Enterprises are accelerating the pace at which they move workloads to cloud computing solutions. Cloud computing offers cost, scale and speed advantages. However, cloud security remains a concern for enterprises, especially since both Amazon’s AWS and Microsoft’s Azure follow a Shared Responsibility Model.
A Shared Responsibility Model is designed for the vendor to hold some responsibility for security while the client holds the remainder. For most models, including the two providers listed, the breakdown falls along a simple line. The provider handles security for their software and hardware/infrastructure, and the client is responsible for their data, access and encryption, and the operating system and network.
A cloud computing client still holds major responsibility for securing the aspects most at risk of breach. Stolen privileged credentials are the leading cause of breaches: Forrester found that 80 percent of data breaches involve privileged credentials, and that 66 percent of companies rely on manual methods to manage accounts. So, if the vendor is not supplying cloud security for access and data, what should an enterprise do to handle the risk?
Implement Zero Trust Privilege
Legacy Privileged Access Management (PAM) follows the approach of “trust but verify.” Unfortunately, in the modern landscape of IT security, trust but verify is no longer enough. Instead, Zero Trust Privilege follows a “never trust, always verify, enforce least privilege” model.
The most important aspect of this is the enforcement of least privilege. Rather than granting system access based on what an individual might need, grant only the access the individual must have, at the time it is needed. This minimizes the damage that can be done with stolen privileged credentials.
Ensure accountability for cloud security
Shared privileged accounts are anonymous, and so are the actions taken under them. Have users log in with their individual accounts and elevate privilege only as required.
Despite the pervasive myth, using Infrastructure-as-a-Service (IaaS) does not require a unique security model. The same best practices that govern access to a traditional network should govern access to and use of the IaaS. Roles and responsibilities for users remain the same, so use what is already in place to your benefit. For example, extend your Active Directory to the cloud to control assignments and grant permissions.
Applying a common security model will allow you to manage entitlements centrally from Active Directory, mapping roles and groups to cloud roles.
Use multi-factor authentication in the entire system
Multi-factor authentication heightens cloud security of data and access because a stolen password alone is no longer enough to complete an attack in progress. MFA is a necessary aspect of security for service management, login and privilege escalation, and when checking out vaulted passwords. In the case of the root account, the password should be vaulted and used only in emergencies. Instead, use centralized identities and enable federated login.
For general privileged users, consistent application of password expiration is necessary. Also, transitioning to passphrases will strengthen defense against unauthorized access.
Audit and follow up
Above all else, auditing of the system is necessary. Auditing ensures cloud security is progressing as designed, and it will provide timely information in the case of a breach. The more auditing that occurs, the less costly a breach will be.
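The MFA, root-vaulting and password-expiration guidance above can be checked routinely as part of auditing. The following is an added example, not part of the original article: it parses the shape of an AWS IAM credential report (an assumption; the article itself names no report) over a constructed sample and flags root usage, console users without MFA, and overdue password rotation.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an AWS IAM credential report (CSV).
# Account number, names and timestamps are invented for illustration.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T09:00:00+00:00,not_supported,2024-05-30T08:12:00+00:00,not_supported,not_supported,false
alice,arn:aws:iam::123456789012:user/alice,2020-03-01T10:00:00+00:00,true,2024-06-01T07:30:00+00:00,2023-11-15T12:00:00+00:00,2024-02-13T12:00:00+00:00,true
bob,arn:aws:iam::123456789012:user/bob,2021-07-20T11:00:00+00:00,true,2024-06-02T09:00:00+00:00,2024-05-01T12:00:00+00:00,2024-07-30T12:00:00+00:00,false
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-02-02T08:00:00+00:00,false,no_information,not_supported,not_supported,false
"""

# Fixed "current time" for the constructed sample so results are reproducible.
AS_OF = datetime(2024, 6, 3, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime, or None for the N/A markers the report uses."""
    if value in ("not_supported", "no_information", "N/A", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, root_quiet_days=90):
    """Flag findings implied by the article's guidance: root used outside an
    emergency window, console users without MFA, and passwords past rotation.
    Returns a sorted list of (user, finding) tuples for follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            # A vaulted root password should almost never be used; any use inside
            # the quiet window is a finding to reconcile against emergency records.
            if not mfa:
                findings.append((user, "root has no MFA"))
            last_used = _parse_ts(row["password_last_used"])
            if last_used and now - last_used < timedelta(days=root_quiet_days):
                findings.append((user, "root password used recently"))
            continue
        if row["password_enabled"] == "true":  # console user, not a service identity
            if not mfa:
                findings.append((user, "console login without MFA"))
            rotation_due = _parse_ts(row["password_next_rotation"])
            if rotation_due and rotation_due < now:
                findings.append((user, "password past expiration"))
    return sorted(findings)
```

Run against a real report, the same function gives the audit trail the article calls for: a dated list of identities that fall short of the MFA, vaulting and expiration controls.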
Ultimately, while a cloud vendor provides and secures infrastructure and software, enterprise data and access remain the responsibility of the enterprise. Stay consistent and up to date with all security protocols currently in place, and transitioning to an IaaS will offer no less security than a traditional network.
Give us a call today for more information on how MobileWare can strengthen your data security.