Cloud Security for Newly Distributed Engineering Teams
Employers across the U.S. and around the world are rapidly shifting to a mandatory work-from-home (WFH) arrangement to help slow the spread of the coronavirus (COVID-19). Even for organizations already operating with team members working from home, this shift is likely causing disruption.
But for those abruptly jolted into this new reality, the move is highly disruptive. Operational and security protocols will need updates based on new access patterns from employees who previously worked at the office. And team members are experiencing additional pressures at home. They’re understandably stressed and on edge, and mistakes will be made.
The reality is that a lot of things are in flux right now at every organization. At Fugue, we’ve always been remote-friendly, but many on our team prefer to work from the office. We’ve been operating under a mandatory work-from-home policy for two weeks now, and we know it can be disruptive. Every engineering team is undergoing rapid change to deal with this crisis.
Newly remote teams managing cloud-based workloads should take simple but critical steps now to ensure the security of their cloud environments and protect cloud-based data. And if your team has already been distributed across different locations, you might be better prepared. But employee usage patterns are still being disrupted, and access policies and security guidelines that currently exist may not be sufficient now.
Don’t run afoul of your compliance standards and security best practices during this transition. For organizations operating in the cloud, cloud security is now a critical business continuity concern. Here are some tips and strategies to keep in mind.
1. Device Security
If your team already uses secured laptops and computers at home for work, you can probably skip to the next recommendation. But for those teams who use computers at work and now find themselves forced to use their personal or home computers to manage and update cloud environments, these need to be secured.
Ensure corporate devices are under corporate control. With modern public cloud services, we can manage and protect the physical devices (e.g., a stolen phone) used by our distributed teams. Use a mobile device management (MDM) tool such as Microsoft Intune. Compared to the recent past, these solutions are much more user friendly on both administrators and end users.
Disk encryption. Ensure all devices that are used for work have disk encryption turned on.
Strict password requirements and screen locking. Personal and home devices now being used for work need to have the same password protocols applied. Use a service like 1Password or LastPass. Make sure team members are locking their screens and set policies that encrypt (brick) the device, making it unusable after a defined amount of attempted logins. This mitigates brute force attacks.
Antivirus and device hygiene. Make sure to extend your organization's antivirus solution to any other devices that employees are using while working from home. Adopt or clarify policies regarding the use of personal devices to access company data or accounts, and prohibit it if you can’t ensure their security.
2. Access Policies
Access patterns are changing now that employees are fully working from home. Are the access policies you had before good enough now? Recognize that mistakes are common in normal times, and these aren’t normal times.
Formalize your access policies. If you don’t already have a formalized access policy for your cloud environments, now’s the time to create one.
Use Virtual Private Networks (VPNs). Use VPNs to enforce secure communications to critical network spaces (e.g., AWS VPC or Azure VNET). Make sure your access policy covers team members' use of insecure networks. Make VPN access available or required so that the team can access company resources even if they are on a less trusted Wifi network.
Enforce security group rules. This is quite possibly the number one cause of cloud misconfiguration (i.e., “drift”). Team members may be prone to creating new security group rules or IP whitelists so that they can access shared team resources in the cloud. Consider how you will audit changes to these configurations and confirm they are not putting virtual machines or other cloud infrastructure at risk. Oversee the creation bastion hosts and lock down source IP ranges. Monitor for unrestricted SSH access (e.g., 0.0.0.0/0 on Port 22).
Identity and Access Management (IAM). In the public cloud (e.g., AWS; Azure; GCP), IAM acts as a pervasive network, guarding resources from unauthorized use and providing secure access for approved use. Exploitation of IAM can lead to catastrophic results, including the compromise of entire cloud accounts. Follow the principle of least privilege. Make IAM changes according to your standard change management process.
Leverage privileged identity and session management tools. Cloud provider tools such as Azure AD Privileged Identity Management (PIM) or commercial tools such as CyberArk help you harden access patterns, particularly for elevated (i.e., admin) sessions to AWS or Azure environments. These tools:
- * Provide just-in-time privileged access to Azure AD and Azure resources
- * Assign time-bound access to resources using start and end dates
- * Require approval to activate privileged roles
- * Enforce multi-factor authentication to activate any role
- * Use justification to understand why users activate
- * Get notifications when privileged roles are activated
- * Conduct access reviews to ensure users still need roles
- * Download audit history for internal or external audit
- * Consult compliance standards such as SOC2.
Enforce Multi-Factor Authentication (MFA). Use MFA for all cloud and SaaS solutions your team uses. A good rule of thumb is if it offers MFA or SSO you should use it.
Enable Single Sign On (SSO). Enable SSO support for access to your cloud environments (e.g., AWS; Azure; GCP) from your identity provider. This makes it much easier (and safer) to administrate distributed teams, particularly when a team member leaves.
Practice good cloud hygiene. Delete unused user accounts and clean up unused services (i.e. orphaned infrastructure). You’ll reduce your cloud bill alongside your threat surface.
Don’t share root access keys to your cloud account! This may seem obvious to most, but we’re going to put it here anyway.
At times like these when there are many changes happening at once, it is important to have documented processes in place to guide your team. Make sure your team's good practices don't go out the window as their lives are being disrupted.
Code reviews. Leverage teleconference tools to conduct peer reviews of code and configuration checks. With a newly distributed team, peer reviews may take on increased importance. Consider requiring more than one person to review pull requests in your code repository before merges are executed.
Expand the use of your internal ticketing system. Remote team members are going to need changes to their devices and cloud environments. Use a ticketing tool (e.g., Freshdesk; ServiceNow) for both customer and internal tech tickets. Anyone can open a ticket from any internet connected device to get a request moving, and all requests and actions are tracked.
Formalize informal practices. Everyone hates meetings, but when transitioning to a distributed team operation, consider formalizing some things that were conducted informally “in the hallway.” For example, conduct a monthly 30-minute online meeting to review your AWS or Azure accounts to identify orphaned resources that are incurring cost and introducing security vulnerabilities. Having a small number of useful, scheduled meetings may help team cohesion as the team gets used to being more distributed than in the past.
Embrace asynchronous communications. Tools like Slack and email will play a bigger role in day-to-day team collaboration as face-to-face conversations go by the wayside for now. Embrace asynchronous modes of communication and work as a team to identify how to make the best use of the communication tools you have available.
Don't shy away from voice calls! Engineers often prefer chat, but with less direct social interaction, sometimes a conscious choice to opt for a voice conversation can be more effective and efficient. If a 30-minute slack conversation could be a five-minute call, pick up the phone.
Turn on your camera! Fight the feelings of isolation by turning on your video during voice calls. Everyone loves a friendly face.
4. Visibility and Control
Implementing effective security processes and procedures is great, but humans are imperfect, and it’s unrealistic to expect everyone on your team to perfectly follow policy at all times.
That’s even more the case when it comes to cloud security, because the threat surface is complex and dynamic, and the rulesets can be expansive. Automation is needed to help manage this problem. Manual reviews and checklists won’t cut it, especially when processes and access patterns are in flux as your company adapts to new routines.
Get continuous visibility into cloud state. Set up notifications so you know when configuration changes are made to security-critical resources (e.g., IAM; security groups; object storage; databases) and quickly identify and remediate dangerous misconfigurations when they occur.
Device visibility. Use endpoint configuration tools like Jamf or SCCM to help manage and secure the machines that your team members are using for work.
Review and update your software deployment processes. Look for opportunities to make more use of infrastructure-as-code for critical assets so that there are few, if any, manual actions taken to manage cloud accounts.
Use policy-as-code. You can save time, eliminate errors, and strengthen your security posture by automation using policy-as-code. Open Policy Agent is an open source standard for policy-as-code that can be used for a wide variety of use cases, including infrastructure-as-code validation (with Regula), and validating the running configuration state of your cloud infrastructure (the free Fugue Developer service). Trust your team, but verify using policy-as-code!
5. Support your Team
There’s quite a bit of great advice online about happy and effective distributed team environments (this post from GitLab is excellent). By going remote, you’re necessarily introducing additional operational burdens, but recognize that your team members are likely taking on additional burdens at home as well. Reach out and listen to them.
We can't stress this one enough: Rituals are still extremely important in a remote setting, especially during transitions. Here are some strategies we’ve found helpful for creating a team environment when no one is physically in the same space.
- * Schedule regular video conference meetings for social engagement and “Ask Us Anything” sessions where team members can ask questions of management. Solicit feedback from everyone, not just those who talk more often.
- * Host regular games via Slack on Friday afternoons before everyone heads off for the weekend. Give Pictionary a try.
- * Host regular “showcase” video calls to let team members show the rest of the team what they’ve been working on, or perhaps workshops on various topics to help everyone learn from each other.
- * Set up Slack channels for non-work related topics. The #cats-and-dogs and #music channels are popular at Fugue.
- * Set a routine when working from home, and stick to it. Take regular walks. Cook your lunches (and share recipes and cooking tips with your teammates).
- * Set your working hours on your calendar. Your calendar app can let you establish when you're working and when you're not. Setting boundaries for yourself and other people isn't rude, it's necessary.
With vigilance, communication, and understanding, your team can effectively manage this transition and maintain security. And let’s take care of each other.
Special thanks to Dave Williams from New Light Technologies (NLT) for collaborating with us on this post. NLT is a professional services integrator of Fugue that provides cloud hosting and consulting services to a diverse set of clients
About the Author
Drew Wright is a co-Founder and the VP of Content for Fugue. Prior to co-founding Fugue, he was the founder and CEO of Grasshop, Prior to Grasshop, he provided digital strategy for a wide range of clients as a freelancer, following six years at FleishmanHillard and Burson-Marsteller.
When not focused on Fugue, Drew is an active musician performing in and around the Washington, D.C. area. He received his MBA from The George Washington University School of Business.