As various “as-a-service” applications have proliferated over the last few years, so have potential security vulnerabilities. These services are so easy to sign up for that employees usually don’t think twice about spinning up a virtual server or storing data in the cloud. What’s more, they don’t tell IT about it.
Here are five steps to make sure that the use of cloud technology is not compromising your organization’s security:
1) You can’t protect what you don’t know about. The first step is to discover all uses of cloud in your company. That can be challenging since many of these uses are “shadow IT,” but several methods exist to help. You can use a cloud access security broker (CASB), which proxies web connections to detect activity between your network and outside cloud platforms, or you can put in accounting controls to detect corporate credit card charges for cloud services. The best approach, however, is the direct approach: Reach out and ask your employees about business cloud usage and needs. Rather than charging in as the “security police”, partner with them to find a better solution to their needs while working within corporate guidelines. For example, it’s not unusual for several business units to be using the cloud for storage. The company may be able to save money, not to mention improve security, by pooling resources and standardizing on one platform.
2) After completing your inventory, decide which cloud platforms should be designated as approved vendors. You don’t have to limit employees to just one cloud provider. Sometimes a particular business unit has requirements that make one cloud vendor more appropriate than another. The point is to tell employees which providers are OK to use. Communicate the policy clearly and frequently.
3) Distribute information about how users can secure and harden cloud platforms. Every vendor – Amazon, Microsoft, Google and others – has put out detailed information on how to secure their platforms. The challenge lies in how to get employees to follow those directions. For example, numerous AWS breaches have been caused by a user inadvertently toggling a switch from “private” to “public” on S3 buckets. However, every platform has its idiosyncrasies, so make sure that IT, Information Security, and end-users are educated on the specific platforms that they are using.
4) Trust, but verify. Routinely capture and analyze cloud log data. Each vendor has its own program for extracting information – Amazon’s is called GuardDuty – that can help detect security problems. And make sure your logging solution (e.g., MDR, SIEM, MSSP) is getting those logs too.
5) Periodically test your organization. Conduct a penetration test that includes the cloud environment. You can even narrowly target specific platforms; in fact, BTB Security frequently conducts assessments to evaluate a client’s security within a specific cloud vendor, providing recommendations on how to improve it.
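Steps 3 and 4 can be combined into a log check for the S3 “private” to “public” mistake described above. The following is an added example, not code from this article or from AWS: it assumes CloudTrail management-event records with the field names shown, uses constructed sample records, and does not cover bucket policy changes.

```python
import json

# URIs S3 uses for the "everyone" and "any AWS account" grantee groups.
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}

def exposure_reason(event):
    """Return why a record loosens S3 public access, or None if it does not."""
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    if name == "DeleteBucketPublicAccessBlock":
        return "public access block removed"
    if name == "PutBucketPublicAccessBlock":
        cfg = params.get("PublicAccessBlockConfiguration") or {}
        off = sorted(k for k, v in cfg.items() if v is False)
        return "public access block relaxed: " + ", ".join(off) if off else None
    if name == "PutBucketAcl":
        canned = params.get("x-amz-acl") or []
        canned = [canned] if isinstance(canned, str) else canned
        hit = sorted(PUBLIC_CANNED_ACLS.intersection(canned))
        if hit:
            return "canned ACL " + hit[0]
        # Explicit grants: look for a public group URI anywhere in the request.
        if any(uri in json.dumps(params) for uri in PUBLIC_GROUPS):
            return "ACL grant to a public group"
    return None

def find_exposures(records):
    """Return (time, actor, bucket, reason) for each successful risky call."""
    findings = []
    for ev in records:
        # A denied or failed call changed nothing, so skip it.
        reason = None if ev.get("errorCode") else exposure_reason(ev)
        if reason:
            actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
            bucket = (ev.get("requestParameters") or {}).get("bucketName")
            findings.append((ev.get("eventTime"), actor, bucket, reason))
    return findings

# Constructed sample records for illustration, not real log data.
SAMPLE = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
     "requestParameters": {"bucketName": "example-hr-exports", "x-amz-acl": ["public-read"]}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "PutBucketAcl",
     "requestParameters": {"bucketName": "example-build-cache", "x-amz-acl": ["private"]}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventName": "DeleteBucketPublicAccessBlock",
     "errorCode": "AccessDenied", "requestParameters": {"bucketName": "example-hr-exports"}},
]
```

Calling `find_exposures(SAMPLE)` flags only the first record; the same function can be run over records exported to your logging solution so that a public toggle is reviewed soon after it happens.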
Gathering the information from your specific cloud providers is a good place to start to improve security. However, it’s also advisable to consult the publications of various standards bodies for overall cloud security practices. One source is the Cloud Security Alliance, a non-profit that promotes education on cloud security: https://cloudsecurityalliance.org/. Another is NIST’s Cybersecurity Framework: https://www.nist.gov/industry-impacts/cybersecurity-framework. And for the federal government, there is FedRAMP: https://www.fedramp.gov/.
To learn more about improving your organization’s security, in the cloud and otherwise, visit www.btbsecurity.com.