roadmap going forward.

Auditing your configurations can be a good way to get started. This will show you what configuration choices are mitigating the most risk and which ones have opened you up to elevated risk.  Using a tool such as Threat Stack’s Configuration Auditing, you can view a risk score based on adherence to best practices including CIS and AWS benchmarks along with a link that takes you to directions for remediation. From there you can regularly schedule audits  to run automatically to ensure that your production environment is in the most secure operational state. 

In the cloud, where changes to applications, infrastructure, and services occur rapidly, a configuration audit can give you continuous insight and control to ensure that proper security settings have been selected and enabled.

(Note: For highlights from a recent Threat Stack survey, see Threat Stack Study Exposes Critical Security Misconfigurations at the bottom of this article.)

2. Centralize Workflows

The more disparate your teams and workflows are in the cloud, the harder it will be to gain visibility and manage risk. In an ideal world, you would know all of the tools, servers, users, and applications running in your cloud environment and what they are doing at any given moment. Otherwise, you’ll quickly find yourself hopping from tool to tool and system to system trying to watch for suspicious activity, patch related issues, and respond to incidents.

So the first step is to try to centralize your tools and workflows as much as you can. Whether it’s consolidating point solutions so you have fewer tools to manage, or integrating them so they work more closely together and can be easily managed, this will help you become more aware of what’s going on. And if you can begin to orchestrate workflows between these tools, that can also speed up your ability to catch issues and react to them.

3. Make Operations a Part of the Solution

Many operations teams today operate under continuous development and continuous integration methodologies. This means that at any given moment, new servers are being spun up, applications launched, and features released. Traditionally, this has posed quite a security challenge, but it doesn’t have to. In fact, operations can be part of the solution. Sitting at the helm of your IT infrastructure, your operations organization can play a critical role in managing and mitigating risk by embracing security best practices.

Implementing security monitoring at the host level, for example, allows your operations team to run at the same fast pace they always have, with the added assurance that nothing goes out without first being checked for vulnerabilities and continuously monitored for threats and attacks. With tighter integrations between security and ops and no additional overhead, that makes managing risk much easier — even at the speed of cloud. (For great tips on how to integrate security into an ops environment, take a look at The 5 Ingredients of a Successful SecOps Implementation.)

4. Real-Time Detection

Perhaps the most important aspect of managing risk in the cloud is being able to detect real threats in real time. The moment an intruder tries to make their way in or steal credentials, you should be in-the-know. Otherwise, you really can’t say you’re managing risk, can you?

Unfortunately today, it’s not a matter of if, but when, you’ll experience some form of security attack, so having eyes on every edge and corner of your cloud infrastructure, and being alerted the moment anomalous activity is detected, keeps you informed and able to take proactive action.

5. Automate, Automate, Automate!

To pull the previous four tips together, you should be leveraging automation. Automation helps you do more, and this is especially wise at a time when more endpoints need to be monitored, rapid changes are occurring, and you need to gain control. Automate auditing your configurations. Automate your workflows. Automate your SecOps (or whatever you choose to call it). And automate detection and alerting. In the cloud, this is really the only way to scale, both from a security and risk management perspective.

A Final Thought . . .

A great thing about the cloud is that it offers up a fresh opportunity for taking a new approach  when you’re defending your organization from attack. While it does require that you change your former approach, so long as you’re automating what you can and leveraging the right tools for the job, you’ll gain even more visibility and control than you had previously.

If you’re interested in learning how to adapt your risk management strategy for the cloud by bringing security into the DevOps equation, download a copy of The SecOps Playbook.

Threat Stack Study Exposes Critical Security Misconfigurations

A recent Threat Stack study found that 73% of companies have at least one critical security misconfiguration. By “critical”, we mean configuration lapses that enable an attacker to gain access directly to private services or the AWS console, or that could be used to mask criminal activity from monitoring technologies.

The analysis found a surprising number of well-documented security misconfigurations including the following:

  • In 73% of the companies analyzed, AWS Security Groups were configured to leave SSH wide open to the internet. This simple configuration error allows an attacker to attempt remote server access from anywhere, rendering traditional network controls like VPN and firewalls moot. In fact, Threat Stack observed SSH traffic from the internet using the root account, which could have severe security repercussions.
  • The well-recognized best practice of requiring multi-factor authentication (MFA) for AWS users was not being followed by 62% of companies analyzed, making brute force attacks that much simpler.
  • Even AWS-native security services, such as CloudTrail, were not being deployed universally (27%) across all regions.

“The most surprising part of these findings is that, for all the money that sophisticated enterprises spend on advanced security, a majority aren’t even taking full advantage of the basic security tools available to them as AWS users,” said Sam Bisbee, Threat Stack’s CTO.