Now well into its second decade of commercial availability, cloud computing has become near-ubiquitous, with roughly 95 percent of businesses reporting that they have a cloud strategy. While cloud providers are more secure than ever before, there are still risks to using any cloud service. Fortunately, they can be largely mitigated by following these cloud security best practices:
Protect Your Cloud Data
- Determine which data is the most sensitive. While applying the highest level of protection across the board would naturally be overkill, failing to protect the data that is sensitive puts your enterprise at risk of intellectual property loss or regulatory penalties. Therefore, the first priority should be to gain an understanding of what to protect through data discovery and classification, which is typically performed by a data classification engine. Aim for a comprehensive solution that locates and protects sensitive content on your network, endpoints, databases and in the cloud, while giving you the appropriate level of flexibility for your organization.
- How is this data being accessed and stored? While it’s true that sensitive data can be stored safely in the cloud, it certainly isn’t a foregone conclusion. According to the McAfee 2019 Cloud Adoption and Risk Report, 21 percent of all files in the cloud contain sensitive data—a sharp increase from the year before1. While much of this data lives in well-established enterprise cloud services such as Box, Salesforce and Office365, it’s important to realize that none of these services guarantees 100 percent safety. That’s why it’s important to examine the permissions and access context associated with data in your cloud environment and adjust appropriately. In some cases, you may need to remove or quarantine sensitive data already stored in the cloud.
- Who should be able to share it, and how? Sharing of sensitive data in the cloud has increased by more than 50% year over year.1 Regardless of how powerful your threat mitigation strategy is, the risks are far too high to take a reactive approach: access control policies should be established and enforced before data ever enters the cloud. Just as the number of employees who need the ability to edit a document is much smaller than the number who may need to view it, it is very likely that not everyone who needs to be able to access certain data needs the ability to share Defining groups and setting up privileges so that sharing is only enabled for those who require it can drastically limit the amount of data being shared externally.
- Don’t rely on cloud service encryption. Comprehensive encryption at the file level should be the basis of all your cloud security efforts. While the encryption offered within cloud services can safeguard your data from outside parties, it necessarily gives the cloud service provider access to your encryption keys. To fully control access, you’ll want to deploy stringent encryption solutions, using your own keys, before uploading data to the cloud.
Minimize Internal Cloud Security Threats
- Bring employee cloud usage out of the shadows. Just because you have a corporate cloud security strategy in place doesn’t mean that your employees aren’t utilizing the cloud on their own terms. From cloud storage accounts like Dropbox to online file conversion services, most people don’t consult with IT before accessing the cloud. To measure the potential risk of employee cloud use, you should first check your web proxy, firewall and SIEM logs to get a complete picture of which cloud services are being utilized, and then conduct an assessment of their value to the employee/organization versus their risk when deployed wholly or partially in the cloud. Also, keep in mind that shadow usage doesn’t just refer to known endpoints accessing unknown or unauthorized services—you’ll also need a strategy to stop data from moving from trusted cloud services to unmanaged devices you’re unaware of. Because cloud services can provide access from any device connected to the internet, unmanaged endpoints such as personal mobile devices create a hole in your security strategy. You can restrict downloads to unauthorized devices by making device security verification a prerequisite to downloading files.
- Create a “safe” list. While most of your employees are utilizing cloud services for above-the-board purposes, some of them will inadvertently find and use dubious cloud services. Of the 1,935 cloud services in use at the average organization, 173 of them rank as high-risk services.1 By knowing which services are being used at your company, you’ll be able to set policies 1.) Outlining what sorts of data are allowed in the cloud, 2.) Establishing a “safe” list of cloud applications that employees can utilize, and 3.) Explaining the cloud security best practices, precautions and tools required for secure utilization of these applications.
- Endpoints play a role, too. Most users access the cloud through web browsers, so deploying strong client security tools and ensuring that browsers are up-to-date and protected from browser exploits is a crucial component of cloud security. To fully protect your end-user devices, utilize advanced endpoint security such as firewall solutions, particularly if using IaaS or PaaS models.
- Look to the future. New cloud applications come online frequently, and the risk of cloud services evolves rapidly, making manual cloud security policies difficult to create and keep up to date. While you can’t predict every cloud service that will be accessed, you can automatically update web access policies with information about the risk profile of a cloud service in order to block access or present a warning message. Accomplish this through integration of closed-loop remediation (which enforces policies based on a service-wide risk rating or distinct cloud service attributes) with your secure web gateway or firewall. The system will automatically update and enforce policies without disrupting the existing environment.
- Guard against careless and malicious users. With organizations experiencing an average of 14.8 insider threat incidents per month—and 94.3 percent experiencing an average of at least one a month—it isn’t a matter of if you will encounter this sort of threat; it’s a matter of when. Threats of this nature include both unintentional exposure—such as accidentally disseminating a document containing sensitive data—as well as true malicious behavior, such as a salesperson downloading their full contact list before leaving to join a competitor. Careless employees and third-party attackers can both exhibit behavior suggesting malicious use of cloud data. Solutions leveraging both machine learning and behavioral analytics can monitor for anomalies and mitigate both internal and external data loss.
- Trust. But verify. Additional verification should be required for anyone using a new device to access sensitive data in the cloud. One suggestion is to automatically require two-factor authentication for any high-risk cloud access scenarios. Specialized cloud security solutions can introduce the requirement for users to authenticate with an additional identity factor in real time, leveraging existing identity providers and identity factors (such as a hard token, a mobile phone soft token, or text message) already familiar to end users.
Develop Strong Partnerships with Reputable Cloud Providers
- Regulatory compliance is still key. Regardless of how many essential business functions are shifted to the cloud, an enterprise can never outsource responsibility for compliance. Whether you’re required to comply with the California Consumer Privacy Act, PCI DSS, GDPR, HIPAA or other regulatory policies, you’ll want to choose a cloud architecture platform that will allow you to meet any regulatory standards that apply to your industry. From there, you’ll need to understand which aspects of compliance your provider will take care of, and which will remain under your purview. While many cloud service providers are certified for myriad industry and governmental regulations, it’s still your responsibility to build compliant applications and services on the cloud, and to maintain that compliance going forward. It’s important to note that previous contractual obligations or legal barriers may prohibit the use of cloud services on the grounds that doing so constitutes relinquishing control of that data.
- But brand compliance is important, too. Moving to the cloud doesn’t have to mean sacrificing your branding strategy. Develop a comprehensive plan to manage identities and authorizations with cloud services. Software services that comply with SAML, OpenID or other federation standards make it possible for you to extend your corporate identity management tools into the cloud.
- Look for trustworthy providers. Cloud service providers committed to accountability, transparency and meeting established standards will generally display certifications such as SAS 70 Type II or ISO 27001. Cloud service providers should make readily accessible documentation and reports, such as audit results and certifications, complete with details relevant to the assessment process. Audits should be independently conducted and based on existing standards. It is the responsibility of the cloud provider to continuously maintain certifications and to notify clients of any changes in status, but it’s the customer’s responsibility to understand the scope of standards used—some widely used standards do not assess security controls, and some auditing firms and auditors are more reliable than others.
- How are they protecting you? No cloud service provider offers 100 percent security. Over the past several years, many high profile CSPs have been targeted by hackers, including AWS, Azure, Google Drive, Apple iCloud, Dropbox, and others. It’s important to examine the provider’s data protection strategies and multitenant architecture, if relevant—if the provider’s own hardware or operating system are compromised, everything hosted within them is automatically at risk. For that reason, it’s important to use security tools and examine prior audits to find potential security gaps (and if the provider uses their own third-party providers, cloud security best practices suggest you examine their certifications and audits as well.) From there, you’ll be able to determine what security issues must be addressed on your end. For example, fewer than 1 in 10 providers encrypt data stored at rest, and even fewer support the ability for a customer to encrypt data using their own encryption keys.1 Finding providers that both offer comprehensive protection as well as the ability for users to bridge any gaps is crucial to maintaining a strong cloud security posture.
- Investigate cloud provider contracts and SLAs carefully. The cloud services contract is your only guarantee of service, and your primary recourse should something go wrong—so it is essential to fully review and understand all terms and conditions of your agreement, including any annexes, schedules and appendices. For example, a contract can make the difference between a company who takes responsibility for your data, and a company that takes ownership of your data. (Only 37.3 % of providers specify that customer data is owned by the customer. The rest either don’t legally specify who owns the data, creating a legal grey area—or, more egregiously, claim ownership of all uploaded data.1) Does the service offer visibility into security events and responses? Is it willing to provide monitoring tools or hooks into your corporate monitoring tools? Does it provide monthly reports on security events and responses? And what happens to your data if you terminate the service? (Keep in mind that only 13.3 percent of cloud providers delete user data immediately upon account termination. The rest keep data for up to a year, with some specifying they have a right to keep it indefinitely.) If you find parts of the contract objectionable, you can try to negotiate—but in the case where you’re told that certain terms are non-negotiable, it is up to you to determine whether the risk presented by accepting the terms as-is is an acceptable one to your business. If not, you’ll need to find alternate means of managing the risk, such as encryption or monitoring, or find another provider.
- What happens if something goes wrong? Since no two cloud service providers offer the same set of security controls—and again, no cloud provider delivers 100 percent security—developing an Incident Response (IR) plan is critical. Make sure the provider includes you and considers you a partner in creating such plans. Establish communication paths, roles and responsibilities with regard to an incident, and to run through the response and hand-offs ahead of time. SLAs should spell out the details of the data the cloud provider will provide in the case of an incident, how data will be handled during incidents to maintain availability, and guarantee the support necessary to effectively execute the enterprise IR plan at each stage. While continuous monitoring will offer the best chance at early detection, full-scale testing should be performed on at least an annual basis, with additional testing coinciding with major changes to the architecture.
- Protect your IaaS environments. When using IaaS environments such as AWS or Azure, you retain responsibility for the security of operating systems, applications, and network traffic. Advanced anti-malware technology should be applied to the OS and virtual network to protect your infrastructure. Deploy application whitelisting and memory exploit prevention for single-purpose workloads and machine learning-based protection for file stores and general-purpose workloads.
- Neutralize and remove malware from the cloud.Malware can infect cloud workloads through shared folders that sync automatically with cloud storage services, spreading malware from an infected user device to another user’s device. Use a cloud security solution program to scan the files you’ve stored in the cloud to avoid malware, ransomware or data theft attacks. If malware is detected on a workload host or in a cloud application, it can be quarantined or removed, safeguarding sensitive data from compromise and preventing corruption of data by ransomware.
- Audit your IaaS configurations regularly. The many critical settings in IaaS environments such as AWS or Azure can create exploitable weaknesses if misconfigured. Organizations have, on average, at least 14 misconfigured IaaS instances running at any given time, resulting in an average of nearly 2,300 misconfiguration incidents per month. Worse, greater than 1 in 20 AWS S3 buckets in use are misconfigured to be publicly readable.1 To avoid such potential for data loss, you’ll need to audit your configurations for identity and access management, network configuration, and encryption. McAfee offers a free Cloud Audit to help get you started.
- McAfee 2019 Cloud Adoption and Risk Report