Sunday, November 21, 2021

Understanding The Differences Of Cyber Hygiene In The Cloud & On Prem

 


Yet once again, one of the biggest buzzwords to be thrown out there in our world of Cyber is “Hygiene”.  Actually, I don’t think this term really started to take root until everybody started to work from home, when, of course, security was a huge mess. 

But when we hear this term, the images that come to mind are of people working directly at their computers, or perhaps even going into the office to access resources, in a safe and secure manner (really? LOL).

But Cyber Hygiene is actually an all-encompassing term which covers all forms of both digital and physical assets.  Long story short, it simply means that you are abiding by the security policies of your company and doing your best not to become a victim.  The term applies to the Cloud as well, and to how safely you access resources there. 

For example, suppose you are accessing a VM in Microsoft Azure to reach some shared resources.  Are you still following your company’s security policy?  Hopefully you are.  But keep in mind that as a predominantly Remote Workforce is now going to be with us for a long time, Cyber Hygiene in the Cloud is going to become a key issue. 

Here are some quick ways in which it can be addressed:

1)     Determine exactly what you have in the Cloud:

With the COVID-19 pandemic, many businesses in Corporate America have made a complete transition to the Cloud, whether it is AWS or Azure.  Of course, there are still some that are reluctant to make the transition, and some prefer a hybrid approach where some assets stay in the Cloud and some stay On Premises.  But no matter what you are using, take inventory of all of the assets that you have deployed to the Cloud.  All those controls that you have deployed On Premises now have to be carried over to the Cloud as well.  Remember, the GDPR and the CCPA don’t just apply to what sits On Premises – they require that all appropriate and needed controls are also deployed on your Private or Public Cloud.  To keep things efficient, use the same methodology for asset categorization and risk level in the Cloud that you already use On Prem.

2)     Determine the effectiveness of those controls:

Although the same sort of controls will be required in the Cloud as you had On Premises, you still need to make sure that they work the intended way in AWS or Azure.  The controls should work fine, but some adjustments may still be needed.  One good approach is to create a sandbox environment and test the controls there before you move them into the production environment in your Cloud infrastructure.  A good framework to help keep track of all of your controls is the “Cloud Controls Matrix” that is available free from the Cloud Security Alliance.  You can download it at this link:

https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/

3)     The transition to the Cloud:

Suppose you have an On Premises server and have migrated it over to AWS or Azure.  Once that process has been done, your new VM could be set up differently, and the way you access resources on it could change as well.  In fact, you may not even move everything over, depending upon how old your data is and what the exact purpose of the new VM is.  So, once you have made the move completely, take stock of what each new VM is actually doing.  For example, is one just serving the company Intranet while another is a database server?  Of course, all of them will need protection via the controls, but perhaps not all of them will have to be enforced equally strictly.  The server hosting the company pages may not need as many controls as the VM which houses the database.  The reason for this is that although there is a plethora of benefits with a Cloud based structure, you are always going to be charged for how many resources you are using, technically known as “consumption”.  These costs can add up quickly, so you need to allocate resources accordingly.  Tie the level of enforcement to the risk level you assigned during inventory, so that cost pressure trims controls on low-risk assets and not on the database.

4)     Keep everybody informed:

It is important to note that as you get deeper into this process, all key stakeholders, and especially your employees, need to be kept informed of what is going on.  Of course, you do not want to give out all of the details, but employees will feel much more empowered and motivated to maintain a strong level of Cyber Hygiene, whether they are remote, On Premises, or in the Cloud.  You also need to remind them that the same security policies apply in every kind of environment.
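Steps 1 through 3 above come down to one procedure: inventory every asset, apply the same categorization and risk level you use On Prem, and check that each asset carries the controls its risk tier demands. The script below is an added example, not code from the original post, that runs that procedure offline over a constructed inventory. The classification labels, risk tiers, control names, tag keys and asset IDs are all assumptions made for illustration; in practice the inventory list would come from an export such as AWS Config or Azure Resource Graph. It also handles the failure mode that matters most here: an asset migrated without any classification tag cannot be categorized at all, and is reported as such rather than silently assigned a tier.

```python
"""Control-parity check for a mixed On Prem / Cloud inventory.

Added example, not code from the original post. The classification labels,
risk tiers, control names, tag keys and asset IDs below are assumptions
constructed for illustration; in practice the inventory list would come
from an export such as AWS Config or Azure Resource Graph.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed on-prem methodology: data classification -> risk tier (1 = lowest).
CLASSIFICATION_TIER = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Assumed control baseline per tier. Higher tiers inherit and add controls,
# so a database VM holding restricted data needs more than an intranet server.
CONTROLS_BY_TIER = {
    1: {"patching", "logging"},
    2: {"patching", "logging", "mfa"},
    3: {"patching", "logging", "mfa", "encryption_at_rest", "backup"},
    4: {"patching", "logging", "mfa", "encryption_at_rest", "backup", "network_isolation"},
}

# Constructed inventory export (hypothetical IDs and tag values).
INVENTORY = [
    {"id": "srv-db-onprem-01", "environment": "onprem",
     "tags": {"classification": "restricted", "role": "database"},
     "controls": {"patching", "logging", "mfa", "encryption_at_rest", "backup", "network_isolation"}},
    {"id": "vm-intranet-01", "environment": "azure",
     "tags": {"classification": "internal", "role": "web"},
     "controls": {"patching", "logging", "mfa"}},
    {"id": "vm-db-01", "environment": "aws",
     "tags": {"classification": "restricted", "role": "database"},
     "controls": {"patching", "logging", "mfa", "encryption_at_rest"}},
    # Migrated without tags: the methodology cannot be applied to it at all.
    {"id": "vm-legacy-07", "environment": "aws", "tags": {}, "controls": {"logging"}},
]


@dataclass(frozen=True)
class Finding:
    asset_id: str
    environment: str
    tier: Optional[int]
    missing_controls: frozenset
    status: str  # "ok", "gap" or "uncategorized"


def risk_tier(asset: dict) -> Optional[int]:
    """Apply the on-prem classification-to-tier mapping to an asset.

    Returns None when the classification tag is missing or unrecognised,
    rather than guessing a tier: an asset you cannot categorize is itself
    the first inventory gap to close.
    """
    label = asset.get("tags", {}).get("classification", "")
    return CLASSIFICATION_TIER.get(label.strip().lower())


def required_controls(tier: int) -> frozenset:
    """Controls the baseline demands at a given tier."""
    return frozenset(CONTROLS_BY_TIER[tier])


def assess_asset(asset: dict) -> Finding:
    """Compare one asset's deployed controls against its required baseline."""
    tier = risk_tier(asset)
    if tier is None:
        return Finding(asset["id"], asset["environment"], None, frozenset(), "uncategorized")
    missing = required_controls(tier) - set(asset.get("controls", ()))
    return Finding(asset["id"], asset["environment"], tier, frozenset(missing),
                   "gap" if missing else "ok")


def assess(inventory: list) -> list:
    """Assess every asset in the inventory, in order."""
    return [assess_asset(a) for a in inventory]


def summarize_by_environment(findings: list) -> dict:
    """Per-environment counts, so On Prem and each Cloud can be compared side by side."""
    summary = {}
    for f in findings:
        counts = summary.setdefault(f.environment, {"ok": 0, "gap": 0, "uncategorized": 0})
        counts[f.status] += 1
    return summary


if __name__ == "__main__":
    results = assess(INVENTORY)
    for f in results:
        detail = ", ".join(sorted(f.missing_controls)) or "-"
        print(f"{f.asset_id:18} {f.environment:7} tier={f.tier} {f.status:13} missing: {detail}")
    print(summarize_by_environment(results))
```

On the constructed data the On Prem database and the Azure intranet VM pass, the AWS database VM is flagged for missing backup and network isolation, and the untagged legacy VM is reported as uncategorized. Because the same tier table and control baseline are applied to every environment, the per-environment summary shows directly whether the Cloud side has reached parity with On Prem.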

My Thoughts On This

Remember, moving to the Cloud is not an easy task, especially if you have a large organization.  It should be done in phases, especially when it comes to moving the controls over.  It is always best to hire a solid, reputable Cloud Services Provider (CSP) that can pretty much do all of this for you, as they will have the experience. 

Best of all, they can continue to oversee your new Cloud environment after the migration has been completed, and all of the security aspects of it as well.

In this regard, many CSPs are now focusing these services on the SMB market exclusively . . . making them much more affordable.
