One of the biggest benefits of migrating your business to the cloud is the security aspect. The cloud is far more secure than anything you could ever provide yourself: workloads sit behind layers of security and microsegmentation that keep sensitive data separate from other data, and behind ports that are closed by default and only opened explicitly. That level of security is hard to emulate. While it’s possible to achieve a semblance of it in a traditional data center, cloud providers can do it for you in a far more cost-effective manner. That said, hackers still target cloud providers, and they still attempt to breach businesses utilizing the cloud and gain information they can leverage against you. So how effective is cloud security, really?
Cloud providers like AWS, Microsoft Azure and Google Cloud deal with hacks on a daily basis. As recently as a month ago, there was a massive DDoS attack against AWS specifically. They managed to stop the attack, but cloud security is on the rise because of attacks like that one. Cloud providers strive to ensure the security and safety of your sensitive and proprietary information, so they are constantly watching for threats and fighting against them.
While the provider does their part, you have to do your part for your business. There are components of cloud security that everyone should put into place, no matter who your provider is.
The number one component to have in place is a strong password and IAM controls. Don’t use the root account. Keep your password very long: the more characters in a password, the longer it takes for a hacker to break it. It’s not about what the characters are, whether they’re capitals or symbols; it’s about the sheer number of characters in your password. Length is a huge factor in whether a hacker breaks into your account or not. This is especially important on the root account. On top of that, utilizing MFA or 2FA as an added protection is a good idea.
With IAM controls, do not give accounts to people who don’t need them. When you do give account access, only grant the permissions absolutely necessary for someone to do their job. Do not grant permissions to unnecessary areas, and don’t give programmatic access, console access and secret access keys all to one person unless they actually need them.
The second component to have in place is monitoring. Everything in the cloud is infrastructure as code, which means you can do everything lightning fast, and you can do a lot of damage at the same lightning speed. The only way to know that something is not normal is to monitor with an audit trail. This goes along with IAM controls, because you can monitor who is logging in, who is spinning up servers and running services, and which account is performing certain actions. If you don’t do that, it’s incredibly easy for someone to gain access and start implementing things inside the infrastructure, especially if you have a weak password on your root account.
To go along with this, ensure budget monitoring and alerts are set up as well. Many people don’t realize that cloud providers have zones all over the world. Most people don’t go into their account to see what is happening in zones they don’t use on a consistent basis, so they may not realize until the bill comes that someone has placed a crypto mining operation in a zone across the globe inside their account. That $250K bill is going to hurt when you normally spend $500 a month. You have to know what is normal before you can know what is abnormal, and you can’t know what normal is without monitoring.
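As an added illustration of the audit-trail review described above (example code written for this page, not from the original post or any cloud provider’s tooling), the script below walks over constructed CloudTrail-style records and flags the two things the text calls out: any activity by the root account, and resource launches in regions the business does not normally use. The allowed-region set and the sample events are assumptions constructed for the example.

```python
# Constructed CloudTrail-style records. The field names follow the CloudTrail
# record format, but every value is invented for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-05T10:02:11Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-05T23:41:09Z", "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2024-01-06T02:15:33Z", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"instanceType": "p3.16xlarge", "minCount": 8}},
    {"eventTime": "2024-01-06T09:00:00Z", "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"instanceType": "t3.micro", "minCount": 1}},
]

# Assumption: the regions this business actually operates in (the "normal" baseline).
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}
# Event names that create billable compute; anything of this kind outside the
# baseline regions is exactly the "mining rig across the globe" case.
COSTLY_EVENTS = {"RunInstances", "CreateCluster", "CreateDBInstance"}


def audit(events, allowed_regions=ALLOWED_REGIONS):
    """Return (finding, actor, region, event) tuples for records that are not normal."""
    findings = []
    for e in events:
        identity = e["userIdentity"]
        who = identity.get("userName", identity["type"])
        # Root should not be used day to day, so every root event is worth a look.
        if identity["type"] == "Root":
            findings.append(("root-activity", who, e["awsRegion"], e["eventName"]))
        # Spend in a region nobody uses is the signal a budget alert would catch too late.
        if e["eventName"] in COSTLY_EVENTS and e["awsRegion"] not in allowed_regions:
            findings.append(("unused-region-spend", who, e["awsRegion"], e["eventName"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(*finding)
```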
The third cloud security component you must put in place is removing unused or unneeded items from your account. Basically, if you make a mess in your account, clean it up. If you’re not using it, get rid of it. If you experiment with something and decide to go a different route, clean it up. If you open up ports because something isn’t working and then you get it working, close those ports. If you make a bucket public because you can’t reach what you need and then no longer need public access, clean it up. It is common for people to shoot themselves in the foot in the cloud. They put holes in security groups, they publicly expose things to get them working, they work with new things, test things and set up environments. But people forget to remove things, and that is where weaknesses happen and breaches occur.
One of the most common things that pops up on a security scan in the cloud is around security groups. Scans reveal that SSH ports or other critical ports are exposed to random IP addresses, usually rules labelled with people’s names. A lot of the time, those people are no longer employees of the company. The scan will also reveal dozens of accounts for people who no longer work at the company; their accounts are still active, and they still have access keys and weak passwords. Those things create a larger attack surface for hackers; they are easy access points. So if you don’t use it, it has failed, or you no longer need it, clean it up.
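The two scan findings described above, as an added example written for this page (not the original post’s code or any provider’s scanner): it checks constructed security-group and IAM inventories for admin ports reachable from sources outside an approved range, and for users who are neither current staff nor known service accounts but still hold a console password or active access keys. The approved CIDR, the staff roster and all inventory values are assumptions.

```python
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}                        # SSH and RDP
APPROVED_CIDRS = [ip_network("203.0.113.0/24")]  # assumption: the company VPN egress range

# Constructed inventory shaped like EC2 describe_security_groups output; values invented.
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "IpRanges": [
            {"CidrIp": "198.51.100.77/32", "Description": "dave home"},
            {"CidrIp": "203.0.113.10/32", "Description": "vpn"}]}]},
    {"GroupId": "sg-0e4f5a6b", "GroupName": "bastion", "IpPermissions": [
        {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
# Constructed IAM summary: whether each user still has a console password and how many active keys.
IAM_USERS = [
    {"UserName": "alice", "PasswordEnabled": True, "ActiveKeys": 1},
    {"UserName": "dave", "PasswordEnabled": True, "ActiveKeys": 2},
    {"UserName": "ci-deploy", "PasswordEnabled": False, "ActiveKeys": 1},
]
CURRENT_STAFF = {"alice"}          # assumption: the HR roster
SERVICE_ACCOUNTS = {"ci-deploy"}   # assumption: known non-human identities


def exposed_admin_rules(groups, approved=APPROVED_CIDRS):
    """Return (group, port, source, description) for admin-port rules open outside the approved range."""
    findings = []
    for g in groups:
        for p in g["IpPermissions"]:
            # An "all traffic" rule (IpProtocol "-1") carries no ports, so treat it as 0-65535.
            lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)
            if not any(lo <= port <= hi for port in ADMIN_PORTS):
                continue
            for r in p.get("IpRanges", []):
                src = ip_network(r["CidrIp"])
                if not any(src.subnet_of(a) for a in approved):
                    findings.append((g["GroupId"], lo, r["CidrIp"], r.get("Description", "")))
    return findings


def stale_users(users, staff=CURRENT_STAFF, service=SERVICE_ACCOUNTS):
    """Users not on the roster who can still log in or call the API."""
    return [u["UserName"] for u in users
            if u["UserName"] not in staff | service
            and (u["PasswordEnabled"] or u["ActiveKeys"] > 0)]
```

Run against the constructed data, the first check flags the "dave home" rule and the bastion group open to the world, and the second flags dave’s still-active account.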
The number one way to ensure that unauthorized cloud services are not being used by end users is to have an audit trail turned on and to have monitoring and alerts turned on. This will allow you to stop bad things when you see them and to clean them up. If there’s only a handful of people managing the cloud environment because you’re a small company, it’s going to be really obvious if something new pops up. But if there are an additional 25 accounts for people who no longer work for you, it becomes more difficult to track. Catching a breach at the point of entry is key, and the best way to do that is through monitoring. Know what is normal, set proper IAM controls and clean up messes. Doing these things will ensure your cloud experience is as smooth as possible.