Things that the attacker won't care about:
- whether you have a dedicated infosec team
- their certification level
- your budget for security
- your roadmap and project plan for addressing security issues
- your compliance status and audit reports
- vendors and products you are using
Start with the very basics, use open source if needed, and build on this layer by layer.
Always ask yourself: How am I protected now? What could be improved now? What if I'm attacked now?
Many say that security is not a state but a process. True, but a process by itself is not security either.
None of this is new, and all of it is obvious. But in the Cloud, these things become even more important:
- your infrastructure is always connected and always reachable from anywhere on the planet
- it takes only one compromised credential, a few minutes and several API calls to nuke everything in your account.
What are your incident response SLA times?
- Cloud gives you scalability, but it gives the same scalability to the attacker. Spin up 10000 instances to crunch some numbers and attack you? For sure!
- infrastructure as code empowers you, but the same is true for the attacker: he can reuse templates and patterns for attack infrastructure
- data exfiltration speed is no longer limited by your ISP bandwidth; it is extremely fast, pretty much unlimited, and will end up on your cloud bill.
But, at the same time, the cloud offers endless opportunities to build security at levels that are impossible on-prem, with endless cloud services, templates and unlimited capacity. Build smart, stay secure.