Five Ways to Secure Access to Web Workloads

Torsten George

Secure Access to Cloud Workloads

Organizations are increasingly moving their workloads to the cloud to achieve greater agility, flexibility, and cost savings. That’s a major reason why worldwide spending on public cloud services and infrastructure is projected to increase by more than 100% over the next five years, from $229 billion in 2019 to nearly $500 billion in 2023, according to IDC.

As big as these numbers seem, cloud adoption could be even bigger if fewer organizations hesitated to embark on the cloud journey because of security concerns.

These fears are understandable. With so many organizations now pouring so much data into their cloud environments, the bad guys have made the cloud a top priority and are targeting cloud workloads and infrastructure to get their hands on all that data.

Cyber adversaries have long moved beyond the network layer when mapping out their attack vectors. The easiest way for an attacker to gain access to data is by compromising an end user’s identity and credentials. The holy grail for bad actors is privileged credentials, which have broad access to systems and therefore provide the intruder with “the keys to the kingdom,” allowing them to potentially gain access to the entire network and sensitive data.

By leveraging a “trusted” identity, a hacker can operate undetected and exfiltrate sensitive data sets without raising any red flags. As a result, it’s not surprising that most of today’s cyber-attacks are front-ended by credential harvesting campaigns that use password sniffers, phishing, and malware. In short: cyber-attackers no longer “hack” in, they log in.

To limit exposure to attacks, organizations need to rethink their enterprise security strategies and consider moving to an identity-centric approach based on a Zero Trust model: never trust, always verify, employ least privilege. This approach should be implemented throughout the organization and extended to the organization’s partners and outsourced IT.

Zero Trust delivers more than hard benefits. It also gives businesses the confidence to enhance customer and partner experiences, empower the mobile workforce, and secure DevOps environments. The bottom line is that Zero Trust gives organizations the ability to embrace the cloud while reducing risk across the modern, hybrid enterprise.

Here are five Zero Trust best practices for protecting your cloud environments and stopping privileged access abuse, today’s leading cause of data breaches.

1. Don’t reinvent the wheel

Yes, the public cloud resides outside the traditional network perimeter, but it does not require a unique security model. It’s time to debunk the myth that the public cloud demands a brand-new security approach. The reality is that conventional security and compliance concepts that you’ve traditionally applied to your on-premises environment are still perfectly valid in the cloud.
For instance, roles and responsibilities remain the same whether your data resides on-premises or in the cloud, so extend your existing directory to the cloud. Implement a common security infrastructure that covers both on-premises and cloud resources.

2. Learn to love multi-factor authentication

To better protect your cloud environment and thwart in-progress attacks, it’s necessary to implement and enforce multi-factor authentication (MFA) during the credential check-out process. Additionally, configure MFA to prompt for an authentication code after entering the checked-out password on the cloud service provider login page. “MFA Everywhere” is a best practice to defend against brute force attacks directly at the cloud service provider management console.

3. Avoid identity sprawl that expands your attack surface

Rather than relying on the access keys of your local cloud provider, use centralized identities and enable federated login. Federation allows you to grant an existing user within your enterprise directory the appropriate access rights to any cloud service provider. With identity federation, you avoid identity sprawl, having to provision and manage disparate identity silos, and dealing with identity duplication or synchronization that can leave holes open to exploitation.

Also, since shared accounts are highly privileged accounts, the best practice is simply not to share them, or to use them sparingly. Ensure 100% accountability by having users log in with their individual accounts and elevate privilege as required. Manage entitlements from a central directory, mapping roles and groups to cloud provider roles. You can further ensure accountability by using administrator accounts for emergency access only, vaulting the account password and rotating the password frequently.

4. Restrict access rights and always monitor user sessions

Grant users just enough privilege to complete the task at hand. Determine what users need to do and then create roles that let them perform only those tasks. To take it a step further, enable the configuration of dynamic privileges based on context (such as an IT trouble ticket) to enforce “just enough, just in time” privilege, while still leaving “break glass” capabilities in place for emergencies.

Another key step is to log and monitor both authorized and unauthorized user sessions on your cloud provider instances. With a documented record (including a DVR-like recording) of all actions performed, audit logs can be used not only in forensic analysis to pinpoint the issue, but also to attribute specific actions to a specific user.
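The checks described in practices 2 through 4 can be combined into a single access decision. The sketch below is an added example, not code from the article or from any vendor product; the group names, role names, ticket ID, and the `emergency-responders` group are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: central directory groups mapped to cloud provider roles.
GROUP_TO_ROLE = {"db-admins": "cloud-db-operator", "net-ops": "cloud-network-operator"}
OPEN_TICKETS = {"INC-1001": {"assignee": "alice", "role": "cloud-db-operator"}}
BREAK_GLASS_ROLE = "cloud-emergency-admin"   # hypothetical emergency role
AUDIT_LOG = []  # every decision is recorded against an individual user


def request_access(user, groups, role, mfa_ok, ticket_id=None,
                   break_glass=False, now=None, ttl_minutes=60):
    """Return a time-bound grant dict, or None when the request is denied."""
    now = now or datetime.now(timezone.utc)
    reason = None
    if not mfa_ok:
        reason = "mfa_required"              # MFA is enforced on every path
    elif break_glass:
        # Emergency path: individual login, short-lived, flagged in the log.
        if "emergency-responders" in groups:
            role, ttl_minutes = BREAK_GLASS_ROLE, min(ttl_minutes, 15)
        else:
            reason = "break_glass_not_permitted"
    elif role not in {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}:
        reason = "role_not_entitled"         # just enough privilege
    else:
        ticket = OPEN_TICKETS.get(ticket_id)  # context for just-in-time access
        if ticket is None:
            reason = "no_open_ticket"
        elif ticket["assignee"] != user or ticket["role"] != role:
            reason = "ticket_mismatch"
    grant = None
    if reason is None:
        grant = {"user": user, "role": role, "break_glass": break_glass,
                 "expires": now + timedelta(minutes=ttl_minutes)}
    AUDIT_LOG.append({"time": now, "user": user, "role": role,
                      "ticket": ticket_id, "break_glass": break_glass,
                      "decision": "allow" if grant else "deny",
                      "reason": reason})
    return grant


def is_active(grant, now):
    """A grant is usable only until it expires; no privilege is standing."""
    return grant is not None and now < grant["expires"]
```

Denied requests are logged as well as allowed ones, so the audit trail covers both authorized and unauthorized attempts.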

5. Don’t rely solely on your cloud service provider for protection

It’s you, the customer, who has the main responsibility for protecting privileged access to data in the cloud, not the service provider. A large financial institution recently learned this lesson the hard way. When moving to the cloud, organizations need to appreciate the fact that cloud security is a responsibility they share with their cloud service provider.

Leading providers like AWS, Microsoft Azure, and Google Cloud Platform typically secure the core infrastructure and services as part of their shared responsibilities. But when it comes to securing operating systems, platforms, and data, that responsibility lies squarely in the hands of customers.

Organizations that overlook this simple fact face a much higher likelihood of succumbing to cyber-attacks. Take control of your organization’s cloud future with Zero Trust.
