With today’s rapidly shifting threat landscape, organizations face a constantly changing environment, demanding that IT security groups proactively protect and monitor systems. As many workplaces have shifted to remote environments, IT teams are tasked with managing disparate technology platforms, personal devices, remote connectivity tools, boundaryless networks and cloud solutions.
In recent years, many companies have embarked on a multi-cloud journey where identity access and management (IAM) and architecture play a critical part in their compliance, cybersecurity and costs. Based on years of assessing, implementing and managing different clouds, RSM has identified the following areas where organizations could improve security if they approached the cloud journey with a different strategy.
4 Areas to Focus on to Defeat Emerging Threats in Cloud Security
- Cloud governance and risk management.
- Identity and access management (IAM).
1. Cloud Governance and Risk Management
Near the top of many organizations’ concerns is managing cybersecurity risks and effectively demonstrating regulatory compliance. Cloud governance is fundamental to securing cloud systems supporting business-critical processes and managing risks holistically. The following three pillars are key for your organization to manage risks and govern your cloud environments: cloud asset management strategy, data management strategy and continuous cybersecurity and compliance monitoring.
Cloud Asset Management
Every risk management strategy starts with understanding what you have and what you can do to mitigate risks while still operating the business and empowering the culture of the organization. You need to rethink asset inventory and management and incorporate your configuration management database (CMDB) in new cloud concepts. At a minimum, your organization needs to include the following in your asset inventory:
- Cloud provider — Understand what cloud providers your organization is using and their use cases.
- Cloud environments per provider — Each cloud provider managed and used in your organization can be composed of multiple cloud environments. So, you should analyze and categorize each one based on its use cases, criticality, resilience, security and regulatory requirements.
- Cloud services per environment — Each cloud environment is composed of services or workloads, and they can all have different owners or risks, use cases, data types, resources and access types (public-facing, restricted, internal, private, etc.).
Data Management Strategy
Once mature cloud asset management processes are established, a data and cybersecurity strategy is easier to implement, focusing on your organization’s crown jewels (i.e., business-critical systems). These systems support your critical functions and therefore store, transmit or process critical data. Your organization must understand your data and how it flows and apply controls to reduce the likelihood of leakage, compromise or fines by regulatory bodies.
Misconfiguring cloud and security functions influences data confidentiality, integrity and availability. By using different techniques, attackers can look for these vulnerabilities to gain access to data and internal company networks or carry out further attacks against your company and third parties. Implementing a continuous monitoring process to identify misconfigurations and vulnerabilities on cloud workloads reduces the likelihood of compromise. Often, organizations implement continuous monitoring in cloud environments while applying the secure-by-design model before deploying any workload (“shift security left”). By using these two concepts, your organization can increase the maturity of your environments faster and reduce security, regulatory or resilience risks.
2. Identity and Access Management (IAM)
IAM is a critical component of any organizational security strategy. Identity is the constant interface with your organization’s resources and is a primary target for cybersecurity threats. Traditional network boundaries are gradually dissolving thanks to the cloud’s growth, the remote workforce, and digital technologies. As a result, identity and access have become the first line of defense and an increasingly critical security necessity for organizations. Foundational security requirements like single sign-on (SSO), multi-factor authentication (MFA), individual user accounts, and password and key rotation of application identities are must-have configurations critical to managing cyber risk and compliance. Implementing these foundational requirements is only the beginning of your organization’s cloud journey.
Managing corporate, application, client and vendor identities in the cloud and their interactions with other environments is where the real complexity starts. Often, organizations use legacy on-premises systems to manage employee and internal system identities, but also use cloud-native tools to manage clients, vendors and internal systems and groups connecting to cloud services to meet business goals.
Identity governance and administration (IGA) can help here, however. IGA underpins secure and efficient technology and business operations, providing users, devices and processes with appropriate access to conduct daily operations. Crucial components of effective IGA include maintaining accountability for access-related decisions and the timely addressing of changes in responsibilities. The identity governance program is responsible for defining what constitutes an organizational identity and the relevant governance processes, workflows and certifications to protect access integrity. You should align the program with your organization’s needs and also incorporate the relevant regulatory and standards compliance requirements.
Finally, controlled, privileged access remains one of the strongest preventive measures to significantly slow an attacker’s advance on your technology environment. In a world of ransomware as a service, limiting access to accounts that control the “keys to the kingdom” removes one of the most successful tools in the hacker’s kit, putting a significant barrier in the way of their progress. These individuals usually take the path of least resistance and will often move on to another target when challenged. Privileged access management (PAM) helps to improve your internal security posture and is also an effective way to control third-party access into your environment — another popular attack vector for adversaries.
Remember, though, that all of the tools in the world won’t help if your “unhappy path” can give access to unauthorized individuals. This path generally takes the form of social engineering and convincing a support person to provide a password reset or other authentication method that an attacker can use to take over an account. Ensure that your support processes are secure by design and followed every time. Identity validation for call centers, support desks and other similar parts of your organization that have the power to reset passwords or otherwise provide access is one of the first routes an attacker will seek to exploit.
Architecture is the definition and review of decisions, with particular focus on systems communication, IAM, secrets management and data classification. It is the cornerstone of cloud governance, risk management, security, cost-management and resilience. A secure architecture enables your company to have a controlled and well-managed cloud.
Often, organizations cannot efficiently implement all resilience, cybersecurity or regulatory requirements in the cloud without a good supporting secure architecture. As mentioned in the governance and risk management section, focusing first on your crown jewels is important to comply with your cybersecurity and regulatory requirements. To that end, implementing a zero-trust architecture enables your organization to segment systems and address regulatory, technology and cyber risks in a cost-efficient way. Organizations often accomplish zero-trust architectures by designing and implementing a landing zone or secure enclave strategy that relies on the topics mentioned earlier to segment workloads, data and identities appropriately.
One of the biggest benefits of using cloud environments is enabling cybersecurity, agility and scalability with automation. Automation allows IT and cybersecurity teams to transition from routine tasks and devote more time and resources to strategic initiatives that create competitive advantages for your organization. IT and cybersecurity groups transition from support-focused functions to business enablers, with agility and innovation as their focus. With automation and a security-by-design culture, your company can focus on competing, meeting your business objectives and managing fast-moving major initiatives.
Automation begins before your team deploys a new cloud workload. With automation reducing security and compliance risks, your team can address most issues prior to deployment in production and throughout the life cycle of the product or process. The other advantage of a security-by-design and an automation-first approach is that a security and configuration baseline is created in production environments. This enables monitoring solutions to create alerts for any anomalous changes and remediate security or configuration issues automatically.
Securing the Cloud
The cloud has become an integral part of nearly every organization’s technology and business strategy. As it becomes even more ingrained across the business, however, your security strategy must evolve to keep pace with potential exposures and evolving threats. By increasing the focus on these four key areas, you can establish a cloud foundation that increases confidence in security and enables you to dedicate more resources to pursuing overall business goals.