A CISO’s Series of Unfortunate Events

You’ve probably seen those quaint features in business publications like, “A Day in the Life of the CFO.” They always have some campy comments that try to make the person relatable (“…and at 9:34am, I finally get around to drinking that latte I got at Starbucks on the way in to work!”), but truly the whole thing is just an annoying ploy to make you feel inadequate. Who really gets up to ride their Peloton at 5:30am, reads the New York Times AND Wall Street Journal over kale-infused coffee at 7:45am, has a major fire drill that could possibly shut the company down at 11:22am, but then solves the problem and is home to coach their kids’ soccer team by 5:30pm?

The reality is that no matter how organized you are or how good your team is, your day can become a montage of nightmares before your car even hits the parking lot. For CISOs and those responsible for the security of data and technology resources in a company, there are days when unforeseen issues spiral out of control while you scramble to apply fixes, isolate your cloud environment, and prepare to remediate. That’s to say nothing of the communication and damage control you’ll need to implement as well.

When a CISO’s day goes sideways, the repercussions reach far beyond getting home late for dinner. A data breach or a successful ransomware attack puts the entire company in jeopardy; as word trickles out, customers panic, the press has a field day, and nothing you do to fix it seems like enough. No one wants that.

Consider applying these policies and controls in your cloud environment so you and your organization can avoid the series of unfortunate events that may befall the CISO who is unprepared:

  • Understand your cloud environment: A single cloud environment is usually made up of workloads and applications operating in a variety of different ways. Some depend on integrations and on data reached through APIs and other means, while others function in a distributed but independent fashion. Your cloud will have different accounts, and maybe even different cloud providers. User groups will be set up by geographic location or by your org chart. The key is to know what your architecture looks like, so you can identify problem areas or other issues when continuous monitoring highlights them. If a priority one issue arises in an account you have no awareness of, you won’t be able to frame any sort of incident response.

Knowledge of your cloud will help you understand when an open Amazon S3 bucket is a critical issue (as it usually is) and when it is intended to be open (for public-facing, transaction-based needs).
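The distinction above (an open bucket is critical unless it is known to be intentionally public) is exactly the kind of rule that belongs in automated inventory checks rather than in someone's head. The following is an added example, not code from the original post or from Evident.io: it classifies S3 buckets offline from constructed records whose `Grants`, `Statement` and public-access-block fields are shaped like the `GetBucketAcl`, `GetBucketPolicy` and `GetPublicAccessBlock` API responses. The `PublicIntent` tag used to record "this bucket is meant to be public" is an assumed tagging convention, not an AWS-defined tag, and the handling of the block settings is a simplified view.

```python
"""Added example: classify S3 bucket exposure, flagging public buckets unless
they are tagged as intentionally public. Runs offline on constructed records."""
import json

# Grantee URIs that make an ACL grant "public" (anyone, or any AWS account holder)
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
INTENT_TAG = "PublicIntent"  # assumed tagging convention, not an AWS-defined tag


def acl_is_public(acl):
    """True if any grant in the ACL targets a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            return True
    return False


def _principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} (or a list containing "*") means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_is_public(policy_doc):
    """True if an unconditional Allow statement grants to an anonymous principal."""
    if not policy_doc:
        return False
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (aws:SourceVpce, aws:SourceIp, ...) may scope the wildcard;
            # this simplified check treats conditional statements as not public
            continue
        return True
    return False


def classify_bucket(acl, policy_doc=None, public_access_block=None, tags=None):
    """Return (verdict, reasons); verdict is "ok", "expected-public" or "critical"."""
    pab = public_access_block or {}
    tags = tags or {}
    reasons = []
    # IgnorePublicAcls makes public ACL grants inert; RestrictPublicBuckets
    # neutralises a public bucket policy (simplified view of the block settings)
    if acl_is_public(acl) and not pab.get("IgnorePublicAcls", False):
        reasons.append("ACL grants access to a public group")
    if policy_is_public(policy_doc) and not pab.get("RestrictPublicBuckets", False):
        reasons.append("bucket policy allows an anonymous principal")
    if not reasons:
        return "ok", reasons
    if tags.get(INTENT_TAG, "").lower() == "true":
        return "expected-public", reasons
    return "critical", reasons


def audit(buckets):
    """Map bucket name -> (verdict, reasons) for a list of bucket records."""
    return {
        b["Name"]: classify_bucket(b.get("Acl", {}), b.get("Policy"),
                                   b.get("PublicAccessBlock"), b.get("Tags"))
        for b in buckets
    }


# Constructed sample inventory (not real buckets or account data)
SAMPLE_BUCKETS = [
    {   # public ACL, no block settings, no intent tag: the "critical" case
        "Name": "finance-exports",
        "Acl": {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-constructed"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        ]},
    },
    {   # public via bucket policy, but tagged as intentionally public (static site assets)
        "Name": "www-static-assets",
        "Acl": {"Grants": []},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::www-static-assets/*"}]}),
        "Tags": {INTENT_TAG: "true", "Owner": "web-team"},
    },
    {   # public ACL grant still present, but the block settings make it inert
        "Name": "logs-archive",
        "Acl": {"Grants": [
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"}]},
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
]

if __name__ == "__main__":
    for name, (verdict, reasons) in audit(SAMPLE_BUCKETS).items():
        print(f"{name:20s} {verdict:16s} {'; '.join(reasons)}")
```

In a real run the three records would come from the S3 API for every bucket in every account you know about, which is the point of the bullet above: a bucket in an account missing from the inventory never gets classified at all. The "expected-public" verdict is only as trustworthy as the process that sets the tag, so it should be reviewed periodically rather than treated as permanent.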

  • Don’t rely on out-of-the-box configurations: AWS and Azure both come with default settings for the various components of their clouds, but since providers don’t know your environment or specific conditions, those settings can be inadequate to meet your security needs. Ensure your team reviews and edits settings and configurations for every resource in your cloud environment so it provides rigorous security and compliance, but remains agile in your approach to managing data and users.
  • Treat GitHub with caution: Far too many breached environments trace back to someone leaving keys or passwords in a publicly accessible GitHub repository. Repositories are meant to be places where users share and access development-related information and resources, but without the right policies in place, users can easily neglect to lock down privileged data.
  • Have an incident response plan: A surefire way to avoid a bad day is to always have an incident response plan in place, where all processes, participants, and outcomes are defined and understood. It begins with near real-time and always-on assessment of the security state of your cloud because you’ve invested in continuous cloud monitoring. So, right off the bat, you have visibility and are alerted immediately to issues. If there’s a misconfigured VM, you’ll know about it immediately through automated alerts delivered via PagerDuty, Slack, HipChat, or Splunk.
  • Make compliance continuous: Manually maintaining a compliant state for your cloud, and keeping detailed reports of it over time, is a massive undertaking. Beyond the sheer amount of work it takes to constantly check all the layers of your cloud stack and compare them with compliance controls, there’s also the opportunity cost. Instead, use your time more effectively by automating compliance and having continuous insight into the state of your compliance for frameworks like NIST, HIPAA, and PCI. This avoids the massive backlog of work that comes from periodic audits and alerts you to security vulnerabilities as they happen.
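The "right policies" the GitHub bullet calls for are mostly enforced by tooling rather than by asking people to be careful: a pre-commit hook that refuses commits containing credentials catches the mistake before it reaches a public repository. Below is an added example of such a scanner, not code from the original post or from any project it mentions. It applies a handful of narrow pattern rules plus an allowlist of marker strings (so documentation samples and fixtures do not block commits) to an in-memory set of constructed files; the rule names, marker list and sample contents are all my own, and the access key values are fabricated.

```python
"""Added example: a small pre-commit style secret scanner. It applies pattern
rules and an allowlist of marker strings to file contents and reports
(path, line number, rule) findings. Sample files below are constructed."""
import re
import sys

# Each rule: (name, compiled pattern). Patterns are deliberately narrow so the
# hook stays low-noise; a real deployment would add vendor-specific formats.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{6,}['\"]")),
    ("generic-api-token",
     re.compile(r"(?i)(?:api[_-]?key|secret(?:[_-]?access[_-]?key)?|token)\s*[=:]\s*['\"][A-Za-z0-9_\-/+=]{20,}['\"]")),
]

# Lines containing any of these markers are treated as non-secrets (docs
# examples, local fixtures, explicit opt-out comment). Compared case-insensitively.
ALLOWLIST_MARKERS = ("example", "changeme", "<redacted>", "#nosecret")


def scan_text(path, text):
    """Return [(path, lineno, rule)] for every rule that matches a line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        if any(marker in lowered for marker in ALLOWLIST_MARKERS):
            continue  # allowlisted line: skip all rules
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files):
    """files: mapping of path -> content. Returns all findings sorted by path and line."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings)


# Constructed sample repository contents (fabricated values, not real credentials)
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'Sup3rS3cret!'\n"                      # finding: hardcoded-password
        "TEST_PASSWORD = 'changeme-local'  # local fixture\n"  # suppressed by 'changeme'
    ),
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAQWERTYUIOPASDFGH\n"              # finding: aws-access-key-id
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE  # AWS docs sample\n"  # suppressed by 'example'
        'API_KEY="c0nstructed-sample-api-key-value-001"\n'      # finding: generic-api-token
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"                     # finding: private-key-block
        "MIIEconstructedbase64body...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    # Pre-commit semantics: print findings and exit non-zero so the commit is refused
    results = scan_files(SAMPLE_FILES)
    for path, lineno, rule in results:
        print(f"{path}:{lineno}: possible secret ({rule})")
    sys.exit(1 if results else 0)
```

To wire this into a repository, replace `SAMPLE_FILES` with the contents of the paths listed by `git diff --cached --name-only` and call it from `.git/hooks/pre-commit`; the non-zero exit refuses the commit. Pattern rules are only a first line of defence (they miss secrets in unfamiliar formats and can be bypassed by anyone determined to commit), so they complement, rather than replace, scanning of the hosted repositories themselves and prompt key rotation when a finding does slip through.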

For conscientious security professionals who prefer to start and end their days without fire drills, here are some resources that will help you create, implement, and manage an effective security and compliance strategy for your cloud:

  • Get cloud fit: This ebook is a collection of 11 cloud security best practices you can begin to implement immediately to strengthen your security posture.
  • Create a defensive strategy: You’ll always have to be vigilant, and part of that process is using a full court press for your security and protecting your environment from things like ransomware.
  • Build the best team: Finding cybersecurity experts is a major challenge; there aren’t enough qualified people readily available. But there are ways to assemble a strong team if you know where to look and how to train the right people. This ebook provides a gameplan for creating the team you need.
  • Apply security automation: This white paper explores all facets of continuous security monitoring and compliance in the cloud to achieve the comprehensive visibility and control essential to your organization.

By making changes in how you manage your environment, and by adopting rigorous best practices, security automation, and creating the right mindset, you can rest assured your organization won’t fall victim to lapses of oversight and control. Then, you can have a day with a series of fortunate events.

*** This is a Security Bloggers Network syndicated blog from Cloud Sentry Blog authored by Patrick Flanders. Read the original post at: https://cloudsentry.evident.io/cisos-series-unfortunate-events/