The phone call from the panicked customer came to Brett Gillett early on a Saturday morning: The just-received monthly bill from Amazon’s AWS service was five times the company’s average charge. Why?
As Gillett, founder of Curious Orbit Cloud Consulting, an Oakville, Ont., firm that specializes in AWS advisory services, told the Trend Micro CloudSec cloud security conference in Toronto on Wednesday, it was a matter of bad credential management.
“They broke a couple of rules. They [developers] were using the root AWS account,” whose permissions cannot be restricted by IAM policies. It isn’t clear whether it was an insider or an outside attacker, but someone used that access to launch new AWS instances in a different region and install bitcoin mining software. The miners consumed large amounts of compute, hence the high bill from Amazon.
“That’s the Darwin Award” for the worst mistake he’s come across, Gillett said.
“Never use long-term access keys” in a cloud environment, he warned the audience, regardless of corporate policies, because if an employee loses a laptop whoever finds it has full access to everything.
That was one of the lessons Gillett and James Peek, a consultant at Sourced Group, a cloud advisory firm with offices in Toronto, Singapore and Australia, gave during a session at the conference.
Here are a few more:
–Companies don’t think about how the cloud differs from an on-premises environment, said Peek: How do you protect a dynamic compute environment when an instance may last only four minutes? The IT security team has to evaluate its toolset. “If you treat something like it’s on-premise then it’s going to act like it’s on-premise, and you’re not going to get the agility and scalability you want from the cloud.” One of the biggest misconceptions, he added, concerns the nature of routing in a public cloud and how it ties back to the on-premises environment.
–Don’t have long-term access keys in a public cloud environment, said Gillett. And make sure third-party vendors and partners understand that. “We have a rule: If you ask me for my access keys, we’re going to the next provider that’s going to allow us to use temporary credentials.”
That, he agreed, is also a good way to see if a partner understands good cloud security policies.
–“A solid identity and access management (IAM) strategy is critical” for successful cloud security, said Peek. Some form of identity federation and single sign-on capability is needed. And for most applications “the principle of least privilege is more important than ever.”
Why? He’s seen an attacker get administrator access from a non-production server.
–Make sure IAM policies are well defined, said Gillett, but there’s no need to re-invent the wheel. If you already have a password policy, extend it to the cloud. And make sure you use automation everywhere you can to push security standards to the cloud. Don’t spend time managing identities rather than managing services for customers.
–More on identity management: Asked what he thinks about multi-factor authentication, Peek replied: “Every human should have MFA.” And either disable sensitive/critical API calls – remember, he said, in the cloud networking is only an API call away – or enforce MFA on the network layer. Meanwhile, root account credentials “need to be locked in a safe,” with two people needed to unlock it, and an alert sent to a senior administrator whenever someone logs into that account.
–Data is the most important thing an organization has, so a cloud strategy has to be based on a data classification policy, said Gillett. It lets you rule out things that can never leave the corporate environment. “We find a lot of organizations don’t have it, or think they have it and haven’t updated it in years.” Use it to decide whether you need client-side encryption, server-side encryption, or whether AWS should manage those keys. AWS and Azure have services that can help develop data classification.
–Use encryption everywhere, said Peek. “There are very few reasons why we don’t need to encrypt everything.” Using a cloud provider to manage the keys will simplify oversight.
–If using AWS, enable CloudTrail for auditing, said Peek. In an interview he expanded: Create a central ‘Compliance’ subscription, and use that for centralizing all the logs from your platform (including CloudTrail). In your Master account, create Service Control Policies (SCPs) that disable API actions against CloudTrail (such as turning it off). CloudTrail will continue to log into your Compliance subscription.
The Center for Internet Security’s AWS Foundations Benchmark provides some events you can start looking for to create actionable alerts on.
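The two controls above (Peek’s “enforce MFA on sensitive API calls” and the SCP that stops anyone from turning CloudTrail off) both come down to explicit Deny statements in a Service Control Policy. The following is an added example, not code shown at the conference or published by Sourced Group: a hypothetical SCP with those two statements, plus a small evaluator that models the relevant part of SCP semantics (a matching Deny wins; anything else falls through to the default FullAWSAccess allow) so the policy can be reasoned about offline. Statement Sids and the chosen action list are illustrative assumptions; the condition key `aws:MultiFactorAuthPresent` and the `BoolIfExists` operator are the ones AWS documents for this purpose.

```python
"""Added example: a hypothetical AWS Service Control Policy and a simplified
offline evaluator for it.  Not the talk's or Sourced Group's own code."""
import fnmatch
import json

# Hypothetical SCP (illustrative Sids and action lists).  Statement 1 blocks
# CloudTrail tampering outright; statement 2 blocks destructive calls unless
# the caller authenticated with MFA.  BoolIfExists matters: requests signed with
# long-term access keys carry no aws:MultiFactorAuthPresent key at all, and
# BoolIfExists treats a missing key as a match, so such requests are denied.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        },
        {
            "Sid": "RequireMfaForDestructiveCalls",
            "Effect": "Deny",
            "Action": ["ec2:TerminateInstances", "ec2:StopInstances", "iam:Delete*"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _condition_matches(condition, context):
    """Evaluate the Bool / BoolIfExists operators used by this example's policy."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "BoolIfExists":
                if key not in context:
                    continue  # absent key counts as a match
                if str(context[key]).lower() != str(expected).lower():
                    return False
            elif operator == "Bool":
                if key not in context or str(context[key]).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def scp_denies(policy, action, context=None):
    """Return the Sid of the first Deny statement that matches, or None if the
    action falls through to the default allow.  `context` holds request
    condition keys, e.g. {"aws:MultiFactorAuthPresent": "true"}."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # IAM action names are matched case-insensitively with '*' wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    checks = [
        ("cloudtrail:StopLogging", {"aws:MultiFactorAuthPresent": "true"}),
        ("ec2:TerminateInstances", {}),                                   # long-term key, no MFA key
        ("ec2:TerminateInstances", {"aws:MultiFactorAuthPresent": "true"}),
        ("iam:DeleteUser", {"aws:MultiFactorAuthPresent": "false"}),
        ("s3:GetObject", {}),
    ]
    for action, ctx in checks:
        print(f"{action:28} {ctx or '(no MFA key)':40} -> {scp_denies(SCP, action, ctx)}")
```

Two caveats a practitioner should keep in mind: an SCP never grants anything, it only caps what IAM policies in member accounts can allow, and SCPs do not apply to the management (Master) account itself, so that account’s root credentials still need the safe-and-two-people procedure described above.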
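The CIS benchmark expresses its recommended alerts as CloudWatch Logs metric-filter patterns over CloudTrail records. As an added example (not part of the original article), the script below re-implements four of those patterns in Python and runs them over constructed CloudTrail records, so the matching logic can be checked offline: root account usage (the pattern behind the “alert when someone logs into the root account” advice), CloudTrail configuration changes, console sign-in without MFA, and unauthorized API calls. The records are made up for this example; the first one is shaped like the cryptomining story, a root-account RunInstances call in an unexpected region. In production these patterns belong in metric filters feeding alarms, not in a script.

```python
"""Added example: CIS AWS Foundations Benchmark style CloudTrail alert rules,
re-implemented in Python and run over constructed records.  Not from the talk."""


def _get(rec, path, default=None):
    """Walk a dotted path through nested dicts, e.g. 'userIdentity.type'."""
    cur = rec
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def root_account_usage(rec):
    # Root used directly: not invoked on root's behalf by a service, and not an
    # AWS-generated service event.
    return (_get(rec, "userIdentity.type") == "Root"
            and _get(rec, "userIdentity.invokedBy") is None
            and rec.get("eventType") != "AwsServiceEvent")


def cloudtrail_config_change(rec):
    return rec.get("eventName") in {
        "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging",
    }


def console_login_without_mfa(rec):
    # A missing MFAUsed field is treated as "not Yes", i.e. it still alerts.
    return (rec.get("eventName") == "ConsoleLogin"
            and _get(rec, "additionalEventData.MFAUsed") != "Yes")


def unauthorized_api_call(rec):
    code = rec.get("errorCode") or ""
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


RULES = {
    "RootAccountUsage": root_account_usage,
    "CloudTrailConfigChange": cloudtrail_config_change,
    "ConsoleLoginWithoutMFA": console_login_without_mfa,
    "UnauthorizedAPICall": unauthorized_api_call,
}


def evaluate(records):
    """Return (rule name, eventID) for every record that trips a rule."""
    alerts = []
    for rec in records:
        for name, rule in RULES.items():
            if rule(rec):
                alerts.append((name, rec.get("eventID")))
    return alerts


# Constructed CloudTrail records, trimmed to the fields the rules read.
SAMPLE_RECORDS = [
    {"eventID": "e1", "eventName": "RunInstances", "eventType": "AwsApiCall",
     "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventID": "e2", "eventName": "StopLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "dev-ci"}},
    {"eventID": "e3", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e4", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e5", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "e6", "eventName": "ListBuckets", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}},
    # Root acting through a service (invokedBy set) is deliberately not flagged.
    {"eventID": "e7", "eventName": "CreateLogStream", "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "invokedBy": "cloudtrail.amazonaws.com"}},
]


def sample_alerts():
    return evaluate(SAMPLE_RECORDS)


if __name__ == "__main__":
    for rule, event_id in sample_alerts():
        print(f"{rule}: {event_id}")
```

The root-usage rule is the one that would have fired on the Saturday-morning bill story, and it only has value if the trail it reads cannot be switched off, which is why it pairs with the SCP Peek describes and with a log destination in a separate, centrally controlled account.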
–Companies new to cloud computing should start by creating a ‘cloud security centre of excellence’, which will allow the organization to move to the cloud faster, said Gillett. “Find those people (in your org) who are continuous learners. Those are going to be the ones who will help you be successful regardless of which platform you end up on.”
“Automate everything you possibly can,” said Gillett, because people make mistakes. Continuously educate cloud team members and build a ‘blame-free environment,’ especially if you’re just adopting cloud. “You’ve got to give your internal teams an opportunity to learn, that’s where the cloud centre of excellence becomes the focal point.”
It may be obvious, but don’t make your first cloud app “the crown jewels,” said Peek. Moderator Doug Cahill, senior analyst at the Enterprise Strategy Group agreed: Put up an application you can be successful at early and gain momentum.
Finally, if you’re beginning your journey don’t start with multiple cloud providers, said Peek. Cloud is hard, two clouds are harder. “Don’t do two things half-assed, do one thing whole-assed and you’ll be in a better place.”