Elevating Cloud Security With Well-Architected Practices

January 31, 2024 Prashant Tyagi

cloud security architected

It’s said that life truly begins when you step out of your comfort zone. Living in California provides me with many options for hiking and trekking, a perfect backdrop for spending time with nature and enjoying it with friends and family. As a hiking and nature enthusiast, I have done many moderately challenging trails in and around the Bay Area – my comfort zone.

Last year, I decided I needed to get out of my comfort zone and do one of the most challenging hikes in the world, the trek to Everest Base Camp (EBC). Spanning 10 days and covering 80 miles through the scenic Himalayas, culminating at 18,000 feet – about half the cruising altitude of a commercial jet. Reaching the summit was incredibly uplifting and gave me a profound sense of accomplishment. However, the preparation and planning for the adventure provided long-standing benefits. Training for Everest propelled me into a disciplined physical routine and diet, adhering to best practices and guardrails since ensuring optimal fitness and enhancing my well-being.

Climbing the Cloud Transformation Mountain

There are parallels to my experience with the EBC hike in my career leading digital transformation and cloud initiatives for large enterprises and digital-native businesses. Organizations must constantly challenge their comfort zones, particularly when securing their application environments. As large enterprises complete their migration to the cloud and digital native businesses scale their offerings on the cloud, breaking away from their comfort zones by adhering to the well-architected frameworks published by their cloud providers, like AWS, Azure and GCP, becomes imperative. This urgency amplifies with the surge in cloud services and increased threats on cloud workloads due to the rise of artificial intelligence (AI). And this transformation should occur without slowing the pace of delivery.

All cloud providers abide by a shared responsibility model with organizations, making it their duty to adhere to the guardrails, ensuring the overall health of their cloud environments. Embracing solutions aligned with well-architected frameworks for security has been my strategic approach throughout this transformative time.

Key Guidelines for Securing Cloud Identities

When building secure and well-architected cloud environments, the following guidelines are essential for securing identities in the cloud:

1. The principle of least privilege (PoLP). Assign the minimum necessary permissions to users, processes and systems to perform their tasks, reducing the risk of unauthorized access. Implementing zero standing privileges (ZSP) and allocating just-in-time (JIT) access to roles scoped for least privilege ensures that only the required and essential permissions are granted to any user accessing cloud resources by console or command line interface (CLI) for the time allocated and enable non-human interactions through APIs (Application Programming Interface) securely.

2. Authentication and authorization. Implement strong authentication mechanisms, such as multi-factor authentication (MFA), and ensure proper authorization controls to manage access to cloud resources effectively. Platforms requiring MFA at login and supporting third-party IdPs to collaborate with existing SSO/MFA solutions can enforce the necessary authorization controls for cloud-native services.

3. Centralized identity management. Use a centralized identity management system for user authentication and authorization, facilitating better control and monitoring of access across your cloud environment. Leveraging a centralized identity management platform that integrates with third-party IdPs ensures complete identity lifecycle management and identity compliance mapping.

4. Credential management. Regularly rotate and manage credentials securely, avoiding hard-coded credentials and utilizing Identity and Access Management (IAM) roles whenever possible. Integrating privileged access management (PAM) capabilities for long-term credentials helps safeguard them.

5. Audit trails and monitoring. Implement robust logging and monitoring for all identity-related events, enabling timely detection and response to security incidents. Leveraging cloud log solutions and cloud monitoring capabilities allows recording and monitoring of user activity within web applications and cloud consoles.

6. Automated compliance checks. Employ automated tools and processes to regularly assess and ensure compliance with security best practices, IAM policies and configurations. Regular reviews of inactive identities, identities with unused privilege permissions, and those with standing privilege permissions are essential.

7. Secure DevOps practices. Integrate security measures into the DevOps pipeline, ensuring that identity and access controls are considered and tested throughout the development lifecycle. Organizations should secure access to a broad range of applications, including COTS, BOTS, automation platforms and CI/CD tools – running in hybrid, cloud-native and containerized environments.

A Disciplined Approach for Taking Your Organization’s Cloud Health to the Next Level

Adhering to these guardrails, organizations can elevate the health of their cloud environments and take them to a higher level of maturity, optimizing their cloud solutions for security. Like my personal fitness journey conquering the EBC hike, a disciplined approach to cloud health requires discipline to reach peak performance.

An integrated identity security strategy, enforcing least privilege and enabling Zero Trust, is the best line of defense against attacks in today’s threat landscape. To explore our research, based on a survey of how 1,500 cybersecurity professionals are looking at securing the cloud as part of a holistic, risk-based identity security strategy for thwarting attacks and increasing cyber resilience, check out our Identity Security Model report.

Prashant Tyagi leads cloud solutions GTM (Go to Market) technology strategy at CyberArk.

Previous Article
Redefining PAM to Secure OT and IoT Devices
Redefining PAM to Secure OT and IoT Devices

Left to their own devices, your organization’s devices can be a significant source of risk. Consider operat...

Next Article
GenAI’s Role in Upskilling to Close the Cybersecurity Skills Gap
GenAI’s Role in Upskilling to Close the Cybersecurity Skills Gap

The cybersecurity industry has a major people problem: it doesn’t have enough of them. The global shortage ...