
Introduction to Cloud Hardening

Storing sensitive data in the cloud greatly expands your attack surface — and adversaries are seizing the opportunities that cloud adoption presents. In fact, a 2022 Netwrix survey found a 10% increase in attacks targeted at cloud infrastructure.

Cloud hardening is the process of reducing risk to your cloud systems by establishing and maintaining secure configurations and identifying and mitigating other vulnerabilities. Learn why cloud hardening is vital for both security and regulatory compliance, and the top threats in the cloud today. Then discover the steps to take to harden your cloud, regardless of your delivery model (IaaS, PaaS or SaaS) or cloud type (public, private or hybrid).

How Cloud Hardening Helps Boost Security

Cloud hardening involves securing your system’s configuration and settings to reduce IT vulnerabilities and the risk of compromise. One key step in hardening is to remove all non-essential components from systems. By removing non-essential programs, account functions, applications, ports, permissions and access, you provide fewer routes for attackers and malware to enter your cloud environment.

Keep in mind, however, that cloud hardening is not a one-time event — you need to constantly monitor for drift away from your security configurations, as well as regularly review and update your baselines as the threat landscape changes and best practices evolve.

Of course, cloud hardening is only part of a broader security strategy, which should also include implementing tools to promptly detect and respond to potential threats, and ensuring that systems can be quickly restored after an incident.

How Cloud Hardening Helps with Compliance

Governments worldwide have established regulations that include standards for data security — which apply regardless of where the data is hosted. Here are the most significant ones to know about:

  • HIPAA (Health Insurance Portability and Accountability Act) is a US standard for securing protected health information (PHI). The Security Rule and Privacy Rule sections dictate access measures and guidelines for electronic healthcare transactions, and require healthcare organizations to report security breaches.
  • PCI DSS (Payment Card Industry Data Security Standard) is designed to safeguard cardholder data. It includes requirements for multi-factor authentication (MFA) and data encryption, and requires covered organizations to conduct penetration testing for security improvement.
  • FERPA (Family Educational Rights and Privacy Act) addresses the privacy and security of student data, including personally identifiable information (PII). FERPA requirements cover topics such as the encryption, use, re-disclosure and destruction of data.
  • GDPR (General Data Protection Regulation) is a European Union standard that applies to organizations anywhere that store or process the information of EU residents. Its provisions address data storage, use, retention, access and more. 
  • SOX (Sarbanes-Oxley Act of 2002) helps safeguard the public from corporate wrongdoing by requiring all US public companies to mitigate the risk of fraudulent accounting and financial activities. Among other things, SOX details the obligations related to data integrity, auditing, access control and change control. 
  • FISMA (Federal Information Security Management Act) requires US federal government agencies to safeguard assets and information by creating, implementing and complying with a security plan, which must be reviewed annually. Moreover, the law requires covered agencies to use only data centers — including cloud providers — that comply with FISMA.
  • ISO 27017 is a subsection of ISO 27000 that provides guidelines regarding information security controls applicable to the provisioning and use of cloud services. It addresses topics such as shared roles and responsibilities, virtual machine hardening, and the alignment of security management for physical and virtual networks.

In addition to laws, organizations may have to (or choose to) adopt a cybersecurity control framework. In particular, CCM (Cloud Controls Matrix) covers critical aspects of cloud technology across 17 domains, such as application and interface security, audit and assurance, change control and configuration management, and threat and vulnerability management.

While an organization can be subject to multiple laws, most of them are rooted in the same core best practices, so the same security controls — such as cloud hardening — can help you achieve compliance with many mandates at once.

Top Public Cloud Security Threats

The cloud security threats that cybersecurity professionals are most concerned about, according to a 2022 survey, are: 

  • Misconfiguration of cloud platforms (62%)
  • Data exfiltration (51%)
  • Insecure APIs and other interfaces (52%)
  • Unauthorized access (50%)
  • Hijacking of services, accounts or traffic (44%)
  • External data sharing (39%)
  • Foreign state-sponsored cyberattacks (37%)

Hardening in Various Cloud Models

Cloud hardening is always recommended. However, the division of responsibility between your organization and the cloud services provider (CSP) for implementing it varies depending on the cloud model: IaaS, PaaS or SaaS.

Infrastructure as a Service (IaaS)

IaaS involves renting basic infrastructure components from a CSP, such as virtual machines (Azure VMs or AWS EC2) or block storage (AWS EBS). With IaaS, cloud hardening is mostly in your hands. While the CSP will handle physical security and firmware updates, you are responsible for the configuration of your provisioned virtual components. In particular, you are responsible for:

  • Identity and data governance, including user access management and change control
  • Configuring and hardening operating systems
  • Data encryption
  • Application-level settings
  • Network access controls at both the network level and individual component level
  • Security testing
  • Auditing and logging

PaaS (Platform as a Service)

In the PaaS model, the organization controls the platform and execution resources to develop, test and deploy applications. Examples include Red Hat OpenShift, AWS Elastic Beanstalk and Google App Engine.

In this cloud operating model, the CSP is responsible for hardening the operating system, middleware and runtime environment, as these are managed by the CSP. However, your organization is still responsible for:

  • Identity and data governance, including user access management and change control
  • Client and endpoint protection
  • Network controls at the network level
  • Application-level settings
  • Security testing
  • Auditing and logging

SaaS (Software as a Service)

In the SaaS model, which includes Microsoft 365 and Salesforce, all components are managed by the CSP, which shifts even more responsibility to them. However, your organization’s responsibility is not insignificant; it includes configuring:

  • User accounts and access management rules
  • Application-level settings
  • Logging and auditing

Cloud Deployment Models

Your choice of cloud deployment model — private, public or hybrid — also impacts your cloud security planning.

Private Cloud

A private cloud serves a single organization, with services maintained on a private network. As a result, your organization has full control over the infrastructure. This deployment model offers extensive flexibility and opportunity for customization, but also requires more resources and expertise to manage and maintain it.

Because you are the owner, you have complete responsibility for the following:

  • Deploying and maintaining hardware and software
  • Ensuring the physical security of your infrastructure
  • Implementing appropriate security controls to protect against threats and attacks

Public Cloud

In a public cloud model, a CSP owns and operates all of the supporting infrastructure and software, and the services are delivered over the internet. Since a public cloud operates as a multi-tenant environment, it generally offers lower costs and better scalability than a private cloud. However, your organization has less control over the infrastructure and is dependent on the security measures implemented by the provider.

Accordingly, you need to ensure that the CSP’s security commitments and regulatory compliance align with your security and compliance needs. In particular, it’s up to you to:

  • Thoroughly investigate the provider’s security commitments
  • Read and understand the CSP’s auditing and regulatory compliance
  • Clearly understand the division of responsibilities

Hybrid Cloud

A hybrid cloud is a combination of public and private clouds. Not surprisingly, it can therefore be the most complex to secure. In particular, on top of managing the security concerns for each type of cloud, you must ensure that consistent security policies are applied across all your clouds, and that any change to the security posture in one cloud is replicated to the other clouds. For instance, if there is a security change to an image used in your private cloud, is that change pushed out to the public cloud as well?

Recommendations for Cloud Hardening

Use CIS Benchmarks

To help organizations establish secure configurations, the Center for Internet Security (CIS) provides the CIS Benchmarks. These security configuration guides cover a wide range of technologies, including operating systems, network devices, servers and desktop software — as well as cloud providers. By implementing the CIS Benchmarks, you can reduce configuration-based security vulnerabilities in your digital assets.

A great way to get started is to harden your organization’s server images using the CIS hardening guidelines, or by purchasing CIS-hardened images from the AWS, Azure or Google Cloud marketplaces. Then integrate your antivirus, change detection and other security solutions into the hardened images.

Implement Security Best Practices

To further harden your cloud environment against threats, implement the following practices:

  • Least privilege — Grant each server the minimum permissions and privileges necessary to perform its intended function. This helps to limit the damage that could be caused by malicious actors or accidental errors.
  • Least access — Restrict access to cloud servers from the network, and install only the required operating system components and applications on each instance. This will make it more difficult for malicious actors to gain access to sensitive information.
  • Configuration and change management — Create a baseline server configuration and track all deviations from that baseline.
  • Log auditing — Configure each asset to generate and securely store log data about all access attempts and all changes.
  • Compliance audit and reporting — Implement appropriate security controls and ensure you can provide proof of compliance to auditors.
  • Vulnerability management — Regularly assess your cloud environments for vulnerabilities and apply security patches and updates promptly.
  • Network segmentation — Divide cloud environments into smaller, isolated segments to limit the potential impact of a security incident.
  • Encryption — Encrypt data at rest and data in transit to protect it from unauthorized access.
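The baseline-and-drift idea from the "Configuration and change management", "Log auditing", "Least access" and "Encryption" items above, and the hybrid-cloud question of whether an image change in one cloud reached the others, can be turned into a small audit. The following is an added example written for this article; it is not Netwrix's code and it is not a CIS Benchmark. The inventory, its field names, the approved image name and the four rules are all assumptions constructed for the example, standing in for a normalised export from your cloud APIs and for the settings your own baseline fixes.

```python
"""Baseline drift check across cloud resources (added example, not Netwrix's code).

The rules are a constructed illustration of settings a hardening baseline fixes
(encryption at rest, logging, admin-port exposure, approved image); they are not
quoted from any CIS Benchmark. Field names in the inventory are assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed inventory resembling a normalised export of resources from
# two clouds of a hybrid estate. Every value here is made up for the example.
INVENTORY = [
    {"id": "web-01", "cloud": "public", "os_image": "base-2024.03",
     "disk_encrypted": True, "logging_enabled": True,
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"id": "web-02", "cloud": "private", "os_image": "base-2024.01",
     "disk_encrypted": True, "logging_enabled": False,
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "0.0.0.0/0"}]},
    {"id": "db-01", "cloud": "private", "os_image": "base-2024.03",
     "disk_encrypted": False, "logging_enabled": True,
     "ingress": [{"port": 5432, "cidr": "10.0.1.0/24"}]},
]

APPROVED_IMAGE = "base-2024.03"   # assumed: the currently approved hardened image
ADMIN_PORTS = {22, 3389}          # SSH and RDP
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    resource: str
    cloud: str
    rule: str
    detail: str


def check_encryption(r: dict) -> Optional[str]:
    return None if r["disk_encrypted"] else "data at rest is not encrypted"


def check_logging(r: dict) -> Optional[str]:
    return None if r["logging_enabled"] else "access/change logging is disabled"


def check_admin_ingress(r: dict) -> Optional[str]:
    # Least access: administrative ports must not be reachable from any address.
    exposed = sorted(i["port"] for i in r["ingress"]
                     if i["port"] in ADMIN_PORTS and i["cidr"] in ANY_ADDRESS)
    if exposed:
        return "admin port(s) %s open to any address" % ", ".join(map(str, exposed))
    return None


def check_image(r: dict) -> Optional[str]:
    if r["os_image"] != APPROVED_IMAGE:
        return "runs image %s, approved image is %s" % (r["os_image"], APPROVED_IMAGE)
    return None


RULES: Dict[str, Callable[[dict], Optional[str]]] = {
    "encryption-at-rest": check_encryption,
    "log-auditing": check_logging,
    "least-access-admin-ports": check_admin_ingress,
    "approved-image": check_image,
}


def audit(inventory: List[dict], rules=RULES) -> List[Finding]:
    """Return every deviation from the baseline, one Finding per rule hit."""
    findings = []
    for r in inventory:
        for name, rule in rules.items():
            detail = rule(r)
            if detail:
                findings.append(Finding(r["id"], r["cloud"], name, detail))
    return findings


def clouds_with_image_drift(inventory: List[dict], approved=APPROVED_IMAGE) -> List[str]:
    """Hybrid check: which clouds still run something other than the approved image?"""
    return sorted({r["cloud"] for r in inventory if r["os_image"] != approved})


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.cloud}/{f.resource}: [{f.rule}] {f.detail}")
    print("image drift in:", clouds_with_image_drift(INVENTORY))
```

Run against the constructed inventory, the audit reports four deviations (web-02 on an old image, without logging and with SSH open to the world; db-01 without encryption at rest) and names the private cloud as the one where the image change has not yet landed. In practice the inventory would be refreshed on a schedule and the findings fed into whatever ticketing or change-control process tracks remediation, since a one-off run only tells you about drift at that instant.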

Conclusion

The benefits of cloud services are substantial, including cost savings, easy scalability and powerful functionality. But you must still ensure the security of your data and applications. Using the information above, you can help your organization better secure its cloud environments to drive business growth.

FAQs

1. How do you harden cloud infrastructure?

Secure system configurations and settings to reduce their vulnerability to compromise. Remove all non-essential software programs and utilities to reduce opportunities for attackers to breach your systems.

2. What are network hardening techniques?

Core security best practices include least access, least privilege, configuration management, change management, and auditing & logging.

3. What is host hardening in security?

Host hardening involves removal of non-essential components, programs, accounts, applications, services, ports, permission and access from a host to reduce its vulnerabilities. Host hardening can also include:

  • Turning off unnecessary network services and enforcing authentication for any that are retained.
  • Installing and configuring a host firewall.
  • Making applications available only to users who require them and only when they need them.
  • Having users operate under lower privileges and granting higher-level privileges only as required.
  • Regularly testing systems for weaknesses and remediating them.
  • Enforcing strong passwords and password rotation.
  • Automating regular security updates and upgrades.
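The first two host-hardening items above (turning off unnecessary network services, and putting a host firewall in front of whatever remains) start with knowing what is actually listening. The following is an added example written for this article, not Netwrix's code: it parses a constructed listing in the shape of Linux `ss -tlnp` output and compares each listener against an assumed allowlist for the host's role. The sample lines, the allowlist and the process names in it are all made up for the example.

```python
"""Listening-service audit for a host (added example, not Netwrix's code).

Parses text in the shape of `ss -tlnp` output and flags listeners that are
not on an allowlist, run an unexpected process, or are bound to all
interfaces when they should only be reachable on loopback.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample approximating `ss -tlnp` output. This is not captured
# output from any real host; the lines were written for the example.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1042,fd=6))
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*         users:(("postgres",pid=990,fd=5))
LISTEN 0      128    127.0.0.1:9090      0.0.0.0:*         users:(("metrics-agent",pid=1110,fd=4))
LISTEN 0      50     0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=640,fd=4))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis-server",pid=1300,fd=6))
"""

# Assumed allowlist for this host role: port -> (expected process, may bind all interfaces).
# "metrics-agent" is a hypothetical process name used only for the example.
ALLOWED: Dict[int, Tuple[str, bool]] = {
    22: ("sshd", True),
    443: ("nginx", True),
    5432: ("postgres", False),      # database must stay loopback-only
    9090: ("metrics-agent", False),
}

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class Finding:
    port: int
    process: str
    reason: str


def parse_ss(text: str) -> List[Listener]:
    """Extract (address, port, process) from each LISTEN line; header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def is_wildcard(addr: str) -> bool:
    return addr in ("0.0.0.0", "*", "[::]", "::")


def audit_listeners(listeners: List[Listener], allowed=ALLOWED) -> List[Finding]:
    findings = []
    for l in listeners:
        if l.port not in allowed:
            findings.append(Finding(l.port, l.process,
                                    "not on the allowlist: disable the service or record a deliberate exception"))
            continue
        expected, wildcard_ok = allowed[l.port]
        if l.process != expected:
            findings.append(Finding(l.port, l.process,
                                    f"unexpected process on an allowed port (expected {expected})"))
        if is_wildcard(l.addr) and not wildcard_ok:
            findings.append(Finding(l.port, l.process,
                                    "bound to all interfaces but should be loopback-only"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(parse_ss(SS_OUTPUT)):
        print(f"port {f.port} ({f.process}): {f.reason}")
```

On the constructed sample the audit flags rpcbind and redis-server as services that are not on the allowlist, and postgres for accepting connections on every interface instead of loopback only. On a real host you would pipe the actual `ss -tlnp` output into `parse_ss` and keep the allowlist alongside the host's build definition, so that a new listener appearing after a deployment shows up as drift rather than going unnoticed.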

4. What are the benefits of cloud hardening?

Cloud hardening offers a wide range of benefits, including:

  • Reducing the attack surface of your cloud infrastructure
  • Improving the overall security posture of your organization
  • Helping ensure compliance with regulations and standards
  • Minimizing the risk of data breaches and unauthorized access
  • Reducing the cost of security incidents and potential compliance fines
  • Improving the efficiency and performance of cloud-based systems

5. How often should cloud hardening be performed?

Cloud hardening should be performed regularly, as part of an ongoing security and compliance program. It’s important to regularly review and update your security configuration and practices to ensure that your cloud infrastructure remains secure.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.