The digital transformation movement, accelerated by COVID-19, has made a hybrid environment of on-premise, public and/or private cloud, and SaaS environments the new norm. Businesses had to accelerate 2 to 4-year transformation projects into 2 to 6 months to accommodate for broad-based secure remote worker productivity. Gartner reports that cloud services growth in 2021 alone was 18.4%, and this growth appears to continue.
This level of infrastructure migration is massive and requires different security considerations than before. Still, IDG reports that 84% of those surveyed believe their cloud infrastructure is more secure or as secure as their on-premises infrastructure (as opposed to the 15% that feel on-premises is more secure). However, the customer is responsible for security in any public cloud environment, which creates challenges different from legacy security concerns.
Organizations are settling into their "new norms," and it's an excellent time to review the security architecture after shifting significant resources to a cloud environment. There are four considerations to consider when reviewing your public cloud risk profile:
Poorly designed or misconfigured access control is one of the most common threats to cloud security. Many instances of open S3 buckets and misconfigured security groups have allowed attackers access to company assets. A robust Identity and Access Management (IAM) framework is crucial, and all human users accounts must be linked to an overarching directory service for proper privilege provisioning and monitoring. Directory services logging must be configured to detect privilege changes and access activity. Look at user and access privileges to mitigate excessive access instances. Administration privileges must be justifiable, limited, and admin privileged escalation/de-escalation should be logged.
Authentication is a primary vector for attackers. User names and passwords are commonly sold on the dark web, and identity theft is now an everyday occurrence. As a result, authentication is an integral part of the overall IAM framework.
Multi-factor authentication (MFA) has been around since 1986, but only the larger companies adopted it because users found it a cumbersome irritant. Most people didn't understand digital attackers' actual risk to businesses, so small and medium-sized companies refrained from adopting it. However, MFA is becoming common, regardless of company size, and users accept the need. No amount of education about complex passwords can come close to the level of confidence you get with MFA.
Single Sign-On (SSO) is a great way to simplify and centralize authentication across disparate systems, easing administration and access activity logging. In addition, SSO improves identity protection because it strengthens identity security with MFA, reduces "password fatigue," and simplifies username/password management.
Data loss can occur by malicious data alteration, server outage, hard disk failure, human error, and insider theft. Therefore, every organization should have a data security program that includes a solid backup strategy and Data Loss Prevention (DLP) software tailored to the organization, and encryption.
Data protection starts with a solid backup strategy that includes frequency, strong access control for non-human accounts, and offline/off-prem storage. Next, a data plan must be established that identifies what data to back up and what should not. This data classification approach also leads to a solid DLP strategy.
DLP software includes email scanning to identify malicious attachments and prevents end-users from moving critical information outside the organization without authorization. In addition, data categorization and service rules are established to identify and ensure the proper treatment of different data classifications. This prevents the accidental release of critical information and resists malicious theft. Unfortunately, many organizations leave the discretion to send confidential data outside the organization. Still, they should strongly consider the automated tools that ensure an exception approval process is in place.
Data encryption is the only way an organization can ensure that their stolen IP and customer data aren't stolen and sold on the dark web. Data encryption solutions have improved significantly, and file-level encryption does not impose the performance burden it once did. Leveraging the data classification efforts established for DLP, also identify digital assets that should be encrypted.
Cloud environments require the same discipline in processes, policies, and controls as a traditional on-premises network. Automated cloud environment monitoring is crucial to understand and manage operational workflow, access activity, and security. The key to automated monitoring is consolidating information from throughout the environment into a single analysis hub. With the centralization of information, analysis can correlate seemingly unrelated events that would otherwise be lost because it's siloed within a single isolated platform. Relating end-point telemetry with threat feeds can uncover otherwise undetected attacks or mishandling of information. For example, relating access information with geolocation and data flows can identify unauthorized data exfiltration. A purpose-built, automated monitoring system with strong analytics as a central hub provides otherwise lost insights in an uncoordinated cybersecurity mesh framework.
The workplace changed radically due to the pandemic and the required digital transformation accommodating that change happened incredibly fast. As a result, there wasn't time to do the needed due diligence that we usually consider adequate because an almost complete remote workforce was the only option for business continuity. As a result, we've been scrambling to deploy technical capabilities, implement the proper controls, and establish appropriate governance. Now is the time to review what we've put in place to validate that risks are minimized, vulnerabilities have been isolated, and playbooks established to ensure proper treatment for acceptable risks.