Cloud Security Best Practices for All Business Types

One of the biggest benefits of migrating your business to the cloud is security. The cloud is far more secure than anything you could ever provide yourself: sensitive data sits behind layers of security and microsegmentation that keeps it separate from other data, and network ports are closed by default and opened only explicitly. That level of security is hard to emulate. While it's possible to achieve a semblance of it in a traditional data center, cloud providers can do it for you in a far more cost-effective manner. That said, hackers still target cloud providers, and they still attempt to breach businesses using the cloud to gain information they can leverage against you. So how effective is cloud security, really?

Cloud providers like AWS, Microsoft Azure and Google Cloud deal with attacks on a daily basis. As recently as a month ago, there was a massive DDoS attack against AWS specifically. They managed to stop it, and attacks like that one are exactly why providers keep strengthening cloud security. Cloud providers strive to ensure the security and safety of your sensitive and proprietary information, so they are constantly watching for threats and defending against them.

While the provider does their part, you have to do your part for your business. There are components of cloud security that everyone should put in place, no matter who your provider is.

The number one component to have in place is strong passwords and IAM controls. Don't use the root account for day-to-day work. Make your passwords very long: the more characters in a password, the longer it takes an attacker to break it. It's not about what the characters are, whether they're capitals or symbols; it's about the sheer number of characters in your password. Length is a huge factor in whether an attacker breaks into your account or not, and this is especially important on the root account. On top of that, enabling MFA or 2FA as an added layer of protection is a good idea.

With IAM controls, do not give accounts to people who don't need them. When you do grant access, grant only the permissions absolutely necessary for someone to do their job. Do not grant permissions to unnecessary areas, and don't give one person programmatic access, console access and secret access keys all at once unless they actually need all of them.

The second component to have in place is monitoring. Everything in the cloud is infrastructure as code, which means you can do everything lightning fast, and you can do a lot of damage at the same lightning speed. The only way to know that something is not normal is to monitor with an audit trail. This goes along with IAM controls, because you can monitor who is logging in, who is spinning up servers and running services, and which account is performing which actions. If you don't, it's incredibly easy for someone to gain access and start building things inside your infrastructure, especially if you have a weak password on your root account.

To go along with this, ensure budget monitoring and alerts are set up as well. Many people don't realize that cloud providers have zones all over the world. Most people don't go into their account to see what is happening in zones they don't use on a consistent basis, so they may not realize until the bill comes that someone has set up a crypto mining operation in a zone across the globe inside their account. That $250K bill is going to hurt when you normally spend $500 a month. You have to know what is normal before you can know what is abnormal, and you can't know what normal is without monitoring.
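An added example, not part of the original article: three simple detections run over CloudTrail-style records, covering the two points above (root account use, console logins without MFA, and compute started in a region the business never uses). The records, user names and list of expected regions are constructed for the example.

```python
# Added example: detections over CloudTrail-style audit records.
# The records below are constructed; they follow CloudTrail's field names
# (eventName, awsRegion, userIdentity, additionalEventData.MFAUsed).
import json

# Regions this hypothetical business actually uses; anything else is suspicious.
EXPECTED_REGIONS = {"us-east-1", "us-west-2"}
COSTLY_ACTIONS = {"RunInstances", "CreateCluster"}  # actions that start billable compute

SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2020-03-01T08:00:00Z", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2020-03-01T08:05:00Z", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2020-03-01T03:12:00Z", "eventName": "RunInstances",
     "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob-old"}},
    {"eventTime": "2020-03-01T09:00:00Z", "eventName": "RunInstances",
     "awsRegion": "us-west-2", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]]

def detect(events):
    """Return (rule, actor, detail) for every record that matches a rule."""
    findings = []
    for raw in events:
        ev = json.loads(raw)
        ident = ev.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        region = ev.get("awsRegion")
        name = ev.get("eventName")
        # Rule 1: the root account should not be used for everyday work at all.
        if ident.get("type") == "Root":
            findings.append(("root-account-used", actor, name))
        # Rule 2: console logins that did not present a second factor.
        mfa = ev.get("additionalEventData", {}).get("MFAUsed")
        if name == "ConsoleLogin" and mfa != "Yes":
            findings.append(("console-login-without-mfa", actor, region))
        # Rule 3: compute started in a region the business does not use
        # (the "crypto mining in a zone across the globe" case above).
        if name in COSTLY_ACTIONS and region not in EXPECTED_REGIONS:
            findings.append(("compute-in-unexpected-region", actor, region))
    return findings

if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {actor} ({detail})")
```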

The third cloud security component you must put in place is removing unused or unneeded items from your account. Basically, if you make a mess in your account, clean it up. If you're not using it, get rid of it. If you experiment with something and decide to go a different route, clean it up. If you open ports because something isn't working and then you get it working, close those ports. If you make a bucket public because you can't reach what you need and then you no longer need public access, clean it up. It is common for people to shoot themselves in the foot in the cloud: they put holes in security groups, they publicly expose things to get them working, and they're working with new things, testing and setting up environments. But people forget to remove those things, and that is where weaknesses appear and breaches occur.

One of the most common findings on a cloud security scan involves security groups. Scans reveal that SSH ports or other critical ports are exposed to assorted IP addresses, usually labelled with people's names, and a lot of the time those people are no longer employees of the company. The scan will also reveal dozens of accounts for people who no longer work at the company but whose accounts are still active, still have access keys and still have weak passwords. Those things enlarge your attack surface; they are easy access points. So if you don't use it, if it fails, or if you no longer need it, clean it up.
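As an added example (not from the article), an audit for the two leftovers just described: admin ports reachable through security group rules, and accounts nobody has used in months. The security groups, users, names and dates are constructed; the data only mimics the shape of EC2 describe_security_groups output and the IAM credential report, and no AWS calls are made.

```python
# Added example: find exposed admin ports and stale IAM users in constructed
# data shaped like describe_security_groups output and the credential report.
from datetime import datetime, timedelta, timezone

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
STALE_AFTER_DAYS = 90
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

SAMPLE_GROUPS = [{"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "dave home"},
                  {"CidrIp": "0.0.0.0/0", "Description": "temp debugging"}]},
]}]

SAMPLE_USERS = [  # constructed credential-report rows; "N/A" means never used
    {"user": "alice", "password_last_used": "2020-02-28T10:00:00+00:00", "key_last_used": "N/A"},
    {"user": "dave", "password_last_used": "2019-09-01T10:00:00+00:00",
     "key_last_used": "2019-08-15T10:00:00+00:00"},
]

def audit_security_groups(groups):
    """Return (group, service, cidr, description, severity) for each ingress
    rule that reaches an admin port. World-open rules are high severity; a
    single address is "review" so its owner (the description) can be confirmed."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, service in ADMIN_PORTS.items():
                if not lo <= port <= hi:
                    continue
                for r in perm.get("IpRanges", []):
                    severity = "high" if r["CidrIp"].endswith("/0") else "review"
                    findings.append((g["GroupId"], service, r["CidrIp"],
                                     r.get("Description", ""), severity))
    return findings

def stale_users(users, now=NOW):
    """Return users whose password and access keys were all unused for 90+ days."""
    cutoff = now - timedelta(days=STALE_AFTER_DAYS)
    stale = []
    for u in users:
        used = [datetime.fromisoformat(v) for v in (u["password_last_used"], u["key_last_used"])
                if v != "N/A"]
        if not used or max(used) < cutoff:
            stale.append(u["user"])
    return stale
```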

The number one way to ensure that unauthorized cloud services are not being used by end users is to have an audit trail turned on and to have monitoring and alerts turned on. This will allow you to stop bad things when you see them and to clean them up. If there's only a handful of people managing the cloud environment because you're a small company, it's going to be really obvious if something new pops up. But if there are an additional 25 accounts for people who no longer work for you, it becomes much more difficult to track. Catching a breach at the point of entry is key, and the best way to do that is through monitoring. Know what is normal, set proper IAM controls and clean up messes. Doing these things will make your cloud experience as smooth as possible.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. Founded by 20-year software engineering veterans who have founded or co-founded several companies, PWV's experts act as trusted advisors and mentors to numerous early-stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high-impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
