Today’s digital, on-demand age sees many organisations rely heavily on multiple cloud services for the day-to-day running of their operations. But the third-party nature of this functionality introduces additional security risks and, with bad actors ever-present to take advantage of porous network perimeters, cyber security professionals must ensure they are rigorous in safeguarding the enterprise.
The following are key checkpoints for best practice in securing cloud-based applications.
Asset management and data flow
Understanding how assets are managed and where data flows within the organisation is critical. This knowledge makes it possible to identify gaps in the cyber security posture, and with that locate the attack vectors. Organisations can seek input from vendors to identify such gaps within their systems and use tools (such as CrowdStrike) to take action against vulnerabilities that emerge. To ensure there is a clear understanding of where things exist, this work includes identifying each asset present in the organisation, as well as the mapping of both structured and unstructured data.
Security policies and procedures
It only takes one weak link to make the organisation vulnerable to attack. This calls for robust enterprise-wide security policies and procedures, with measures applied consistently across the complete IT infrastructure, including public clouds, private clouds, and on-premises technology.
Cloud server configuration
Misconfigured cloud servers can expose data directly on the public internet and lead to compliance violations and breaches. Correct configuration requires input from cloud-specific experts, combined with close coordination with the cloud vendor.
Having established and met a secure baseline configuration for each cloud application, continuous monitoring in real time using automated tools can help to detect and remediate misconfigurations before they lead to security incidents; regular audits also ensure these configurations remain secure and compliant with security standards and policies.
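As an added illustration (not part of the original article), the sketch below shows the kind of check an automated monitoring job runs: each resource's observed settings are compared with the secure baseline and any drift is reported. The setting names, resource names and snapshot are hypothetical and constructed for the example, not any cloud vendor's schema.

```python
# Added example: compare observed cloud settings against a secure baseline.
# Setting and resource names are hypothetical, not a vendor schema.

BASELINE = {
    "public_access": False,
    "encryption_at_rest": True,
    "tls_min_version": "1.2",   # treated as a minimum, not an exact match
    "logging_enabled": True,
}

# Constructed snapshot, as a monitoring job might collect it.
OBSERVED = {
    "hr-documents": {"public_access": False, "encryption_at_rest": True,
                     "tls_min_version": "1.2", "logging_enabled": True},
    "marketing-assets": {"public_access": True, "encryption_at_rest": True,
                         "tls_min_version": "1.0", "logging_enabled": True},
    "finance-exports": {"public_access": False, "encryption_at_rest": False,
                        "tls_min_version": "1.3"},
}

def _version(value):
    return tuple(int(part) for part in value.split("."))

def check_resource(settings, baseline=BASELINE):
    """Return (setting, actual, required) for every deviation from baseline."""
    findings = []
    for key, required in baseline.items():
        if key not in settings:
            # An unset control is reported, never assumed to be safe.
            findings.append((key, "missing", required))
            continue
        actual = settings[key]
        if key == "tls_min_version":
            ok = _version(actual) >= _version(required)
        else:
            ok = actual == required
        if not ok:
            findings.append((key, actual, required))
    return findings

def audit(observed=OBSERVED):
    """Map each non-compliant resource to its list of findings."""
    report = {name: check_resource(s) for name, s in observed.items()}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit().items():
        for key, actual, required in findings:
            print(f"{name}: {key} is {actual!r}, baseline requires {required!r}")
```

Run on a schedule, the same comparison doubles as the regular audit: an empty report means every resource still meets the baseline.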
Access management
Ensuring that sensitive data can only be accessed by the people that need it is a core component of any organisation’s security posture. Users should have no more than the minimum level of access they require to perform their job function, a stipulation assisted by role-based access control (RBAC) which reduces the risk of excessive access rights. The trustworthiness of users, devices and applications should also be continuously verified before access is granted.
Cloud security posture is continually being improved through identity and access management (IAM), where security measures such as multifactor authentication (MFA) are applied and audit logs are regularly checked to identify failed access attempts and detect intrusion.
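As an added illustration (not part of the original article), the sketch below reviews audit log events for the signals mentioned above: bursts of failed access attempts, a successful login that follows such a burst, and logins completed without MFA. The event layout, user names and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, user, source IP, outcome, MFA used).
# The field layout is hypothetical, not any provider's log format.
EVENTS = [
    ("2024-05-01T09:00:05", "alice", "198.51.100.7", "success", True),
    ("2024-05-01T09:10:00", "bob", "203.0.113.9", "failure", False),
    ("2024-05-01T09:10:20", "bob", "203.0.113.9", "failure", False),
    ("2024-05-01T09:10:41", "bob", "203.0.113.9", "failure", False),
    ("2024-05-01T09:11:02", "bob", "203.0.113.9", "failure", False),
    ("2024-05-01T09:11:30", "bob", "203.0.113.9", "success", False),
    ("2024-05-01T11:00:00", "carol", "198.51.100.20", "failure", True),
    ("2024-05-01T15:30:00", "carol", "198.51.100.20", "success", True),
]

def review(events, threshold=3, window=timedelta(minutes=5)):
    """Return (user, alert_type, source_ip) tuples in event order."""
    recent = defaultdict(deque)  # user -> failure times still inside the window
    alerts = []
    for ts, user, ip, outcome, mfa in sorted(events):
        now = datetime.fromisoformat(ts)
        fails = recent[user]
        # Drop failures that have aged out of the sliding window.
        while fails and now - fails[0] > window:
            fails.popleft()
        if outcome == "failure":
            fails.append(now)
            if len(fails) == threshold:  # alert once per burst
                alerts.append((user, "repeated_failures", ip))
        else:
            # A success straight after a burst may mean the guessing worked.
            if len(fails) >= threshold:
                alerts.append((user, "success_after_failures", ip))
            if not mfa:
                alerts.append((user, "login_without_mfa", ip))
            fails.clear()
    return alerts

if __name__ == "__main__":
    for user, alert, ip in review(EVENTS):
        print(f"{alert}: user={user} source={ip}")
```

A single failure followed hours later by a success, as in the last two constructed events, raises nothing, which keeps ordinary mistyped passwords out of the alert queue.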
Data encryption
Encrypting data using strong protocols makes any data unreadable should it be stolen or leaked in a cloud security breach. Encryption is therefore a key tool to keep data (particularly sensitive data) safe, whether it is in transit or at rest. Encryption is not new but it continues to evolve; as attacks become more complex, developing advanced encryption algorithms can play an important part in cyber risk management.
The zero-trust approach
Zero-trust architectures adopt the principle that no user, device or system should be trusted to access cloud-based applications and data until they have been verified. This ensures that only authorised people and technology can see or use sensitive data, reducing the likelihood that it will fall into the wrong hands.
Enterprise-wide education
Regardless of whether they are cloud-related, many cyber attacks occur due to human risk, which covers activities such as users falling victim to a phishing attack, unknowingly installing malware, using outdated systems and/or vulnerable devices, or practising poor password hygiene. Combatting this requires ongoing security training throughout the enterprise; in addition to covering cloud security best practices, this should include regular phishing simulations to educate users on recognising and avoiding these increasingly sophisticated attacks, as well as exercises to drive home why data protection is so important for the whole organisation. Promoting a security culture within an enterprise also adds some layers of security by making it everyone’s responsibility.
Backup plans
Even the most meticulous security processes and preparations are not failsafe, meaning organisations need contingency plans in place. Data should be backed up to prevent it being lost or tampered with. In addition, a failover plan ensures business continuity if one cloud service fails. A benefit of multi-cloud and hybrid cloud installations is that separate clouds can be used as backups, such as cloud data storage for an on-premises database.
CISOs and security practitioners are also aided by various toolsets for safe cloud deployment. Cloud security posture management (CSPM) tools for example can encrypt sensitive data, use geolocation controls to comply with data protection regulations, and conduct regular audits and penetration tests. And data loss prevention (DLP) tools monitor and control the movement of sensitive data across cloud environments; used in conjunction with the right policies they prevent unauthorised sharing or leakage of sensitive information.
At the same time, AI is – unsurprisingly – playing a bigger and bigger role across the board in cyber security operations. AI threat detection can significantly enhance security monitoring and incident mitigation; it can also predict and stop security issues before they happen.
Cloud-based operations have transformed the business environment but, as with most advanced technologies, they introduce additional risk. Adopting these applications so they deliver benefits without widening the attack surface for malicious actors requires expertise and commitment – easily within the reach of most organisations that already practise good cyber security hygiene.
Kashil JagmohanSingh is an application and cyber security consultant at Turnkey Consulting. His risk management expertise includes operating across the SAP Governance, Risk and Compliance (GRC) suite and working closely with clients to manage the cyber risk of global organisations. He is also experienced in vulnerability assessment, carrying out activities such as SAP environment scanning and red teaming. This is his first Think Tank contribution.