January 29, 2020

Five Ways to Secure Access to Web Workloads

By Torsten George


Secure Access to Cloud Workloads

Organizations are increasingly moving their workloads to the cloud to achieve greater agility, flexibility, and cost savings. That’s a major reason why worldwide spending on public cloud services and infrastructure is projected to increase by more than 100% over the next five years, from $229 billion in 2019 to nearly $500 billion in 2023, according to IDC.

As big as these numbers seem, the reality is cloud adoption could be even bigger if more organizations were less hesitant to embark on the cloud journey because of security concerns.

These fears are understandable. With so many organizations now pouring so much data into their cloud environments, the bad guys have made the cloud a top priority and are targeting cloud workloads and infrastructure to get their hands on all that data.

Cyber adversaries have long moved beyond the network layer when mapping out their attack vectors. The easiest way for an attacker to gain access to data is by compromising an end user’s identity and credentials. The holy grail for bad actors is privileged credentials, which have broad access to systems and therefore provide the intruder with “the keys to the kingdom,” allowing them to potentially gain access to the entire network and sensitive data.


By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by credential harvesting campaigns that use password sniffers, phishing, and malware. In short: cyber-attackers no longer “hack” in, they log in.

To limit exposure to attacks, organizations need to rethink their enterprise security strategies and consider moving to an identity-centric approach based on a Zero Trust model: never trust, always verify, employ least privilege. This approach should be implemented throughout the organization, as well as extended to the organization’s partners and outsourced IT.

Zero Trust delivers more than hard benefits. It also gives businesses the confidence to enhance customer and partner experiences, empower the mobile workforce, and secure DevOps environments. The bottom line is that Zero Trust gives organizations the ability to embrace the cloud while reducing risk across the modern, hybrid enterprise.

Here are five Zero Trust best practices for protecting your cloud environments and stopping privileged access abuse, today’s leading cause of data breaches.

1. Don’t reinvent the wheel

Yes, the public cloud resides outside the traditional network perimeter, but it does not require a unique security model. It’s time to debunk the myth that the public cloud demands a brand-new security approach. The reality is that conventional security and compliance concepts that you’ve traditionally applied to your on-premises environment are still perfectly valid in the cloud.

For instance, roles and responsibilities remain the same whether your data resides on-premises or in the cloud, so extend your existing directory to the cloud. Implement a common security infrastructure that covers both on-premises and cloud resources.

2. Learn to love multi-factor authentication

To better protect your cloud environment and thwart in-progress attacks, it’s necessary to implement and enforce multi-factor authentication (MFA) during the credential check-out process. Additionally, configure MFA to prompt for an authentication code after entering the checked-out password on the cloud service provider login page. “MFA Everywhere” is a best practice to defend against brute force attacks directly at the cloud service provider management console.

3. Avoid identity sprawl that expands your attack surface

Rather than relying on the access keys of your local cloud provider, use centralized identities and enable federated login. Federation allows you to grant an existing user within your enterprise directory the appropriate access rights to any cloud service provider. With identity federation, you avoid identity sprawl, having to provision and manage disparate identity silos, and dealing with identity duplication or synchronization that can leave holes open to exploitation.

Also, since shared accounts are highly privileged accounts, the best practice is simply not to share them, or to use them sparingly. Ensure 100% accountability by having users log in with their individual accounts and elevate privilege as required. Manage entitlements from a central directory, mapping roles and groups to cloud provider roles. You can further ensure accountability by using administrator accounts for emergency access only, vaulting the account password and rotating the password frequently.

4. Restrict access rights and always monitor user sessions

Grant users just enough privilege to complete the task at hand. Determine what users need to do and then create roles that let them perform only those tasks. To take it a step further, enable the configuration of dynamic privileges based on context (such as an IT trouble ticket) to enforce “just enough, just in time” privilege, while still leaving “break glass” capabilities in place for emergencies.

Another key step is to log and monitor both authorized and unauthorized user sessions on your cloud provider instances. With a documented record (including a DVR-like recording) of all actions performed, audit logs can be used not only in forensic analysis to pinpoint the issue, but also to attribute specific actions to a specific user.
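
The following is an added sketch, not code from the original article or from any vendor product, of the “just enough, just in time” decision described above: a directory group maps to one cloud role, a grant needs MFA plus an open ticket, it expires on its own, and every decision is written to an audit record tied to the individual user. The group names, role names, ticket ID and the `decide` function are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data: central directory group -> (cloud role, maximum grant lifetime).
GROUP_TO_ROLE = {
    "db-operators": ("cloud:DatabaseOperator", timedelta(hours=1)),
    "net-admins": ("cloud:NetworkAdmin", timedelta(hours=2)),
}
# Emergency path: short-lived and always flagged for review (assumed policy).
BREAK_GLASS_ROLE = ("cloud:EmergencyAdmin", timedelta(minutes=30))
# Constructed sample data: open trouble ticket -> directory group it justifies.
OPEN_TICKETS = {"TKT-1001": "db-operators"}

@dataclass
class Request:
    user: str                      # individual account, never a shared one
    groups: frozenset              # groups asserted by the central directory
    mfa_verified: bool
    ticket: Optional[str] = None
    break_glass: bool = False

def decide(req, now, audit):
    """Return (role, expiry) for an approved elevation, else None.

    An audit record is appended for every request, granted or denied.
    """
    grant, reason = None, "no open ticket matches the user's groups"
    if not req.mfa_verified:
        # MFA is required on every path, including break-glass (assumed policy).
        reason = "MFA not completed"
    elif req.break_glass:
        grant, reason = BREAK_GLASS_ROLE, "break-glass: review required"
    else:
        group = OPEN_TICKETS.get(req.ticket)
        # The ticket must justify a group the user actually belongs to.
        if group in req.groups and group in GROUP_TO_ROLE:
            grant, reason = GROUP_TO_ROLE[group], f"ticket {req.ticket}"
    result = (grant[0], now + grant[1]) if grant else None
    audit.append({"time": now.isoformat(), "user": req.user,
                  "role": result[0] if result else None, "reason": reason})
    return result
```

The caller is expected to revoke the role at the returned expiry and to ship the `audit` list to a store the requesting user cannot modify.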

5. Don’t rely solely on your cloud service provider for protection

It’s you, the customer, who has the main responsibility for protecting privileged access to data in the cloud, not the service provider. A large financial institution recently learned this lesson the hard way. When moving to the cloud, organizations need to appreciate the fact that cloud security is a responsibility they share with their cloud service provider.

Leading providers like AWS, Microsoft Azure, and Google Cloud Platform typically secure the core infrastructure and services as part of their shared responsibilities. But when it comes to securing operating systems, platforms, and data, that responsibility lies squarely in the hands of customers.

Organizations that overlook this simple fact face a much higher likelihood of succumbing to cyber-attacks. Take control of your organization’s cloud future with Zero Trust.


Torsten George

I am currently serving as product evangelist at Centrify, a leading provider of cloud-ready Zero Trust Privilege solutions. I am a marketing leader with more than 20 years of global experience in promoting software and network equipment products. I am a visionary with superb technology and market foresight as well as a pragmatic strategist with a passion for implementation.

© 2024 CloudTweaks. All rights reserved.