
Introduction to Cloud Hardening

Nov 3, 2021

Storing sensitive data in the cloud significantly expands your attack surface, and adversaries are seizing the opportunities that cloud adoption presents. In fact, a 2022 Netwrix survey found a 10% increase in attacks targeting cloud infrastructure.

Cloud hardening is the process of reducing the risk to your cloud systems by establishing and maintaining secure configurations and by identifying and mitigating other vulnerabilities. Learn why cloud hardening is vital for both security and regulatory compliance, and what the top cloud threats are today. Then discover the steps to take to harden your cloud, regardless of your delivery model (IaaS, PaaS or SaaS) or cloud type (public, private or hybrid).

How Cloud Hardening Helps Strengthen Security

Cloud hardening involves securing the configuration and settings of your systems to reduce IT vulnerabilities and the risk of compromise. A key step in hardening is removing all non-essential components from your systems. By eliminating unneeded programs, account functions, applications, ports, permissions and access, you leave fewer routes for attackers and malware to enter your cloud environment.

Keep in mind, however, that cloud hardening is not a one-time event: you need to continuously monitor for any deviation from your secure configurations, and regularly review and update your baselines as the threat landscape changes and best practices evolve.

Of course, cloud hardening is only one part of a broader security strategy, which must also include deploying tools to promptly detect and respond to potential threats, and ensuring that systems can be quickly restored after an incident.

How Cloud Hardening Helps with Compliance

Governments around the world have established regulations that include standards for data security, and those standards apply regardless of where the data is hosted. Here are the most significant ones to know:

  • HIPAA (Health Insurance Portability and Accountability Act) is a US standard for securing protected health information (PHI). Its Security Rule and Privacy Rule sections dictate access measures and guidelines for electronic healthcare transactions, and require healthcare organizations to report security breaches.
  • PCI DSS (Payment Card Industry Data Security Standard) was created to protect cardholder data. It includes requirements for multifactor authentication (MFA) and data encryption, and requires covered organizations to perform penetration testing to improve security.
  • FERPA (Family Educational Rights and Privacy Act) addresses the privacy and security of student data, including personally identifiable information (PII). FERPA requirements cover topics such as encryption, use, redisclosure and destruction of data.
  • GDPR (General Data Protection Regulation) is a European Union regulation that applies to organizations anywhere in the world that store or process information about EU residents. Its provisions address data storage, use, retention, access and more.
  • SOX (Sarbanes-Oxley Act of 2002) helps protect the public from corporate wrongdoing by requiring all US public companies to mitigate the risk of fraudulent accounting and financial activity. Among other things, SOX details obligations related to data integrity, auditing, access control and change control.
  • FISMA (Federal Information Security Management Act) requires US federal government agencies to protect assets and information by creating, implementing and complying with a security plan, which must be reviewed annually. In addition, the law requires covered agencies to use only data centers, including cloud providers, that are FISMA compliant.
  • ISO/IEC 27017 is a standard in the ISO/IEC 27000 family that provides guidelines on information security controls applicable to the provisioning and use of cloud services. It addresses topics such as shared roles and responsibilities, virtual machine hardening, and the alignment of security management for physical and virtual networks.

In addition to laws, organizations may have to (or choose to) adopt a cybersecurity control framework. In particular, the Cloud Security Alliance's CCM (Cloud Controls Matrix) covers critical aspects of cloud technology across 17 domains, such as application and interface security, audit and assurance, change control and configuration management, and threat and vulnerability management.

While an organization can be subject to multiple laws, most of them are rooted in the same core best practices, so the same security controls — such as cloud hardening — can help you achieve compliance with many mandates at once.

Top Public Cloud Security Threats

The cloud security threats that cybersecurity professionals are most concerned about, according to a 2022 survey, are:

  • Misconfiguration of cloud platforms (62%)
  • Data exfiltration (51%)
  • Insecure APIs and other interfaces (52%)
  • Unauthorized access (50%)
  • Hijacking of services, accounts or traffic (44%)
  • External data sharing (39%)
  • Foreign state-sponsored cyberattacks (37%)

Hardening in Various Cloud Models

Cloud hardening is always recommended. However, the division of responsibility between your organization and the cloud services provider (CSP) for implementing it varies depending on the cloud model: IaaS, PaaS or SaaS.

Infrastructure as a Service (IaaS)

IaaS involves renting basic infrastructure components from a CSP, such as virtual machines (Azure Virtual Machines or Amazon EC2) or block storage (Amazon EBS). With IaaS, cloud hardening is mostly in your hands. While the CSP handles physical security and firmware updates, you are responsible for the configuration of your provisioned virtual components. In particular, you are responsible for:

  • Identity and data governance, including user access management and change control
  • Configuring and hardening operating systems
  • Data encryption
  • Application-level settings
  • Network access controls at both the network level and individual component level
  • Security testing
  • Auditing and logging
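Most of the items above come down to what your identity and resource policies actually allow, and over-broad policies are the root of the "misconfiguration" and "unauthorized access" threats ranked highest in the survey. The following Python linter is an added example for this article, not Netwrix code and not an AWS tool: it checks AWS-style IAM policy documents for the classic least-privilege mistakes (wildcard actions, unscoped resources, Allow-with-NotAction, anonymous principals on a resource policy) and runs over constructed policies, including an over-permissive identity policy beside its scoped rewrite. The bucket, role and account ID in the samples are placeholders.

```python
"""Lint AWS-style IAM policy documents for least-privilege violations.

Added example for this article; not Netwrix code and not an AWS tool.
The policy documents below are constructed; ARNs and the account ID are
placeholders.
"""
import json
from typing import Any

# Actions that grant or escalate privilege.  Illustrative, not exhaustive.
SENSITIVE_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachRolePolicy",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "sts:AssumeRole",
}


def _as_list(value: Any) -> list:
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def lint_policy(document: str) -> list[dict]:
    """Return one finding per rule that fires; an empty list means clean."""
    policy = json.loads(document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        hits: list[tuple[str, str]] = []  # (severity, rule)

        if "NotAction" in stmt:
            hits.append(("high", "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            hits.append(("critical", "Action '*' grants full administrative access"))
        else:
            wild = [a for a in actions if a.endswith(":*")]
            if wild:
                hits.append(("high", "Service-wide wildcard action: " + ", ".join(wild)))
        if "*" in resources:
            escalates = "*" in actions or any(a in SENSITIVE_ACTIONS for a in actions)
            hits.append(("critical" if escalates else "medium",
                         "Resource '*' is not scoped to specific ARNs"))
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            hits.append(("critical", "Public principal with no Condition (anonymous access)"))

        findings.extend({"sid": sid, "severity": s, "rule": r} for s, r in hits)
    return findings


# Constructed identity policy: s3:* plus iam:PassRole on every resource.
OVERLY_PERMISSIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppAccess", "Effect": "Allow",
                   "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}],
})

# The same intent, scoped to the one bucket and one role the app really uses.
LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "PassAppRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-role"},
    ],
})

# Constructed bucket (resource) policy that makes every object world-readable.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}],
})

if __name__ == "__main__":
    for name, doc in [("overly permissive", OVERLY_PERMISSIVE),
                      ("least privilege", LEAST_PRIVILEGE),
                      ("public bucket policy", PUBLIC_BUCKET_POLICY)]:
        print(f"{name}: {lint_policy(doc) or 'no findings'}")
```

Run the linter over every customer-managed policy and bucket policy you export from an account and treat "critical" findings as blockers in change control; Deny statements are skipped deliberately, because they can only narrow what an Allow grants and so never widen the attack surface.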

PaaS (Platform as a Service)

In the PaaS model, the organization controls the platform and execution resources to develop, test and deploy applications. Examples include Red Hat OpenShift, AWS Elastic Beanstalk and Google App Engine.

In this cloud operating model, the CSP is responsible for hardening the operating system, middleware and runtime environment, since it manages those layers. However, your organization is still responsible for:

  • Identity and data governance, including user access management and change control
  • Client and endpoint protection
  • Network controls at the network level
  • Application-level settings
  • Security testing
  • Auditing and logging

SaaS (Software as a Service)

In the SaaS model, which includes Microsoft 365 and Salesforce, all components are managed by the CSP, which shifts even more responsibility to them. However, your organization’s responsibility is not insignificant; it includes configuring:

  • User accounts and access management rules
  • Application-level settings
  • Logging and auditing

Cloud Deployment Models

Your choice of cloud deployment model — private, public or hybrid — also impacts your cloud security planning.

Private Cloud

A private cloud serves a single organization, with services maintained on a private network. As a result, your organization has full control over the infrastructure. This deployment model offers extensive flexibility and opportunity for customization, but also requires more resources and expertise to manage and maintain it.

Because you are the owner, you have complete responsibility for the following:

  • Deploying and maintaining hardware and software
  • Ensuring the physical security of your infrastructure
  • Implementing appropriate security controls to protect against threats and attacks

Public Cloud

In a public cloud model, a CSP owns and operates all of the supporting infrastructure and software, and the services are delivered over the internet. Since a public cloud operates as a multi-tenant environment, it generally offers lower costs and better scalability than a private cloud. However, your organization has less control over the infrastructure and is dependent on the security measures implemented by the provider.

Accordingly, you need to ensure that the CSP's security commitments and regulatory compliance align with your own security and compliance needs. In particular, it is up to you to:

  • Thoroughly investigate the provider's security commitments
  • Review the CSP's audit reports and regulatory compliance attestations
  • Clearly understand the division of responsibilities

Hybrid Cloud

A hybrid cloud is a combination of public and private clouds. Not surprisingly, it can therefore be the most complex to secure. In particular, on top of managing the security concerns for each type of cloud, you must ensure that consistent security policies are applied across all your clouds, and that any change to the security posture in one cloud is replicated to the other clouds. For instance, if there is a security change to an image used in your private cloud, is that change pushed out to the public cloud as well?

Recommendations for Cloud Hardening

Use CIS Benchmarks

To help organizations establish secure configurations, the Center for Internet Security (CIS) provides the CIS Benchmarks. These security configuration guides cover a wide range of technologies, including operating systems, network devices, servers and desktop software, as well as cloud providers. By implementing the CIS Benchmarks, you can reduce configuration-based security vulnerabilities in your digital assets.

A great way to get started is to harden your organization's server images using the CIS hardening guidelines, or to purchase CIS Hardened Images from the AWS, Azure or Google Cloud marketplaces. Then integrate your antivirus, change detection and other security solutions into the hardened images.

Implement Security Best Practices

To further harden your cloud environment against threats, implement the following practices:

  • Least privilege — Grant each user, service account and server only the minimum permissions and privileges necessary to perform its intended function. This limits the damage that malicious actors or accidental errors can cause.
  • Least access — Restrict network access to cloud servers, and install only the required operating system components and applications on each instance. This makes it harder for malicious actors to reach sensitive information.
  • Configuration and change management — Create a baseline server configuration and track all deviations from that baseline.
  • Log auditing — Configure each asset to generate and securely store log data about all access attempts and all changes.
  • Compliance audit and reporting — Implement appropriate security controls and ensure you can provide proof of compliance to auditors.
  • Vulnerability management — Regularly assess your cloud environments for vulnerabilities and apply security patches and updates promptly.
  • Network segmentation — Divide cloud environments into smaller, isolated segments to limit the potential impact of a security incident.
  • Encryption — Encrypt data at rest and data in transit to protect it from unauthorized access.
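Configuration and change management, the hybrid-cloud question of whether a hardening change in one cloud ever reached the others, and the earlier point that hardening is continuous rather than a one-time event all reduce to the same operation: compare what is running against a baseline and account for every difference. The following Python drift checker is an added example for this article, not Netwrix or cloud-provider code. BASELINE, SNAPSHOT and EXCEPTIONS are constructed stand-ins for data you would pull from a provider API or configuration export, and the setting names are illustrative, not any provider's field names.

```python
"""Detect drift from a hardening baseline across cloud environments.

Added example for this article (not Netwrix or provider code).  BASELINE,
SNAPSHOT and EXCEPTIONS are constructed; the setting names are illustrative,
not any provider's API fields.
"""

# Hardened settings every resource of a given type must have, the kind of
# controls a CIS cloud benchmark describes.
BASELINE = {
    "storage_bucket": {"block_public_access": True, "encryption_at_rest": "kms",
                       "versioning": True, "access_logging": True},
    "virtual_machine": {"imds_v2_required": True, "disk_encryption": True,
                        "serial_console_enabled": False, "agent_log_forwarding": True},
    "security_group": {"ssh_open_to_internet": False, "rdp_open_to_internet": False},
}

# Approved exceptions are scoped per environment: (env, resource, setting) -> ticket.
EXCEPTIONS = {("private", "build-runner-01", "serial_console_enabled"): "CHG-1042"}

# Constructed snapshot, as if exported from each cloud's API.  The public copy of
# build-runner-01 came from the same image but never received the later hardening
# changes, and the public backups bucket drifted as well.
SNAPSHOT = {
    "private": [
        {"type": "virtual_machine", "name": "build-runner-01", "imds_v2_required": True,
         "disk_encryption": True, "serial_console_enabled": True, "agent_log_forwarding": True},
        {"type": "storage_bucket", "name": "backups", "block_public_access": True,
         "encryption_at_rest": "kms", "versioning": True, "access_logging": True},
    ],
    "public": [
        {"type": "virtual_machine", "name": "build-runner-01", "imds_v2_required": False,
         "disk_encryption": True, "serial_console_enabled": True, "agent_log_forwarding": True},
        {"type": "storage_bucket", "name": "backups", "block_public_access": False,
         "encryption_at_rest": "provider-managed", "versioning": True},  # access_logging absent
        {"type": "security_group", "name": "web-sg", "ssh_open_to_internet": True,
         "rdp_open_to_internet": False},
    ],
}


def drift_report(snapshot=SNAPSHOT, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Return one finding per setting that deviates from the baseline.

    A setting absent from the resource record is reported as drift: an unknown
    state is not a hardened state.  A resource whose type has no baseline is
    reported too, so new resource kinds cannot slip past unnoticed.
    """
    findings = []
    for env, resources in snapshot.items():
        for res in resources:
            expected = baseline.get(res["type"])
            if expected is None:
                findings.append({"env": env, "resource": res["name"], "setting": "type",
                                 "expected": "a baselined type", "actual": res["type"],
                                 "exception": None})
                continue
            for setting, want in expected.items():
                got = res.get(setting, "<missing>")
                if got != want:
                    findings.append({"env": env, "resource": res["name"], "setting": setting,
                                     "expected": want, "actual": got,
                                     "exception": exceptions.get((env, res["name"], setting))})
    return findings


def unapproved(findings):
    """Drift with no recorded exception: what must be fixed or formally accepted."""
    return [f for f in findings if f["exception"] is None]


if __name__ == "__main__":
    report = drift_report()
    for f in report:
        tag = f"approved ({f['exception']})" if f["exception"] else "UNAPPROVED"
        print(f"[{tag}] {f['env']}/{f['resource']}: {f['setting']} "
              f"expected={f['expected']!r} actual={f['actual']!r}")
    print(f"{len(unapproved(report))} of {len(report)} deviations need action")
```

Two design points matter here. Exceptions are keyed by environment, so the serial-console waiver granted for the private runner does not silently cover its public twin; the report shows the same deviation as approved in one cloud and unapproved in the other, which is exactly the replication gap the hybrid-cloud section warns about. And a missing attribute is treated as drift rather than ignored, because a hardening check that passes on absent data gives false assurance.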

Conclusion

The benefits of cloud services are substantial, including cost savings, easy scalability and powerful functionality. But you must still ensure the security of your data and applications. Using the information above, you can help your organization better secure its cloud environments to drive business growth.

FAQs

1. How do you harden cloud infrastructure?

Secure system configurations and settings to reduce their vulnerability to compromise. Remove all non-essential software programs and utilities to reduce opportunities for attackers to breach your systems.

2. What are network hardening techniques?

Core security best practices include least access, least privilege, configuration management, change management, and auditing & logging.

3. What is host hardening in security?

Host hardening involves removing non-essential components, programs, accounts, applications, services, ports, permissions and access from a host to reduce its vulnerabilities. Host hardening can also include:

  • Turning off unnecessary network services and enforcing authentication for any that are retained.
  • Installing and configuring a host firewall.
  • Making applications available only to users who require them and only when they need them.
  • Having users operate under lower privileges and granting higher-level privileges only as required.
  • Regularly testing systems for weaknesses and remediating them.
  • Enforcing strong passwords and password rotation.
  • Automating regular security updates and upgrades.
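For the first two items, unnecessary network services and a host firewall, the practical check is to compare what is actually listening on the host against an allowlist of services that are supposed to be reachable. The following Python audit is an added example for this article, not Netwrix code. SS_OUTPUT is a constructed sample of `ss -tlnp` output (the Linux socket statistics tool, listing TCP listeners with process names); on a real host you would substitute the live command output. Loopback-bound listeners are tolerated because they are not reachable from the network; anything bound to a routable or wildcard address must be on the allowlist.

```python
"""Audit a host's listening TCP sockets against an allowlist.

Added example for this article, not Netwrix code.  SS_OUTPUT is a constructed
sample of `ss -tlnp` output; on a real host use
subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout instead.
"""
import re
from ipaddress import ip_address

SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:6379       0.0.0.0:*     users:(("redis-server",pid=1201,fd=6))
LISTEN 0      4096   0.0.0.0:111          0.0.0.0:*     users:(("rpcbind",pid=600,fd=4))
LISTEN 0      511    *:80                 *:*           users:(("nginx",pid=1450,fd=6))
LISTEN 0      128    [::]:22              [::]:*        users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   [::1]:5432           [::]:*        users:(("postgres",pid=1333,fd=5))
"""

# Services permitted to listen on non-loopback addresses: process name -> ports.
ALLOWLIST = {"sshd": {22}, "nginx": {80, 443}}

_PROC_RE = re.compile(r'\(\("([^"]+)"')  # first process name in users:(("name",pid=..))


def _split_addr(local: str) -> tuple[str, int]:
    """Split 'host:port', handling bracketed IPv6 such as '[::]:22'."""
    host, port = local.rsplit(":", 1)
    return host.strip("[]"), int(port)


def _is_loopback(host: str) -> bool:
    """'*' and '0.0.0.0'/'::' are wildcards, never loopback."""
    if host == "*":
        return False
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_listeners(ss_text: str) -> list[dict]:
    """Turn `ss -tlnp` output into {process, host, port} records."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or malformed row
        host, port = _split_addr(fields[3])
        match = _PROC_RE.search(line)
        listeners.append({"process": match.group(1) if match else "<unknown>",
                          "host": host, "port": port})
    return listeners


def audit_listeners(ss_text: str, allowlist=ALLOWLIST) -> list[dict]:
    """Return listeners exposed beyond loopback that the allowlist does not cover."""
    return [
        l for l in parse_listeners(ss_text)
        if not _is_loopback(l["host"]) and l["port"] not in allowlist.get(l["process"], set())
    ]


if __name__ == "__main__":
    for v in audit_listeners(SS_OUTPUT):
        print(f"unexpected listener: {v['process']} on {v['host']}:{v['port']}")
```

In the sample, redis and postgres are bound to loopback and pass, sshd and nginx are allowlisted, and rpcbind on 0.0.0.0:111 is the finding: a service nobody asked for, exposed to the network. Run the audit from configuration management after every deployment and alert on any non-empty result, and keep the allowlist itself under change control so that adding a port is a reviewed decision.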

4. What are the benefits of cloud hardening?

Cloud hardening offers a wide range of benefits, including:

  • Reducing the attack surface of your cloud infrastructure
  • Improving the overall security posture of your organization
  • Helping ensure compliance with regulations and standards
  • Minimizing the risk of data breaches and unauthorized access
  • Reducing the cost of security incidents and potential compliance fines
  • Improving the efficiency and performance of cloud-based systems

5. How often should cloud hardening be performed?

Cloud hardening should be performed regularly, as part of an ongoing security and compliance program. It’s important to regularly review and update your security configuration and practices to ensure that your cloud infrastructure remains secure.



About the author


Dirk Schrader

VP of Security Research

Dirk Schrader is Resident CISO (EMEA) and VP of Security Research at Netwrix. With 25 years of experience in IT security and certifications including CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the world, starting in technical and support roles early in his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles on the need to address change and vulnerability management in order to achieve cyber resilience.