Future Of Cloud - Secure Infrastructure By Default

Introduction

As part of the the Future of Cloud series we presented how we can reduce drift and provision infrastructure with confidence with the concept of “Signed Infrastructure”.

In this article we propose how we can increase the security posture of cloud services.

Current State

With the increased adoption of cloud, we see a lot of companies deploy their services using automation and incorporate security into the infrastructure by using Security Scanners for IaC, enabling cloud security posture management(CSPM) solutions etc.

The secure configuration of cloud services can be complex depending on the service used and use case. Since the security landscape is ever changing and new threats are emerging all the time, it can be quite difficult to keep up.

Let's say we would like to deploy a 3 tier web application for a payment processing company. We need to adhere to PCI/DSS to provide the payment processing services to the customer. This can be quite challenging.

Apart from adhering to PCI/DSS we would need to adhere to GDPR or similar standard for user data privacy protection.

We probably need to implement security at different layers, including IAM, Network, Data Security etc.

To detect the insecure configuration of cloud services we use services like CSPM and enable a security framework .

Most CSPM services provide gaps on compliance based on pre configured rules, but this is only a detective aspect of security. We still need to fix the misconfiguration of Cloud Services to achieve the level of compliance needed.

Someone can argue that we can use security scanners to check IaC at the provisioning stage but these scanners are not fully feature rich for all the services we deploy.

Proposal

To solve the above issues, the Cloud Vendors should provide a feature where we can enable Secure Infrastructure by Default for an Organization or Organization Unit/Folder/Management Group or Account/Subscription/Project Or Service. With this feature the Cloud Customer should be able to select the Data Location, Security Framework etc. We shall be able to select multiple frameworks too.

Example, Let's say we want to deploy a PCI application, then If we select an account at creation time to be PCI compliant, all the services in that Account should be PCI compliant with default security configuration.

In another example, say If we select compliance as PCI for this cluster, the cluster should have all the IAM, network policies, network segmentation enabled by default which are PCI compliant.

The following diagram shows how we can use this service if provided.

‍

At the moment google cloud is providing a similar solution called Assured Workloads . We think this an amazing step towards full cloud security journey but it doesn't  have all the features, not all security frameworks are not supported in this service and regions too.

We would like all the cloud providers to provide this feature as Default.