Addressing Cloud Security Risks: Part 1 - Misconfiguration

In this multi-part series, I explore the top five cloud security risks that I've seen early stage startups encounter, along with common causes and mitigation best practices. In a previous post, I covered Top 5 Cloud Security Risks for Startups - today, I'll address one of the key risks - misconfiguration.

Accountability / responsibility

• Understand the shared responsibility between you and the cloud service provider (CSP). Depending on the deployment model, the responsibility matrix will differ, but ignorance, misunderstandings, or wrong assumptions can lead to major blind spots. See these guides from AWS and Google Cloud.
• Understand your contractual and regulatory compliance obligations. This is not just applicable to CSP contracts, but also your own customer contracts, the jurisdictions that you operate in, and the data that you process. Both AWS and Google Cloud offer compliance resources to help you get started.
• Understand data residency and sovereignty requirements, if any. This was traditionally applicable to highly sensitive or regulated industries; newer data protection laws and regulations (like GDPR) may introduce regional requirements, but are generally applicable across industries.
• Understand security requirements of your customers and business partners. Supply chain attacks and breaches are getting increasingly common, and vendor risk management should be on your priority list.
• Finally, even if you use outsourced services, always remember that you can outsource responsibility, but you cannot outsource accountability.

Secure defaults

• Understand and implement cloud security best practices; AWS offers the Well-Architected framework, while Google Cloud offers a similar Architecture Framework for security, privacy, and compliance.
• Define and set up a secure landing zone (initial cloud environment). Use automation to deploy repeatable solution patterns. See AWS Control Tower or Google Cloud security foundations blueprint to help you get started.
• Define guardrails and organisation-wide restrictions using AWS service control policies, Google Cloud organization policies, and other similar controls.

Real-time visibility

• Configure your cloud environments to receive critical account-related and technical notifications e.g. set up Essential Contacts for Google Cloud. Subscribe to security bulletins and keep abreast of the latest vulnerabilities.
• Use cloud security posture management solutions like Google Cloud Security Command Center, AWS Security Hub, or other multi-cloud solutions for organization-wide security posture and real-time threat visibility.
• Integrate the alerts/findings from these solutions with existing security operations tools, ticketing and notification systems.

Automation (infrastructure-as-code / policy-as-code)

• Use infrastructure-as-code (e.g. Terraform) to provision cloud resources and configuration as far as possible. Both AWS and Google Cloud offer robust support for Terraform.
• If you want to take it a notch higher, you can use policy-as-code to define and deploy policies and rules, and track/remediate deviations along the way.
• Ideally, use workflows/pipelines for key tasks e.g. provisioning resources, assigning permissions, deploying workloads - in general, follow the simple "no humans in production" approach when possible.

If you found this post useful, feel free to read others in this series:

• Top 5 Cloud Security Risks for Startups
• Addressing Cloud Security Risks: Part 1 - Misconfiguration (this post)
• Addressing Cloud Security Risks: Part 2 - Credential Theft/Leakage
• Addressing Cloud Security Risks: Part 3 - Unauthorised Access
• Addressing Cloud Security Risks: Part 4 - Insecure Software Development & Deployment (coming soon)
• Addressing Cloud Security Risks: Part 5 - Sensitive Data Disclosure (coming soon)