Vulnerabilities are commonly caused by the misconfiguration of cloud resources, with consequences being particularly severe when it comes to Identity and Access Management (IAM). Any breach of a user account or security principal can result in a malicious actor accessing multiple systems, or even your cloud account itself.
IAM is notoriously complex, and is noted in Verizon’s 2021 Data Breach Investigations Report as being responsible for 61% of analyzed breaches. The good news is a few simple steps can improve your security posture:
Practice the principle of least privilege: Grant only the minimum permissions necessary to complete a task. It is always easier to grant access than to take it away.
Create a password policy: Mandate complex passwords and regular password changes.
Store passwords securely: If you use a password manager, be sure to encrypt it and store it somewhere inaccessible to others.
Set up alerts on your IAM: Ensure you're notified of any change in policy.
Use Multi-Factor Authentication (MFA): Raise the bar of entry to your cloud assets with MFA.
Shadow IT is the use of your cloud assets without the approval or support of your IT department. There are several risks associated with this, including the financial impact of staff creating cloud workloads for personal use, data loss via unauthorized file-sharing services, and the use of unauthorized messaging services for communications. Some users may be motivated by frustration at in-house technology and look to familiar tools to improve productivity, while others are looking to leverage loopholes to spend their time on non-work activities, or even steal company data.
In all cases, control is key. Keeping the number of staff permitted to build new workloads to a minimum and creating policies to ensure every resource has an associated cost code help mitigate unauthorized expenditure. Creating policies to ensure all deployments meet corporate standards ensures rogue deployments cannot happen. Proxy services and HTTP header controls can be used to limit access to third-party cloud services and ensure data integrity. You might also considerCNAPP to keep your workloads secure throughout the lifecycle.
Lack of encryption
Data is a company’s most valuable asset. Underpinning customer confidence, and carrying the potential for regulatory breach and fines, data security should be a primary concern. With all popular cloud platforms offering encryption solutions at the click of a button, it’s incredible to think that 3,800 data breaches occurred in the first half of 2021. We need to concern ourselves with encrypting data in transit, as well as at rest, toavoid unknowingly giving third-party access to cloud data.
Encryption in transit for cloud services ensures a malicious user is prevented from accessing data as it moves between systems. This is covered in the cloud by use of secure protocols, most notably HTTPS. You should configure your systems and data stores to only be accessible via secure protocols and use firewalls to block insecure access methods.
Encryption at rest ensures that data stored on a disk or other storage medium is kept safe from anyone who should not be accessing it. Full disk encryption (FDE), utilizing AES256 for maximum security, is recommended for virtual machine disks. Transparent Data Encryption (TDE) is available to keep databases secure while in use.
Distributed Denial of Service (DDoS) attacks make cloud resources unavailable to users by flooding and overwhelming them with massive quantities of network traffic generated by many remote systems working in unison. These attacks can result in entire services being taken offline and rendered inaccessible to support staff.
Cloud providers all offer built-in tools to mitigate DDoS. These include edge-caching systems that serve content from multiple locations and network appliances that can intelligently monitor cloud services and sever communications if traffic matches a recognized pattern. Standard tools are provided as part of the cloud service and all you need do is switch them on. Additional security features to mitigate DDoS risks are available at additional cost, but these ultimately cost less than your platform vanishing right in front of you.
Application Programming Interfaces (APIs) are used to connect applications and services together, enabling data to be shared between systems without explicit user request or by creating custom applications. By design, APIs need to interact with other applications over the Internet. Although this is great for convenience and collaboration, it presents a security challenge for cloud computing.
Insecure APIs can be an easy point of attack for a malicious user, enabling DDoS attacks or undetected access to sensitive company or customer data. They are expected to be the most common attack vector in 2022.
The steps to secure APIs are like those used for IAM. You should use secure passwords or keys, store them appropriately, and use the principle of least-privilege. Additionally, the cloud providers offer services such as API gateways which can improve your API security posture, at an extra cost.
Resolve cloud vulnerabilities & improve cloud security
It is imperative that your organization updates its security position for the cloud and takes advantage of all the tools at its disposal. CSPs provide tools and guidance to secure your services right out of the box.
Set up your IAM policies before you provide anyone with access, and make sure you provide the minimum access required to new users. Create cloud policies to control what can be deployed in your cloud environment and configure alerts to notify you if those policies are changed. Encrypt all storage by default, and make sure all passwords and keys are stored securely and off-platform. Understand the shared responsibility model, and make sure you keep your side of the cloud security bargain. By following these best practices, you will have headed off most security vulnerabilities at the pass.