Misconfigured control plane settings. In addition to IAM, the cloud control plane handles various configuration settings that, if improperly managed, could lead to exposure or increased threat surface. These could include administrative console access, weak authentication requirements, porous network access controls and exposed APIs.
Organizations can take many steps to successfully prepare for and mitigate cloud migration security challenges.
The most important first step in a cloud migration plan is to establish proper cloud governance. For day-to-day cloud engineering, oversight and administration, including change management, design a governance model with the following breakdown of teams:
To ensure cohesion across teams, form a cloud governance committee with representatives from all these areas, as well as dotted-line representation from legal, compliance, audit and technology leadership. Once a central cloud governance structure is in place, there are still some important steps to take.
Develop baseline security standards in collaboration with the governance team. At a minimum, the list should include cloud control plane configuration, IaC templates, cloud workload vulnerability posture, and assignment of DevOps and cloud infrastructure privileges.
Identities and role or privilege assignment are critical in the cloud, so dedicate an operational focus to this area.
Enable multifactor authentication for any privileged access to the cloud environment. This will help mitigate common brute-force attacks against administrative accounts.
All major cloud service providers offer logging services, such as AWS CloudTrail and Azure Monitor. Turn these on and send the logs to a centralized collector or service for analysis. Use logs to develop cloud behavior baselines and detect security events or incidents.
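As an added example (not part of the original article), the following sketch shows one check that centralized CloudTrail logs make possible: finding successful console logins without MFA and repeated failed logins for the same identity. The field names follow CloudTrail's `ConsoleLogin` record; the sample events, the function names and the failure threshold are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample events, one JSON record per line, trimmed to the fields used.
SAMPLE_EVENTS = """\
{"eventTime":"2024-01-10T09:00:01Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"ops-admin"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-01-10T09:00:09Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"ops-admin"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-01-10T09:00:17Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"ops-admin"},"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-01-10T09:00:40Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","userName":"ops-admin"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-01-10T10:15:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.20","userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-01-10T11:30:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.44","userIdentity":{"type":"AssumedRole"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
this line is not JSON and must be skipped
"""

FAILURE_THRESHOLD = 3  # assumed value; tune it against your own login baseline


def parse_events(text):
    """Yield ConsoleLogin records, skipping blank, malformed and unrelated lines."""
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("eventName") == "ConsoleLogin":
            yield event


def analyze(text, threshold=FAILURE_THRESHOLD):
    """Return successful logins without MFA and identities with repeated failures."""
    no_mfa, failures = [], Counter()
    for ev in parse_events(text):
        ident = ev.get("userIdentity") or {}
        who = "root" if ident.get("type") == "Root" else ident.get("userName", "unknown")
        result = (ev.get("responseElements") or {}).get("ConsoleLogin")
        mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
        src = ev.get("sourceIPAddress", "unknown")
        if result == "Failure":
            failures[(who, src)] += 1
        # Only root and IAM users are checked: MFA for federated sessions is
        # enforced at the identity provider, so those records are skipped here.
        elif result == "Success" and mfa != "Yes" and ident.get("type") in ("Root", "IAMUser"):
            no_mfa.append((ev.get("eventTime"), who, src))
    repeated = sorted(key for key, count in failures.items() if count >= threshold)
    return {"no_mfa_logins": no_mfa, "repeated_failures": repeated}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

A successful login without MFA that follows a run of failures from the same source address, as in the constructed sample, is the pattern to escalate first.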
Organizations should continuously monitor everything from the cloud control plane to the current configurations of assets. As cloud deployments increase in number and complexity, a service that tracks configuration settings across numerous clouds or cloud accounts becomes invaluable to help detect misconfigurations that could cause security issues.