In today's fast-paced business environment, organizations need to be agile and innovative to stay ahead of their competition. This requires a careful balancing act between risks and rewards. Identifying potential security threats to your cloud environment and establishing processes and procedures for addressing these threats should be a top priority for every organization.
Common Cloud Security Challenges
- Legacy tools – many large organizations rely on enterprise-grade tool platforms that allow them to easily manage on-premises resources. When that tooling does not keep up with developments in cloud computing, tools originally built for on-premises environments are often incompatible with cloud environments and virtualization. These incompatibilities lead to visibility and control gaps that expose organizations to risk from misconfigurations, vulnerabilities, data leaks, unnecessary privileged access, and compliance issues.
- Multi-tenant cloud environments – multitenancy forms the backbone of many key benefits promised by cloud computing (e.g., lower cost, flexibility, scalability), but it also introduces concerns around data isolation and data privacy.
- Human error at scale – misconfigurations, vulnerabilities and other security issues can be rapidly deployed and proliferated across cloud resources, potentially resulting in exposure of sensitive data or a large-scale service outage.
- DevOps automation – as with the previous issue, a simple misconfiguration or security flaw, such as leaving secrets in plain text, can lead to a broadly propagated vulnerability or exploitable flaw.
This is by no means a complete list, but it should give readers an idea of the unique issues faced by cloud security teams.
Cloud Security Strategy
To mitigate these risks, organizations need a comprehensive security strategy that addresses their unique compliance, regulatory and security requirements. At a minimum, this strategy should consider:
- Current and future cloud computing needs.
- Current and future state of your application architecture(s).
- Potential security risks.
- Integration with existing governance practices.
With these items known and accounted for, the overall security governance strategy will, in turn, be supported by policies or policy initiatives. For each technical risk identified, draft an individual cloud policy statement. Each statement definition should include the following information:
- Technical risk: a summary statement identifying the risk this policy will address.
- Policy statement: a summary statement explaining the policy requirement.
- Technical options: actionable recommendations or other guidance IT teams and developers can use when implementing the policy.
Sample Policy Implementation
In the following example we take a common security risk, exposing a public IP to a VNET, and walk through the process of defining a policy statement and implementing a solution.
We assume the risk assessment has already been completed and we are ready to define the policy.
Articulate and document the technical risk
- Technical risk: Creating or updating a network configuration that exposes a public IP can lead to data exposure or a compromised cloud resource.
- Policy statement: Governance tooling must audit and enforce network configuration requirements stating that no public IP will be exposed unless an exception is granted.
- Technical options: In Azure, network activity can be monitored using Azure Network Watcher, and Azure Security Center can help identify security vulnerabilities. Azure Policy allows you to restrict the creation of public IPs while provisioning network resources.
Implementing this policy as a governance-as-code solution, we can:
Using Azure ARM policy definition
{
  "if": {
    "anyOf": [
      {
        "source": "action",
        "like": "Microsoft.Network/publicIPAddresses/*"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
Using PowerShell
# Subscription selection
Login-AzureRmAccount
$sub = "<subscription name>"
Get-AzureRmSubscription -SubscriptionName $sub | Set-AzureRmContext
# Get the resource group
$rgname = "<resource group name>"
$rg = Get-AzureRmResourceGroup -Name $rgname
# Create the policy definition
$definition = '{"if":{"anyOf":[{"source":"action","like":"Microsoft.Network/publicIPAddresses/*"}]},"then":{"effect":"deny"}}'
$policydef = New-AzureRmPolicyDefinition -Name NoPubIPPolicyDefinition -Description 'No public IP addresses allowed' -Policy $definition
# Assign the policy
New-AzureRmPolicyAssignment -Name NoPublicIPPolicyAssignment -PolicyDefinition $policydef -Scope $rg.ResourceId
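To make the deny rule above concrete, here is an added Python example (not from the original post and not Azure's own engine) that models the policy's anyOf/like evaluation and checks constructed sample requests against the page's definition. The matching semantics used here (case-insensitive comparison, a single "*" wildcard in like) are stated as assumptions about Azure Policy, not taken from the page.

```python
import json

# The policy definition from the page (older "source": "action" rule syntax).
POLICY = json.loads(
    '{"if":{"anyOf":[{"source":"action","like":"Microsoft.Network/publicIPAddresses/*"}]},'
    '"then":{"effect":"deny"}}'
)


def like_match(pattern: str, value: str) -> bool:
    """Assumed 'like' semantics: case-insensitive, at most one '*' wildcard."""
    if pattern.count("*") > 1:
        raise ValueError("'like' supports at most one '*' wildcard")
    p, v = pattern.lower(), value.lower()
    if "*" not in p:
        return p == v
    head, _, tail = p.partition("*")
    return v.startswith(head) and v.endswith(tail) and len(v) >= len(head) + len(tail)


def condition_holds(cond: dict, request: dict) -> bool:
    """Evaluate one leaf condition or a logical combinator (anyOf/allOf/not)."""
    if "anyOf" in cond:
        return any(condition_holds(c, request) for c in cond["anyOf"])
    if "allOf" in cond:
        return all(condition_holds(c, request) for c in cond["allOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], request)
    actual = request.get(cond["source"], "")  # "source" names the request attribute
    if "like" in cond:
        return like_match(cond["like"], actual)
    if "equals" in cond:
        return actual.lower() == cond["equals"].lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, request: dict) -> str:
    """Return the policy's effect ('deny') when the rule matches, else 'allow'."""
    return policy["then"]["effect"] if condition_holds(policy["if"], request) else "allow"


# Constructed sample requests (hypothetical, not captured from a real subscription).
REQUESTS = [
    {"action": "Microsoft.Network/publicIPAddresses/write"},
    {"action": "Microsoft.Network/publicIPAddresses/delete"},
    {"action": "microsoft.network/PUBLICIPADDRESSES/write"},
    {"action": "Microsoft.Network/virtualNetworks/write"},
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req['action']:<48} -> {evaluate(POLICY, req)}")
```

Note that the trailing wildcard matches every operation under publicIPAddresses, so delete requests are denied alongside create and update; narrow the pattern if the policy statement is meant to cover creation only.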
With a soundly crafted cloud security strategy and clearly articulated policies, you can foster organizational innovation and support workforce productivity, while keeping your applications safe, and your data secure. Whether you are starting from scratch or have an existing investment in security governance policies, InCycle is here to accelerate your organization’s adoption of governance best practices.
To learn more about enterprise governance, download the Governance Playbook!