
Defense in Depth (DiD): Security Principle of the Month

Updated: Aug 28, 2020

A defense-in-depth security strategy should, at the very least, be important to all organisations, and it is critical for financial and governmental organisations and for any other company serving or storing sensitive data in the Cloud.

The best way to secure that data, and generally to protect our internal assets, is to deploy multiple defensive measures, as no single control is completely infallible. Multiple barriers may seem redundant, but that’s the point – should one layer fail, numerous others are immediately at the ready to thwart the threat. Cloud platforms allow us to build and use an endless number of technologies and tools for multi-layering our protection. The 'sweet spot' is a balance between operational/performance requirements, effective cost and the security vision, while maximising the value of each layer.


The guiding Principle is:


Both the CSP’s resources and the hosted environments must be designed and operated to tackle, prevent and detect attacks against them.


Here are a few high-level key points to help us improve defense in depth, in the spirit of the Principle:


Directive, Preventive, Detective, Responsive Principles:

  • Establish governance, risk and compliance models

  • Ensure adequate controls are in place for prevention (e.g. ‘IAM Border Line’ controls, code reviews, processes, AUP, meeting low-level security requirements, etc.) together with detection capabilities (e.g. frequent scans by (non-CSP) baseliner tools against infrastructure configuration and activity, detection of unauthorised substitution of certificates and public keys, firewall changes, behavioural analysis, etc.)

  • Implement, where possible, the 3 lines of defence methodology, along with responsive controls that drive remediation of potential deviations from security baselines
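As an added example (not from the original post) of the configuration-baseline detection the points above describe: a small Python drift check that compares an approved baseline against a scan of the live environment and flags firewall changes, certificate substitution and unapproved public keys. Both snapshots, their format and the placeholder fingerprints are constructed assumptions, not real exports from any CSP.

```python
# Added example, not from the original post: a minimal baseline-drift check of
# the kind the "detection capabilities" bullet describes. Both snapshots are
# constructed sample data with placeholder fingerprints, not real exports.
from typing import Dict, List

BASELINE = {  # approved state, maintained outside the CSP account
    "firewall": {
        "allow-https": {"direction": "ingress", "port": 443, "source": "0.0.0.0/0"},
        "allow-ssh-bastion": {"direction": "ingress", "port": 22, "source": "10.0.1.0/24"},
    },
    "cert_fingerprints": {"api.example.com": "sha256:PLACEHOLDER-CERT-A"},
    "ssh_authorized_keys": {"bastion-01": {"sha256:PLACEHOLDER-KEY-OPS"}},
}

CURRENT = {  # what a scan of the live environment returned (constructed)
    "firewall": {
        "allow-https": {"direction": "ingress", "port": 443, "source": "0.0.0.0/0"},
        "allow-ssh-bastion": {"direction": "ingress", "port": 22, "source": "0.0.0.0/0"},
        "allow-rdp": {"direction": "ingress", "port": 3389, "source": "0.0.0.0/0"},
    },
    "cert_fingerprints": {"api.example.com": "sha256:PLACEHOLDER-CERT-B"},
    "ssh_authorized_keys": {"bastion-01": {"sha256:PLACEHOLDER-KEY-OPS", "sha256:PLACEHOLDER-KEY-UNKNOWN"}},
}

def detect_drift(baseline: Dict, current: Dict) -> List[str]:
    """Return one finding per deviation from the baseline, in scan order, tagged with a severity."""
    findings: List[str] = []
    # Firewall: new, modified or missing rules; world-open ingress is rated HIGH
    for name, rule in current["firewall"].items():
        base = baseline["firewall"].get(name)
        if base is None:
            world_open = rule["direction"] == "ingress" and rule["source"] == "0.0.0.0/0"
            findings.append(f"{'HIGH' if world_open else 'MEDIUM'}: unapproved firewall rule {name}: {rule}")
        elif base != rule:
            findings.append(f"HIGH: firewall rule {name} modified: {base} -> {rule}")
    for name in sorted(baseline["firewall"].keys() - current["firewall"].keys()):
        findings.append(f"MEDIUM: approved firewall rule {name} missing")
    # Certificates: the fingerprint must match the recorded one exactly
    for host, fp in current["cert_fingerprints"].items():
        expected = baseline["cert_fingerprints"].get(host)
        if expected is None:
            findings.append(f"MEDIUM: certificate present for unknown host {host}")
        elif fp != expected:
            findings.append(f"HIGH: certificate for {host} substituted ({expected} -> {fp})")
    # Public keys: anything not in the approved set is an unauthorised key
    for host, keys in current["ssh_authorized_keys"].items():
        for key in sorted(keys - baseline["ssh_authorized_keys"].get(host, set())):
            findings.append(f"HIGH: unauthorised public key {key} on {host}")
    return findings
```

Calling `detect_drift(BASELINE, CURRENT)` on the constructed snapshots returns four HIGH findings (a modified SSH rule, a new world-open RDP rule, a substituted certificate and an unknown public key); a scheduled job would feed these into the alerting and remediation path the bullet calls for.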

Scanning:

Deploy and run the following continuously or frequently, with appropriate alerting and remediation capabilities in place:

  • Malware protection

  • Code scanning (Application and infrastructure code)

  • Software Composition Analysis (for Open Source)

  • Vulnerability scanning

  • Asset discovery

DNS Security:

  • Secure DNS with specific requirements for the service in use (e.g. AWS Route53 or Azure DNS), strong IAM controls and, ideally, DNSSEC

Native Cloud Services in use:

  • Review the proposed design or the existing environments. Produce and maintain a specific (low-level) security requirement for each of the services in use, based on each service’s capabilities, limitations and potential bugs/loopholes. Those requirements should be produced in the spirit of the Domain Principles (i.e. IaaS, PaaS, SaaS, etc.) and the organisation’s existing security Standards/Policies


*The "Security Principle Of The Month" posts are a series of short articles aimed at helping and guiding the security SME, whether a Consultant reviewing a solution design proposal or a DevSecOps engineer deploying a solution, by listing key points of various security controls which should be considered for the proposed solution or for an existing product/environment. This list should be used as a 'complementary' list to any other security controls and strategies already in use within solutions.



Sources:

- (ISC)² CCSP certification exam materials

- 'AWS Certified Security Speciality' certification exam materials

- 'Azure Security Technologies' certification exam materials

- NCSC (National Cyber Security Centre); Cloud Security Principles

- Broad projects experience

- Online information
