Classify commonly used cloud services and their usage methods
Enterprises should classify the cloud resources within their Alibaba Cloud accounts and, at the same time, investigate how those resources are used. From a security perspective, the key factors to consider are:
whether the cloud service is accessed through the public network or the private network;
whether it is a shared resource or a dedicated resource;
the types and importance of the data used and stored by the cloud service.
This classification helps determine, in the subsequent security risk assessment, which risk recommendations apply to the actual business scenarios.
It is recommended that enterprises classify cloud resources using the following categories:
| Resource Category | Example | Usage Method | Involves Important Data? |
| --- | --- | --- | --- |
| Network | SLB, EIP, VPC, CEN, etc. | Accessed through private network and public network | No |
| Databases and storage | RDS, OSS | Accessed through private network and public network | Yes |
| Computing | ECS, ACK | Accessed through private network | Yes |
| Security | WAF, Cloud Firewall (CFW) | Accessed through public network | No |
Choose security assessment standards
For the security assessment of cloud platforms and cloud services, there are two levels of standards: benchmarks and policies. Policies are the set of detection methods used to verify a series of benchmark requirements. The security assessment policies for each cloud platform may differ, but they can all follow the same set of benchmarks, which is the choice most multi-cloud customers make.
The following benchmark templates are recommended for enterprises to reference:
Usually, enterprises need to combine the recommended benchmark templates with their own business requirements and consolidate them into a single standard. For example, the financial industry can add PCI DSS, GDPR, etc., on top of those benchmark templates and integrate them into a unified standard for security assessment in the cloud environment.
Use tools to automate configuration risk detection and scanning
After the enterprise's security assessment standards have been determined, a series of policies is needed to detect whether the enterprise is using or has enabled the security controls that the security benchmark requires. Based on the detection results, an overall security assessment of the cloud platform, together with recommendations, can be provided.
Use the Overview function of the Security Center to detect the default configurations and security controls of the current Alibaba Cloud account.
The check items in the Configuration Assessment list include Alibaba Cloud identity and permission management, cloud service configuration best practices, compliance detection policies, etc.
Use security score
It is recommended that enterprises use a quantitative Overview system to assess the overall security risk of their cloud resources. The security score reflects how complete an enterprise's security controls are, measured against the security assessment standards. In multi-account environments, the security score can also be used to better manage the secure use of cloud resources by business teams.
After the automated scan is completed with the Security Center's Configuration Assessment function, the system generates a score based on the resources the enterprise has subscribed to. Starting from the score, the enterprise can drill down into the details of each policy and its associated assets, accounts, etc.
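As an added example (not Alibaba Cloud's own code or API), the script below ties the classification factors from the table above to the policy-driven security score described here: a constructed inventory of hypothetical resources is checked against a few benchmark-style policies, the weighted pass rate becomes the score, and the failing resource/policy pairs are grouped by classification category. Resource names, policies and weights are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed inventory following the classification table: category, public
# vs. private access, and whether important data is involved. Names are
# hypothetical placeholders, not real assets.
@dataclass
class Resource:
    name: str
    category: str         # Network / Databases and storage / Computing / Security
    public_access: bool   # reachable over the public network?
    important_data: bool  # stores or processes important data?
    controls: set = field(default_factory=set)  # security controls enabled

INVENTORY = [
    Resource("oss-bucket-a", "Databases and storage", True, True, {"encryption"}),
    Resource("rds-prod", "Databases and storage", False, True, {"encryption", "backup"}),
    Resource("ecs-web-1", "Computing", False, True, {"patching"}),
    Resource("slb-edge", "Network", True, False, {"tls"}),
]

# Policies are the detection methods behind benchmark requirements (assumed
# examples). Each returns True when the resource passes; the weight reflects
# the exposure and data-importance factors from the classification step.
POLICIES = {
    "no-public-important-data": (lambda r: not (r.public_access and r.important_data), 3),
    "important-data-encrypted": (lambda r: "encryption" in r.controls or not r.important_data, 2),
    "public-endpoint-uses-tls": (lambda r: "tls" in r.controls or not r.public_access, 1),
}

def assess(inventory):
    """Run every policy against every resource. Returns (score, findings): score
    is the weighted share of passed checks (0-100); findings lists failures."""
    earned = possible = 0
    findings = []
    for r in inventory:
        for policy, (check, weight) in POLICIES.items():
            possible += weight
            if check(r):
                earned += weight
            else:
                findings.append((r.name, policy))
    return (round(100 * earned / possible) if possible else 100), findings

def findings_by_category(inventory, findings):
    """Group failing (resource, policy) pairs by classification category."""
    cat = {r.name: r.category for r in inventory}
    grouped = {}
    for name, policy in findings:
        grouped.setdefault(cat[name], []).append((name, policy))
    return grouped
```

Running `assess(INVENTORY)` on the constructed inventory yields a score of 75 with three findings, two of them on the publicly reachable bucket that holds important data.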
For more details, refer to the Overview functionality of the Security Center.
Track risks and conduct regular assessments
Enterprises should conduct regular risk assessments of the cloud service environment because the lifecycle of cloud resources is usually shorter than that in traditional IDCs, and each resource change may introduce new security risks. Enterprises need to combine the above best practices to define a plan and schedule for regular assessments, and use the security score to track the security risk level of their cloud services over time.