Five Ways to Secure Access to Web Workloads

Torsten George

Secure Access to Cloud Workloads

Organizations are increasingly moving their workloads to the cloud to achieve greater agility, flexibility, and cost savings. That’s a major reason why worldwide spending on public cloud services and infrastructure is projected to increase by more than 100% over the next five years, from $229 billion in 2019 to nearly $500 billion in 2023, according to IDC.

As big as these numbers seem, the reality is that cloud adoption could be even bigger if organizations were less hesitant to embark on the cloud journey because of security concerns.

These fears are understandable. With so many organizations now pouring so much data into their cloud environments, the bad guys have made the cloud a top priority and are targeting cloud workloads and infrastructure to get their hands on all that data.

Cyber adversaries have long moved beyond the network layer when mapping out their attack vectors. The easiest way for an attacker to gain access to data is by compromising an end user’s identity and credentials. The holy grail for bad actors is privileged credentials, which have broad access to systems and therefore provide the intruder with “the keys to the kingdom,” allowing them to potentially gain access to the entire network and sensitive data.

By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by credential harvesting campaigns that use password sniffers, phishing campaigns, and malware attacks. In short: cyber-attackers no longer “hack” in, they log in.

To limit exposure to attacks, organizations need to rethink their enterprise security strategies and consider moving to an identity-centric approach based on a Zero Trust model: never trust, always verify, employ least privilege. This approach should be implemented throughout the organization, as well as extended to the organization’s partners and outsourced IT.

Zero Trust delivers more than hard benefits. It also gives businesses the confidence to enhance customer and partner experiences, empower the mobile workforce, and secure DevOps environments. The bottom line is that Zero Trust gives organizations the ability to embrace the cloud while reducing risk across the modern, hybrid enterprise.

Here are five Zero Trust best practices for protecting your cloud environments and stopping privileged access abuse, today’s leading cause of data breaches.

1. Don’t reinvent the wheel

Yes, the public cloud resides outside the traditional network perimeter, but it does not require a unique security model. It’s time to debunk the myth that the public cloud demands a brand-new security approach. The reality is that conventional security and compliance concepts that you’ve traditionally applied to your on-premises environment are still perfectly valid in the cloud.
For instance, roles and responsibilities remain the same whether your data resides on-premises or in the cloud, so extend your existing directory to the cloud. Implement a common security infrastructure that covers both on-premises and cloud resources.

2. Learn to love multi-factor authentication

To better protect your cloud environment and thwart in-progress attacks, it’s necessary to implement and enforce multi-factor authentication (MFA) during the credential check-out process. Additionally, configure MFA to prompt for an authentication code after entering the checked-out password on the cloud service provider login page. “MFA Everywhere” is a best practice to defend against brute-force attacks directly at the cloud service provider management console.

3. Avoid identity sprawl that expands your attack surface

Rather than relying on the access keys of your local cloud provider, use centralized identities and enable federated login. Federation allows you to grant an existing user within your enterprise directory the appropriate access rights to any cloud service provider. With identity federation, you avoid identity sprawl, having to provision and manage disparate identity silos, and dealing with identity duplication or synchronization that can leave holes open to exploitation.

Also, since shared accounts are highly privileged accounts, the best practice is simply not to share them, or to use them sparingly. Ensure 100% accountability by having users log in with their individual accounts and elevate privilege as required. Manage entitlements from a central directory, mapping roles and groups to cloud provider roles. You can further ensure accountability by using administrator accounts for emergency access only, vaulting the account password and rotating the password frequently.

4. Restrict access rights and always monitor user sessions

Grant users just enough privilege to complete the task at hand. Determine what users need to do and then create roles that let them perform only those tasks. To take it a step further, enable the configuration of dynamic privileges based on context (such as an IT trouble ticket) to enforce “just enough, just in time” privilege, while still leaving “break glass” capabilities in place for emergencies.

Another key step is to log and monitor both authorized and unauthorized user sessions on your cloud provider instances. With a documented record (including a DVR-like recording) of all actions performed, audit logs can be used not only in forensic analysis to pinpoint the exact issue, but also to attribute specific actions to a specific user.
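The following sketch is an added example, not code from the original article or from any vendor product. It shows how practices 2 through 4 can combine in a single access decision: MFA on every elevation, entitlements derived from central directory groups, a ticket as context for a time-bound grant, an emergency-only administrator role, and an audit record for every outcome. All group, role and ticket names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical mapping of enterprise directory groups to cloud provider roles.
GROUP_TO_ROLE = {"db-operators": "cloud-db-maintainer",
                 "net-operators": "cloud-network-operator"}
BREAK_GLASS_ROLE = "cloud-admin"       # administrator role, emergency use only
BREAK_GLASS_GROUP = "oncall-admins"    # hypothetical group allowed to break glass
MAX_GRANT = timedelta(hours=1)         # just in time: grants expire quickly

@dataclass
class Request:
    user: str                          # individual account, never a shared one
    groups: frozenset                  # memberships from the central directory
    role: str                          # cloud role being requested
    mfa_passed: bool
    ticket: Optional[str] = None       # IT trouble ticket supplying the context
    emergency: bool = False

@dataclass
class Decision:
    allowed: bool
    reason: str
    expires: Optional[datetime] = None

def decide(req, open_tickets, now, audit):
    """Decide one elevation request; every outcome is appended to the audit log."""
    def finish(allowed, reason, ttl=None):
        audit.append({"time": now.isoformat(), "user": req.user,
                      "role": req.role, "allowed": allowed, "reason": reason})
        return Decision(allowed, reason, now + ttl if allowed else None)

    if not req.mfa_passed:                          # MFA before any elevation
        return finish(False, "mfa-required")
    if req.role == BREAK_GLASS_ROLE:                # admin role: emergencies only
        if req.emergency and BREAK_GLASS_GROUP in req.groups:
            return finish(True, "break-glass", timedelta(minutes=15))
        return finish(False, "admin-role-is-emergency-only")
    entitled = {GROUP_TO_ROLE[g] for g in req.groups if g in GROUP_TO_ROLE}
    if req.role not in entitled:                    # just enough privilege
        return finish(False, "role-not-entitled")
    if req.ticket not in open_tickets:              # context: an open ticket
        return finish(False, "no-open-ticket")
    return finish(True, "ticket:" + req.ticket, MAX_GRANT)

if __name__ == "__main__":             # constructed sample request
    r = Request("alice", frozenset({"db-operators"}), "cloud-db-maintainer", True, "INC-1001")
    print(decide(r, {"INC-1001"}, datetime.now(timezone.utc), []))
```

Denied requests are logged as well as granted ones, so the audit trail covers both authorized and unauthorized attempts and ties each to an individual user.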

5. Don’t rely solely on your cloud service provider for protection

It’s you, the customer, who has the main responsibility for protecting privileged access to data in the cloud, not the service provider. A large financial institution recently learned this lesson the hard way. When moving to the cloud, organizations need to appreciate the fact that cloud security is a responsibility they share with their cloud service provider.

Leading providers like AWS, Microsoft Azure, and Google Cloud Platform typically secure the core infrastructure and services as part of their shared responsibilities. But when it comes to securing operating systems, platforms, and data, that responsibility lies squarely in the hands of customers.

Organizations that overlook this simple fact face a much higher likelihood of succumbing to cyber-attacks. Take control of your organization’s cloud future with Zero Trust.
