Hiring an expert to help your business with cloud migration is a must. You need someone who understands the fundamental principles of how the cloud works and what services you need to have the greatest impact on your business. Even so, there are some commonly overlooked security best practices that every business should be employing, no matter the industry or size of the company. Here are some of the cloud security protocols you should be utilizing.
First, use groups or roles instead of assigning privileges directly to individual users, and remove users when they no longer need access to a specific system. Identity and Access Management (IAM) controls are often overlooked; this also includes creating or handing out access keys that people don’t need or use, and not enforcing password strength. Security protocols are built on least privilege and least availability, so making sure you aren’t granting unnecessary access to people who don’t need it is a big part of security. Don’t overlook this: having proper IAM controls is crucial.
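As an added illustration of the IAM hygiene described above (this is example code written for this page, not the author’s or AWS’s own tooling), the script below audits a credential report for the exact problems listed: console passwords without MFA, credentials nobody has used in months, and access keys that were handed out but never used. The sample report is constructed for the example and contains only a subset of the columns a real IAM credential report has; the 90-day threshold and the fixed reference date are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample with a subset of the columns found in an IAM credential report
# (the real report has more columns; the users and timestamps here are invented).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111111111111:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-01T08:12:00+00:00,true,true,2024-05-02T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-03-15T09:00:00+00:00,true,2023-11-20T08:12:00+00:00,false,true,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-06-01T09:00:00+00:00,false,no_information,false,true,2024-05-03T01:00:00+00:00,true,2023-09-01T01:00:00+00:00
"""

# Fixed reference time so the sample is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)
UNUSED_DAYS = 90  # assumed threshold after which an unused credential should be removed


def _parse_ts(value):
    """Return a datetime, or None for the report's 'never used' markers."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def _stale(ts, now, days):
    return ts is None or (now - ts) > timedelta(days=days)


def audit_credential_report(report_csv, now=NOW, unused_days=UNUSED_DAYS):
    """Return (user, issue) pairs for credentials that violate least-privilege hygiene."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password enabled without MFA"))
            if _stale(_parse_ts(row["password_last_used"]), now, unused_days):
                findings.append((user, f"console password unused for more than {unused_days} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive keys cannot be used; deleting them is still tidy
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"access key {n} is active but has never been used"))
            elif _stale(last_used, now, unused_days):
                findings.append((user, f"access key {n} unused for more than {unused_days} days"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {issue}")
```

On the sample, alice is clean, bob is flagged three times (no MFA, stale password, an access key that was created and never used) and the ci-deploy service user has a second key that has not been touched for months. Each finding maps to one removal or rotation action, which is the point: the report makes the cleanup list concrete instead of relying on someone remembering who still needs what.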
Second is audit controls. Not turning these on will have a detrimental impact on your business. In AWS, this means turning on CloudTrail and CloudWatch in an account; in Azure it’s Monitor and Application Insights. Not using the alerts, or at a minimum collecting audit events, will have consequences. These services let you know who is doing what with your systems and give you a way to trace activity back to a potential insider threat or bad actor.
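To show what “knowing who is doing what” looks like once the audit events are being collected, here is an added example (written for this page, not part of the original article or any AWS tool) that triages a small batch of CloudTrail records: it builds a per-identity summary and raises alerts for console logins without MFA, calls from outside the address ranges you control, and a handful of API calls that matter for the other practices in this article (creating access keys, opening security groups, launching instances, stopping the trail itself). The records, the office address range and the list of sensitive events are all constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Assumed list of API calls worth an alert, keyed by CloudTrail eventSource.
SENSITIVE_EVENTS = {
    "iam.amazonaws.com": {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress", "RunInstances"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail"},
}
# Assumed: ranges the organisation controls (office egress, VPN). Constructed value.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed records in the shape of a CloudTrail log file ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-03T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.40",
     "awsRegion": "us-east-1", "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-03T08:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.40",
     "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-03T02:14:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "awsRegion": "us-east-1", "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-03T02:16:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "awsRegion": "us-east-1"},
    {"eventTime": "2024-05-03T02:20:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7",
     "awsRegion": "ap-southeast-2"},
]})


def _actor(record):
    """Best available name for the identity behind a record."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def triage(log_json, sensitive=SENSITIVE_EVENTS, known_ranges=KNOWN_RANGES):
    """Return (per-identity summary, list of (actor, event, reason) alerts)."""
    alerts = []
    summary = defaultdict(lambda: {"events": 0, "source_ips": set(), "regions": set()})
    for rec in json.loads(log_json)["Records"]:
        who = _actor(rec)
        src = rec["sourceIPAddress"]
        entry = summary[who]
        entry["events"] += 1
        entry["source_ips"].add(src)
        entry["regions"].add(rec["awsRegion"])
        try:
            outside = not any(ipaddress.ip_address(src) in k for k in known_ranges)
        except ValueError:
            outside = False  # service-initiated calls carry a service name here, not an IP
        if outside:
            alerts.append((who, rec["eventName"], f"source {src} outside known ranges"))
        if rec["eventName"] == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append((who, "ConsoleLogin", "console login without MFA"))
        if rec["eventName"] in sensitive.get(rec["eventSource"], ()):
            alerts.append((who, rec["eventName"], "sensitive API call"))
    return dict(summary), alerts


if __name__ == "__main__":
    summary, alerts = triage(SAMPLE_LOG)
    for who, info in summary.items():
        print(who, info["events"], sorted(info["source_ips"]), sorted(info["regions"]))
    for alert in alerts:
        print("ALERT", *alert)
```

In the sample, alice’s activity produces no alerts, while bob’s sequence (an unfamiliar source address, no MFA, a new access key, then an instance launched in a region the team never uses) is exactly the trail an investigator needs; without CloudTrail collecting these events there is nothing to trace back.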
The third biggest sin in cloud security is not using security groups correctly. This means removing security group rules when someone leaves the company and keeping the number of rules to a minimum. For example, you need to reach a system directly or SSH into it, so you put your IP address in the security group and get access. But you forget to remove your IP address afterwards, and three months later that IP belongs to someone else because you switched internet providers. Now someone, likely unknowingly, has access to your systems and servers.
Keeping security groups clean is one of the most overlooked and most powerful cloud security protocols, because it ensures that specific resources stay in private subnets and are not reachable from the public internet or from unknown IP addresses. Making it so you can’t get directly to these resources is imperative, and it is immediately obvious if you open them up to something public. Essentially, you have to go through another subnet to reach them, which is an added layer of protection.
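The forgotten-IP scenario above is easy to catch mechanically. The added example below (written for this page; it is not the author’s tooling or an AWS feature) walks a list of security groups in the shape of the `describe_security_groups` output and reports two things: admin ports reachable from the whole internet, and single-host rules whose address is not inside the ranges the organisation actually controls, which is what a stale personal IP looks like. The groups, the office range and the choice of ports 22 and 3389 as “admin ports” are constructed assumptions.

```python
import ipaddress

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never acceptable from the whole internet
# Assumed: address ranges the organisation controls (office egress, VPN). Constructed value.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample shaped like the SecurityGroups list returned by describe_security_groups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public https"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.7/32", "Description": "dave home"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]},  # reachable only from the web tier: good
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.40/32", "Description": "office jump host"}], "Ipv6Ranges": []},
    ]},
]


def _touches_admin_port(perm):
    if perm["IpProtocol"] == "-1":  # all protocols and ports
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _in_known_ranges(net, known_ranges):
    return any(net.version == k.version and net.subnet_of(k) for k in known_ranges)


def audit_security_groups(groups, known_ranges=KNOWN_RANGES):
    """Return (group id, severity, detail) triples for rules that need attention."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            ranges = [(r["CidrIp"], r.get("Description", "")) for r in perm.get("IpRanges", [])]
            ranges += [(r["CidrIpv6"], r.get("Description", "")) for r in perm.get("Ipv6Ranges", [])]
            ports = "all ports" if perm["IpProtocol"] == "-1" else f"{perm['FromPort']}-{perm['ToPort']}"
            for cidr, desc in ranges:
                net = ipaddress.ip_network(cidr)
                if net.prefixlen == 0 and _touches_admin_port(perm):
                    findings.append((group["GroupId"], "CRITICAL", f"{ports} open to the world via {cidr}"))
                elif net.num_addresses == 1 and not _in_known_ranges(net, known_ranges):
                    # A single-host rule outside the ranges you control is the forgotten-IP case.
                    findings.append((group["GroupId"], "REVIEW",
                                     f"{ports} allowed from single host {cidr} ({desc or 'no description'})"))
    return findings


if __name__ == "__main__":
    for group_id, severity, detail in audit_security_groups(SAMPLE_GROUPS):
        print(f"{severity:8} {group_id}: {detail}")
```

Running this against the sample flags the database group’s world-open SSH rule as critical and puts “dave home” on the review list; the jump-host rule passes because its address sits inside the known office range. Run on a schedule, the REVIEW list is the prompt to ask whether each personal address is still the person’s, which nobody does unprompted.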
Fourth, use network access control list (NACL) rules, which are really powerful. They let you create rules for a whole subnet, or across multiple subnets. This is more akin to a traditional firewall, so you can set rules that block SSH on certain ports. You can dictate that if someone tries to SSH on a given port, the system simply kills the connection.
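NACL entries are evaluated in rule-number order and the first match wins, with an implicit deny if nothing matches, so the order in which the SSH block is written matters as much as its content. The added example below (written for this page, not the author’s code or an AWS tool) simulates that evaluation over constructed inbound entries in the shape of the `describe_network_acls` output: SSH allowed from the office range, SSH denied from everywhere else, everything else allowed. It also shows the common mistake of adding the deny rule after a catch-all allow, where it never matches. The entries and the office range are constructed assumptions; the example handles IPv4 entries only.

```python
import ipaddress

# Constructed inbound entries in the shape of the Entries list from describe_network_acls.
# Protocol "6" is TCP and "-1" is all protocols; Egress False means the rule applies inbound.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 22, "To": 22}},  # SSH from the office only
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},       # SSH from anywhere else: dropped
    {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},                                            # everything else
]

# Same rules, but the SSH deny was added *after* the catch-all allow, so it can never match.
MISORDERED_ENTRIES = [
    {**e, "RuleNumber": 300} if e["RuleNumber"] == 110 else e for e in SAMPLE_ENTRIES
]


def evaluate_inbound(entries, src_ip, protocol, dst_port):
    """Return (action, rule number) for one inbound packet.

    The lowest-numbered matching rule decides; if no rule matches, the NACL's
    implicit '*' rule denies the packet.
    """
    src = ipaddress.ip_address(src_ip)
    inbound = sorted((e for e in entries if not e["Egress"]), key=lambda e: e["RuleNumber"])
    for entry in inbound:
        if "CidrBlock" not in entry:  # IPv6 entries carry Ipv6CidrBlock instead; not handled here
            continue
        if entry["Protocol"] not in ("-1", protocol):
            continue
        if src not in ipaddress.ip_network(entry["CidrBlock"]):
            continue
        port_range = entry.get("PortRange")
        if port_range is not None and not (port_range["From"] <= dst_port <= port_range["To"]):
            continue
        return entry["RuleAction"], entry["RuleNumber"]
    return "deny", "*"


def shadowed_rules(entries):
    """Rule numbers that can never match because an earlier catch-all rule covers all traffic."""
    inbound = sorted((e for e in entries if not e["Egress"]), key=lambda e: e["RuleNumber"])
    for i, entry in enumerate(inbound):
        if entry["Protocol"] == "-1" and entry.get("CidrBlock") == "0.0.0.0/0" and "PortRange" not in entry:
            return [later["RuleNumber"] for later in inbound[i + 1:]]
    return []


if __name__ == "__main__":
    for rules, label in ((SAMPLE_ENTRIES, "correct"), (MISORDERED_ENTRIES, "misordered")):
        print(label, "SSH from internet ->", evaluate_inbound(rules, "198.51.100.7", "6", 22),
              "shadowed:", shadowed_rules(rules))
```

Two caveats a practitioner should keep in mind: a NACL is stateless, so the return half of any allowed connection needs its own outbound rule on the ephemeral port range, and a deny in a NACL drops the packets at the subnet boundary regardless of what the instance’s security group allows, which is why it works as the outer layer the article describes.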
The fifth overlooked security measure is making sure your S3 buckets aren’t exposed directly. Even if you want the information to be public, for example if you’re hosting a site from a bucket, it still needs to be reached indirectly. In AWS, this means hiding the bucket behind CloudFront; in Azure, it means using Azure CDN. That way the world doesn’t have access to the bucket itself, only certain cloud systems that host copies of what you want people to see.
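The difference between “exposed directly” and “reachable only through CloudFront” lives in the bucket policy. The added example below (written for this page; not the author’s code, and the checker is not an AWS feature) shows the weak policy beside the corrected one, and a small function that tells them apart: an `Allow` statement with an anonymous principal and no condition is world-readable, and a statement granting the CloudFront service principal without pinning it to a distribution ARN would let any distribution in any account read the bucket. The bucket name and distribution ARN are constructed placeholders.

```python
import json

# Constructed placeholder; a real distribution ARN comes from your own account.
DISTRIBUTION_ARN = "arn:aws:cloudfront::111111111111:distribution/EXAMPLEDISTID"

# Weak: anyone on the internet can read every object straight from the bucket.
PUBLIC_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site-bucket/*"
  }]
}"""

# Corrected: only the CloudFront service, acting for one specific distribution, may read objects.
CLOUDFRONT_ONLY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudFrontReadOnly",
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-site-bucket/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": "%s"}}
  }]
}""" % DISTRIBUTION_ARN


def _anonymous(principal):
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def _condition_keys(statement):
    # Condition is {operator: {key: value, ...}, ...}; condition keys are case-insensitive.
    return {key.lower() for block in statement.get("Condition", {}).values() for key in block}


def find_exposed_statements(policy_json):
    """Return (Sid, reason) for Allow statements that let the bucket be read outside CloudFront."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    problems = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        keys = _condition_keys(stmt)
        if _anonymous(principal) and not keys:
            problems.append((sid, "anonymous principal with no Condition"))
        elif (isinstance(principal, dict) and principal.get("Service") == "cloudfront.amazonaws.com"
              and "aws:sourcearn" not in keys):
            problems.append((sid, "CloudFront principal not pinned to a distribution ARN"))
    return problems


if __name__ == "__main__":
    print("public policy:", find_exposed_statements(PUBLIC_POLICY))
    print("cloudfront-only policy:", find_exposed_statements(CLOUDFRONT_ONLY_POLICY))
```

The policy string is the same shape `aws s3api get-bucket-policy` returns in its `Policy` field, so the checker can be pointed at real output. Keep the bucket’s public access block enabled as well; the policy above is what lets the CDN fetch objects, and the block is what stops a future edit from quietly reopening them.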
The final most overlooked security measure is around budget monitoring. This may not seem like an actual security measure, but monitoring what is being spent on your cloud account can be a first indicator of a problem. There are easy ways to set alerts around money being spent in the cloud, and budgets should be monitored at least month to month, if not more frequently.
A common attack pattern against cloud accounts is to compromise an account through one of the weak IAM controls mentioned above. The attacker then spins up software that crypto-mines, spams, or attacks other systems, because the cloud has near-infinite scale. The attacker steals compute from you, runs up a bill, and then hops out. Budget monitoring is akin to monitoring your credit card for fraud, which is why setting alerts around spending, and checking your account regularly to ensure nothing new is being purchased or used without authorization, is so important.
You also want to ensure that appropriate tagging is applied to your different systems. That way, when you see tools and services spin up, you know exactly what they are being used for. Tags can be mimicked, but you will usually see that something is different about the resource: it’s bigger than normal, or it comes from a different location, or it follows the same tagging rules but you’ve never heard of it before.
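The budget and tagging points above combine into one simple detection. As an added example (written for this page; it is not the author’s tooling or a cloud provider feature), the code below takes daily cost lines, flags a day whose spend jumps past a multiple of the trailing week’s average, and then lists the lines on that day that cannot be explained: resources missing the required tags or running in a region the team does not use. The cost lines, the required tag names, the approved regions and the 2× spike factor are all constructed assumptions; real numbers would come from your billing export.

```python
from collections import defaultdict
from statistics import mean

REQUIRED_TAGS = ("Owner", "Project")          # assumed tagging standard
APPROVED_REGIONS = {"us-east-1", "eu-west-1"}  # assumed: where the team actually runs things
SPIKE_FACTOR = 2.0                             # assumed: alert when a day exceeds 2x the baseline


def build_sample():
    """Constructed daily cost lines (not real billing data): a quiet week, then a noisy day."""
    rows = [{"date": f"2024-05-{day:02d}", "service": "AmazonEC2", "region": "us-east-1",
             "tags": {"Owner": "web-team", "Project": "shop"}, "cost": 40.0} for day in range(1, 8)]
    rows.append({"date": "2024-05-08", "service": "AmazonEC2", "region": "us-east-1",
                 "tags": {"Owner": "web-team", "Project": "shop"}, "cost": 42.0})
    # Untagged compute in a region nobody on the team uses: the shape of stolen capacity.
    rows.append({"date": "2024-05-08", "service": "AmazonEC2", "region": "ap-southeast-2",
                 "tags": {}, "cost": 310.0})
    return rows


def daily_totals(rows):
    totals = defaultdict(float)
    for row in rows:
        totals[row["date"]] += row["cost"]
    return dict(sorted(totals.items()))


def spend_spikes(rows, baseline_days=7, factor=SPIKE_FACTOR):
    """Return (date, total, baseline) for days whose spend exceeds factor x the trailing average."""
    totals = daily_totals(rows)
    dates = list(totals)
    spikes = []
    for i in range(baseline_days, len(dates)):
        baseline = mean(totals[d] for d in dates[i - baseline_days:i])
        if totals[dates[i]] > factor * baseline:
            spikes.append((dates[i], round(totals[dates[i]], 2), round(baseline, 2)))
    return spikes


def unexplained_spend(rows, required=REQUIRED_TAGS, regions=APPROVED_REGIONS):
    """Return cost lines that break the tagging standard or run in an unapproved region."""
    findings = []
    for row in rows:
        missing = [tag for tag in required if tag not in row["tags"]]
        if missing:
            findings.append((row["date"], row["service"], row["region"], f"missing tags {missing}", row["cost"]))
        if row["region"] not in regions:
            findings.append((row["date"], row["service"], row["region"], "unapproved region", row["cost"]))
    return findings


def budget_report(rows):
    """Tie the two checks together: for each spike day, list the lines that explain it."""
    report = {}
    for date, total, baseline in spend_spikes(rows):
        report[date] = {"total": total, "baseline": baseline,
                        "suspects": [f for f in unexplained_spend(rows) if f[0] == date]}
    return report


if __name__ == "__main__":
    for date, info in budget_report(build_sample()).items():
        print(f"{date}: spent {info['total']} against baseline {info['baseline']}")
        for suspect in info["suspects"]:
            print("   ", suspect)
```

On the sample, 8 May spends 352 against a 40 baseline, and both findings point at the same untagged instance in ap-southeast-2, which is the “bigger than normal, from a different location, never heard of it” signal the article describes. The same two functions work unchanged on a month of real billing lines; the only thing to tune is the baseline window and factor.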
All of these overlooked practices are basic, college-level security practices. But because they are so simple, they are also easy to overlook. Don’t overlook them! Make sure you have proper security measures in place, with proper alerting, so you know when something bad is happening. Automate all of it so you don’t have to think about it; it just happens. When you bring in your expert to help with cloud migration, make sure they set these services up for you and show you how to use them going forward.
Proactive measures are the best way to protect against any cyber attack. Ensure you have the right cloud security protocols in place to protect your business.