Whether it's Office 365, Box or Salesforce, or whether you run all your workloads in the cloud on AWS, Azure or GCP: do you know how to keep your data secure in the cloud?
Cloud service vendors will tell you what tools are available to help you secure your share of the responsibilities (the shared responsibility model), but there are common tools and best practices that you should consider no matter where your data is.
Data is Data
Most important of all is to make sure that your cloud workloads and data are treated exactly the same as your on-premises data. They fall under the same policies, carry the same classifications and mean exactly the same to your business regardless of where they are, so they should be treated no differently.
Wherever possible, if your standard suite of tools can stretch to the cloud, that makes your life a little simpler. The following are some key security factors to help you keep your data, and your business, secure in the cloud.
Multi-Factor Authentication (MFA for short) acts as an extra layer of security. Instead of relying on a username and a single secret such as a password or PIN to secure access to business applications and resources, MFA requires a second, independent factor (typically something you have, such as an authenticator app or hardware token, or something you are) before access is granted to your cloud data. A leaked or guessed password alone is then not enough to get in.
Cloud vendors such as Microsoft, AWS and Google offer their own native MFA solutions, and access to these may well depend on your subscription tier or consumed service, so check your terms. Otherwise, third-party MFA solutions such as RSA or Duo integrate with a multitude of cloud services to give you more options. Whichever you choose, enforce it for every account rather than just administrators, and for API and command-line access as well as the web console.
Don't assume that your data in the cloud is backed up: it often isn't. The provider replicates its storage for durability, which protects against hardware failure, not against deletion or overwriting. Primary or secondary 'off-site' copies of data can be a great way to store and present data, but don't fall into the trap of thinking that if it's in the cloud then it's bulletproof. It's still susceptible to ransomware, corruption, human error and everything else that data held on a server or laptop is. Back it up. Think about why you might need to recover either a single file or an entire dataset or application, and make sure you have the appropriate tools and policies in place to recover data when you need it.
If cloud storage is your storage of choice for backups of data held elsewhere, ensure it's kept 'offline', so not actively connected to other systems under normal operation, to reduce the risk of widespread corruption or ransomware reaching the backup copies. Where the storage service supports it, write-once (immutable) retention and a separate set of credentials used only for backup jobs achieve the same effect in the cloud. Also remember to restrict access to the backup data: you don't want to be the next headline when your business-critical data shows up in one of the public search tools that index open S3 buckets.
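One concrete check for the "publicly accessible bucket" trap above, as an added example that is not code from the original article: it walks an S3 bucket policy document (the JSON that `aws s3api get-bucket-policy` returns) and reports every Allow statement whose Principal is the wildcard `*` and that carries no Condition narrowing who may use it. The sample policy, bucket name and account ID are constructed for the example.

```python
"""Spot bucket-policy statements that open an S3 bucket to everyone.

Added example, not code from the original article. The policy below is
constructed; the bucket name, role and VPC endpoint ID are made up.
"""
import json


def _as_list(value):
    """IAM lets most elements be a string or a list; treat both alike."""
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "..."}, {"AWS": [...]}) to strings."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        found = []
        for value in principal.values():
            found.extend(_as_list(value))
        return found
    return []


def public_statements(policy_json):
    """Return the Sid, actions and resources of every unconditional Allow to any principal."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        # A Condition (for example aws:SourceVpce) can narrow a wildcard
        # principal; only the unconditional grants are reported here.
        if stmt.get("Condition"):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{idx}]"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
        })
    return findings


# Constructed sample: one legitimate grant, one accidental public read,
# and one wildcard grant that is narrowed to a VPC endpoint.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackupWriterOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-backups/*",
        },
        {
            "Sid": "OopsPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-backups/*",
        },
        {
            "Sid": "VpcEndpointOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-backups",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})

if __name__ == "__main__":
    for finding in public_statements(SAMPLE_POLICY):
        print(f"PUBLIC: {finding['sid']} allows {finding['actions']} on {finding['resources']}")
```

The checker treats a conditional wildcard as acceptable so that it does not drown out the real problem; a stricter review would also read those conditions. It is a complement to, not a substitute for, switching on the account-level S3 Block Public Access setting, which stops such a statement taking effect in the first place.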
To keep your data secure and maintain the integrity of your security policies, you need to make sure not only that your data is not accessible to the general public, but also that internally your users have access only to what they need in order to do their job (the principle of least privilege).
Identity and Access Management (IAM) solutions give you control over users and permissions as a single source of truth for your entire infrastructure, cloud included. Third-party IAM solutions can stretch to the cloud, but the cloud providers also provide their own. AWS IAM, Google Cloud IAM and Azure role-based access control come with the platform (some advanced features, such as Azure's Conditional Access policies, depend on your licence tier), and all give you fine-grained control over access to resources that can be federated with an existing on-premises identity provider such as Microsoft Active Directory.
IAM adds further layers of access control. As well as authenticating users and authorising them for specified resources, policies can carry additional constraints: access windows, restrictions to certain networks or geographical locations, or a requirement that the session was authenticated with MFA. That lets you control not only what users can see, but also where they can see it from and when.
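To make the "what, where from and when" constraints concrete, here is an added example (not code from the original article or from any vendor SDK). The policy is written in AWS IAM syntax with real condition keys (aws:MultiFactorAuthPresent, aws:SourceIp, aws:CurrentTime); the evaluator beneath it implements only the small subset of IAM semantics needed to show how the same statement gives different answers depending on who is asking, from where and when: default deny, every condition block must hold, and an applicable explicit Deny beats any Allow. Account ID, bucket name, addresses and dates are made up.

```python
"""Evaluate an IAM-style policy with MFA, source-network and access-window conditions.

Added example, not the original article's code and not a full IAM engine:
only the operators used below are implemented.
"""
import fnmatch
import ipaddress
from datetime import datetime, timezone

# A contractor may read finance reports from the office network, with MFA,
# for a fixed engagement. A separate Deny blocks any S3 call made without MFA.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsFromOfficeWithMfaDuringEngagement",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-finance-reports",
                         "arn:aws:s3:::example-finance-reports/*"],
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
                "DateGreaterThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
                "DateLessThan": {"aws:CurrentTime": "2024-06-30T23:59:59Z"},
            },
        },
        {
            "Sid": "DenyAnyS3WithoutMfa",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _test(operator, actual, expected):
    """One condition operator against one request value; expected may be a list."""
    expected = _as_list(expected)
    if operator in ("Bool", "BoolIfExists"):
        return str(actual).lower() == str(expected[0]).lower()
    if operator == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(net) for net in expected)
    if operator == "DateGreaterThan":
        return _ts(actual) > _ts(expected[0])
    if operator == "DateLessThan":
        return _ts(actual) < _ts(expected[0])
    if operator == "StringEquals":
        return actual in expected
    raise ValueError(f"unsupported condition operator: {operator}")


def _condition_holds(condition, ctx):
    """Every operator block and every key inside it must match (logical AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                # ...IfExists operators are satisfied by a missing key; every
                # other operator fails closed when the request lacks the key.
                if operator.endswith("IfExists"):
                    continue
                return False
            if not _test(operator, ctx[key], expected):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Default deny; an applicable explicit Deny beats any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


REPORT = "arn:aws:s3:::example-finance-reports/2024-q1.csv"
OFFICE_CTX = {"aws:MultiFactorAuthPresent": "true",
              "aws:SourceIp": "203.0.113.45",
              "aws:CurrentTime": "2024-03-10T09:30:00Z"}


def scenario_results():
    """Same policy and request; only who, where and when changes."""
    return {
        "office, mfa, in window": is_allowed(POLICY, "s3:GetObject", REPORT, OFFICE_CTX),
        "no mfa": is_allowed(POLICY, "s3:GetObject", REPORT,
                             {**OFFICE_CTX, "aws:MultiFactorAuthPresent": "false"}),
        "home network": is_allowed(POLICY, "s3:GetObject", REPORT,
                                   {**OFFICE_CTX, "aws:SourceIp": "198.51.100.7"}),
        "after engagement": is_allowed(POLICY, "s3:GetObject", REPORT,
                                       {**OFFICE_CTX, "aws:CurrentTime": "2024-07-01T09:30:00Z"}),
        "write attempt": is_allowed(POLICY, "s3:PutObject", REPORT, OFFICE_CTX),
    }


if __name__ == "__main__":
    for name, verdict in scenario_results().items():
        print(f"{name:24s} -> {'ALLOW' if verdict else 'DENY'}")
```

Two details are worth noticing. The Deny uses BoolIfExists rather than Bool so that a request carrying no MFA information at all is still denied, which is what you want from a fail-closed guard. And aws:CurrentTime is an absolute timestamp, so it suits a fixed engagement window; a recurring "office hours only" rule is not expressible with it and needs the identity provider's conditional access instead.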
Logging and Auditing
Enable logging. Often as easy as ticking a box, logging access and actions, and being able to audit them and provide evidence of having done so, is not only essential for standards such as ISO 27001 but can be critical when analysing potential and actual security breaches in your cloud resources. Make sure the logs are retained for long enough to be useful and are stored somewhere the account they describe cannot quietly delete them.
Again, cloud providers have their own offerings. AWS has CloudTrail, GCP has Cloud Audit Logs, and Azure has the Activity Log together with the Azure AD (now Microsoft Entra ID) sign-in and audit logs, with Microsoft Sentinel as the SIEM on top (Sentinel can ingest and monitor other clouds and workloads, not just Azure and Office 365).
Auditable event logs can be a lifesaver, and Sentinel in particular goes further, correlating those logs against analytics rules and machine-learning detections to alert you proactively to known attack patterns. The functionality of all of these offerings varies with subscription tier, so check what yours offers you.
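What "analysing a breach from the audit log" looks like in practice, as an added example that is not code from the original article or from any vendor product: three detections of the kind a SIEM such as Sentinel would carry as analytics rules, run over records constructed to look like AWS CloudTrail events. The field names (eventName, eventSource, userIdentity, additionalEventData, responseElements) are the real CloudTrail ones; the account ID, user names and IP addresses are made up.

```python
"""Three audit-log detections run over constructed CloudTrail-style records.

Added example, not the original article's code. Records are constructed;
account ID, user names and addresses are made up.
"""

# Calls that switch off, delete or narrow the audit trail itself.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _actor(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def rule_console_login_without_mfa(rec):
    """Successful console sign-in where the MFAUsed flag is anything but 'Yes'."""
    if rec.get("eventName") != "ConsoleLogin":
        return None
    if rec.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if rec.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return "console-login-without-mfa"


def rule_trail_tampering(rec):
    """Any change that stops, deletes or narrows a CloudTrail trail."""
    if (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in TRAIL_TAMPER_EVENTS):
        return "cloudtrail-tampering"
    return None


def rule_root_activity(rec):
    """Root credentials in use at all; day-to-day work should use IAM identities."""
    if rec.get("userIdentity", {}).get("type") == "Root":
        return "root-account-activity"
    return None


RULES = (rule_console_login_without_mfa, rule_trail_tampering, rule_root_activity)


def detect(records):
    """Apply every rule to every record; one finding per (record, rule) hit."""
    findings = []
    for rec in records:
        for rule in RULES:
            name = rule(rec)
            if name:
                findings.append({"rule": name, "time": rec.get("eventTime"),
                                 "actor": _actor(rec), "source_ip": rec.get("sourceIPAddress")})
    return findings


ACCOUNT = "123456789012"
SAMPLE_RECORDS = [  # constructed
    {"eventTime": "2024-03-10T08:01:12Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-10T08:05:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-10T08:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.4.17",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/app-reader/i-0abc"}},
    {"eventTime": "2024-03-10T08:07:55Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}},
    {"eventTime": "2024-03-10T08:09:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"}},
    {"eventTime": "2024-03-10T08:11:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.200",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/mallory"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f['time']} {f['rule']:28s} {f['actor']} from {f['source_ip']}")
```

Read in order, the findings tell the story the raw log hides: a sign-in without MFA, then the same user stopping the trail, then root credentials creating a new user from the same address. The failed login at the end is deliberately not flagged by the MFA rule; repeated failures belong to a separate threshold rule, which is exactly the kind of correlation a SIEM adds on top of the raw audit log.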
Cloud Security Challenges
'Cloud' isn't a scary word, but mention it in a boardroom and it will send shivers down the spines of many business execs. Securing the cloud does have its challenges, but done right, and done securely, your business can start to reap the benefits that a cloud service can afford.
The first challenge is that your perimeter, the fortified wall built to repel attack and protect your business, is gone. Secondly, how can you introduce the productivity and flexibility that comes with a BYOD policy without the loss of visibility and control that Shadow IT brings?
Basically, how can you get back that warm fuzzy feeling your perimeter gave you with Cloud?
About Secure Access Service Edge (SASE)
The Secure Access Service Edge framework aims to fill the void your perimeter left. SASE is based on the principle that in today's cloud-enabled workplace you may not know, or care, where your resources and data are; you just want to know that wherever they are, they are secured.
A veritable treasure-trove of acronyms, SASE brings together multiple technologies to build a core set of network and security capabilities, including:
- Software-Defined Wide-Area Networking (SD-WAN) to enable policy-based, link-agnostic access to your business resources from any number of locations globally, no matter where they are
- Secure Web Gateway (SWG) to apply usage policies and protect users against web-based threats, no matter from where the access is initiated
- Cloud Access Security Broker (CASB) to enforce security policies and to enable control and monitoring of access to cloud-based services (particularly SaaS), from any device, corporate or personal, through a CASB Proxy
- Zero-Trust Network Access (ZTNA) to act as your ‘software-defined’ perimeter, delivering secure access to corporate resources that is never implicit, and without ever having to expose them to the internet at large
- Firewall as a Service (FWaaS) is then the secret sauce, delivering virtualised next-generation firewall capabilities such as intrusion detection and prevention (IDS/IPS), URL filtering, advanced malware and threat protection, and access controls, protecting all your resources wherever they are.
Individually, the SASE components can each help you stay secure in the cloud, and you also have other options for tackling the cloud security challenges one at a time. Implementing a full SASE solution can be a lengthy and complex journey, so prioritise your business's needs and start from there.
Using the cloud providers' native toolsets is often a great place to start, and third-party IAM, MFA and Mobile Device Management (MDM) tools are available and come highly recommended. Tools like Microsoft Intune integrate well with existing environments and offer a wide range of functionality that can make you more confident in making the leap to the cloud.
As with everything security related, however, it's a risk vs productivity vs cost calculation that your business will need to conduct. There are resources to help you in this process: as always, the NCSC offers helpful guidance, or take a security partner with you on your journey to the cloud, to help avoid the hazards and make sure you're on track to reach your destination safely.