‘The cloud’, or cloud computing, refers to compute and storage services that are accessed over the internet rather than hosted on your own computer or network. Many businesses now choose the cloud over on-premises systems for its scalability, flexibility and lower cost. However, the cloud comes with its own risks, and every service you expose there adds to the ‘attack surface’ that an attacker can target.

The first step in using the cloud is to understand which service and deployment model meets your requirements and which provider you will run it on. The three most common providers are AWS (Amazon Web Services), GCP (Google Cloud Platform) and Microsoft Azure. All three are well established and have invested heavily in the security of their platforms, so the choice comes down to weighing the benefits of each for your business. Bear in mind, though, that the provider secures the underlying platform; how you configure and expose what you run on it is your responsibility, and as in every area of cybersecurity there are no guarantees. So, what can you do to reduce your cloud attack surface?


1. Reduce publicly available assets

Allowing every service direct access from the internet is one of the most common security mistakes, and the risk is just as high (if not higher) when your workloads and data are in the cloud, where a storage bucket, database port or management interface left open is reachable by anyone who scans for it. Businesses should decide deliberately what needs to be reachable from the internet, permit only those services, and make sure they are monitored and hardened; everything else belongs behind private networking or a VPN. This minimises your cloud attack surface by simply reducing how much of your sensitive data and workloads is reachable from outside.

If you already use cloud services and have never reviewed this, it is worth setting aside time to go through your deployment and reassess the security design of each workload and data store based on who actually needs to reach it. This can take a while depending on the size of your estate, but the risk reduction is well worth it.
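The review above starts with a simple question: which firewall rules let the whole internet in, and on which ports? The following is an added example (not code from the original post) that answers it for AWS security groups. It parses the JSON shape returned by `aws ec2 describe-security-groups --output json`; the sample document embedded in it is constructed for illustration, and the group ids, names and allowed-port list are invented assumptions.

```python
"""Flag security-group ingress rules that expose a port to the whole internet.

Added example, not code from the original post. It reads the JSON shape produced by
`aws ec2 describe-security-groups --output json`; the sample below is constructed for
illustration and the group ids and names in it are invented.
"""
import ipaddress
import json
from typing import Iterable

# Constructed sample: one group that legitimately serves HTTPS, one legacy admin group
# that exposes SSH and all traffic, and one internal group reachable only from another group.
SAMPLE_SECURITY_GROUPS = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "admin-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1",
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "db-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
]})


def is_world_reachable(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other prefix of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_world_open_rules(describe_output: str,
                          allowed_public_ports: Iterable[int] = (80, 443)) -> list:
    """Return ingress rules whose source is the whole internet and whose port range is
    not made up entirely of approved public ports. Rules sourced from other security
    groups (UserIdGroupPairs) are not internet-facing and are skipped."""
    allowed = set(allowed_public_ports)
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in sources if is_world_reachable(c)]
            if not world:
                continue
            proto = perm["IpProtocol"]
            if proto == "-1":            # "-1" means every protocol and every port
                ports, exposed = "all", True
            else:
                # ICMP rules use -1 for "all types"; -1 is never an allowed port, so they count as exposed
                lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
                exposed = any(p not in allowed for p in range(lo, hi + 1))
                ports = str(lo) if lo == hi else f"{lo}-{hi}"
            if exposed:
                findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                                 "protocol": proto, "ports": ports, "sources": world})
    return findings


if __name__ == "__main__":
    for f in find_world_open_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['protocol']}/{f['ports']} "
              f"open to {', '.join(f['sources'])}")
```

On the constructed sample the HTTPS rule passes, the database rule is limited to a single /24 and passes, and the two findings are the SSH rule and the all-traffic IPv6 rule in `admin-legacy`. The approved-port list is the policy decision the section asks you to make; everything else that the world can reach is a candidate for a private subnet or a VPN.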


2. Think about who can access your data

Who has access to your business’s data when utilizing the cloud? Ideally, the answer is just you and your fellow employees. However, in reality we often forget to check who really has access to our data. Here are a few key things to think about when it comes to managing your cloud service’s access control:

Do any ex-employees still have access? If so, put a procedure in place for onboarding and offboarding employees and project teams so that access is revoked when someone leaves the company or the project. Depending on your cloud type and model, the way access to cloud workloads is granted can differ significantly from your on-premises systems, so an offboarding checklist written for on-premises accounts may not cover cloud consoles, API keys or federated logins.

Do any ex-clients or ex-contractors still have access? For various reasons you sometimes have to give clients and contractors access to documents and systems. Worryingly, these accounts are often forgotten and left active long after the work is finished and the relationship has ended, which leaves an open door for a breach.

Does everyone have only the minimum privileges they need? Whether an employee, customer or contractor, each identity should have the bare minimum permissions required for its work. The fewer identities with access, and the narrower that access, the less likely it is that cloud data is stolen or workloads are compromised.

If you want to know more about Identity and Access Management (IAM), you can read our blog about it here.
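The three questions above can be answered mechanically from the provider's own records. The following is an added example (not code from the original post) that does so for AWS IAM: it reads the column subset of an IAM credential report (`aws iam get-credential-report`, base64-decoded CSV) together with an HR roster to find identities that should no longer hold live credentials, and it scans an IAM policy document for statements that grant everything. Both inputs, the user names, the roster and the fixed "now" date are constructed assumptions.

```python
"""Audit who still holds live cloud credentials and whether their policies are least-privilege.

Added example, not code from the original post. The credential report and the policy
document below are constructed for illustration; user names, account id and dates are invented.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed credential report: only the columns the checks need are kept.
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,true,2024-05-30T08:10:00+00:00,true,2024-06-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,true,2023-11-02T12:00:00+00:00,false,N/A,false,N/A
contractor-acme,arn:aws:iam::111111111111:user/contractor-acme,false,no_information,true,2024-01-15T10:22:11+00:00,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,no_information,true,2024-06-02T01:00:00+00:00,false,N/A
"""

# Constructed HR roster: people and service identities who should still have access.
CURRENT_ROSTER = {"alice", "bob", "ci-deploy"}

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)


def _parse_date(value: str):
    """Credential reports use N/A or no_information where there is no timestamp."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def stale_or_orphaned_identities(report_csv: str, roster: set, now: datetime,
                                 max_idle_days: int = 90) -> list:
    """Return identities that either are not on the roster (leavers, ex-contractors)
    but still hold an active password or access key, or are on the roster but have a
    credential that has never been used or has been idle longer than max_idle_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        creds = [("password", row["password_enabled"] == "true",
                  _parse_date(row["password_last_used"]))]
        for n in ("1", "2"):
            creds.append((f"access_key_{n}", row[f"access_key_{n}_active"] == "true",
                          _parse_date(row[f"access_key_{n}_last_used_date"])))
        live = [c for c in creds if c[1]]
        if not live:
            continue  # nothing to revoke
        if row["user"] not in roster:
            findings.append({"user": row["user"], "reason": "not on roster",
                             "credentials": [c[0] for c in live]})
            continue
        idle = [c[0] for c in live
                if c[2] is None or now - c[2] > timedelta(days=max_idle_days)]
        if idle:
            findings.append({"user": row["user"], "reason": f"unused for >{max_idle_days} days",
                             "credentials": idle})
    return findings


# Constructed policy: one scoped statement and two that violate least privilege.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::reports/*"},
    {"Sid": "LegacyAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllOfEC2", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
]})


def overly_broad_statements(policy_document: str) -> list:
    """Return Allow statements that grant every action, or a whole service, on every resource."""
    doc = json.loads(policy_document)
    stmts = doc["Statement"] if isinstance(doc["Statement"], list) else [doc["Statement"]]
    broad = []
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = s.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild and "*" in resources:
            broad.append({"sid": s.get("Sid", "<no Sid>"), "actions": wild})
    return broad


if __name__ == "__main__":
    for f in stale_or_orphaned_identities(SAMPLE_REPORT, CURRENT_ROSTER, NOW):
        print(f"{f['user']}: {f['reason']} ({', '.join(f['credentials'])})")
    for b in overly_broad_statements(SAMPLE_POLICY):
        print(f"policy statement {b['sid']} grants {b['actions']} on every resource")
```

With the constructed data, `contractor-acme` is flagged because it is not on the roster yet still has an active access key, and `bob` is flagged because his password has not been used in over 90 days; `alice` and `ci-deploy` pass. The policy check flags `LegacyAdmin` and `AllOfEC2`, the two statements that grant a wildcard action on every resource. Run the same checks on a schedule and the offboarding gap described above becomes visible within a day rather than years later.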


3. Workload identification and separation

Whether you are fully in the cloud or hybrid (on-premises data centres alongside the cloud), your workloads must be identified and labelled according to their purpose and access requirements. Once you know the specific business need for each workload, the next step is to build network access controls around it so that only the traffic it needs is allowed, which both raises the bar for an attacker and limits the scope of any compromise. These rules can be made very granular. Asset separation is especially important for protecting your data from unauthorised access and for preventing lateral movement once malware or an attacker gains a foothold on one system.

Workload or asset separation is considered best practice: it limits the attack surface in the cloud and gives you greater control over your data and its security. Identifying and separating workloads also feeds directly into Identity and Access Management, since it tells you which people and which workloads should be able to reach what, which is vital when deciding who has access to your data.
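Labelling workloads by tier turns "who should talk to whom" into a table you can check rules against. The following is an added example (not code from the original post) of that check: a constructed inventory with a `tier` tag on each asset, a table of allowed tier-to-tier flows, and a constructed rule set, plus a reachability walk that shows the blast radius of a single compromised asset. The tag name, tier names, asset names and rule tuples are all assumptions of this example, not a provider feature.

```python
"""Check network rules against labelled workload tiers and measure lateral-movement reach.

Added example, not code from the original post. Inventory, tier policy and rules are
constructed; the `tier` tag and the allowed-flow table are this example's own convention.
"""
from collections import defaultdict

# Constructed inventory: every workload carries a tier tag set by its owner.
ASSETS = {
    "lb-1": {"tier": "edge"},
    "web-1": {"tier": "web"},
    "web-2": {"tier": "web"},
    "api-1": {"tier": "app"},
    "db-1": {"tier": "data"},
    "jump-1": {"tier": "admin"},
    "legacy-7": {},              # never labelled: nobody has said what it is for
}

# Which tier may open connections to which tier, and on which ports.
# Anything not listed here is denied by design.
ALLOWED_FLOWS = {
    ("internet", "edge"): {443},
    ("edge", "web"): {8080},
    ("web", "app"): {9000},
    ("app", "data"): {5432},
    ("admin", "web"): {22},
    ("admin", "app"): {22},
    ("admin", "data"): {22},
}

# Constructed firewall / security-group rules as (source, destination, port).
# A source is an asset name or the literal "internet".
RULES = [
    ("internet", "lb-1", 443),
    ("lb-1", "web-1", 8080),
    ("lb-1", "web-2", 8080),
    ("web-1", "api-1", 9000),
    ("api-1", "db-1", 5432),
    ("web-2", "db-1", 5432),      # web tier straight to the database, skipping the app tier
    ("internet", "jump-1", 22),   # jump host exposed to the world
    ("legacy-7", "db-1", 5432),   # unlabelled asset reaching into the data tier
    ("jump-1", "db-1", 22),
]


def tier_of(name, assets):
    if name == "internet":
        return "internet"
    return assets.get(name, {}).get("tier")


def check_rules(rules, assets, allowed):
    """Return (src, dst, port, reason) for every rule that crosses tiers outside the
    allowed-flow table or touches an asset that has no tier label at all."""
    findings = []
    for src, dst, port in rules:
        s, d = tier_of(src, assets), tier_of(dst, assets)
        if s is None or d is None:
            findings.append((src, dst, port, "unlabelled asset"))
        elif port not in allowed.get((s, d), set()):
            findings.append((src, dst, port, f"{s}->{d}:{port} is not an allowed flow"))
    return findings


def reachable_from(start, rules):
    """Every asset an attacker who controls `start` could connect to by following the
    rules transitively: the blast radius of that single compromise."""
    edges = defaultdict(set)
    for src, dst, _port in rules:
        edges[src].add(dst)
    seen, queue = set(), [start]
    while queue:
        node = queue.pop()
        for nxt in edges[node] - seen:
            seen.add(nxt)
            queue.append(nxt)
    seen.discard(start)
    return seen


if __name__ == "__main__":
    for src, dst, port, reason in check_rules(RULES, ASSETS, ALLOWED_FLOWS):
        print(f"{src} -> {dst}:{port}: {reason}")
    for start in ("web-1", "web-2", "legacy-7"):
        print(f"compromise of {start} reaches {sorted(reachable_from(start, RULES))}")
```

On the constructed data the checker reports three rules: the web server talking directly to the database, the jump host open to the internet, and the unlabelled `legacy-7` reaching the data tier. The reachability walk makes the "scope of compromise" argument concrete: from `web-1` an attacker reaches `api-1` and then `db-1` only through the app tier, whereas from `web-2` the database is one hop away because of the offending rule.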


At Euclid Security, we offer our services worldwide, performing our assessments remotely and when required, on site. Whether you are beginning to move your data to the cloud or have a current deployment, it is never too late to get the professional assistance that you need and deserve to reduce your cloud attack surface. Get in touch today for a no-obligation discussion.