Page 33 - GCN, Feb/Mar 2018

Industry Insight
DAVID EGTS
Cloud security doesn’t end with the cloud provider
As government agencies increasingly move resources and activities to the cloud, companies have invested resources to ensure that their offerings are measurably more secure than they used to be. Even so, public clouds still pose a risk for agencies operating under strict privacy, security and compliance regulations.

Despite the fact that many public cloud providers have teams dedicated to providing security at the software-as-a-service, platform-as-a-service or infrastructure-as-a-service layers, agency IT professionals must play their part, too. Their teams must take responsibility for securing the last mile — the stretch between where the cloud provider’s responsibility ends and the agency’s responsibility begins.

SaaS providers are responsible for securing their applications, but it is up to federal IT professionals to set content permissions correctly. Those permissions will vary depending on the agency, and they should be regularly checked and adjusted as necessary. Many SaaS providers let administrators control user sharing permissions so they can strike the desired balance of convenience and security.

Administrators should enforce the “principle of least privilege” by configuring SaaS tools so that read and write permissions are granted only to those who need them. For example, employees who don’t have a good sense of the security settings of their web-based documents can end up exposing that content to a wide world beyond their intended collaborators. Overly permissive read access privileges can give the wrong people access to sensitive information, as was the case last year when millions of Dow Jones customers’ information was compromised. Open write permissions can give malicious users an opportunity to create “fake content” that causes legitimate users to become distrustful of what was originally valid content.

Linux containers have become increasingly popular due to their convenience and promise of greater speed and flexibility, but IT administrators should scan and remediate container images to ensure they don’t have known security flaws or diverge from an agency’s security baselines. Ideally, DevOps techniques can automate security checking and remediation in developers’ continuous integration and deployment pipelines, which will keep developers from being slowed by manual security processes every time they want to push application updates into production.

In addition, vendors should be required to be transparent about their container images’ state of security. Container health indexes, for example, provide daily and on-demand ratings of the security of Linux container images, enabling administrators to judge which containers are safe to use and which have known vulnerabilities.

Likewise, IaaS providers are responsible for creating an efficient and secure virtual space for customers’ cloud virtual machines, but agency administrators must ensure that their guest operating systems are fully patched and compliant with security baselines. A common platform for scanning and remediating physical, virtualized and cloud virtual machines can eliminate the need for separate teams skilled in different management software and offer a holistic view of an agency’s security across systems.

Other important security measures administrators can take include turning off and possibly quarantining virtual machines no longer in use, thereby preventing an attacker from breaking into an unpatched, low-value cloud virtual machine and then moving laterally to more lucrative targets. Security-Enhanced Linux can enforce access controls and security policies, and identity management lets IT professionals consolidate, minimize and audit who has administrative access to their systems. And agencies should enforce multifactor authentication.
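As an added illustration, not code from the column or from Red Hat, the following Python audit runs over constructed inventory records and checks the last-mile items the column names: documents shared beyond their intended collaborators, idle or unpatched virtual machines, and administrators without multifactor authentication. The record fields, the 90-day idle threshold and the severity labels are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not real data); field names are assumptions,
# not any SaaS or IaaS provider's API.
DOCS = [
    {"id": "budget.xlsx", "owner": "alice", "sharing": "anyone_with_link", "access": "write"},
    {"id": "memo.docx", "owner": "bob", "sharing": "domain", "access": "read"},
    {"id": "notes.txt", "owner": "carol", "sharing": "named_users", "access": "write"},
]
VMS = [
    {"name": "web-01", "last_activity": "2018-02-20", "patched": True},
    {"name": "test-07", "last_activity": "2017-10-01", "patched": False},
]
ADMINS = [
    {"user": "alice", "mfa": True},
    {"user": "dave", "mfa": False},
]
NOW = datetime(2018, 3, 1)  # constructed reference date for the idle check
SEVERITY_ORDER = {"high": 0, "medium": 1}


def audit_docs(docs):
    """Flag documents whose sharing exceeds least privilege: open write is worse than open read."""
    findings = []
    for d in docs:
        if d["sharing"] == "anyone_with_link":
            sev = "high" if d["access"] == "write" else "medium"
            findings.append((sev, f"{d['id']}: {d['access']} access open to anyone with the link"))
    return findings


def audit_vms(vms, now, idle_days=90):
    """Flag idle VMs as quarantine candidates and unpatched VMs as off-baseline."""
    findings = []
    cutoff = now - timedelta(days=idle_days)
    for v in vms:
        last = datetime.strptime(v["last_activity"], "%Y-%m-%d")
        if last < cutoff:
            findings.append(("medium", f"{v['name']}: idle since {v['last_activity']}, quarantine or remove"))
        if not v["patched"]:
            findings.append(("high", f"{v['name']}: guest OS not at security baseline"))
    return findings


def audit_admins(admins):
    """Flag administrative accounts that are not protected by multifactor authentication."""
    return [("high", f"{a['user']}: admin without MFA") for a in admins if not a["mfa"]]


def audit_last_mile(docs, vms, admins, now):
    """Combine the checks and order findings by severity for the administrator's dashboard."""
    findings = audit_docs(docs) + audit_vms(vms, now) + audit_admins(admins)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])
```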
Finally, IaaS environments must be automated as much as possible to reduce the potential for human error. Administrators can use dashboards and remote command tools to easily monitor their automated infrastructures and quickly fix security issues.
Public cloud platforms can provide great benefits as long as IT administrators take some measure of responsibility and do their part to secure their environments.
— David Egts is chief technologist in Red Hat’s Public Sector organization.