Best Practices for Auditable Security Controls

Author: ISACA
Date Published: 18 March 2024

Editor’s note: Varun Prasad, CISA, CISM, CIPM, PMP, CCSK, a cloud security and privacy assurance professional with BDO, recently visited with the @ISACA newsletter to share his insights on auditable security controls, vulnerability management, addressing security misconfigurations in the cloud, and more. The following is a transcript of our Q&A interview with Varun:

Why is it important for early-stage companies or, for that matter, all organizations to be aware of and implement controls per the requirements of security standards/frameworks?

In today’s world fraught with myriad security threats and the perennial risk of data breaches, there comes a pivotal moment in the journey of almost every company – a startup, an early-stage company that’s scaling up or even a larger organization – when they have to undergo an independent, external audit to obtain either a SOC 2 attestation report or the ISO 27001 certificate to demonstrate digital trust and the presence of a solid system of security controls around their product. When companies are looking to do business with enterprise customers or pitch to VCs, they are asked about their security credentials, and it often leaves them with less time to get their environment audit ready. It is important for engineering teams, as they are building the platform, to consider key security controls as a part of the system design. The consistent and effective implementation of these controls not only helps improve the cybersecurity posture of the platform but also aids in meeting the requirements of various compliance standards.

Which control area is the top focus of most security audits, and how should it be addressed?

Strong identity and access management (IAM) processes and practices are key to building a strong security posture. Also, since access management-related issues are often recognized as one of the top reasons for cybersecurity incidents, this control area is a focus for many security audits. It is recommended to implement a centralized IAM tool to administer and manage access to the various application components, including supporting tools and utilities, rather than granting access individually to different, disparate systems. It’s important to note that having a centralized IAM architecture not only helps to ease administration, streamline access controls and consistently apply policies, but also simplifies evidence collection and makes audits more efficient.

It is always recommended to enforce MFA to access the application and underlying cloud infrastructure (where applicable) and follow the principle of least privileged access using granular RBAC – individuals are provisioned access to only the specific resources, with only the permissions, that are required to perform their tasks. The periodic review of user access needs to be done in a complete and timely manner. This would involve a review of the access roles or permissions assigned to every user for appropriateness. Any changes or removal of permissions must be documented and actioned immediately.

A lot of companies store, process or handle the data of their customers. What are the key controls that should be in place to address related risks?

In addition to typical controls around access management and network security to protect databases in a way that reduces the attack surface, encryption of data at rest and in transit is important (unless the data classification based on the type of data does not warrant it). The team should identify all datastores within the cloud infrastructure where data could be stored, including data collected for customer/user analytics, observability data and backups, and verify that encryption is turned on for all of these datastores. Certain public cloud-based databases do not encrypt data by default, and it must be manually turned on (for a fee charged by the cloud service provider). Further, only approved TLS versions and digital certificates from an approved certificate authority should be utilized to encrypt data in transit. Encryption requirements should be considered during the initial system design, as they will be complex to implement later.

Given the widespread proliferation of privacy regulations, it is good for companies to start following data privacy best practices like data minimization and right to forget. A process to identify and delete customer data from all datastores after they are no longer required or when requested by the customer should be in place.

There is a lot of confusion around what is to be done from a vulnerability management standpoint. What are the best practices?

It is a common misconception that vulnerability management is the responsibility of the cloud service provider and the users do not have to do anything. But cloud security is a shared responsibility, and it is the responsibility of companies using public cloud services to maintain and monitor the security of infrastructure and data hosted in the cloud. It is critical to implement a comprehensive vulnerability management program. This involves scanning of all assets deployed within the cloud frequently. Typically, companies use one of the many third-party vulnerability management services or tools in the market to scan their cloud infrastructure and provide reports with actionable insights.

Running these vulnerability scans on a scheduled basis is just one part of the equation. The other and more important piece is to review the scan reports, assess the risk of each identified vulnerability as it applies to their environments, and remediate the risks appropriately. From an audit perspective, there needs to be clear evidence that a remediation process was in place and followed after every scan. It is recommended to track each identified vulnerability in an issue-tracking tool, document the disposition and track until resolution.

It is also a best practice to engage an independent third-party provider at least annually to conduct a penetration test of the cloud environment. This helps provide confidence to senior management and external stakeholders of a strong security posture.

With security misconfigurations being one of the top cloud security risks, what precautions should be taken?

The most efficient and risk-aware approach to building infrastructure in the cloud is to automate the creation of the requisite infrastructure using the ‘infrastructure-as-code’ technique. This helps to reduce manual errors, shortens the deployment time and applies the desired security settings in a consistent manner. All resources within the cloud must adhere to a minimum security baseline that comprises a standard set of security configurations. Companies could use a well-recognized standard, the CIS benchmarks, to build these baseline configurations. The infrastructure definition files must be created to include these baseline configurations to ensure the cloud infrastructure is built with the requisite security controls at inception.

While change management in itself is a vast and complex topic and warrants a separate review, for the purposes of this discussion, it is important to note that all changes to the cloud infrastructure are to be formally approved (and documented) prior to being deployed. When infrastructure is maintained as code within a source code repository, the version control software can be configured to require at least one additional approval before the changes to the code are merged to the master branch.

What final thoughts would you like to share?

A lot of these security practices may already be followed, but often, they are found to be incomplete or inadequate to help companies get through an audit. The key is to document every activity, and it is best if this practice is deeply ingrained in the company’s culture. While what we’ve discussed here is by no means a comprehensive list, it puts companies well along the road of demonstrating strong security and compliance posture to help meet stakeholder requirements and enhance digital trust.
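Two of the answers above (verifying that encryption is turned on for every datastore, and building a minimum security baseline into the infrastructure definition files) describe a check that is easiest to keep auditable when it runs as code against the infrastructure definition before anything is deployed. The following is an added example, not code from ISACA or from the interviewee: a small policy-as-code evaluator over a constructed, simplified resource schema that stands in for a parsed infrastructure-as-code plan. The resource records, field names and rules are assumptions modelled on the baseline items discussed in the interview (encryption at rest, approved TLS versions, MFA, least-privilege permissions, no public datastores), not a reproduction of any CIS benchmark. Note the fail-closed choice in `evaluate`: a resource type with no baseline check defined is reported as a finding rather than silently passed, since an unreviewed datastore is exactly the gap an auditor will ask about.

```python
"""Minimum-security-baseline checks over infrastructure definitions.

Added example for this page, not code from ISACA or the interviewee.
The resource records below are a constructed, simplified stand-in for a
parsed infrastructure-as-code plan (type, name, settings); the rules are
assumptions modelled on the interview's baseline items, not a
reproduction of any CIS benchmark.
"""
from dataclasses import dataclass

APPROVED_TLS_VERSIONS = {"TLS1.2", "TLS1.3"}  # assumption: policy-approved set


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    detail: str


def check_datastore(res):
    """Encryption at rest must be explicitly on; datastores must not be public."""
    out = []
    if res.get("encryption_at_rest") is not True:  # an absent setting counts as off
        out.append(Finding(res["name"], "encryption_at_rest",
                           "encryption at rest not enabled"))
    if res.get("public_access", False):
        out.append(Finding(res["name"], "network_exposure",
                           "datastore reachable from the public internet"))
    return out


def check_endpoint(res):
    """Only approved TLS versions may terminate connections."""
    tls = res.get("min_tls_version")
    if tls not in APPROVED_TLS_VERSIONS:
        return [Finding(res["name"], "tls_version",
                        f"minimum TLS version {tls!r} not approved")]
    return []


def check_identity(res):
    """MFA must be enforced; wildcard grants violate least privilege."""
    out = []
    if not res.get("mfa_enforced", False):
        out.append(Finding(res["name"], "mfa", "MFA not enforced"))
    wild = [p for p in res.get("permissions", []) if p.endswith("*")]
    if wild:
        out.append(Finding(res["name"], "least_privilege",
                           f"wildcard permissions granted: {', '.join(wild)}"))
    return out


CHECKS = {
    "datastore": check_datastore,
    "endpoint": check_endpoint,
    "identity": check_identity,
}


def evaluate(resources):
    """Run every baseline check over the plan.

    Resource types with no check defined are reported as findings (fail
    closed) instead of passing silently.
    """
    findings = []
    for res in resources:
        check = CHECKS.get(res["type"])
        if check is None:
            findings.append(Finding(res["name"], "no_baseline",
                                    f"no baseline check defined for type {res['type']!r}"))
            continue
        findings.extend(check(res))
    return findings


def report(resources):
    """Return (passed, lines); passed is False when any finding exists."""
    findings = evaluate(resources)
    lines = [f"{f.resource}: [{f.control}] {f.detail}" for f in findings]
    return (not findings), lines


# Constructed sample plan: two compliant resources and several misconfigurations.
SAMPLE_PLAN = [
    {"type": "datastore", "name": "orders-db", "encryption_at_rest": True,
     "public_access": False},
    {"type": "datastore", "name": "analytics-store", "public_access": False},
    {"type": "datastore", "name": "backup-bucket", "encryption_at_rest": True,
     "public_access": True},
    {"type": "endpoint", "name": "api-lb", "min_tls_version": "TLS1.2"},
    {"type": "endpoint", "name": "legacy-lb", "min_tls_version": "TLS1.0"},
    {"type": "identity", "name": "ci-deployer", "mfa_enforced": True,
     "permissions": ["deploy:write", "storage:*"]},
    {"type": "identity", "name": "contractor", "mfa_enforced": False,
     "permissions": ["read:logs"]},
    {"type": "queue", "name": "events-queue"},
]


if __name__ == "__main__":
    ok, lines = report(SAMPLE_PLAN)
    print("\n".join(lines) or "baseline: all checks passed")
    raise SystemExit(0 if ok else 1)
```

Run against the constructed plan, the script exits non-zero with six findings: the analytics store that never set encryption at rest, the public backup bucket, the TLS 1.0 load balancer, the deployer identity holding a `storage:*` wildcard, the contractor without MFA, and the queue for which no baseline exists. Wired into the same pipeline that requires a reviewer's approval before a merge to the main branch, the non-zero exit is what blocks the change, and the printed findings become the documented evidence the interview repeatedly asks for.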