The cloud offers companies real value. That much is indisputable. Access and direct business operations from anywhere. Share and collaborate on documents with built-in version control. Reduce your physical IT architecture requirements.
But while it’s definitely possible to exist securely on the cloud, as with any IT environment, it takes work and a comprehensive security approach to get there when you’re faced with a variety of security threats:
- Data breaches
- Poor identity and access management
- Insecure interfaces and system vulnerabilities
- Shared technology vulnerabilities
- Advanced persistent threats
- Non-malicious data loss
We recommend a four-pronged approach to producing a secure, cloud-friendly IT department.
Security Design Assessment
The first thing you need to do is check your security design — and if you don’t have it written up, get to work on that. How will the cloud service fit into your security design? Does the design mandate specific features a cloud service provider must deliver, or would the reality of a cloud-based approach require changes in your design?
The assessment itself must be capable of identifying security gaps in your existing system and the gaps that may exist in the cloud system, and of showing a way forward. You’ll need to consider the possible vulnerabilities of the system and its interfaces, given that you won’t have this technology in-house under your control. Understanding who should have access to what, and how that access is protected, is also key. If you’re hosting your data remotely, you’ll also need to consider the possibility of a breach or loss beyond your control and have a plan for damage mitigation and data recovery.
Configuration Assessment
Is everything set up correctly? With myriad services available, even platforms as monolithic as Microsoft and Azure can be complicated to configure securely. Your configuration assessment is a chance to map your implementation against the design to ensure your security intentions are reflected in practice. A hole in your configuration could be the entry point for an advanced persistent threat. If an attacker has a chance to establish a foothold, they could covertly extend their access over time and disrupt operations or take control.
This is also a prime place for a shared technology issue to creep in. Cloud services are able to offer benefits due to the scales they operate at, but it’s possible that some technologies they’re using were never intended for a multi-tenant environment. If you’re one of many on a platform that’s not built for that capability, be aware that you may be at risk. Have an expert review all your configurations and get the understanding you need to ask a service provider the right questions.
Cloud Controls Baseline Assurance
Regulations are in place to lift everyone up to a secure baseline. Complying with regulations is a task that differs by industry, geographic region, and the type of data you’re handling. Between NIST CSF, NIST SP 800-53, ISO 27001, and PCI standards, there are a lot of letters to consider. You’ll need to understand how your Microsoft Cloud Technologies live up to these standards, as well as any other cloud service providers you use.
Failing to meet requirements could mean an upfront fine, but the standards are in place to make IT more secure. Meeting them isn’t a guarantee that an intruder will be locked out, but if you are falling short, it should tell you that there are some serious security risks to take care of.
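As an added example (not from the original post and not CrucialLogics’ tooling), the following Python script shows the kind of mapping that a configuration assessment and a controls-baseline check share: a constructed tenant configuration snapshot is compared against a small baseline of controls derived from a hypothetical security design, and each control carries an assumed reference to the frameworks named above. The snapshot, the control ids (IAM-01 and so on) and the framework crosswalk are all constructed for illustration; a missing or malformed setting is reported as a gap rather than silently passed.

```python
"""Map a cloud configuration snapshot against a controls baseline.

Constructed example: the tenant snapshot and the baseline are illustrative
and are not the output of any real Azure or Microsoft 365 API. The framework
references attached to each control are assumptions for illustration, not
an authoritative crosswalk.
"""
from dataclasses import dataclass
from typing import Any, Callable

Config = dict[str, Any]


@dataclass(frozen=True)
class Control:
    control_id: str                    # hypothetical id from the design document
    description: str
    check: Callable[[Config], bool]    # True when the configuration satisfies the control
    references: tuple[str, ...] = ()   # assumed framework mapping, for the compliance view


@dataclass(frozen=True)
class Finding:
    control_id: str
    description: str
    references: tuple[str, ...]
    reason: str


# Illustrative baseline: what the (hypothetical) security design says must be true.
BASELINE: list[Control] = [
    Control("IAM-01", "MFA is required for all privileged accounts",
            lambda c: c.get("mfa_required_for_admins") is True,
            ("NIST CSF PR.AC-7", "ISO 27001 A.9.4.2")),
    Control("IAM-02", "No guest (external) account holds an administrator role",
            lambda c: not any(u["guest"] and u["admin"] for u in c.get("users", [])),
            ("NIST CSF PR.AC-4",)),
    Control("STO-01", "No storage container allows anonymous public read",
            lambda c: not any(s["public_read"] for s in c.get("storage", [])),
            ("NIST SP 800-53 AC-3",)),
    Control("LOG-01", "Audit logging is enabled with at least 90 days of retention",
            lambda c: c.get("audit_logging", {}).get("enabled") is True
            and c.get("audit_logging", {}).get("retention_days", 0) >= 90,
            ("NIST SP 800-53 AU-11", "PCI DSS 10.7")),
]

# Constructed snapshot of a tenant, as an assessment would collect it.
TENANT_SNAPSHOT: Config = {
    "mfa_required_for_admins": True,
    "users": [
        {"name": "alice", "guest": False, "admin": True},
        {"name": "partner-contractor", "guest": True, "admin": True},
    ],
    "storage": [
        {"name": "backups", "public_read": False},
        {"name": "marketing-assets", "public_read": True},
    ],
    "audit_logging": {"enabled": True, "retention_days": 30},
}


def assess(config: Config, baseline: list[Control]) -> list[Finding]:
    """Return one Finding per control the configuration fails, in baseline order."""
    findings: list[Finding] = []
    for control in baseline:
        try:
            passed = control.check(config)
            reason = "configuration does not satisfy the control"
        except (KeyError, TypeError) as exc:
            # Unevaluable settings are a gap in the assessment, not a pass.
            passed = False
            reason = f"unable to evaluate: {exc!r}"
        if not passed:
            findings.append(Finding(control.control_id, control.description,
                                    control.references, reason))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Render findings as one line each, with the mapped framework references."""
    return [f"FAIL {f.control_id}: {f.description} [{', '.join(f.references) or 'no reference'}] - {f.reason}"
            for f in findings]


if __name__ == "__main__":
    for line in report(assess(TENANT_SNAPSHOT, BASELINE)):
        print(line)
```

Run as-is, the script reports the guest administrator, the publicly readable container and the short log retention as failed controls, each tagged with the framework reference the design mapped it to; swapping in a real configuration export only requires changing how the snapshot dictionary is built.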
Pentest and Vulnerability Testing
The last part of evaluating your security should be a pentest and vulnerability test. This will simulate the kinds of threats you’re trying to protect against by probing vulnerabilities and testing the limits of your security. You may get an idea of how much damage a rogue account could cause before it’s caught, or of the scale of a data breach made possible through a software exploit.
These ethical hacking methods are the measure of how good your security is. While, again, nothing is a 100 per cent guarantee, as attackers discover new exploits and human error among your users is always a concern, it will offer a level of assurance that you’ve done your due diligence, have adopted best practices, and are compliant with relevant regulations.
Where to start?
If you’re at a loss, or don’t have the in-house expertise to be confident in a security evaluation of either your existing systems or a new approach you’re trying to adopt, you can read more about how CrucialLogics takes you through the entire process and reach out to us here, or check out how our CIO Advisory services can amplify your effectiveness.