No doubt enterprises have embraced the cloud, but how about optimizing their cloud security controls?
Many enterprises still do not use the controls their cloud provider already offers to log activity, restrict user access, and harden their environments. To get the most out of your cloud services, you cannot afford to ignore those controls. Use every one that is available to make it as difficult as possible for an attacker to reach your valuable data.
Here are the 7 cloud security controls you should be using.
1. Understand your responsibility.
Responsibility for security is shared between provider and customer, and the split differs by service model. With IaaS, the provider secures the underlying infrastructure, but it is not responsible for protecting the applications you run on it or for ensuring that your data is securely transmitted and stored.
In AWS, for example, the customer is responsible for the configuration of its Amazon Elastic Compute Cloud (EC2) instances, Amazon EBS volumes, and Amazon Virtual Private Cloud (VPC) networks, as well as for guest OS patching and configuration, application management, and data protection.
To avoid security gaps, confirm with your IaaS provider exactly which cloud security controls are your responsibility and which are theirs.
2. Implement access control.
Two mistakes that enterprises make again and again illustrate how hard they find access control:
- Exposing their cloud storage contents to the public by accident
- Allowing Secure Shell (SSH) connections directly from the internet
In its May 2018 report, RedLock’s Cloud Security Intelligence (CSI) team found that more than half (51%) of organizations had accidentally made the contents of at least one cloud storage service accessible to anyone with an Internet connection.
Meanwhile, when SSH is reachable directly from the Internet, anyone who finds the server can start trying to log in. The firewall is not being bypassed; it has simply been configured to let the whole Internet through. SSH is a secure protocol, but exposing it to every address on the Internet invites password guessing, the reuse of leaked keys, and exploitation of any flaw in the SSH server itself. Restrict it to known source addresses, a bastion host, or a VPN.
Effectively implement access controls by adopting the following practices:
- Use the access control tools provided by major cloud providers.
- Know who can access and when.
- Grant the least privilege necessary when creating identity and access policies, and add permissions only when a specific need arises.
- Keep security groups narrowly scoped and, where you can, allow traffic from a referenced security group ID (for example, the bastion host’s group) rather than from a CIDR range.
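The SSH mistake above is easy to find mechanically. The following is an added example, not code from the original article: it walks security group definitions laid out in the shape of `aws ec2 describe-security-groups` output (the groups here are constructed, with invented IDs) and reports every rule that opens a port to 0.0.0.0/0 or ::/0, including the easily overlooked "-1" rule that means all protocols on all ports. It also lists the rules that admit SSH only from another security group, which is the pattern the last bullet recommends.

```python
"""Audit EC2 security groups for ports open to the entire Internet.

Added example, not code from the original article. The group definitions are
constructed in the shape of `aws ec2 describe-security-groups` output; the
group IDs are invented.
"""
import ipaddress

SECURITY_GROUPS = [
    {   # Mistake: SSH from anywhere, over IPv4 and IPv6
        "GroupId": "sg-0aaa111bbb222ccc3", "GroupName": "web-servers-bad",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {   # Mistake: "-1" is every protocol on every port, so SSH is open too
        "GroupId": "sg-0ddd444eee555fff6", "GroupName": "db-servers-bad",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
    {   # Hardened: SSH only from members of the bastion group, HTTPS public
        "GroupId": "sg-0777aaa888bbb999c", "GroupName": "web-servers-hardened",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0bastion0000000001"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        ],
    },
]


def is_unrestricted(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. 'anyone on the Internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule, port):
    """Does this ingress rule admit TCP traffic to `port`?"""
    proto = rule["IpProtocol"]
    if proto == "-1":                     # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def find_internet_exposed(groups, port=22):
    """Return (group_id, port, cidr) for every rule that opens `port` to the world."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            findings.extend((sg["GroupId"], port, c) for c in cidrs if is_unrestricted(c))
    return findings


def referenced_sources(groups, port=22):
    """Return (group_id, source_group_id) for rules that admit `port` from another
    security group rather than from an address range: the pattern to aim for."""
    return [(sg["GroupId"], pair["GroupId"])
            for sg in groups for rule in sg.get("IpPermissions", [])
            if rule_covers_port(rule, port)
            for pair in rule.get("UserIdGroupPairs", [])]


if __name__ == "__main__":
    for group_id, port, cidr in find_internet_exposed(SECURITY_GROUPS):
        print(f"EXPOSED  {group_id} port {port} from {cidr}")
    for group_id, source in referenced_sources(SECURITY_GROUPS):
        print(f"OK       {group_id} port 22 only from {source}")
```

Running it against real output is a matter of replacing `SECURITY_GROUPS` with the `SecurityGroups` list returned by `describe-security-groups`. Note that port 443 on the web servers is also open to the world and is reported as such when you ask for it; the point is that the exposure is deliberate there and accidental for SSH.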
3. Protect the data.
Data in the cloud also needs to be encrypted, at rest and in transit; failing to encrypt it is a common mistake.
Storing sensitive data in the cloud should involve the appropriate controls both to restrict who can reach the storage and to protect the data itself.
Ideally, your organization should keep control of the encryption keys, for instance by using customer-managed keys in the provider’s key management service. The provider’s services still need to use those keys on your behalf, but you define the key policy, the rotation schedule, and the audit trail.
To better protect your data, implement the encryption tools and management services offered by your cloud services provider.
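Both the "public storage" mistake from control 2 and the encryption requirement here come down to what a bucket policy says. The following is an added example, not code from the original article: a small evaluator for S3 bucket policy statements (Principal, Action, Resource, and the StringEquals, StringNotEquals and Null condition operators) that is used to show an accidentally public policy beside a hardened one that refuses uploads unless they request SSE-KMS. The bucket name, account ID and role name are constructed for illustration.

```python
"""Evaluate S3 bucket policies offline: spot anonymous read access and check
that uploads are forced to use server-side encryption.

Added example, not code from the original article. The policies, bucket name,
account ID and role ARN are constructed and do not refer to real resources.
Only Action/Resource (not NotAction/NotResource) and three condition operators
are supported; that is enough for the two policies shown here.
"""
import fnmatch


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_any(patterns, value):
    # IAM wildcards ('*' and '?') behave like case-sensitive shell globs here.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(principal, requester):
    """Principal "*" or {"AWS": "*"} means anyone, anonymous callers included.
    `requester` is an IAM ARN or the string "anonymous"."""
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in arns or requester in arns


def _conditions_hold(conditions, context):
    """As in IAM, a key missing from the request makes String* operators false;
    only Null looks at presence itself."""
    for operator, clauses in conditions.items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if operator == "Null":
                want_absent = str(_as_list(expected)[0]).lower() == "true"
                if (actual is None) != want_absent:
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in [str(e) for e in _as_list(expected)]:
                    return False
            elif operator == "StringNotEquals":
                if actual is None or actual in [str(e) for e in _as_list(expected)]:
                    return False
            else:
                raise ValueError("unsupported condition operator: " + operator)
    return True


def evaluate(policy, requester, action, resource, context=None):
    """Explicit Deny beats Allow; no matching Allow is an implicit Deny."""
    context = context or {}
    decision = "Deny"
    for st in policy["Statement"]:
        if not _principal_matches(st.get("Principal", {}), requester):
            continue
        if not _glob_any(_as_list(st["Action"]), action):
            continue
        if not _glob_any(_as_list(st["Resource"]), resource):
            continue
        if not _conditions_hold(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_publicly_readable(policy, bucket):
    return evaluate(policy, "anonymous", "s3:GetObject",
                    f"arn:aws:s3:::{bucket}/any-object") == "Allow"


BUCKET = "example-payroll-exports"                                 # constructed
WRITER = "arn:aws:iam::123456789012:role/payroll-exporter"         # constructed
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"

# The accidental-exposure case: anyone on the Internet may read every object.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": OBJECTS}]}

# Hardened: only the exporter role may write, and only with SSE-KMS. Two Deny
# statements are needed: StringNotEquals does not fire when the header is
# absent, so the Null statement catches uploads that omit it entirely.
ENCRYPTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": WRITER}, "Action": "s3:PutObject", "Resource": OBJECTS},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
]}


def upload_decision(sse_header=None, requester=WRITER):
    """Decision for a PutObject that did (or did not) send the SSE header."""
    ctx = {} if sse_header is None else {"s3:x-amz-server-side-encryption": sse_header}
    return evaluate(ENCRYPTED_POLICY, requester, "s3:PutObject",
                    f"arn:aws:s3:::{BUCKET}/2018/05/report.csv", ctx)
```

The check that matters in practice is `is_publicly_readable`: a policy whose Principal is `*` (or `{"AWS": "*"}`) with an Allow and no restricting Condition is the shape behind most of the exposures RedLock counted. The encryption policy also shows why one Deny statement is not enough: an upload with no encryption header at all slips past `StringNotEquals`, which is why AWS's own examples pair it with a `Null` check.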
4. Secure your credentials.
AWS access keys turn up on public websites, in source code repositories, on unprotected Kubernetes dashboards, and in similar places, so adopt the following practices to keep your credentials out of the wrong hands:
- Ensure maximum protection for your AWS access keys and educate your developers on the consequences of leaked access keys in public forums.
- Create unique keys for individual external services and implement the principle of least privilege when granting access. Refrain from granting broad permissions to prevent access to sensitive resources and data by malicious actors. Assign specific privileges through specifically created IAM roles.
- Rotate keys regularly, so that a key that has leaked, perhaps without your knowledge, stops working before an attacker can use it to move through your environment as a privileged user.
- Disable accounts that are no longer used, removing paths an attacker could compromise.
- Avoid using the root account for anything beyond creating the first administrative user with assigned privileges. Then lock down the root account and reserve it for the few account and service management tasks that require it; provision everyone else with users or roles carrying the appropriate permissions.
Adding multifactor authentication (MFA) to the root account is an effective way to lock it down. MFA requires two or more independent factors drawn from these categories:
- Knowledge (something you know): PIN, username and password, security question
- Possession (something you have): hardware token, USB security key, smart card, or a one-time link sent to a device you control
- Inherence (something you are): biometrics, e.g., fingerprint, voice, palm veins, iris or retina patterns, behavioral patterns
- Location (somewhere you are): actual physical location, for example as determined by GPS
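Most of the practices above can be checked from a single artifact, the IAM credential report. The following is an added example, not code from the original article: it parses a report laid out with the columns `aws iam get-credential-report` returns (the rows themselves are constructed, with an invented account ID, users and dates), flags a root account without MFA or with active access keys, access keys older than 90 days, users with no activity for 90 days, and console passwords without MFA. It also includes the regex used to spot access key IDs committed to source, run here over a constructed snippet that uses AWS's documented example key.

```python
"""Audit an IAM credential report for stale keys, idle users and an unprotected
root account, and scan text for access key IDs that should never appear there.

Added example, not code from the original article. The report rows and the
source snippet are constructed; the column layout is that of
`aws iam get-credential-report`, the account ID, users and dates are invented.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90
MAX_IDLE_DAYS = 90
NOW = datetime(2018, 5, 21, 12, 0, tzinfo=timezone.utc)   # "as of" time for the sample

# Constructed report. A real one arrives base64-encoded, with exactly these columns.
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2016-01-10T09:00:00+00:00,not_supported,2018-05-20T08:15:00+00:00,not_supported,not_supported,false,true,2016-01-10T09:05:00+00:00,2018-05-19T22:10:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-03-01T10:00:00+00:00,true,2018-05-21T07:30:00+00:00,2018-04-15T10:00:00+00:00,2018-07-14T10:00:00+00:00,true,true,2018-04-15T10:05:00+00:00,2018-05-21T07:35:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2016-06-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2016-06-01T10:05:00+00:00,2018-05-21T02:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob-contractor,arn:aws:iam::123456789012:user/bob-contractor,2017-09-01T10:00:00+00:00,true,2017-11-30T16:00:00+00:00,2017-09-01T10:00:00+00:00,N/A,false,true,2017-09-01T10:05:00+00:00,2017-11-30T16:20:00+00:00,us-west-2,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for the practices listed in the article."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root account has active access keys"))
            continue
        last_seen = [t for t in (_parse_ts(row["password_last_used"]),
                                 _parse_ts(row["access_key_1_last_used_date"]),
                                 _parse_ts(row["access_key_2_last_used_date"])) if t]
        if not last_seen or now - max(last_seen) > timedelta(days=MAX_IDLE_DAYS):
            findings.append((user, f"no activity in {MAX_IDLE_DAYS} days, disable"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE_DAYS} days, rotate"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
    return findings


# Long-term (AKIA) and temporary (ASIA) access key IDs: 4-letter prefix + 16 chars.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")


def find_access_key_ids(text):
    """Return every access key ID found in `text` (a file, a diff, a dashboard dump)."""
    return ACCESS_KEY_ID.findall(text)


# Constructed snippet of the kind that gets committed by mistake; the key ID is
# the placeholder AWS uses in its own documentation, not a live credential.
SOURCE_SNIPPET = '''
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
'''

if __name__ == "__main__":
    for user, finding in audit_credential_report(CREDENTIAL_REPORT, NOW):
        print(f"{user:16} {finding}")
    print("leaked key IDs:", find_access_key_ids(SOURCE_SNIPPET))
```

The 90-day thresholds are a common starting point rather than a rule; what matters is that the report is pulled and acted on regularly, and that the root row never shows active access keys. The regex only catches the key ID, which is the searchable half of a credential pair; finding one in a repository should be treated as a leak of the secret beside it.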
5. Maintain security hygiene.
Strive for defense in depth, so that the failure of one control cannot by itself compromise your cloud environment; the remaining controls should still protect your applications, network, and data.
Multifactor authentication adds a layer on top of the username and password, if you are still using them. Require MFA for management consoles, dashboards, and privileged accounts.
To get layered protection and maximum convenience, go passwordless.
6. Get better visibility with logs.
Turn on the security logging and monitoring offered by the major cloud providers (AWS CloudTrail, for example) so that you can flag unauthorized access attempts and other suspicious activity, and so that every API call is recorded with:
- the identity of the API caller
- time of the call
- the caller’s source IP address
- the request parameters
- the response elements returned by your service
The same logging and monitoring data also serves change tracking, resource management, security analysis, and compliance audits.
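Logging only pays off once something reads the logs. The following is an added example, not code from the original article: a handful of detection rules run over records laid out like CloudTrail events (the fields listed above map to `userIdentity`, `eventTime`, `sourceIPAddress`, `requestParameters` and `responseElements`). The events, account ID, users, addresses and the corporate network range are all constructed; the rules flag root account activity, failed and MFA-less console logins, repeated failures from one address, changes to the trail itself, and state-changing calls from outside the corporate network.

```python
"""Detection rules over CloudTrail-style records.

Added example, not code from the original article. The events are constructed
in the shape of CloudTrail records (userIdentity, eventTime, sourceIPAddress,
requestParameters, responseElements); the account ID, users, addresses and the
corporate network range are invented.
"""
from collections import Counter
import ipaddress

CORPORATE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]   # assumption
LOGGING_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
BRUTE_FORCE_THRESHOLD = 3


def _event(time, source, name, identity, ip, **extra):
    base = {"eventVersion": "1.05", "eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userAgent": "aws-cli/1.15.0", "requestParameters": None, "responseElements": None}
    base.update(extra)
    return base


ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"}
DEPLOYER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deployer", "userName": "ci-deployer"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}

EVENTS = [
    # three failed console logins for alice from one outside address
    _event(f"2018-05-21T02:14:{s:02d}Z", "signin.amazonaws.com", "ConsoleLogin", ALICE, "203.0.113.44",
           responseElements={"ConsoleLogin": "Failure"}, additionalEventData={"MFAUsed": "No"},
           errorMessage="Failed authentication")
    for s in (7, 19, 31)
] + [
    # root login with MFA from the office: still worth an alert, root should be idle
    _event("2018-05-21T08:02:11Z", "signin.amazonaws.com", "ConsoleLogin", ROOT, "198.51.100.10",
           responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    # someone switching the trail off from an outside address
    _event("2018-05-21T02:40:55Z", "cloudtrail.amazonaws.com", "StopLogging", DEPLOYER, "203.0.113.44",
           readOnly=False, requestParameters={"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}),
    # benign read-only call from the office
    _event("2018-05-21T09:15:00Z", "ec2.amazonaws.com", "DescribeInstances", ALICE, "198.51.100.23",
           readOnly=True),
]


def _is_corporate(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # e.g. "AWS Internal" or a service principal name
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


def detect(events):
    """Return (rule, actor, eventName, sourceIP) alerts for the given records."""
    alerts, failures_by_ip = [], Counter()
    for ev in events:
        ident = ev.get("userIdentity") or {}
        who = ident.get("arn", ident.get("type", "unknown"))
        name, ip = ev.get("eventName"), ev.get("sourceIPAddress", "")
        resp = ev.get("responseElements") or {}
        extra = ev.get("additionalEventData") or {}
        if ident.get("type") == "Root":
            alerts.append(("root_activity", who, name, ip))
        if name == "ConsoleLogin":
            if resp.get("ConsoleLogin") == "Failure":
                failures_by_ip[ip] += 1
                alerts.append(("console_login_failure", who, name, ip))
            elif extra.get("MFAUsed") != "Yes":
                alerts.append(("console_login_without_mfa", who, name, ip))
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in LOGGING_CHANGES:
            alerts.append(("logging_tampered", who, name, ip))
        if ev.get("readOnly") is False and not _is_corporate(ip):
            alerts.append(("mutation_from_unknown_network", who, name, ip))
    for ip, n in failures_by_ip.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("console_brute_force", f"{n} failures", "ConsoleLogin", ip))
    return alerts


if __name__ == "__main__":
    for rule, who, name, ip in detect(EVENTS):
        print(f"{rule:30} {name:18} {ip:15} {who}")
```

The `StopLogging` record is the one to treat as urgent: an attacker who has obtained credentials often tries to blind the trail before doing anything else, and a trail that is stopped or deleted produces no further evidence. Feeding real events in means replacing `EVENTS` with the `Records` array from the CloudTrail log files delivered to your bucket.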
7. Adopt a shift-left approach to security.
This approach incorporates security early in the development process rather than in its final stages. Dan Flaherty, McAfee director of product marketing, urges enterprises both to monitor what they have in IaaS platforms and to check all the code going into the platform before it goes live.
Reinforce your cloud security controls with robust authentication.
Contact TraitWare today to learn more about our simplified, agile, cost-saving plug-and-play passwordless MFA solution.