By Craig Atkins, Managing Director, 1-Fix Limited.
Migration to the cloud has been accelerated by Covid-19 due to its flexibility, speed and reliability when done right. However, under current circumstances and during rapid transition, businesses often fail to implement suitable security processes despite the many unique issues that cloud adoption brings.
There are some key considerations that you can use to guide your planning and strategies whether you are responsible for a single cloud platform or managing the entire corporate cloud project.
Zero Trust as a concept and in reality
As a concept, Zero Trust is like the strategy governments and military use to secure data. This involves layers of access levels that are worked upwards i.e. trust no one and give access to no one. In reality, Zero Trust is more complex, but as a concept it puts much more onus on ensuring the user is who they say they are and then allowing them just enough access to do what they need – nothing more.
When compared to more traditional models such as VPN access to a private cloud/corporate network – which typically gives anyone with access to the client a fairly flat and unrestricted access to whatever is on the other side – the Zero Trust model is much tighter. When implemented to its full extent, Zero Trust should hamper the ability for a network intruder to hop from system to system or platform to platform – a process known as lateral movement.
The implementation of Zero Trust is a huge undertaking, but do not worry if you have not got the budget or implementation time at the moment, you can still utilise some of the key concepts to secure your current cloud environment to a better standard.
Authentication is more than a password
A good identity management solution is an essential part of understanding who is accessing your services. A simple username and password for login to the cloud services simply is not good enough for authentication. Multi factor authentication (MFA) is a must-have when utilising a service that requires user passwords, as it reduces the risk of password leakage, re-use or simple phishing attacks.
However, any MFA implementation that utilises public telephony networks or cellular networks are, by the public nature of these services, open to exploitation. For this reason, SMS and telephone call-based MFA options should be discounted unless they are the only option available with the cloud services you are using.
If you can link up your systems to provide a single sign-on option using an identity provider such as Azure AD, Google, Duo or Okta then this not only streamlines the user login experience but increases security by allowing you to tightly control app access and with the user not requiring their password as often it limits the phishing footprint of your systems.
The importance of permissions
Setting time aside to review the permissions of your cloud platforms is crucial. Consider the following permissions:
- General access to the platform
- Role based permissions for functions within the platform
- User creation / super-user
- Password re-set
Ensure whoever is responsible for your cloud security has a clearly defined process for allowing alterations to the permissions, as well as a review process regularly scheduled to ensure that any elevated accounts are dropped back to their regular permissions once the need for elevation has passed.
If you are accessing company resources via VPN – perhaps to a private cloud, or your own internal hosting – then lock down the access to as little of the network as possible via the VPN. Ideally the VPN should just provide access to the IP addresses and ports required to access your services, although this may not be possible depending on your technology stack and network design. Perhaps time to refresh things?
Consider access restrictions
It is worth considering location-based access restrictions compared to just Zero Trust which focusses on the user. IP based access restrictions can be bypassed by a determined hacker, or someone already inside your network, but it will drastically reduce the number of probes, brute force attacks, and speculative hackers as they will be immediately blocked. The big downside here is that this does then require remote working staff to access the corporate network via VPN before they are then able to access the cloud services that you have restricted access to.
As a hybrid approach, many cloud identity providers allow you to define networks and then apply security rules around this. For example, you could define a rule that when a cloud service is accessed from the office the user does not need to provide MFA verification to log-in, but if they are accessing from an unknown location then they must authenticate every time.
Geo-IP blocking, while a very old practice, may still be applicable here too. If your accounts department are based in one country and do not access the accounting platform from other locations when on leave then there is no harm in restricting access to the accounting platform to the country where your staff are based. Once again, a targeted hacker will simply use a VPN to bypass a geo-restriction, but you are just reducing the exposure footprint a little further by putting these restrictions in place.
Central logs for security and compliance
Gathering logs centrally into a single source when using multiple cloud platforms or SaaS applications allows you to review the overall security of your platform, trace an attack and ensures you have the logs for compliance rather than relying on third parties. It also makes it much simpler to set-up your own security operations centre (SOC) or outsource this.
Ask the right questions
Make sure you and your team ask your cloud or SaaS vendors the difficult questions. Do not take their word that they are doing the basics right, like taking production environment backups. Ensure you test them and their ability by asking them to restore production data. It is better to find out today that the production backups are not running, than in 6 months’ time when trying to recover from an incident.
SaaS requires us as customers to trust implicitly that our vendors are doing the core stuff properly, but we should not utilize blind faith in our suppliers when committing to a cloud solution. Trust is earned.