Stephen P. Potter
Managing security in the cloud and throughout hybrid environments is a challenge with high stakes — customer data, sensitive information, access privileges, and other cloud-based assets are all at risk when an organization uses the cloud. Let’s explore some common cloud-based security concerns and learn how to keep your cloud environment secure.
Security in the cloud is the practice of keeping data, applications, and infrastructure safe within the cloud environment through tactics like access management and compliance.
There are some aspects of security in the cloud that the cloud service provider is responsible for — things like patches, the physical host and network where computing and storage takes place, and the overall security of the infrastructure.
Of course, this depends on the specific cloud service model(s) being used, such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service). Documents like the NIST SP 800-145 Cloud Computing Definition, or a direct reading of AWS’s or Google’s cloud security (shared responsibility) model publications, can help you understand where the line lies between the CSP and its customers.
The bulk of security falls to organizations using the cloud — they are responsible for preventing unauthorized users from accessing sensitive data and the overall security strategy for their specific needs. For example, what happens when there is an outage? How are cloud-based data assets encrypted? What is the alert and response procedure if something does go wrong?
No organization will have the same cloud security policies as another — there will always be different compliance requirements and different infrastructure needs. But most companies will share the same frustrations and challenges as their IT teams work to keep user data, and data assets, safe within the cloud.
Where does a security in the cloud strategy fail? When do cracks appear in even the best-intentioned policy and implementation?
Cloud service providers (CSP) have their own regulatory requirements to keep up — but their customers are responsible for keeping the data and information that is stored within the cloud up to date with the latest regulations and requirements. With the cloud, this becomes an issue when audit time rolls around — it can be difficult to have visibility into everything that the cloud contains.
It doesn’t matter if the cloud customer is using IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service). Ultimately, the cloud provider has the greatest visibility over their own service and this can delay and disrupt audits unless you have a strong continuous compliance plan or alerts that can let you know when there is compliance drift.
The strength of using the cloud — it can be accessed from anywhere at any time — is also its greatest vulnerability to hackers who would love to infiltrate your systems and compromise or steal your data. A larger attack surface means that the cloud is vulnerable to malware and account takeovers through poorly secured ports. When cloud assets change and scale, traditional security tactics also need to change and scale along with it.
Security tactics have changed to meet modern security threats, which is why multi-layer security practices are necessary. Since cloud networking is Software Defined Networking (SDN), where efficient network configuration directly improves monitoring and performance, tactics such as micro-segmentation become easier to implement.
In the same way, host-based firewalls can be easily set up and maintained using configuration management tools — ideally managed by an agent-based solution, where the agent initiates an outbound connection to the management server, rather than an agentless solution that requires an inbound connection to every managed host.
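As an added illustration of the host-based firewall point above (example code, not from the original post or Puppet’s own modules): a Puppet profile that enforces a default-deny inbound policy, allows only the administrative path, and logs what gets dropped. It assumes the puppetlabs-firewall module (version 7 or later, which uses `jump` rather than the older `action` parameter); `$admin_cidr` and the profile name are constructed placeholders.

```puppet
# Added example, not from the original post. Assumes the puppetlabs-firewall
# module (v7+, 'jump' instead of the older 'action'); $admin_cidr is a placeholder.
class profile::host_firewall (
  String $admin_cidr = '10.0.0.0/24',  # constructed placeholder, not a real range
) {
  include firewall
  # Default-deny inbound; purge unmanaged rules so drift is corrected each run.
  firewallchain { 'INPUT:filter:IPv4':
    ensure => present,
    policy => 'drop',
    purge  => true,
  }
  firewall { '000 accept loopback':
    chain   => 'INPUT',
    iniface => 'lo',
    proto   => 'all',
    jump    => 'accept',
  }
  firewall { '001 accept established and related':
    chain   => 'INPUT',
    proto   => 'all',
    ctstate => ['RELATED', 'ESTABLISHED'],
    jump    => 'accept',
  }
  # The only inbound administrative path: SSH from the management network.
  firewall { '100 accept ssh from admin network':
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => 22,
    source => $admin_cidr,
    jump   => 'accept',
  }
  # Log whatever the default policy is about to drop so denied attempts
  # reach the host logs for detection.
  firewall { '900 log dropped input':
    chain      => 'INPUT',
    proto      => 'all',
    jump       => 'LOG',
    log_prefix => 'FW-DROP-INPUT: ',
  }
  # No inbound rule exists for the Puppet agent itself: it initiates an
  # outbound TCP connection to the Puppet server on 8140, and the
  # ESTABLISHED rule above admits the replies.
}
```

Because the chain is purged on every run, a rule added by hand on the host is removed at the next agent run, which is the compliance-drift correction the post describes.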
User privileges in the cloud can turn a small problem into a much larger one as companies scale and grow. This is where the ease of accessing a cloud environment becomes a weakness — adopting a “Zero Trust” policy requires that organizations treat all users and components of a cloud environment as potential threats. The more users who have permission to add, remove, delete, or even access data, the more risk is involved. Stealing critical data such as corporate secrets, PII, or credit card data can be just as disruptive as adding or deleting data.
There are external forces that are always going to work against the cloud – outages to disparate parts of the organization, hackers who are trying to use cloud computing power to mine digital currency, audits that require visibility that the cloud does not have, and the internal threat of users who have too much access to cloud assets.
But — there are also some strong ways to make progress with your security in the cloud strategy. It doesn’t always have to be a losing game. We’ll start with a look at how an agent-based approach can assist with your cloud strategy.
Beyond agent-based, there are other considerations to help tackle the common security in the cloud struggles.
The term “Zero Trust” was first applied to cybersecurity in 2010 by analyst John Kindervag of Forrester Research — in his words, “never trust, always verify.” This philosophy is simple and powerful. In a cloud environment, you should assume that every access is a potential threat and that there is, or will be, a breach in progress. For some organizations, such as government agencies, Zero Trust isn’t just a “nice to have,” it’s mandatory.
From keeping your software up to date with the latest patches to staying continuously compliant by enforcing rules that are in line with requirements — why do all the manual heavy lifting when you can automate?
Every single user interaction within the cloud is a risk, whether malicious or unintentional through human error. Automation reduces that risk profile by relying on known tools that can be explicitly tested in a safe or sandbox environment, eliminating logic errors and human error.
From multi-factor authentication to JIT (just-in-time) access that prevents users from accessing data outside a specific period when they need it, strong IAM practices can help prevent future damage.
It’s also important to give users or processes exactly the privilege they need, and no more — which is where the Principle of Least Privilege (PoLP) comes in for access management. This principle is the practice of limiting the access of users, accounts, and processes to what is absolutely necessary to perform the task they are assigned. PoLP is applicable in any industry — not just highly regulated organizations.
Similarly, Role-Based Access Control (RBAC), segmenting resources, and even segmenting data allow for finer access control. This popular access control model is easy to understand — users are given roles with a set of permissions (“employee” or “administrator,” for example), and when they log into the system, the system checks their role and grants them the appropriate permissions.
There are so many pieces of cloud security that Puppet can help support — you don’t have to handle everything manually or on your own.
Let’s start with patching as an example, one of the strongest ways to stay on top of business-critical security updates. Puppet can help automate patching and take one less worry off your IT team’s plate. Puppet can also assist with the Principle of Least Privilege and Role-Based Access Control (RBAC) by orchestrating and automating tasks without providing direct access to the cloud systems.
What about staying continuously compliant? Puppet can ensure consistency across a cloud or hybrid infrastructure environment, no matter how much your company scales or changes. You can try Puppet Enterprise for free as a starting place and see how easy it is to automate within your cloud environment to protect your most important assets.
Principal Sales Engineer, Puppet by Perforce
Stephen is a Principal Sales Engineer at Puppet by Perforce. His years of experience in the Puppet ecosystem and decades in IT operations include roles as sysadmin, engineer, and architect for Unix, Linux, Virtualization, and Cloud technologies.