Cloud Gal 42

QuickGuide: Cloud Security Recommendations

February 5, 2021 | May 13, 2021 by admin

Know the infrastructure security of your provider or platform:

  • In the shared security model, the provider (or whoever maintains the private cloud platform) has the burden of ensuring the underlying physical, abstraction, and orchestration layers of the cloud are secure.
  • Review compliance certifications and attestations.
  • Check industry-standard and industry-specific compliance certifications and attestations regularly for assurance that your provider follows cloud infrastructure best practices and regulations.

Network

  • Prefer SDN when available.
  • Use SDN capabilities for multiple virtual networks and multiple cloud accounts/segments to increase network isolation.
  • Separate accounts and virtual networks dramatically limit blast radius compared to traditional data centers.
  • Implement default deny with cloud firewalls.
  • Apply cloud firewalls on a per-workload basis as opposed to a per-network basis.
  • Always restrict traffic between workloads in the same virtual subnet using a cloud firewall (security group) policy whenever possible.
  • Minimize dependency on virtual appliances that restrict elasticity or cause performance bottlenecks.
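
One way to check the firewall items above against exported rules, as an added example rather than code from the original post. It assumes IPv4 rules in the JSON shape AWS returns for security groups; the group IDs, the finding names and the `PUBLIC_PORTS` allow-list are constructed for illustration.

```python
import ipaddress

# Constructed sample, shaped like AWS describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

PUBLIC_PORTS = {443}  # assumption: only HTTPS may face the internet

def audit(groups, public_ports=PUBLIC_PORTS):
    """Return sorted (group_id, finding) tuples for rules that break the checklist."""
    findings = set()
    for g in groups:
        gid = g["GroupId"]
        for rule in g.get("IpPermissions", []):
            all_traffic = rule["IpProtocol"] == "-1"
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            for r in rule.get("IpRanges", []):
                net = ipaddress.ip_network(r["CidrIp"], strict=False)
                if net.prefixlen == 0:
                    # Internet-wide source: acceptable only for a single approved port.
                    if all_traffic or lo != hi or lo not in public_ports:
                        findings.add((gid, "open-to-internet"))
                elif net.is_private and net.prefixlen < net.max_prefixlen:
                    # Whole-subnet source is a per-network rule, not per-workload.
                    findings.add((gid, "subnet-wide-source"))
            for pair in rule.get("UserIdGroupPairs", []):
                # Self-reference on all protocols lets every member reach every other.
                if pair.get("GroupId") == gid and all_traffic:
                    findings.add((gid, "unrestricted-intra-group"))
    return sorted(findings)

if __name__ == "__main__":
    for gid, finding in audit(SAMPLE_GROUPS):
        print(f"{gid}: {finding}")
```

The `sg-db` group passes because its only source is another security group on a single port, which is the per-workload pattern the list recommends.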

Compute/workload

  • Leverage immutable workloads whenever possible.
  • Disable remote access.
  • Integrate security testing into image creation.
  • Alarm with file integrity monitoring.
  • Patch by updating images, not patching running instances.
  • If security agents are needed, choose ones that are cloud-aware and minimize performance impact.
  • Maintain security controls for long-running workloads, but use tools that are cloud-aware.
  • Store logs external to workloads.
  • Understand and comply with cloud provider limitations on vulnerability assessments and penetration testing.
