Best practice tips for securing your cloud

Whether you are using cloud-based software-as-a-service applications, running email services from your Microsoft 365 tenant or storing data in Microsoft Azure, cloud is the new normal for most organisations.

The Grant McGregor team considers what that means for your cyber security approach.

The renewed focus on digitalisation and the hybrid working arrangements that have emerged from the pandemic period have accelerated most organisations’ journey towards cloud computing in one way or another.

Cloud is increasingly the de facto choice for applications and data these days. According to research by Gigamon, 43 percent of organisations are now making use of multiple public cloud and multiple private cloud instances. Some 89 percent are embracing a multi-cloud strategy.

Of course, this brings its own complexity and security challenges.

How common are cyber-attacks on cloud infrastructure?

Proofpoint’s The Human Factor 2023 report found that 94 percent of cloud tenants were targeted every month.

What’s more, worryingly, there is a gap between malicious cyber activity and business leaders’ perception of it. Gigamon has also found that half of the business IT leaders it surveyed were “confident” or “completely confident” they are sufficiently secure across their hybrid cloud infrastructure from on-premises to cloud. Yet of those, 90 percent admitted to having experienced a breach in the last 18 months.

The company says this is proof of a “significant disparity between how secure organisations believe their hybrid cloud infrastructure to be, and how protected their data truly is.”

How can you secure your clouds?

Of course, it is never “one size fits all” when it comes to cyber security. Different clouds will require different security approaches.

The risks and approaches will vary greatly between:

Software as a service, such as Salesforce or Microsoft 365
Cloud platforms, such as Microsoft Azure
Social clouds which your users may access, such as Instagram or TikTok

However, some of the controls will be the same. The UK’s National Cyber Security Centre (NCSC) points out that single-sign-on solutions (such as Microsoft Entra ID), multi-factor authentication, secure administration and the use of trustworthy devices (ensured through policies in your device management tools) will be essential principles of all your cloud security.

Earlier this year, it issued new cloud security guidance to encourage organisations to ensure they take a robust approach to cloud configuration – for both SaaS applications and cloud platforms. It has separated out its advice for each cloud model:

It emphasises that poor authentication and authorisation configuration is one of the most common sources of security issues in software-as-a-service apps.
For cloud platforms and the services on running on them, your focus must be on strong observability and using automation to implement a robust cyber security approach.

NCSC cloud security guidance

The NCSC cloud security guidance is built around 14 principles.

These are:

Principle 1: Data in transit protection
Your data should be adequately protected against tampering and eavesdropping as it transits networks inside and external to the cloud. This should be achieved using a combination of encryption, service authentication and network-level protections.
Principle 2: Asset protection and resilience
Your data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.
Principle 3: Separation between customers
A malicious or compromised customer of the service should not be able to access or affect the service or data of another. Effective security boundaries should be in place in the way your cloud provider runs code, stores data and manages the network.
Principle 4: Governance framework
Clearly stated, this should direct your provider’s management of the service and information within it.
Principle 5: Operational security
The service needs to be operated and managed securely in order to impede, detect or prevent attacks. This will be achieved through a combination of effective vulnerability management, protective monitoring, configuration & change management, and incident management.
Principle 6: Personnel security
Where service provider personnel have access to your data and systems, you need a high degree of confidence in their trustworthiness and the technical measures in place that audit and constrain the actions of those personnel.
Principle 7: Secure development
Cloud services should be designed, developed and deployed in a way that minimises and mitigates threats to their security. This will include a robust software development lifecycle.
Principle 8: Supply chain security
Your service provider should ensure that its supply chain meets the same security standards that the organisation sets for itself, especially where they have access to data.
Principle 9. Secure user management
The provider must prevent unauthorised access and alteration of your resources, applications and data, usually based on a role-based access model.
Principle 10: Identity and authentication
All access to service interfaces should be constrained to a securely authenticated and authorised identity (either a human user or a machine).
Principle 11: External interface protection
All external or less-trusted interfaces of the service should be identified and defended appropriately. This includes external APIs, web consoles and command line interfaces.
Principle 12: Secure service administration
The design, implementation, and management of the cloud service provider’s administration systems should follow enterprise good practice, recognising their high value to attackers.
Principle 13: Audit information and alerting for customers
You should be able to identify security incidents and should have the information necessary to find out how and when they occurred. This includes audit information and the issuance of security alerts when attempted attacks are detected.
Principle 14: Secure use of the service
Your cloud provider should make it easy for you to meet your data protection responsibilities. Services should be secure by design and by default.

The NCSC provides much greater detail into all these principles on its website. You should familiarise yourself with the detail so that you are confident discussing them with your cloud service provider.

However, while this advice is a fantastic starting point for shaping your organisation’s cyber security approach to software-as-a-service apps and platform-as-a-service and infrastructure-as-a-service cloud services, it does overlook one important cloud-based threat. Whether you class social networks as shadow IT or not, it is likely some of your users are accessing them via your organisational devices or, at least, the devices they are also using to access your cloud apps and services.

Gigamon has found that only 60 percent of global enterprises have banned the use of WhatsApp due to cyber-security concerns, although this figure does rise for other social networks. The survey found 100 percent of business IT leaders expressed concerns about TikTok and the Metaverse – although not all had blocked them.

Newer cloud services are even lower on the radar. The Gigamon survey found that only 24 percent of global enterprises have banned or are looking at banning Chat GPT. This is, perhaps, one overlooked area that should be considered within your overall cloud security strategy.

What next?

If you would like more information about any of the concerns, approaches or cyber-security principles discussed in this article, please reach out to our team.

Call us: 0808 164 4142

Message us: https://www.grantmcgregor.co.uk/contact-us

Monday, 27 November 2023