Security should never be a one-and-done proposition: It requires a continuous improvement mindset to keep you on top of security initiatives and to accommodate new issues as you detect them. Once your security program is up and running, you need to measure, evaluate, and modify it on an ongoing basis to maintain or improve your results. This doesn’t necessarily require a ton of time and effort; it simply requires a strategy.
So today, we want to take a look at what it takes to build an effective security program with continuous improvement at its core. In our view, there are three key pillars to continuous security improvement, and if you have been following along with our Starting Your Cloud Security Journey blog post series, then you’ll be well-acquainted with these concepts.
The Goal of Continuous Security Improvement
We’ve written before about the importance of not letting perfect security become the enemy of good security. But the goal of continuous security improvement is different from trying to be perfect: Continuous security improvement is a journey that is designed to keep you on top of security issues, to improve processes where possible, and to take into account new issues as they come up. This way, you never get complacent about security, and your security systems don’t get out of date.
Understanding this concept is particularly important when you are at an early stage of cloud security maturity: By building continuous improvement into your security mindset and practices from the outset, you are much more likely to stay on top of security as your organization evolves and scales.
Pillar One: Establish & Improve Against Your Baseline
The first step to any good security program is to understand where you stand now. To do that, you need to establish a baseline. Often when organizations first get started with cloud security, they feel overwhelmed or aren’t sure where to start. They may not have the visibility they need into their current status to know what it will take to improve their security posture.
That’s where baselining comes in. CERN Computer Security explains that a security baseline is “a set of basic security objectives which must be met by any given service or system.” In the world of security, a baseline compiled from industry best practices and benchmarks gives you something to measure your current cloud infrastructure against.
The Threat Stack Cloud Security Platform® (CSP) offers two approaches here:
- Configuration Auditing: This feature enables AWS customers to measure their AWS infrastructure against an accurate baseline. Specifically, it scans account configurations and compares them against best practices and policies for AWS and Center for Internet Security (CIS) benchmarks.
- CloudTrail Alerting: This feature allows users to receive automated alerts when changes are made to instances, security groups, S3 buckets, access keys, or other areas of your AWS infrastructure that could represent a threat or lead to non-compliance.
Threat Stack gives you a score to show how close you are to the baseline and shares next steps to improve your security. Following the continuous security mindset, it also allows you to set up automatic daily scans so you can see how your profile is improving and where you need to focus your efforts going forward. The key is to understand where you are now and what it will take to get yourself to the next level of security. And to repeat this process continually.
Recommendation for Continuous Improvement Against Your Baseline: Configuration Auditing will run automatically every day. Check the results on a regular periodic basis. Also, run a scan and check the results immediately after you make any AWS configuration changes that could impact security.
Pillar Two: Identify, Adopt, & Refine Best Practices
Once you have a baseline established, it’s time to adopt other practices that will strengthen your security posture. In our series, we covered three major best practices: Secrets Management, OS Updates and Package Management, and Incorporating AWS Best Practices Into Terraform Design.
While there are, of course, many other security best practices that you should pay attention to as well, these best practices are particularly well suited to companies that are at an early stage of cloud security maturity, and focusing on these three to start will help you make measurable and rapid improvement right off the bat with a reasonable level of effort and no or low expense. In a nutshell, here’s what you need to know about each:
First of all, what we mean by secrets is private, protected information (such as customer data or billing details) that you would not want to fall into the wrong hands. To keep this information safe, you need to follow strict best practices around the storage and sharing of:
- API keys
- Secure tokens
- Private keys
As we wrote in the first secrets management post in this series, you need to keep your secrets where they are easy to find but not easy to access. That means you should never store secrets in application code unencrypted (which is more common than you might think). There are two good ways to identify whether secrets are currently stored in your code (and we recommend using them in tandem):
In the post linked to above, we go into detail about how to use these tools to unearth poorly managed secrets and fix them. In the second secrets management post, we cover what to do after you uncover these mismanaged secrets and how to prevent information leaks. You can visit that post to get a technical run-down on best practices for secrets management.
OS Updates and Package Management
Next, we covered how to keep your operating systems up-to-date and manage packages securely. Why are these so important? Well, for one, the Verizon DIBR has shown that the most frequently exploited vulnerabilities are often months or even years old. They’re exploited so easily because people don’t patch their systems. As our CTO Sam Bisbee discovered the hard way (read: he lost a bet), most systems are not updated with anything near the appropriate frequency. So patching is a good place to begin your cloud security journey.
You don’t want to do this haphazardly, though; you want to follow a strategy that dictates your organization’s approach to patching. This can take one of two forms:
- Update immediately as released
- Update on a regular cadence
In the post, we cover the pros and cons of each approach in-depth and share some specific technologies you can use to manage your organization’s patching requirements. It’s up to you determine your organization’s risk tolerance, values, and resources and choose a patching strategy based on those factors. But the key point here is that you must have a strategy in place and ensure that it is followed.
Finally, we explained how to incorporate AWS security best practices into Terraform design at your organization. From our perspective, incorporating automation into your security workflow is a key aspect of ensuring that your cloud infrastructure is secure. In the post, we covered three areas of AWS security best practices and shared details about how to implement them using Terraform:
- Environment segregation by AWS account
- CloudTrail logging
- Traffic and system access controls
Visit the post here to get details about why we recommend starting with these three AWS best practices and how they will reinforce your security stance.
Recommendation for Continuous Improvement of Your Best Practices: Where appropriate, as in the Managing Secrets and OS Updates best practices, ensure that you are auditing your environment at regular intervals. Since Terraform is a tool to manage your environment, when you are writing Terraform, do your best to incorporate security practices into your code.
Pillar Three: Implement & Improve a Security Awareness Program
The final pillar we covered in our series is implementing a Security Awareness Program. Because the people in your organization are a big part of your security stance, it’s key that everyone is provided with ongoing training and education about security. In the post, we covered the 4 Cs of a strong security awareness program:
We also identified the “milestones” when you should ensure that security is brought to your employees’ attention: when they join, after an incident, and at regular intervals. The post goes into detail about what types of information to cover at those three junctures and why security awareness is vital to building a strong organizational culture.
Recommendation for Continuous Improvement of Your Security Awareness Program: It’s important that everyone from management on down take security seriously and make it an active part of their daily work. To make sure that security doesn’t become stale and get taken for granted, it’s a good idea to keep training materials and training sessions up to date and as interactive as possible. In addition, we recommend the use of a dedicated Security channel on Slack (or whatever tool you use) so security information can be passed to all employees in real time.
Final Words . . .
When it comes to security, the goal should be to get a little better every day. You can mature your security posture over time by measuring where you stand against a baseline, identifying areas for improvement, making changes, and repeating the process.
So while achieving security can feel overwhelming at times, adopting a mindset of continuous improvement will make the whole process more manageable. It will also keep your security systems and processes evolving so they’re always protecting you in the ever-evolving threat landscape.
Posts in the Starting Your Cloud Security Journey Blog Post Series
These posts are now available in the series:
- Threat Stack Blog Series: Starting Your Cloud Security Journey
- Planning Your Cloud Security Program
- How Securely Configured is Your AWS Environment?
- Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 1 — truffleHog & git-secrets
- Cloud Security Best Practices: Finding, Securing, & Managing Secrets, Part 2
- OS Updates and Package Management: Ubuntu Repo Management With Aptly and AWS S3
- Incorporating AWS Security Best Practices Into Terraform Design
- How to Implement a Security Awareness Program at Your Organization