11 Cloud Security Design Patterns
CIS Controls, CSA Enterprise Architecture Reference Guide, and CSA's Egregious 11
What Are Cloud Security Design Patterns?
Cloud security design patterns are standardised, proven approaches to addressing security and compliance challenges in cloud computing environments.
They provide architectural guidance
They help organisation implement best practices
Categories of Design Patterns
Vendor-neutral design patterns
The CCSP exam focus:
Security principles (CIS controls) published by the SANS Institute
Enterprise Architecture Reference (Cloud Security Alliance - CSA)
Vendor-specific design patterns
AWS Well-Architected Framework
Microsoft Azure Well-Architected Framework
Google Cloud Architecture Framework
CIS Controls versus CSA’s Enterprise Architecture Reference Guide
The Critical Security Controls (CIS Controls) and the Cloud Security Alliance’s (CSA) Enterprise Architecture Reference Guide are both important resources in the field of cybersecurity, but they serve different purposes and have distinct areas of focus.
Purpose
CIS Controls
The CIS controls are a set of 18 best practices and guidelines aimed at improving the overall security posture of an organisation’s IT systems and infrastructure.
They are intended to help organisations protect their data, networks, and systems from cybersecurity threats.
Enterprise Architecture Reference Guide
The CSA’s enterprise architecture reference guide is focused on helping organisations securely integrate and adopt cloud computing technologies within existing architectures.
It provides guidance on how to align cloud services with an organisation’s broader architectural framework.
Scope
CIS Controls
The CIS controls are broad and include a wide range of security measures that are applicable to both on-premises and cloud environments.
They address aspects, such as asset and vulnerability management, access control and data protection.
Enterprise Architecture Reference Guide
The CSA’s enterprise architecture reference guide has a narrower scope compared to the CIS controls.
It addresses considerations, such as cloud architecture, risk management, compliance and secure cloud adoption.
Applicability
CIS Controls
The CIS controls are intended for use in various computing environments, including traditional on-premises data centres and cloud-based infrastructure.
They provide a general framework for improving security across an organisation’s entire IT ecosystem.
Enterprise Architecture Reference Guide
The CSA’s guide is particularly relevant to organisations that are planning to or have already adopted cloud services.
It provides recommendations and strategies for ensuring that cloud solutions are seamlessly integrated into an organisation’s architecture while maintaining security and compliance.
CSA Egregious 11
The CSA Egregious 11 is a list of the top 11 cloud security threats and risks:
Data Breaches
Misconfiguration and Inadequate Change Control
Lack of Cloud Security Architecture and Strategy
Insufficient Identity, Credential, Access and Key Management
Account Hijacking
Insider Threat
Insecure Interfaces and APIs
Weak Control Plane
Metastructure and Applistructure Failures
Limited Cloud Usage Visibility
Abuse and Nefarious Use of Cloud Services
The list
Raises awareness
By highlighting these threats, organisations are better informed about potential vulnerabilities in their cloud environments.
Provides guidance
It offers a roadmap for organisations to understand, assess, and address these threats effectively.
Establish best practices
Each threat is accompanied by best practices and recommendations for migrating risks.
Aids in risk mitigation
By focusing on these risks, organisations can proactively take steps to minimise their exposure.
Helps in compliance
The Egregious 11 helps organisations align their cloud security practices with regulatory requirements.
Helps in education and training
It helps to understand the evolving threat landscape and the importance of cloud security.
Data Breaches
Description
A data breach refers to unauthorised access to sensitive data, leading to
Data exposure
Data loss
Data theft
The result could be the compromise of confidential information, including
Customer data
Intellectual property
Financial records
Data breaches can have severe consequences, including
Reputational damage
Regulatory fines
Legal liabilities
Controls
The CSA publishes the Cloud Controls Matrix (CCM), which provides a set of controls and guidelines for secure cloud computing. The Egregious 11 can be mapped to the controls within the CCM, showing how the identified threats relate to the specific security measures
The threat of data breaches relates to various CCM controls, such as
Data encryption
Data classification
Access controls
These controls are designed to protect sensitive data and prevent unauthorised access.
Misconfiguration and Inadequate Change Control
Description
Misconfiguration occurs when computing assets are setup incorrectly, often leaving them vulnerable to malicious activity.
Unsecured data storage elements
Excessive permissions
Default credentials and configs left unchanged
Standard security controls disabled
A leading cause of data breaches and could allow for
Deletion or modification of resources
Service disruption
An absence of effective change control is a common cause of misconfiguration in a cloud environment.
Controls
The threat aligns with configuration management and security assessment within the CCM.
Lack of Cloud Security Architecture and Strategy
Description
One of the biggest challenges during the migration of IT infrastructure to the public cloud is the implementation of appropriate security architecture to withstand cyberattacks.
Accenture inadvertently left a massive store of private data across 4 unsecured Amazon S3 buckets, exposing highly sensitive passwords and secret decryption keys - data that could have inflicted considerable damage on the company and its clients.
Proper security architecture and strategy are required elements for securely moving, deploying and operating in the cloud. A lack of security architecture & strategy could lead to
Financial loss
Reputational damage
Legal repercussions
Fines
Controls
Ensure security architecture aligns with business goals and objectives.
Develop and implement a security architecture framework.
Ensure your threat models are continuously updated.
Bring continuous monitoring into the overall security posture.
Insufficient Identity, Credential, Access and Key Management
Description
Identity, credential, access management systems include tools and policies that allow organisations to manage, monitor, and secure access to valuable resources. E.g., electronic files, computer systems, physical resources.
Security incidents and data breaches can occur due to
Inadequate protection of credentials.
Lack of regular automated rotation of cryptographic keys, passwords, and certificates.
Lack of scalable identity, credential and access management systems.
Failure to use multi factor authentication.
Failure to use strong passwords.
Malicious actors disguised as legitimate users, operators or developers can
Read, exfiltrate, modify or delete data.
Issue control plane and management functions.
Snoop on data in transit.
Release malicious software that appears to originate from a legitimate source.
Insufficient identity, credential, or key management can enable unauthorised access to data and potentially catastrophic damage to organisations or end-users.
Controls
Secure your accounts buy including 2-factor authentication and limit the use of the root account.
Practice the strictest identity and access controls for cloud users and identities.
Segregate and segment accounts, virtual private clouds (VPCs) and identity groups based on business needs and the principle of least privilege.
Rotate keys, remove unused credentials or access privileges.
Employ central, programmatic key management.
Account Hijacking
Description
Account hijacking is a threat in which malicious attackers gain access to and abuse accounts that are highly privileged or sensitive.The accounts with the highest risks are cloud service accounts or subscriptions.
Phishing attacks, exploitation of cloud-based systems, or stolen credentials can compromise these accounts.
Account and service hijacking implies full compromise - Full control of the account, its services and all the data within.
Business logic, function, data and applications reliant on the account services are at risk!
The AWS account of Code Spaces - a former code-hosting service company - was compromised when it failed to protect its administrative console with MFA.
Controls
Defence-in-depth and Identity and Access Management (IAM) controls are key in mitigating account hijacking.
Insider Threats
Description
Insider threat “is the potential for an individual who has or had authorised access to an organisation’s assets, to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organisation”.
Insiders do not have to penetrate firewalls, VPNs and other perimeter security defences.
Insiders operate within a company’s security circle of trust where they have direct access to networks, computer systems and sensitive company data.
Insider threats can result in the loss of proprietary information and intellectual property.
System downtime can negatively impact productivity.
Data loss or other customer harm can reduce confidence in company services.
Controls
Taking measures to minimise negligence can help mitigate the consequences of insider threats
Provide training to your security teams to properly install, configure, monitor computer systems, networks, mobile devices and backup devices.
Provide training to your regular employees
Inform them how to handle security risks, such as phishing, and protecting corporate data they carry outside the company.
Require usage of strong passwords and frequent password updates.
Inform employees of repercussions related to engaging in malicious activity.
Routinely audit servers in the cloud and on-premises, then correct any deviation from the secure baseline set across the organisation.
Ensure privileged access security systems and central servers are limited to a minimum number of employees.
These individuals should include those with the training to handle the administration of mission-critical servers.
Monitor access to all computer servers at any privilege level.
Insecure Interfaces and APIs
Description
Cloud Service Providers (CSPs) expose a set of software user interfaces (UIs) and APIs.
These allow customers to manage and interact with cloud services.
The security and availability of the all other cloud services are dependent on the security of these APIs.
These interfaces must be designed to be protected against both accidental and malicious attempts to circumvent the security policy.
Organisations must understand the security requirements around designing and presenting those interfaces to the Internet.
Poorly-designed APIs could lead to misuse or data breach.
Controls
Practice good API hygiene
Diligent oversight of items such as inventory, testing, auditing and protecting against abnormal activity.
Metastructure and Applistructure Failures
There are four layers of logical models of cloud computing
Infrastructure
It consists of the core components of a computing system - compute, network, storage.
Metastructure
The set of mechanisms that connects the infrastructure later to the applications and data.
It integrates the technology stack and enables management and configuration as well.
Applistructure
The layer where applications are deployed in the cloud platform.
It also contains the underlying services to build applications.
Infostructure
It is the layer where data and information reside.
Description
CSPs routinely reveal operations and security protections that are necessary to implement and protect their systems. API calls disclose this information, and the protections are incorporated in the metrastructure layer for the CSP.
The metastructure layer is considered the CSP/customer line of demarcation - also known as the waterline.
Poor API implementation by the CSP offers attackers an opportunity to disrupt cloud customers by interrupting confidentiality, integrity, or availability of the service.
To increase visibility to customers, CSPs have often revealed or allowed API interaction with security processes at the waterline.
Immature CSPs are often unsure of how to make APIs available to their customers, and to what extent.
APIs that allow customers to retrieve logs or audit system access, may include highly sensitive information.
Failures involving these features at the CSP-level can severely impact all service consumers.
Misconfigurations by the tenant could disrupt the user financially and operationally.
Controls
CSPs must offer visibility and expose mitigations to counteract the cloud’s inherent lack of transparency for tenants.
Cloud tenants should implement appropriate features and controls in cloud-native designs.
All CSPs should conduct penetration testing and provide findings to customers.
Limited Cloud Visibility
Description
Limited cloud visibility occurs when an organisation does not possess the ability to visualise and analyse whether cloud service use within the organisation is safe or malicious. This concept is broken down into two challenges:
Un-sanctioned app use
This occurs when employees are using cloud applications and resources without the specific permission and support of corporate IT and security.
This results in a self-support model called shadow-IT.
When insecure cloud services does not meet corporate guidelines, this behaviour is risky, especially when paired with sensitive corporate data.
Sanctioned app misuse
Organisations are often unable to analyse how their approved applications are being leveraged by insiders who use a sanctioned app. External threat actors target the service using methods such as:
Credential theft
SQL injection
DNS attacks, etc.
Lack of governance:
When employees are unfamiliar with or untrained on proper access and governance controls, it is common to see sensitive corporate data placed in public access locations instead of in private access locations.
Lack of awareness:
When data and services are in use without the knowledge of the company, they are, in essence, unable to control their intellectual property (IP). The employee has the data, not the company!
Lack of security:
When an employee incorrectly sets up a cloud service, it can become exploitable not only for the data that resides on it but for future data, as well.
Malware, botnets, cryptocurrency mining, etc., can compromise cloud containers - which puts organisational data, services, and finances at risk.
Controls
Mitigating these risks starts with the development of a complete cloud visibility effort from the highest to the lowest levels in the organisation (top-down).
Enforce a company-wide training on the accepted cloud usage policies and enforcement, thereof.
All non-approved cloud services must be reviewed by the cloud security architect or third-party risk management.
Invest in solutions such as Cloud Access Security Brokers (CASB), or SDGs (software-defined gateways), which
Analyse outbound activities
Help discover cloud usage, users who are at risk
Follow behaviour usage of employees with access credentials to identify anomalies or strange activities.
Invest in a web application firewall (WAF) to all inbound connections to your cloud services for
Suspicious trends
Malware
DDoS
Botnet risks
Select solutions that are specifically designed to monitor and control all of your key enterprise cloud applications and ensure suspicious behaviour can be mitigated.
Implement a zero-trust model across your organisation.
Abuse and Nefarious Use of Cloud Services
Description
Malicious actors may leverage cloud computing resources to target:
Users
Organisations
Other CSPs
Malicious attackers can also host malware on cloud services.The cloud services that host the malware can seem legitimate because the malware uses the CSP’s domain.
Cloud-hosted malware can use cloud-sharing tools as an attack vector to further propagate itself.
Other examples of misuse of cloud resources:
DDoS attacks
Email spam and phishing
Mining for digital currency
Hosting malicious or pirated content
If an attacker has compromised the management plane of a customer’s cloud infrastructure, the attacker can use the cloud service for illicit purposes while the customer foots the bill.
Controls
Enterprises should monitor their employee activity in the cloud, as traditional mechanisms are unable to mitigate the risks posed by cloud service usage.
Implement cloud data loss prevention (DLP) technologies to monitor and stop unauthorised data exfiltration.