A Step-by-Step Guide to Cloud Security Best Practices

Phase 1: Understand cloud usage and risk

The first phase of cloud computing security is focused on understanding your current state and assessing risk. Using cloud security solutions that allow for cloud monitoring, you can accomplish the following steps:

1. Step 1: Identify sensitive or regulated data.
   Your largest area of risk is loss or theft of data that will result in regulatory penalties, or loss of intellectual property. Data classification engines can categorize your data so you can fully assess this risk.
2. Step 2: Understand how sensitive data is being accessed and shared. Sensitive data can be held securely in the cloud, but you have to monitor who accesses it and where it goes. Assess the permissions on files and folders in your cloud environment, along with access context like user roles, user location, and device type.
3. Step 3: Discover shadow IT (unknown cloud use).
   Most people do not ask their IT team before signing up for a cloud storage account or converting a PDF online. Use your web proxy, firewall, or SIEM logs to discover what cloud services are being used that you don’t know about, then run an assessment of their risk profile.
4. Step 4: Audit configurations for infrastructure-as-a-service (IaaS) such as AWS or Azure.
   Your IaaS environments contain dozens of critical settings, many of which can create an exploitable weakness if misconfigured. Start by auditing your configurations for identity and access management, network configuration, and encryption.
5. Step 5: Uncover malicious user behavior.
   Both careless employees and third-party attackers can exhibit behavior that indicates malicious use of cloud data. User behavior analytics (UBA) can monitor for anomalies and mitigate both internal and external data loss.

Phase 2: Protect your cloud

Once you understand your cloud security risk posture, you can strategically apply protection to your cloud services according to their level of risk. There are several cloud security technologies that can help you accomplish the following best practices:

1. Step 1: Apply data protection policies.
   With your data now classified as sensitive or regulated, you can assign policies that govern what data can be stored in the cloud, quarantine or remove sensitive data found in the cloud, and coach users if they make a mistake and break one of your policies.
2. Step 2: Encrypt sensitive data with your own keys.
   Encryption available within a cloud service will protect your data from outside parties, but the cloud service provider will still have access to your encryption keys. Instead, encrypt your data using your own keys, so you fully control access. Users can still work with the data without interruption.
3. Step 3: Set limitations on how data is shared.
   From the moment data enters the cloud, enforce your access control policies across one or multiple services. Start with actions like setting users or groups to viewer or editor and controlling what information can be shared externally through shared links.
4. Step 4: Stop data from moving to unmanaged devices you don’t know about.
   Cloud services provide access from anywhere with an internet connection, but access from unmanaged devices like a personal phone creates a blind spot for your security posture. Block downloads to unmanaged devices by requiring device security verification before downloading.
5. Step 5: Apply advanced malware protection to infrastructure-as-a-service (IaaS) such as AWS or Azure.
   In IaaS environments, you’re responsible for the security of your operating systems, applications, and network traffic. Antimalware technology can be applied to the OS and virtual network to protect your infrastructure. Deploy application whitelisting and memory exploit prevention for single-purpose workloads and machine-learning based protection for general purpose workloads and file stores.

Phase 3: Respond to cloud security issues

As your cloud services are being accessed and used, there will be incidents requiring either automated or guided response on a regular basis, just like any other IT environment. Follow these best practices to begin your cloud security incident response practice:

1. Step 1: Require additional verification for high-risk access scenarios.
   If a user is accessing sensitive data in a cloud service from a new device, for example, automatically require two-factor authentication to prove their identity.
2. Step 2: Adjust cloud access policies as new services come up.
   You can’t predict every cloud service that will be accessed, but you can automatically update web access policies, such as those enforced by a secure web gateway, with information about the risk profile of a cloud service to block access or present a warning message. Accomplish this through integration of a cloud risk database with your secure web gateway or firewall.
3. Step 3: Remove malware from a cloud service.
   It is possible for malware to compromise a shared folder that syncs automatically with a cloud storage service, replicating the malware in the cloud without user action. Scan your files in cloud storage with anti-malware to avoid ransomware or data theft attacks.

As cloud services evolve, so do the challenges and threats you face by using them. Always stay on top of cloud provider feature updates that involve security, so you can adjust your policies accordingly. Security providers will adjust their threat intelligence and machine learning models to keep up as well. In the phases and best practices above, several key technologies can be used to accomplish each step, often working in conjunction with the native security features from cloud providers.

1. Cloud Access Security Broker (CASB):
   Protects data in the cloud through data loss prevention, access control, and user behavior analytics. CASB is additionally used to monitor IaaS configurations and discover shadow IT.
2. Cloud Workload Protection:
   Discovers workloads and containers, applies malware protection, and simplifies security management across IaaS environments.
3. Virtual Network Security:
   Scans network traffic moving in between the virtual instances held in IaaS environments, along with their entry and exit points.