This is the first in a series of articles on the five pillars for actionable Azure security. This post contains the following sections:
- Five Pillars for Actionable Azure Security
- Managing an Actionable Cloud Security Framework
- Conclusions and next steps
- About Barracuda Networks
You can follow the entire series here.
The cloud is transformational – but the cloud is different. Companies migrating to the cloud quickly – and sometimes painfully – learn that translating their on-premises security framework to the cloud is more difficult than they presumed. Not all on-premises solutions will work the same, if at all, in the cloud; cloud infrastructures themselves contain numerous security services that need to be incorporated; and the very mechanisms behind operating securely in the cloud are different from those of traditional on-premises solutions.
Companies who have been successful in designing and deploying an actionable cloud security framework focus on five pillars, each of which is addressed in sequence as those customers migrate to and operate within a cloud ecosystem.
Five Pillars for Actionable Azure Security
Every vendor – as well as most consultants and most standards organizations – has detailed its particular Cloud Security Framework. All of these are valid, but most are constructed in a kind of vacuum. They either focus solely on that vendor’s products, or look at security in the same siloed approach that has hamstrung companies from the beginning when they turn to the cloud.
Actionable Cloud Security is a cycle. It is sequential, it is prescriptive, and each pillar is ultimately dependent on those that precede it to make security truly actionable. NIST’s Cybersecurity Framework is the basis for many of the best practices embodied in actionable security, and taken to its next logical step it becomes a series of sequential pillars. Organizations who follow this methodology will create a framework that not only supports their cloud strategies, but actually increases their security in the cloud, and their ability to respond to how the cloud evolves.
These five pillars are:
- Identity and Access
- Detection Controls
- NetSec – Network Security
- Data Protection
- IR – Incident Response
Customers who achieve actionable cloud security leverage these pillars in a sequential manner – i.e., they ensure IAM requirements are understood and resolved before moving on to Detection Controls, and so on. By understanding security this way, organizations can ensure they don’t miss key elements that are easily overlooked when security is approached on a piecemeal basis.
Success in developing an actionable cloud security framework comes from understanding how this framework applies to a particular customer’s situation. The purpose of this discussion is to help develop an understanding of these pillars and how to approach them, so organizations can avoid the pitfalls and risks of an ad-hoc approach to cloud security.
In this blog series, we will dive into depth on each of the pillars introduced above.
Identity and Access (commonly known as Identity and access management, or IAM)
Since the cloud isn’t an on-premises solution, securing access is a natural starting point. Traditionally, customers look at identity management and access management from the standpoint of users. Users, which can be further categorized into groups, will also have associated roles, and permissions associated to these roles.
Even within a single organization – for example, a company may have multiple groups within a larger development organization, with different permissions associated both with the roles those users have and with the groups to which they belong. It is not necessarily a linear relationship.
Within a cloud infrastructure, effective identity and access management (i.e., IAM) allows IT administrators to authorize who can take action on specific resources, and provides those administrators with visibility and control across that whole infrastructure. This can quickly get complex, with hundreds of organizations, workgroups, and projects. However, this also becomes the first “window” into who’s doing what.
Similarly, companies in the cloud have come to understand that services can be subject to the same management schemes as users. This is an important construct when organizations look to leverage cloud services for transformation – those services need to be understood in terms of how they are accessed and managed.
Within the Azure infrastructure, the products and services found here need to be considered as part of an organization’s Identity and access pillar.
Azure Active Directory provides secure access to resources with Identity and access management. With this service, customers can integrate native services such as virtual machines, storage accounts, app services and many more. Additionally, Azure Active Directory provides access management for cloud and hybrid environments.
To develop an actionable IAM pillar, customers must:
- Enable single sign-on
- Enable multi-factor verification for administrators and users
- Use role-based access controls and provide access as needed
- Lower exposure of privileged accounts
Detection Controls
This next pillar relies on first being able to determine who is allowed access, and to what – and then detecting anomalies. Typically, Detection Controls focus on intrusion, more commonly known as Intrusion Detection Systems (IDS). These are automated, and are designed to monitor and analyze network traffic, and to generate an alert in response to activity that either matches known malicious patterns or is anomalous. Some IDS controls go further: they will trigger automated processes that can include recording suspicious activity or scanning the computers involved to try to find signs of compromise.
An IDS differs from a firewall in that a firewall looks outwardly for intrusions to stop them from happening in the first place. IDS looks for both intrusions that have already occurred (or are actively occurring), and for attacks that originate from within the network.
Because an IDS is watching the actual network traffic flow, it not only permits a more timely response to an active compromise, it also offers the capability to identify devices that are in imminent danger of compromise. In layman’s terms, this means identifying devices – or resources – with similar access profiles as those where the intrusion took place. IDS controls obviously require some kind of feedback loop with a security provider, to learn the latest malicious activities and recognize them when detected.
Within the Azure infrastructure, the products and services found here need to be considered as part of an organization’s Detection Controls pillar.
To develop an actionable Detection Controls pillar, customers must:
- Deploy detective controls at Layer 4 to Layer 7 and protect applications
- Understand how IDS differs from Firewall protections
- Have a thorough understanding of all monitoring and logging activities that are performed as part of in-place detection systems
NetSec (Network Security)
Many organizations make the mistake of beginning their cloud security framework discussions around NetSec, as this was traditionally how they secured on-premises infrastructure, since all elements of the network were in-house and under direct IT control. Companies erroneously assume that because they are leveraging a cloud infrastructure, either they will be less secure than when they “owned” all those resources, or that they can simply mirror their on-premises network security controls in the cloud.
Again, the cloud is different. The Shared Security model under which all cloud ecosystems operate inherently guarantees security of the network – but can’t guarantee the security of the companies who are accessing it. Or put another way, organizations using the cloud need to put security measures in place that will ensure they are not the source of threats and compromises.
This is where firewalls and WAFs in the cloud offer security at a different level. The controls and nomenclature may be the same as on-premises solutions, but the functions they provide are designed to operate in an infrastructure that is inherently fluid and off premises. Because resources are cloud-based, companies often turn to benchmark policies such as CIS Benchmarks, which describe cloud-focused policies for detecting security policy violations – situations which simply didn’t exist in an on-premises infrastructure.
Finally, an actionable NetSec pillar also needs to consider endpoint security – the “edge” of the cloud creates new vulnerabilities and as cloud infrastructures work more seamlessly with endpoints, security at the edge becomes increasingly important. Taken as a whole, this becomes the blueprint for the infrastructure for that organization.
In Azure, the Intelligent Cloud works integrally with the Intelligent Edge – and both need to be secured. Within the Azure infrastructure, the products and services identified here and here need to be considered as part of an organization’s NetSec pillar.
To develop an actionable NetSec pillar, customers must:
- Understand the policies and benchmarks that are appropriate to their business and organizations and the cloud
- Deploy solutions that translate those benchmarks into actionable results, such as firewalls or security monitors that look at the cloud
Data Protection
That data moves into and through the cloud might seem obvious, but it raises new security requirements. The very notions of data-in-motion and data-at-rest become blurred. For example, data protection for a network is often equated with backup, but this is overly simplistic. A data backup is a snapshot in time of selected or all data in a cloud infrastructure. This is data at rest, and as such, it is only accurate at the point of the backup. When backups are deployed to rectify a compromise, i.e., a data restore, significant time may have elapsed between the date of the most recent backup and the date the restoration is initiated. All the data between those two times is essentially unprotected.
Recent legislation such as GDPR has forced security professionals to look beyond protection of data at rest, and address the much more difficult task of protecting data in motion (i.e., data in transit). Data in motion is very often data moving out of the network, or between nodes, and as such can be vulnerable to malicious activity during the act of transport.
Encryption is the most popular method of protecting data both at rest and in transit, but it is not a total solution. Network security controls add another layer of protection, as do data policies. Data that has been classified as at-risk can have specific policies applied to it whenever such data is accessed or moved, ranging from alerts to full blocks against access or transit.
There are other data conditions which need to be considered as part of data protection as well. One of these is archiving. Even though archived email is clearly data-at-rest, it still needs to be considered within the overall protection scheme. Another consideration is ongoing threat scanning. Scans need to look at all data, not simply data in motion. It is very common to find emails with latent threats in trash or spam folders; recognizing that these contain latent threats is important to ensure that someone doesn’t inadvertently open them and trigger malware.
Within the Azure infrastructure, the products and services identified here need to be considered as part of an organization’s Data Protection pillar.
To develop an actionable Data Protection pillar, customers must:
- Have complete visibility of information and data stored in Azure
- Control versioning of data
- Protect data at all times
- Encrypt their data at all times
IR (Incident Response)
For a number of organizations, Incident Response (IR) is the first symptom of a non-actionable cloud security framework. Often, incidents aren’t even identified until well after they have occurred, and damage has been done. In those cases, response quickly escalates to remediation, and there are numerous cautionary tales of companies being irreparably harmed by large and undetected breaches and incidents.
Within an actionable IR framework, the notion of IR is more basic. Incidents are typically security failures or non-compliances that can be easily identified and rectified, with the intention of responding to the “incident” before there has been damage. Solutions that prevent incidents may still need to identify intentional malicious incidents, even if they were ultimately prevented from occurring.
IR can take many forms, from simple identification and rectification, or prevention, to changes in policies and strategies that avoid future similar incidents. Organizations that leverage actionable cloud frameworks as a basis to enforce security and workflow best practices can utilize IR as a way to identify where best practices aren’t being followed and why. In that way, IR becomes part of a continuous feedback loop to help keep an actionable cloud framework secure.
Within the Azure infrastructure, the products and services identified here need to be considered as part of an organization’s IR pillar.
To develop an actionable IR pillar, customers must:
- Unify IR strategy across the board – both cloud and on-premises
- Detect and remediate on a continuous basis
- Leverage all available preventative tools which can prevent incidents
Managing an Actionable Cloud Security Framework
Earlier, we described an Actionable Cloud Security Framework as a loop: feedback from one pillar feeds into the next, and the framework is continually tuned and managed to comply with the best practices established as part of each pillar, keeping the framework secure and compliant. In an era of heightened security risks and concerns, compliance is taking on new meanings – not simply complying with specific mandated written policies, but maintaining infrastructures whose data and security policies support the mandates with which those organizations are trying to comply.
To that end, a class of products is emerging, as services that monitor and manage organizations’ security postures. Some of these products are as basic as “benchmark checkers” that will evaluate an organization’s cloud security policies against industry standards such as CIS. Others aggregate the control planes used in the various pillars into single “pane-of-glass” management tools. Azure Security Center and Azure Graph are examples of such products in Azure.
Other solutions take this a step further: they aggregate the information provided by management tools, they provide network and infrastructure rules based on industry standard benchmarks, and they perform ongoing evaluations of organizations’ cloud infrastructures. These solutions look for non-compliance, i.e. situations in which deviations from policies and benchmarks have occurred. These products may offer an automated remediation feature, but of equal importance is the context in which they describe such deviations. A policy deviation could be the result of a new software routine being developed at the organization, which will require a new policy going forward – or that deviation could be a developer inadvertently (or maliciously) exposing the infrastructure to compromises and threats. Left unmonitored, this policy “drift” can quickly move an entire organization into serious non-compliance.
This newest class of actionable security tools can alert IT administrators to such policy violations, and can suspend their actions until the administrator has reviewed the violation and its intent. These products also allow administrators to zero in on deviations that could be occurring in an infrastructure of hundreds of workgroups, projects, and user groups, and determine their potential impact. Finally, these solutions often include a robust monitoring and logging capability, which is an obvious “must have” for organizations’ compliance with newer data protection rules like GDPR.
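As an added example that is not the page’s or Barracuda’s code, here is a minimal “benchmark checker” of the kind described above: it applies baseline rules drawn from the IAM, NetSec and Data Protection checklists earlier in the post (privileged accounts, management ports open to the Internet, encryption in transit) to a resource inventory, then separates reviewed exceptions from unreviewed policy drift. All resource names, rule ids and the accepted-exception list are constructed; a real checker would read its inventory from Azure Resource Graph or the Azure CLI and its rules from a benchmark such as CIS.

```python
# Added example (not Barracuda's or Microsoft's code): a minimal benchmark and
# drift checker over a constructed Azure-style inventory. Names, rule ids and the
# accepted-exception list are invented for illustration.
from dataclasses import dataclass

INVENTORY = {  # constructed sample inventory
    "storage_accounts": [
        {"name": "stprodlogs", "https_only": True, "public_blob_access": False},
        {"name": "stdevscratch", "https_only": False, "public_blob_access": True},
    ],
    "nsg_rules": [
        {"nsg": "nsg-web", "name": "allow-https", "port": "443", "source": "Internet", "access": "Allow"},
        {"nsg": "nsg-web", "name": "allow-rdp-any", "port": "3389", "source": "*", "access": "Allow"},
    ],
    "role_assignments": [
        {"principal": "alice@example.test", "role": "Owner", "scope": "/subscriptions/sub-0000", "mfa": True},
        {"principal": "build-sp", "role": "Owner", "scope": "/subscriptions/sub-0000", "mfa": False},
        {"principal": "bob@example.test", "role": "Reader", "scope": "/subscriptions/sub-0000/resourceGroups/rg-web", "mfa": False},
    ],
}
# Exceptions an administrator has reviewed and accepted, keyed by (resource, rule id).
ACCEPTED = {("stdevscratch", "storage-no-public-blob"), ("alice@example.test", "iam-privileged-broad-scope")}

MGMT_PORTS = {"22", "3389"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

@dataclass(frozen=True)
class Finding:
    pillar: str    # which of the five pillars the rule belongs to
    resource: str  # resource or principal the finding concerns
    rule: str      # stable rule id, matched against accepted exceptions
    detail: str

def evaluate(inventory):
    """Apply the baseline rules to every resource and return all findings."""
    out = []
    for a in inventory["storage_accounts"]:
        if not a["https_only"]:
            out.append(Finding("Data Protection", a["name"], "storage-https-only", "accepts plaintext HTTP"))
        if a["public_blob_access"]:
            out.append(Finding("Data Protection", a["name"], "storage-no-public-blob", "anonymous blob access on"))
    for r in inventory["nsg_rules"]:
        if r["access"] == "Allow" and r["port"] in MGMT_PORTS and r["source"] in ANY_SOURCE:
            out.append(Finding("NetSec", f'{r["nsg"]}/{r["name"]}', "nsg-no-mgmt-from-internet",
                               f'port {r["port"]} open to {r["source"]}'))
    for ra in inventory["role_assignments"]:
        if ra["role"] not in PRIVILEGED_ROLES:
            continue
        if not ra["mfa"]:
            out.append(Finding("Identity and Access", ra["principal"], "iam-privileged-without-mfa",
                               f'{ra["role"]} without multi-factor authentication'))
        if ra["scope"].count("/") == 2:  # subscription-wide: /subscriptions/<id>
            out.append(Finding("Identity and Access", ra["principal"], "iam-privileged-broad-scope",
                               f'{ra["role"]} granted at {ra["scope"]}'))
    return out

def drift(findings, accepted=ACCEPTED):
    """Findings nobody has reviewed yet: the policy drift to surface to an administrator."""
    return [f for f in findings if (f.resource, f.rule) not in accepted]

if __name__ == "__main__":
    for f in drift(evaluate(INVENTORY)):
        print(f"[{f.pillar}] {f.resource}: {f.rule} ({f.detail})")
```

Each unreviewed finding carries its pillar, so the output can be routed to whoever owns that pillar rather than landing in one undifferentiated queue.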
Conclusions and Next Steps
IT organizations are typically staffed to keep their respective companies or users secure and productive and to operate within a defined company framework. Even those with extensive security understanding and cloud experience are best served by partners whose focus is architecting security.
Once an organization has completed the exercise of defining their five pillars toward actionable cloud security, and developed a strategy to close gaps they identify during this process, they can work with that partner to implement tools and processes they have identified as keys to their actionable Azure security framework. These partners can also ensure that hybrid frameworks don’t hamper cloud migrations and leverage, but instead remain integral parts of the organization’s overall security framework.
Those organizations are also then able to focus on the real value they intend to extract from the cloud: digital and operational transformation. Organizations who understand their IAM framework, for example, can feel secure leveraging Azure services such as ML (Machine Learning) or AI (artificial intelligence) to build new and transformational workloads without compromising their own security frameworks.
What are an organization’s next steps in this process? Besides identifying a partner or partners to shoulder part of the burden and ensure they aren’t bogged down by developing this actionable cloud security framework, organizations should:
- Identify the key processes within each of these pillars that affect their business operations
- Identify information which organizations must initially gather to create these pillars (as example, the roles and permissions they need to extend across users and groups, or the definition of “at-risk” data, etc.)
- Identify “holes” in their existing security strategy and assess the criticality of each issue as well as which pillars it affects
- Identify both third party and native Azure services that can be leveraged to address security challenges
- Build out a timeline during which organizations can deploy services, procedures, and policies and execute building their actionable cloud security framework
- Evaluate tools and services that will help keep their actionable cloud security frameworks secure – to proactively identify and remediate policy violations and preclude the policy “drift” that is inherent in any organization actively developing or deploying new versions and solutions.
About Barracuda Networks
With more than 1 million cloud-enabled products delivered since its inception, Barracuda Networks continues to disrupt the IT-security market with innovative solutions. We’re on a mission to protect customers, data and applications from today’s advanced threats by providing the most comprehensive and easy-to-use IT-security platform and backing it up with best-in-class customer support.
For Azure frameworks, Barracuda provides solutions that address common challenges that organizations encounter when building an actionable Azure Security Framework, including
- CloudGen Firewall – the industry’s first built-for-the-cloud network firewall, which combines SDWAN capabilities, virtually unlimited remote access, and all the security and management parameters with which IT organizations are familiar from their on-premises architectures – but built to provide security and visibility to and through Azure.
- CloudGen WAF – a highly-scalable web application firewall to provide Layer 7 security for web-facing applications, along with automated remediation and highly-granular rule sets that can be tailored by user and application.
- Cloud Security Guardian (CSG) – a service which operates across the control, management, and data planes, that can configure and manage security controls and practices across an organization’s entire cloud architecture, and detect non-compliance with these controls and remediate it to avoid risks and compromise.
Rich is the Product Marketing Manager, Information Management. He's been with Barracuda since the acquisition of C2C Systems in 2014. Rich specializes in cloud-deployed solutions, information management, and archiving systems. His experience includes extensive work on OEM opportunities and the legal community.
You can email Rich at firstname.lastname@example.org.