The use of cloud computing, either for virtualising infrastructures or applications, is quite often combined with a misunderstanding of who is in charge of ensuring security, writes Dirk Schrader, Resident CISO (EMEA) / VP of Security Research at the data security product firm Netwrix.
There is no question that cloud adoption presents challenges to IT security teams as it adds an additional layer of complexity to any existing security architecture. Cloud providers such as Amazon, Google, and Microsoft do their best to mitigate the risk of a successful external attack, but the safety of data is an organisation’s responsibility as well.
The Netwrix Cloud Security Survey found that organisations experienced an average of 2.8 security incidents in the cloud in the past 12 months. The top three incident types were phishing (40pc), ransomware (24pc) and accidental data leakage (17pc). That said, wherever the sensitive data resides – on-premises or in the cloud – it is constantly at risk.
Cloud adoption brings its challenges to IT security teams as it adds an additional layer of complexity to any existing security architecture. Cloud environments do not have an established physical security perimeter, as they are primarily designed for ease of access and ease of deployment. With that in mind, system hardening is a great way to help reduce the number of security vulnerabilities within a cloud.
What is system hardening?
System hardening is the process of securing a system’s setup to minimise IT risks and to protect vulnerable configuration and software from being attacked. This can be achieved by clearing away all unnecessary account functions, ports, access permissions, networking connections, and applications which malware and attackers can use to access an IT environment.
With the numerous security guidelines that exist, the Center for Internet Security (CIS) Benchmarks are the most recommended source of information when looking for free guidance on how to best configure a system securely within on-premises environments. In the same vein, benchmarks for cloud computing resources are also available to help administrators and security professionals harden their cloud instances.
Additional security measures can then be added after the image has been hardened. This can be achieved by baking in the organisation’s defence software, such as a preferred AV and changing the detection solution. CIS-based hardening of virtual instances helps to run cost-effective, simple yet secure operations within the cloud and is compatible with major computing platforms including Oracle Cloud Marketplace, AWS, Google Cloud Platform, and Microsoft Azure. However, it is important to be proactive when looking for any possible gaps or vulnerabilities within the security posture and fixing them appropriately.
How to achieve system hardening in five steps
There are many different methods organisations can choose from to securely store their critical data within a cloud environment. However, a simple search for available online resources that are easy to follow and understand can be overwhelming. Fortunately, according to cloud providers, there are five steps which organisations can take instead while also helping to harden their instances:
1. Start by limiting users’ access from the instance and networks. This is done by only using the essential operating system (OS) applications and modules in order to control the host-based defence software
2. Limit user privileges by setting the minimum number of privileges on individual servers needed to allow them to operate
3. Establish a base level server configuration and monitor each server as an individual item. Then compare it against the tracked baseline at present to detect and alert to any abnormalities. Each individual server must be aligned to produce and hold the necessary audit and record data as securely as possible
4. Create a process which can demonstrate how to adjust the controls to the server’s base level configuration
5. Audit access and control all changes to Elastic Compute Cloud (EC2) to ensure that only permitted changes are being made and to validate the reliability and resiliency of the server
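The following added example (not from the article or from any vendor tool) puts steps 3 and 4 into code: each server's reported settings are compared with a tracked baseline, approved adjustments are honoured, and anything else, including a setting the server fails to report, becomes a finding. The setting names, server names and values are constructed for illustration.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "server setting detail")

# Baseline recorded from the hardened image (constructed sample values).
BASELINE = {
    "listening_ports": {22, 443},
    "sudo_users": {"ops-admin"},
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd_enabled": True,
}
# Step 4: approved adjustments to the baseline, keyed by (server, setting).
APPROVED = {("web-02", "listening_ports"): {22, 443, 8443}}
# Per-server snapshots as a collector might report them (constructed).
SNAPSHOTS = {
    "web-01": dict(BASELINE),
    "web-02": {**BASELINE, "listening_ports": {22, 443, 8443},
               "sshd.PasswordAuthentication": "yes"},
    "db-01": {"listening_ports": {22, 443, 3306},
              "sudo_users": {"ops-admin", "tmp-contractor"},
              "sshd.PermitRootLogin": "no",
              "sshd.PasswordAuthentication": "no"},  # auditd_enabled absent
}

def describe_drift(expected, actual):
    """Return a description of the deviation, or None when actual matches."""
    if isinstance(expected, set):
        extra, missing = set(actual) - expected, expected - set(actual)
        parts = [f"unexpected {sorted(extra)}"] if extra else []
        parts += [f"missing {sorted(missing)}"] if missing else []
        return "; ".join(parts) or None
    return None if actual == expected else f"expected {expected!r}, found {actual!r}"

def check_server(server, snapshot, baseline=BASELINE, approved=APPROVED):
    """Step 3: compare one server against the baseline, honouring approvals."""
    findings = []
    for setting, expected in baseline.items():
        expected = approved.get((server, setting), expected)
        if setting not in snapshot:  # a silent setting is itself an abnormality
            findings.append(Finding(server, setting, "not reported"))
        elif (detail := describe_drift(expected, snapshot[setting])):
            findings.append(Finding(server, setting, detail))
    return findings

def audit_fleet(snapshots=SNAPSHOTS):
    """Check every server individually and return all findings, sorted by server."""
    return [f for name in sorted(snapshots) for f in check_server(name, snapshots[name])]
```

Because approvals are keyed per server, port 8443 passes on web-02 but would be flagged on any other host, which is what keeps each server monitored as an individual item.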
Although the concept of system hardening may be quite unfamiliar to many, when used appropriately it can be greatly beneficial. Enhanced capabilities, cost effectiveness, and overall improved cybersecurity can all be achieved in just the five steps listed above.
How system hardening can benefit an organisation
Organisations choosing to start any cloud hardening project should be aware of the full scope of benefits to take advantage of. One of these benefits is being able to pre-construct the images from which the systems originate. These images can then ‘step up’ when either more permanent or temporary resources are needed. For those unsure of which image hardening guidelines to follow, the CIS is a good place to start when looking for advice and support ahead of a project. Alternatively, utilising an appropriate solution can rapidly configure systems to a preferred hardened state before the image is saved – making it ready for use at any time.
Another benefit of system hardening is the ability to customise images of any management software, which can be enabled while preparing to monitor the systems after the image has already started. Organisations must be sure to explore which existing tools are available and most suitable for their environment before deploying to the image in the customising stage. The added benefit of choosing the right tools is the ability to monitor and detect any posture abnormalities immediately while ensuring the image is following the hardening standards throughout the system’s life cycle.
Most importantly, system hardening greatly reduces the attack surface, giving attackers fewer points of entry into a network. By tightening all loose ends before attackers have the opportunity to exploit them, and securing the most vulnerable endpoints within the environment, organisations are at significantly less risk. System hardening processes also make it far simpler for organisations to follow cybersecurity regulatory and compliance mandates. Therefore, it can drive up the overall return on investment for the organisation.
Cloud adoption is not an option anymore, it’s a must for most businesses. Organisations have to partially move their operations to the cloud to ensure their business activities. The urgent transition to remote work at the beginning of the pandemic forced IT teams to ensure the bare security minimum of the cloud environment. Now, when people have become used to a cloud-based reality, it’s time to upgrade the security measures in place.