Adi Polak
Posted on March 11, 2020
This is not a far-fetched scenario; it actually happens to many cloud users, experienced and newcomers alike.
Here are some pro tips for using the cloud in a more secure and responsible way:
ProTip 1: Define quotas for your subscription:
Something went wrong and someone gained access to your machines. They are now using them to mine cryptocurrency. Don't get me wrong, cryptocurrencies are not necessarily bad, but it is bad when you pay for someone else's coins without getting any value out of it. Make sure to define quotas for your subscription: keep the per-region compute quotas (vCPU counts, for example) at what you actually need so a hijacked subscription cannot scale out without limit, and set a budget with alerts in Cost Management. A budget alert on its own does not stop anything, so either wire it to an action group that triggers automation or make sure someone responds to it quickly.
You most likely won't leave a blank check at the restaurant, so why would you do it with the cloud? Be aware of the costs! Set quotas!
ProTip 2: Use key vault for storing passwords and credentials:
What is a Key Vault? Let's look at Microsoft Azure's definition:
"Key Vault is a cloud-hosted management service that allows users to encrypt keys and small secrets by using keys that are protected by hardware security modules (HSMs). Small secrets are data less than 10 KB like passwords and .PFX files."
The point is that the application retrieves the secret from the vault at runtime, authenticating with its own identity (a managed identity where possible), so the secret never lives in code, in configuration files or on a developer's laptop.
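As an added example (not code from the original post), here is the pattern in application code: settings hold a reference to a Key Vault secret rather than the secret itself, and the process resolves the reference at start-up with its own identity. The reference syntax follows the App Service "@Microsoft.KeyVault(...)" format; the real fetcher uses the azure-identity and azure-keyvault-secrets packages, which are imported lazily so the module also runs offline with the in-memory fetcher used in the demo. The vault name, secret names and values are constructed for illustration.

```python
"""Resolve settings that reference Azure Key Vault instead of holding the secret.

Added example (not from the original post). The reference syntax mirrors the
App Service "@Microsoft.KeyVault(...)" format; the real fetcher uses the
azure-identity and azure-keyvault-secrets packages, imported lazily so the
module also runs offline with the in-memory fetcher used in the demo below.
"""
import re
from typing import Callable, Dict, Mapping, Optional
from urllib.parse import urlparse

# Both App Service reference forms are accepted:
#   @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/DbPassword/<version>)
#   @Microsoft.KeyVault(VaultName=myvault;SecretName=DbPassword;SecretVersion=<version>)
_REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")

# fetch(vault_url, secret_name, version_or_None) -> secret value
Fetcher = Callable[[str, str, Optional[str]], str]


def parse_keyvault_reference(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {"vault_url", "name", "version"} for a reference, None for a plain value."""
    m = _REF_RE.match(value.strip())
    if not m:
        return None
    parts = dict(p.split("=", 1) for p in m.group("body").split(";") if "=" in p)
    if "SecretUri" in parts:
        u = urlparse(parts["SecretUri"])
        segs = [s for s in u.path.split("/") if s]
        if u.scheme != "https" or len(segs) < 2 or segs[0] != "secrets":
            raise ValueError(f"malformed SecretUri: {parts['SecretUri']}")
        return {"vault_url": f"https://{u.netloc}", "name": segs[1],
                "version": segs[2] if len(segs) > 2 else None}
    if "VaultName" in parts and "SecretName" in parts:
        return {"vault_url": f"https://{parts['VaultName']}.vault.azure.net",
                "name": parts["SecretName"], "version": parts.get("SecretVersion")}
    raise ValueError(f"unrecognised Key Vault reference: {value}")


def keyvault_fetch(vault_url: str, name: str, version: Optional[str]) -> str:
    """Fetch one secret from Azure Key Vault using the process's own identity.

    DefaultAzureCredential tries a managed identity, workload identity,
    environment variables and developer logins in turn, so no credential is
    embedded in the application to reach the vault.
    """
    from azure.identity import DefaultAzureCredential  # lazy: needs the SDK and network
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return client.get_secret(name, version=version).value


def resolve_settings(env: Mapping[str, str], fetch: Fetcher = keyvault_fetch) -> Dict[str, str]:
    """Return a copy of `env` with every Key Vault reference replaced by its secret."""
    resolved: Dict[str, str] = {}
    for key, value in env.items():
        ref = parse_keyvault_reference(value)
        if ref is None:
            resolved[key] = value
        else:
            resolved[key] = fetch(ref["vault_url"], ref["name"], ref["version"])
    return resolved


if __name__ == "__main__":
    # Constructed demo: an in-memory vault stands in for the real service so the
    # script runs offline; in production drop the fetch= argument.
    demo_vault = {("https://myvault.vault.azure.net", "DbPassword"): "value-from-vault"}

    def demo_fetch(vault_url: str, name: str, version: Optional[str]) -> str:
        return demo_vault[(vault_url, name)]

    settings = resolve_settings({
        "DB_HOST": "db.internal",
        "DB_PASSWORD": "@Microsoft.KeyVault(VaultName=myvault;SecretName=DbPassword)",
    }, fetch=demo_fetch)
    print({k: ("***" if k == "DB_PASSWORD" else v) for k, v in settings.items()})
```

The fetcher is injected so that tests and local runs never need vault access, while the deployed process uses the default and authenticates with its managed identity; that identity then only needs a read role on the secrets, not on the whole vault.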
ProTip 3: Make sure no one is storing passwords and credentials in their code:
Use static analysis and credential scanning tools as part of your CI/CD (continuous integration/continuous deployment) pipeline. These tools alert and fail the build when credentials are stored in plaintext. Failing the build in this scenario is a good thing: it raises security awareness and fosters cautious behaviour in your R&D. Scan configuration files and commit history as well as code, and treat any real credential the scanner finds as compromised: rotate it rather than only deleting it, because it is still in the repository history.
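The following is an added example of such a gate, not the original post's tooling or any vendor's scanner: a small scanner that runs over the source tree in CI, reports findings with the secret redacted so the build log does not leak it, and returns a non-zero exit code so the job fails. The rule set and the sample source it is run against are constructed for illustration; a real pipeline would layer a dedicated scanner on top and also scan git history.

```python
"""CI gate that fails the build when a credential literal appears in the sources.

Added example: not from the original post and not any vendor's scanner. The
rule set and the sample source below are constructed for illustration; a real
pipeline would layer a dedicated scanner on top and also scan git history.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str  # redacted, so the CI log does not leak the secret itself


# Each pattern captures the suspicious value in the "value" group.
RULES = [
    ("azure-storage-key", re.compile(r"AccountKey=(?P<value>[A-Za-z0-9+/]{60,}={0,2})")),
    ("azure-sas-token", re.compile(r"[?&]sig=(?P<value>[A-Za-z0-9%]{20,})")),
    ("private-key-block", re.compile(r"(?P<value>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("password-assignment", re.compile(
        r"""(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*["'](?P<value>[^"']{8,})["']""")),
    ("connection-string-password", re.compile(r"(?i)password=(?P<value>[^;\s\"']{8,})")),
]

# Values that are clearly placeholders or indirections, not secrets.
_PLACEHOLDER = re.compile(r"(?i)^(?:\$\{.*\}|\{\{.*\}\}|<.*>|\$[A-Z_]+|changeme|example|x{3,}|\*{3,})$")


def _redact(value: str) -> str:
    return f"{value[:4]}... ({len(value)} chars)"


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Scan one file's contents; returns a Finding per (line, rule) hit."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m and not _PLACEHOLDER.match(m.group("value")):
                findings.append(Finding(path, lineno, rule, _redact(m.group("value"))))
    return findings


def scan_paths(paths: Iterable[Path]) -> List[Finding]:
    """Scan every regular file in `paths`, skipping anything under a .git directory."""
    findings: List[Finding] = []
    for p in paths:
        if ".git" in p.parts or not p.is_file():
            continue
        findings.extend(scan_text(p.read_text(encoding="utf-8", errors="replace"), str(p)))
    return findings


def exit_code(findings: List[Finding]) -> int:
    """Non-zero when anything was found, which is what makes the CI job fail."""
    return 1 if findings else 0


def run_ci_gate(argv: List[str]) -> int:
    roots = [Path(a) for a in argv] or [Path(".")]
    files = [f for r in roots for f in (r.rglob("*") if r.is_dir() else [r])]
    findings = scan_paths(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}", file=sys.stderr)
    return exit_code(findings)


# Constructed sample source: lines 1-2 are acceptable, lines 3-4 must fail the build.
SAMPLE_SOURCE = """\
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = "${API_KEY}"
conn = "DefaultEndpointsProtocol=https;AccountName=st;AccountKey=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEf==;EndpointSuffix=core.windows.net"
password = "Sup3rSecretPassw0rd!"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(run_ci_gate(sys.argv[1:]))
    for f in scan_text(SAMPLE_SOURCE, "sample.py"):
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
```

Run it as `python scan_secrets.py src/ config/` from the pipeline; with no arguments it scans the embedded sample and reports the storage account key and the hardcoded password while letting the environment lookup and the `${API_KEY}` placeholder through.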
ProTip 4: Define RBAC - Role-Based Access Control:
Avoid as much as possible defining services with admin control. Likewise, avoid writing code that runs with admin control: someone who gains access to your machine can leverage that code and its permissions. It is not always possible to avoid granting admin control, but it should be something we aim for. Assign the narrowest built-in role that does the job at the narrowest scope (a single resource or resource group rather than the whole subscription), and give workloads their own identity (a managed identity) instead of an administrator's credentials. Learn more about the various roles that can be assigned on Azure in the Azure RBAC documentation.
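One way to check where you stand, as an added example that is not part of the original post: audit the existing role assignments for admin-level roles granted at subscription or management-group scope, or held by workload identities. The input shape is that of `az role assignment list --all --output json` (fields principalName, principalType, roleDefinitionName and scope); the sample assignments, the subscription id and the policy thresholds are constructed for illustration.

```python
"""Audit Azure role assignments for broad admin grants.

Added example, not from the original post. Input is the JSON that
`az role assignment list --all --output json` emits (fields used here:
principalName, principalType, roleDefinitionName, scope). The sample data and
the thresholds are this example's own, constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Dict, List

# Roles that let a principal create, change or delete almost anything, or hand
# out access to others. The policy here is that these need justification.
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"tenant-root", "management-group", "subscription"}


def scope_level(scope: str) -> str:
    """Classify an Azure scope string by how much it covers."""
    s = scope.rstrip("/")
    if s == "":
        return "tenant-root"
    if s.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "management-group"
    parts = [p for p in s.split("/") if p]
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resource-group"
    return "resource"


@dataclass(frozen=True)
class Flag:
    principal: str
    principal_type: str
    role: str
    scope: str
    reason: str


def audit_assignments(assignments: List[Dict[str, str]]) -> List[Flag]:
    """Return one Flag per assignment that violates the least-privilege policy above."""
    flags: List[Flag] = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        level = scope_level(scope)
        ptype = a.get("principalType", "Unknown")
        name = a.get("principalName") or a.get("principalId", "?")
        if role not in HIGH_PRIVILEGE_ROLES:
            continue
        if level in BROAD_SCOPES:
            flags.append(Flag(name, ptype, role, scope, f"{role} granted at {level} scope"))
        elif ptype == "ServicePrincipal":
            flags.append(Flag(name, ptype, role, scope,
                              f"workload identity holds {role}; a narrower role usually suffices"))
    return flags


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed sample in the shape of `az role assignment list` output.
SAMPLE_ASSIGNMENTS = json.loads(f"""[
  {{"principalName": "alice@contoso.example", "principalType": "User",
    "roleDefinitionName": "Owner", "scope": "{SUB}"}},
  {{"principalName": "build-pipeline-sp", "principalType": "ServicePrincipal",
    "roleDefinitionName": "Contributor", "scope": "{SUB}/resourceGroups/rg-prod"}},
  {{"principalName": "bob@contoso.example", "principalType": "User",
    "roleDefinitionName": "Reader", "scope": "{SUB}"}},
  {{"principalName": "web-app-identity", "principalType": "ServicePrincipal",
    "roleDefinitionName": "Key Vault Secrets User",
    "scope": "{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/myvault"}}
]""")

if __name__ == "__main__":
    for flag in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{flag.principal} ({flag.principal_type}): {flag.reason} -> {flag.scope}")
```

In the sample, the Owner grant at subscription scope and the pipeline's Contributor role are flagged, while the web app's identity, which only holds Key Vault Secrets User on one vault, is the shape you want every workload to end up in.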
This is a short list of considerations to take into account when onboarding and planning the journey to the cloud. Security should be taken very seriously, as it impacts the business directly. Foster awareness by enforcing tools, sparking conversations in the team and raising it during code reviews.
Remember this: not everyone needs to be a security expert. BUT! Your environment's security is only as strong as the weakest link in the chain.
What are your best practices for creating a more secure cloud environment? Share in the comments!
Have concerns? Would you like to share feedback? Send me a private message on Twitter.
Want to learn more? Here is a free 5-hour course that you can greatly benefit from.