Why Cloud Configs Are IT’s Most Urgent Audit in 2021
Reading Time: 4 minutes

July of 2019 must have been a stressful month for Capital One’s IT team. During this fateful month an employee of the respected bank uncovered the massive ongoing theft of customer data, and though the exploit was a simple fix, damage to Capital One had been extensive. A misconfigured setting in its cloud was quietly exploited from 2005 to 2019 by one sneaky hacker, and the firm overnight found itself dealing with leaked financial data of over 100 million American and Canadian customers, up for sale to dark web buyers.

From a security perspective, the Capital One breach is a telling example of the power that companies have over our data, and their responsibility to remain compliant. It’s also reminiscent of 2019, when cloud misconfiguration breaches rose by 80%. A single configuration mishap – most likely no more than an employee forgetting to toggle an option in their cloud app or tweak an easy-to-miss setting – compromised millions of people across the continent for well over a decade. 

Another serious thought about Capital One’s breach is how relevant the tale still is for companies. In a press release about the incident, the bank shed light on how simple, common, and generally unremarkable attacks of this nature could be. Though this was likely to play down the idea that Capital One was unique in its weakness (and it isn’t), it also inadvertently sent up one of the first flares to an industry that is only now beginning to understand the devastation capable by cloud misconfiguration mistakes.

Misconfiguration: When the Vulnerability is You

After a year rampant with enterprise data breaches due to unsecured clouds, the industry’s bellwether – the Cloud Security Alliance – finally named Misconfiguration and Inadequate Change Control as 2021’s most dangerous IT threat. Misconfiguration happens when resources and computing assets are set up wrong or not at all, which sometimes creates gaps where hackers can get in and steal or inject data. In other words, the biggest authority on cloud security just admitted that human error is our biggest enemy.

Error in cloud resource management is quickly becoming a top priority for IT decision makers, with recent data showing that 62% of them see misconfiguration as their firm’s biggest compliance risk. This is hardly surprising, because many of these IT professionals likely don’t know if their configurations are airtight. A parallel survey of the industry illustrated that a worrisome majority of enterprise IT managers are unable to identify if misconfiguration or excessive access to cloud resources is occurring in their networks. This hits at the heart of the issue: The business world’s recent move to the cloud, and to remote work, has obstructed network visibility to the point of opacity.

Credit: Verizon, 2020

The acceleration of remote work thanks to COVID-19 puts a strain on computing resources and networks worldwide, and IT teams are still trying to catch up. An overwhelmed IT department, concentrating on spinning up new resources, providing access to onboarded users, and orchestrating a stack of security tools has little time to spare for configuration. But they must, and thankfully, doing so is easier than it once was.

A Quick Win for Configuration

One of the most common misconfiguration mistakes is simply to leave a piece of unencrypted data exposed to the internet. A hacker will typically stumble across it and realize that somewhere, the person responsible forgot to set up an authentication or authorization protocol required for access. From there, hackers have surprising lateral movement within the network, as chances are there is other information exposed in this way.

Configuration mishaps occur on an app-by-app basis, and will be unique to the company trying to solve them, because no two companies have the same hardware and software or business flows. For an average environment, for example, during a configuration audit IT may discover:

  • Network segments without dedicated access rules
  • Access permissions without assigned IdP roles
  • Misconfigured security ports for inbound and outbound
  • Multi-factor authentication is not enabled for a sensitive asset
  • SIEM encryption is untoggled

These would all have the potential to open a wide avenue into the network for hackers, and they also vary by application. For any company, a way to stay on top of all these configurations is to intimately understand the stack and to work within each product so that they are secure, and to repeat this process for each user and resource – which is not preferable. A better way is to layer a solution on top of your corporate resources in order to gain central visibility and control. If IT is given a single dashboard where they can manage access and traffic across resources, they will be equipped to react more quickly than Capital One did. 

Because misconfigurations are the “silent killer” of the remote work era, it’s crucial to be on high alert for any sign of them. Common misconfiguration errors happening in cloud resources often expand and advance the attacker workflow in real-time, so real-time threat monitoring is vital given the scale and breadth of cloud solutions. Equally important is the ability for a security product to integrate across on-prem and the cloud, so hybrid-cloud models can enjoy the same level of network omniscience. With cloud-friendly network security, companies can easily filter out the noise, gain instant control, and encourage rapid response when risks are detected.

Adoption of the cloud and reliance on applications rather than on-premises solutions is a healthy trend for companies, but too many of them neglect the Shared Responsibility Model for security when this is the case. Companies that want to take advantage of the cloud must do security due diligence on their end and take ownership of ideas that only they can control: things like user access, encryption, monitoring, configuration, and education. If they can manage this, cloud migrations can be done confidently and with continuity in mind.

Read More
solarwinds_breach
The SolarWinds Breach, And How to Avoid Falling Victim
Reading Time: 3 minutes

In case you haven’t been reading security news headlines recently, the IT security vendor space was shaken by the latest attack, which experts say is bigger than the famous Equifax breach. Thousands of global enterprises and government agencies may have been exploited by hackers via the Solarwinds Orion network monitoring solution.  

The security community is continuing to investigate the nuts and bolts of the attack. While some details have been announced, we want to briefly dig into how it occurred, who was affected, and what organizations should do to step up their security hygiene and avoid being breached in such a way. 

SolarWinds Orion Breach

The latest sign that 2020 was not going to go out quietly was when different sources from FireEye and Microsoft first disclosed that a highly advanced and sophisticated attack on SolarWinds had occurred. 

A group of state-backed Russian hackers exploited the SolarWinds Orion software via a malware attack, which allowed the cybercriminals to move within the network and create a backdoor into the system. This attack was followed up by creating a malicious update within the SolarWinds system, providing the attackers full visibility and mobility within the exploited victims’ systems. 

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on December 13th instructing that SolarWinds Orion network solutions have become exploited by malicious actors. On the same day, FireEye announced a detailed technical analysis of the backdoor created by the cybercriminals.

SolarWinds suggested that 18,000 of their 300,000 customers had possibly downloaded and installed the malware within their organizations. Many of SolarWind’s customers include different global Fortune 500 companies, the majority of the US-based telcos, and different branches of the US military. On top of these global organizations, other cybersecurity vendors such as FireEye and different US and UK government branches were potentially exploited in the attack.

Due to the impact of the SolarWinds breach, the security community will look back at this attack as one of the biggest breaches on the United States governments ever committed. 

How Does the Breach Affect You? 

While this breach demonstrates how far Russian state-backed attacks will go, most organizations need to think about the effect it will have on their businesses rather than who the attackers are.

First, every organization no matter its size should double-check and make sure that their SIEM solution is secure and up-to-date with the current threat landscape. While some people might refrain from putting their entire organization’s trust in a monitoring solution after reading about this attack, now is the time for stronger and more up-to-date alerts and auditing. 

These kinds of attacks should push your organization to better understand the status of their security, and if needed, to adopt the right solutions to patch up potential points of entry for hackers – literally. Patching is hugely important now as various solutions update in response to new threats, and the breach will push SIEM providers to investigate their solutions to see where they can be exploited.

Lessons to Learn From the SolarWinds Attack

While the details of the attacks are still being investigated and will continue for months, here are three takeaways that your organizations can think about to decrease the chances of becoming a victim.

Supply Chain Attacks Are Not Disappearing

Cybercriminals are increasing their attack efforts with more sophisticated attempts on organizations’ software supply chains, and the SolarWinds attack has forced everyone to pay attention. While your organization might believe it is secure, in reality, no one is. Ensure all communications are encrypted, and make good use of basic tools like 2FA.

Attackers Just Need One Entry Point

Cybercriminals are finding new ways to attack organizations and exploit their critical resources and networks. Hackers can easily exploit your organization from in-depth attacks or in some cases the simple theft of an employee’s password, but no matter how they get in they can still enjoy frightful lateral movement if the right access management precautions aren’t taken.

Vulnerabilities Take Time to Patch

As seen in different breaches, cybercriminals may not be detected for weeks or even months. People tend to think of data breaches as attackers quickly exploiting and deserting their victims within minutes. In reality, attackers often are lurking for years until a breach is found. To fight off unauthorized access from malicious actors your organization should prioritize monitoring and network visibility. 

Security Community as One

As a member of the cybersecurity vendor community, it’s tough to see a fellow vendor become the victim of a cyber attack. All cybersecurity vendors know we are working together to make the world a more secure place. At Perimeter 81, we strive to provide the most secure experience for our customers and partners, and take the SolarWinds breach very seriously As we look into 2021 we will innovate further and ensure even better network security in the upcoming year and on. 

Read More
Stopping the Hijackers Who Want Your Cloud
Reading Time: 3 minutes

The biggest threats facing cybersecurity always run parallel to the leading technology trends,  and are designed to exploit weaknesses in popular releases, products, and applications. Now that most critical workloads are on corporate clouds rather than in local servers, attack vectors are aimed directly at the cloud, from the most basic ransomwares and SQL scripting to the most complex configuration exploits.

Protecting cloud resources is a primary goal for modern IT, and unfortunately it has become much harder since the transition to remote work. An element of randomness has been injected into central cybersecurity processes lately, as employees from more locations and more devices suddenly bring cloud access outside the traditional perimeter. In this exposed environment it’s necessary to circle the wagons, and reinforce defenses against one of the thorniest risks around: cloud jacking.

With the Cloud Comes Responsibility

It’s true that cloud computing offers hordes of benefits to the average organization, including cut expenditures, on-demand resources, and productivity, but it’s also ripe for attack, since bulk amounts of data are stored in one place. This is why most public cloud providers have what’s called a shared responsibility model, meaning that the vendors are responsible for protecting infrastructure, while the subscriber is responsible for protecting their own data, supervising how access occurs, handling configuration and patching and more.

What this means is that customers are ultimately accountable if they’re cloud jacked – but how would this happen? The simple goal of this nefarious idea is to sneak into and compromise the admin account for some cloud resource – such as a critical SaaS platform or other third-party hosted application. Now that sensitive resources flow through the cloud, they have become the biggest targets for customer financial and identifying information, proprietary methodologies and algorithms, and other valuable assets.

The goal of a cloud hijacker is usually to use the resource for an unintended purpose (like cryptocurrency mining), to steal and sell corporate data, or to ransom vital systems and information back to the victim. To stop their clouds being commandeered, companies should know that the main avenue by which this occurs, is to misconfigure their cloud or internal system settings somewhere. 

Misconfiguration a Mega Threat

Misconfiguration is recognized by 68% of IT managers to be the biggest cloud threat of 2020. It is particularly dangerous because of how quietly it occurs; misconfiguration only happens when software or computing resources are set up wrong. There is no event to track, or sudden mishap that warns of an impending breach. Gaps in configuration leave accounts wide open to malicious activity, however, and other events that might lead to anything from service interruptions to total resource deletion or theft

Fighting misconfiguration is a matter of carefully choosing responsible and complementary cloud tools, and integrating them in a way that provides better visibility across various environments. Visibility also helps defend against other cloud threats such as code injection attacks, either directly into the underlying code or via third-party libraries, which can also be used by hijackers to spy on the network or make off with your data. 

To stop misconfiguration, scripting attacks, data snooping and other ways that hackers can gain access to cloud data, organizations have to start with being deliberate with the cloud service providers they choose. Go with providers that offer the most control and security guarantees, such as redundant internet connections, kill switches, and easy integration with your company’s ports and protocols. Security is therefore easier to deploy across all resources, and a stronger foundation for enforcement of specific tools and gaining visibility.

Seeing Through the Cloud

For companies that use legacy security solutions and try to get visibility into the cloud, it appears opaque. Users are faraway, and the finer details of their interactions with company data are hard to see. The first step to lighting up the cloud and gaining visibility – and therefore control over granular ideas like configuration – is to adopt cloud-based security tools that are integrable across all your environments. Start with a cloud-based firewall and a SIEM tool, for example, and then chip away at the low-hanging fruit such as authentication, and ensuring data is encrypted before going into the cloud.

For growing companies with more complex clouds, it also helps to know that solutions which unify these ideas into singular SaaS products now exist, in the form of a new concept termed SASE – or Secure Access Service Edge. SASE is essentially a bundle of networking and security tools that help IT teams visualize their networks and manage them from a single touchpoint. Getting to this point is becoming easier, and helping to smooth what used to be a bumpy path to the cloud for many companies. 

Read More
Why Enterprises Prize SASE
Reading Time: 3 minutes

It’s called SASE, or Secure Access Service Edge – but perhaps only for now. When the next analyst firm puts a label on it, the acronym will have competition, but the letters describing the newest concept in security could spell anything: it’s the solution behind them that matters. SASE was named first by Gartner to describe a new type of SaaS product that combines both security functions (such as the ability to deploy 2FA, firewalls, or traffic monitoring) with networking tools (micro-segmentation, access rules, VPNs) so that companies can streamline their consumption of these two crucial ideas.

Easier deployment of security across disparate cloud and local networks, and easier setup and management of said networks are just the icing on the cake. The revolutionary benefits of SASE go deeper, and entail tangible advantages that are inspiring enterprises in extraordinary numbers to adopt the solution – or at least to initiate a transformation in SASE’s general direction. In just a handful of years, SASE will have transformed the security landscape to be nearly unrecognizable.

You’re Why Your Firm is Considering SASE

Users like yourself might not intend to do damage or expose the network, but now that we connect to countless apps spanning the cloud, and with many more devices, we each present a unique risk. The skyrocketing prevalence of insider breaches, and not those occurring from the outside, are one primary reason why SASE is a future-focused tool. Since 2018, data breaches caused by insiders have risen by a whopping 47%, and 68% of firms cite this as their chief security concern. Consider also that it’s common for companies to conceal breaches caused by an insider and to not report them, so their consequences and frequency are worse than reported. 

SASE is inherently user-centric, meaning that the security and networking functions typically included in a SASE setup help IT teams to follow and restrict users through their network journey. This is better than giving them approval for unlimited access at the door, as we used to do. It might sound like a lot of work, but the tools provided by a SASE solution allow it to happen in a very scalable way.

Security That Gets Close Up to Users

We all know that network resources have varying sensitivities: The local server containing a proprietary algorithm is more sensitive and therefore should be restricted to more people than, say, a cloud-based Salesforce app. Perhaps only a few trusted developers and the CEO need access to the former, while several departments use the latter every day. Selective access to certain parts of the network used to require hardware and software together, plus lots of manual work from the IT team. SASE makes it easy from a single spot in the cloud.

The two features that underpin user-focused security, also known as Zero Trust security, are micro-segmentation and access management based on Identity Providers (IDP). IT can enforce user logins via a centralized IDP like Okta or Google, and then based on the user or their device, automatically apply relevant security to them. This might include a specific encryption protocol, a custom access profile for resources, 2FA, and much more. When a new part-time worker abroad is onboarded, IT can enter their administration panel, quickly assign the employee an IDP, and drag and drop it into a profile built to consider all the various data sensitivities relevant to remote contractors, limiting access accordingly.

SASE: Giving Small IT Squads Big Power

The benefits of SASE are highlighted when thinking about how much effort IT teams go through to close gaps in the network. Unification of two ideas close to the heart of any IT manager – networking and security – can bring the resources they are tasked with protecting under one roof and their job much easier. The cost savings are also mouth-watering for enterprise IT managers, who are able to trim their towering stacks, and get leaner and meaner than ever before. 

 

Read More
Law Firms: A Lucrative Hacker Target
Reading Time: 4 minutes

Compared to banks or tech companies, many might think that lawyers and law firms don’t rank highly on the list of top hacker targets. But experienced hackers know that successfully breaching a corporate law firm with high-profile clients would be a jackpot. Attorney client privilege means that lawyers can know things sensitive to their clients without being legally compelled to reveal them: Things that hackers can ransom or steal, like trade secrets, family matters, financial dealings and more. The bigger the client, the bigger the data trove.

Other legal concepts like chain of custody – that no third parties can even access digital evidence if it’s to be admissible – make it crucial to consider cybersecurity and access management for law firms. Data and client information must be kept safely out of reach yet still in the law’s possession for the legal process to work, after all. Cybersecurity is therefore becoming a hot new department in firms across the country, and top IT hires deploy a mix of technologies to protect clients and the law itself.

Reinforcing the Letter of the Law

The problem with attorney client privilege is that information told to one’s lawyer no longer stays in his or her head. The modern lawyer files it into the digital system used by the law firm to help organize cases, collaborate with associates, store documents and more. This means it’s hackable, and neglecting to secure systems like these means the risk of ending up like Grubman Shire Meiselas & Sacks – the high profile firm of stars like Madonna, Lady Gaga, and Robert DeNiro. Grubman was successfully targeted by hackers who ransomed 756 gigabytes of email addresses, phone numbers, contracts, and personal information of the firm’s A-list clientele earlier this year.

To avoid a reputation-crushing event such as this, law firms should secure their internal data storage and case management platforms with an array of technology that stops unauthorized access both from outside and inside. IT professionals tasked with protecting their firm will need to consider the following ideas if they want to minimize risk:

Segmentation of Client Data 

Sensitive client and case data must be segregated from other types of data, like information about lawyer salaries or office administration. Though it’s true this should also be kept away from hackers, it’s more important to identify which critical client data the firm keeps and where it’s kept. Whether it’s on local drives or a third party cloud, this type of data should never be stored in the same place as the less sensitive stuff, or else the result could be ruinous.

To be able to easily visualize pieces of the network, including places where data is stored and how these sources connect to the firm’s SaaS resources, the firm’s IT team should prioritize software-defined networking tools that more easily integrate into the variety of solutions in place at the average firm. This will enable them to micro-segment the network, and then with an accompanying access solution, create automatically-enforced rules that control exposure to client data.

Control Access with an Iron Fist

Not all employees of the law firm should have the same degree of access to data. Secretaries and associates, for example, shouldn’t enjoy the type of accessibility that the managing partner does. This concept can be enforced after the firm’s network is segmented into pieces based on sensitivity, but also relevancy. Few need access to whatever financial applications help streamline complicated billing processes, for example, so this would be one segment of the firm’s network that only relevant roles would have access to.

By implementing an Identity Provider and Single Sign-On solution to the firm’s IT bundle, network access rules have granular qualifiers such as role, device, and location to use when a new logon or access request occurs. If a hacker was to breach the network through a paralegal, for instance, then it’s unlikely they’d get very deep into the good stuff because the network would have already restricted this role’s access privileges. Another key idea is that this reduces the prevalence of insider attacks as much as those from outside.

Always-On Protection

All firm data should be encrypted while at rest and while in motion. Top encryption measures like SHA256, in whichever protocol most suits the network infrastructure, should be enforced by bottlenecking network access through a VPN client. This extends to using standard email communication as well, especially as this is the medium by which most sensitive information is sent from one place to another. A stronger and more secure method of communication is necessary, and that means encryption plus a host of other solutions like 2-factor authentication.

Lawyers and law firms also require a method of tracking down breaches or attacks after they’ve occurred, which will help lead to some restitution or at least recovery. Monitoring software that watches and records traffic moving across the network helps retrace your steps, and more easily reveals where weaknesses are – even if they need to be exploited to discover them. With proper network and security precautions in place, monitoring is almost never used in this way, but that’s how it should be.

Lawyers must also recognize that the host of digital and mobile tools and devices that help them do their jobs are also a threat if not handled correctly. Education of lawyers is crucial and so IT teams need to make it their job to motivate security hygiene from on high – if the board and managing partners want it so, then it will be so. This is how security must be handled for law firms to navigate the modern era confidently.

Read More
Business Continuity Plan Blog Post
Business Continuity Planning: 5 Actions CISOs Need to Take Now
Reading Time: 4 minutes

Organizations around the globe are engrossed in one of the major network revolutions of all time. The COVID-19 pandemic forced organizations to quickly adapt to different challenges over the past six months. With the sudden transition to working from home, organizations were required  to rethink their digital strategy in order to deal with the new normal.   

Remote work policies are changing the way we work. As new remote technology is introduced into the organization strategy, it’s important for the entire organization to understand the importance of how it affects their daily work routine. 

With the changes in technology and the location of the working environment, the organization’s management team needs to think about the different challenges facing them. One of the more important but less headline-grabbing threats that all businesses need to think about is their business continuity plans.

Business continuity is coming up with a plan for a company to deal with serious incidents and disasters in order to ensure the business can continue functioning within a reasonably short period. In the case of COVID-19, most organizations were unprepared for this unprecedented shift to remote work, something they had not previously considered and therefore not included in their business continuity plan. Too often we see business continuity plans to be over technical or high level for the casual employee which usually results in the lack of actual actionable items to implement. 

Now that we are currently over six months into the new reality and remote work is inevitable for the foreseeable future, organizations should be updating their BCPs. Chief Information Security Officers (CISO) and Chief Information Officers (CIO) have invested time and responsibility in the effectiveness of their business continuity plans. In today’s day and age, a cybersecurity strategy is an integral part of keeping businesses running while workers are remote. 

In order to gain insights into actions that CISOs can take to improve their organization’s business continuity plan, we spoke with experts who gave us their top tips. 

Be Involved In the Process But Delegate

Business continuity is an essential part of the survival planning for every business and organization. Too often it is erroneously assigned to the Information Security leader when in essence it is a business project and process that involves the key decision-makers in the C-Suite. Of course, a good CISO needs to be involved in the process, but should not own it.

“Any viable Business Continuity Plan must be tied and coordinated with a Disaster Recovery Plan. Essentially, a business must go on regardless of any type of interruption. If that requires manual systems to be brought up and be put into place, which is sometimes the case, then a good contingency plan to do this must be well-thought-out and everyone needs to know their part. Building a Business Continuity Team is the important first step and as it must include sponsors at the decision-making level. Additionally, the CISO, CIO, CFO, Legal, Human Resources, and Risk also need to be on this team.” – Richard Greenberg, Founder and CEO of Security Advisors LLC.

Make Sure Recovery Locations Are Useable

One of the biggest lessons people have learned during the pandemic is that business continuity planning needs to account for the fact that the recovery location(s) might also not be usable. The option of working from home was always viable but it was assumed by business continuity planners to be only a few employees and not the entire business. 

COVID totally put that idea out to pasture. The idea that everyone would have to work from home was a total game-changer. Organizations were caught without equipment to make WFH viable thus having to rely on bring your own device (BYOD) which brings a lot of potential risks as well as finding ways to minimize and manage those risks. Some had to re-engineer multi-factor authentication (MFA) to allow for use of Google and Microsoft Authenticator solutions by their employees. They found that their infrastructure was unable to scale, even in the cloud.” – Jeff Hall, Senior Manager of Auditwerx.

Don’t Forget Security

An effective business continuity plan enables employees to continue their work safely and effectively, no matter the circumstances. When working from home, cybersecurity should be one of the main aspects of the continuity plan. 

“To make security stringent your company should follow basic and advanced cybersecurity measures. Always prefer using a secure remote access solution as it provides you with security and privacy over the internet. Similarly, always encourage using systems issued for office work only. Additionally, make sure that your official documents are only shared with the restricted persons this way no irrelevant person will be able to open it even if it’s shared over email. “- Shahid Hanif CTO and Co-founder of Shufti Pro.

Educate Your Employees

Educating your employees about the new security protocols and technology being implemented is an integral part of business continuity. This requires more than just a single briefing, but instead, a regular and ongoing plan of educating employees. 

“With everyone working remotely, it’s a mistake to suggest that the business security only falls on the IT and security teams. Organizations should schedule a virtual security session to prepare employees with the new tools and protocols that the business has implemented. Additionally, security teams should educate employees about the different security risks and attacks that are on the rise with everyone working from home. By educating your staff you will be one step ahead of potential attacks and risks inside your organization.” – Sivan Tehila, Director of Solution Architecture of Perimeter 81.

Test Business Resiliency Capabilities

Given the new and possibly unique user requirements working from home under the current circumstances, are real-time operating systems and a recovery point objective and determined in a pre-COVID world still reasonable, logical, appropriate under the current operating conditions?

“By continuously testing your ability to recover critical business processes with your entire recovery team not being physically in the same location you will be more as a business. I suggest that you check if you can effectively coordinate your recovery team and individual assigned duties via communications tools such as Zoom and Webex. Additionally, you need to check if individual recovery team members have, at their home locations, sufficient Internet capacity to coordinate recovery activities (with multiple other company employees), while at the same time competing for local bandwidth with other in-home Internet capacity demands.” – Al Marcella, President of Business Automation Consultants.

Moving forward 

While COVID-19 will pass, the different actions and experiences can help businesses moving forward. With the right business continuity plan in place, you can provide transparency with your business in the case of recovery should another pandemic or emergency occur. The stronger the business continuity plan the fewer future headaches. 

Read More
Security Solutions Escort Banks Through the Cloud Shift
Reading Time: 4 minutes

Data is a commodity that has value just like any other: It can be used to pay for products and services (most free apps use your data in exchange for access), it can be bought and sold, and as we all know, it can change hands. Unfortunately, it doesn’t always fall into the right ones, and so for a bank – which is responsible for both our money and our priceless financial data – security is of the utmost importance.

As they say, “If it ain’t broke, don’t fix it.” So most banks having already found the right security approach for their legacy, closed off, and internal IT systems means that they are hesitant to embrace new technology – this might tip the scales in the favor of hackers. It might also make them more profitable, but upgrading infrastructure comes with new security complications that are a roadblock – because a data breach trumps any business advantage. Right now, cloud technology is in the epicenter of this dilemma.

Is the Cloud a Compromise?

If there are two sides of the fence, on one side is the cloud’s immense potential for bank customer service and competitiveness, and on the other, the need for significant investment and security due diligence that comes with any change to the status quo. The cloud can help banks diminish their core costs and overheads by eliminating hardware and the need to maintain it. It can also help to roll out new financial products and services to customers more quickly, and scale them inexpensively as demand waxes and wanes.

Despite these benefits the transition to the cloud is daunting, and outside of retail or commercial banks, it is happening at a snail’s pace. Of total spending on the cloud, banking accounts for only 10.6% in 2020, according to IDC. Reasons for hesitation include difficulties configuring cloud solutions to both work together and with legacy tools, which may create unanticipated (and intolerable) gaps in defense. Furthermore, banks may feel as if they lose control by offloading internal processes to third-party cloud providers, putting them at these providers’ mercy. Compliance is an obvious issue to be concerned about as well, and the extra degree of separation between banks and their cloud-based resources doesn’t inspire confidence at first.

This hesitation is more unfounded as time passes, however, because the cloud is changing quickly and so is the security surrounding it. For their part, banking perspectives on the issue are changing in tandem.

Lift, Shift, and Uplift

Banks can now be relatively confident that security will be tight as they embrace the cloud, since data isn’t the only thing that’s been commoditized; so has security. Cloud providers invest heavily in their defenses and for many industries, they offer greater safety out-of-the-box than customers can achieve with their own investment in IT. Banks appreciate these assurances, but still have enough at stake to need more. 

In their efforts to avoid a long and complicated process, reduce risk, and front load cloud benefits, executives sometimes see cloud adoption as an “all or nothing” idea. However, the “lift and shift” approach is getting more traction, as it moves parts of their infrastructure to the cloud in piecemeal fashion, based on the importance of the workload and other factors. Many banks are adopting this hybrid cloud model and taking their first baby steps into the 21st century, but if the piecemeal approach is going to be taken, their networks will get complicated quickly and will be in constant transformation. 

This requires a security solution that is more comprehensive than what providers offer, and one that can flex as the network perimeter shifts.

Elastic Security for an Extended Transformation

A bank requires a simple security solution that makes data protection easy, no matter how mix-and-match their infrastructure looks during the various stages of its cloud migration. While hybrid cloud models help banks meet the expectations of demanding and digitally adept customers, they also allow banks to keep sensitive processes internal, and to encourage data protection in diverse environments. Hybrid cloud security is also easier for banks to obtain these days, with SaaS security solutions that more easily integrate into both local and cloud environments.

Network as a Service products help IT professionals apply a plethora of security tools such as DNS filtering, Wi-Fi security, VPN encryption, and multi-factor authentication across the various resources that make up a bank’s network – no matter if it’s local server storage or a popular software consumed “as a Service”. The seamless level of integration covers more bases as the network slowly migrates to the cloud, but NaaS is also especially suited to the hybrid approach because it allows IT to segment the network and restrict access within it, not just into it.

Accordingly, just-migrated bank resources can enjoy multilayered security and yet also be inaccessible to only the roles (and devices) held by IT higher-ups, until they are confident that compliance is achieved. Security can be easily tuned to the changes made to a bank’s network throughout its cloud transformation, with scalable and secure access policies and a quilt of tools that will have any hacker think twice about attempting to get at its data. With time otherwise spent on maintenance, IT is freed up to pursue profit-seeking initiatives.

Security Ups Its Game for a Tough Customer

It takes a lot for banks to be confident in their security, but cloud advancements have extended to security ideas, and make upgrading infrastructure a win-win proposition. With confidence in the cloud’s compliance and safety, banks are able to morph in pursuit of better service, without concern for how customers or their data are affected. Now that this piece of the puzzle is finally in place, banks can go full speed ahead into the cloud, and soon, customers will feel the change in both better financial services and the gradual yet pronounced lack of big hacks hitting the headlines. It’s hard to estimate which will be more welcome.

Read More
FWaaS Prevents the Cloud from Going Up in Flames
Reading Time: 4 minutes

Firewalls are aptly named, because they stop the spread of flames beyond the wall, and help to preserve the building itself from falling down or burning to a crisp. The metaphor works just as well with malware defense as it does fire safety, but now that we’ve moved to the cloud en masse, “fire” can spread further and faster than ever. No longer are we protecting on-site resources. Our hardware and resources are thousands of miles away, and sometimes we don’t know if ignition has been sparked before it’s too late – for ourselves and the millions of others sharing the same cloud.

Firewall as a Service (FWaaS) has emerged to bring the concept of a firewall to the cloud, and among the other security tools that companies have relied on, it has been a helpful tool in escorting companies through a safe cloud transition free of malware and unauthorized access. But they haven’t always been as necessary as they are now. For compounding reasons, FWaaS is more than ever a mandatory component of the security toolkit in place for businesses of any size. 

Security’s Slow Cloud Transition

Resources moving to the cloud is a natural pursuit of more efficiency, which is a business staple. For organizations, it’s easier to consume storage and bandwidth as a service than it is to run the hardware supplying these things. For their part, cloud providers have also benefited immensely by switching from selling hardware to renting it over the internet. These are basic concepts to nearly everyone who has used computers in the last 20 years, but cloud computing is actually much older than we tend to realize, and this context is important to understanding the rise of FWaaS.

Though we like to think in terms of when we started uploading photos to iCloud or using Google Drive, cloud computing actually began way back in the 1950s with the first mainframe computer, and evolved from there. However, only recently have firewalls evolved alongside virtual machines and increased bandwidth availability through the internet, taking the very concept of a physical appliance, and transplanting it into cloud infrastructure.

Because security reacts to the trends happening elsewhere, and molds itself to be the antithesis to the latest attacks, it is always late to the party, and especially to the cloud as entertainment and commercial ideas took priority. This meant that firewalls weren’t on the cloud until many other things were first, so most companies still applied clunky physical appliances to their growing cloud networks. Another reason that FWaaS hadn’t appeared at the forefront of the cloud movement was because it’s purpose is to protect infrastructure, and IaaS (Infrastructure as a Service) didn’t become popular until long after SaaS.

The blooming of SaaS before IaaS was largely due to the ease with which a SaaS product can be hosted – even on a single machine under your desk – so it made sense why a physical firewall would suffice as SaaS matured. No longer. Now, the increasing embrace of IaaS and the wholesale movement of entire departments onto the cloud has meant that firewalls simply must be a part of this environment.

FWaaS is Now a Must

As companies move to the cloud, their IT teams have discovered that relying on old firewalls is more than inefficient for configuration and integration. It also reduces visibility over the network and resources within the network that are now a few degrees of separation from the office premises itself. The old perimeter guard approach, where firewalls are the sentinels standing inside the moat of the “network castle”, doesn’t work when resources are no longer inside the walls and are not thoroughly protected by cloud providers.

Moreover, a quickly-multiplying number of mobile devices are now connecting to these cloud resources, so IT teams struggle to define their network perimeter, let alone protect it. FWaaS solves this problem by integrating easily with third party cloud infrastructure, giving IT a looking glass into how users are accessing SaaS products such as Salesforce, AWS, and Google Suite, and the centralized, cloud-based access management panel for them to control traffic through these resources and fight malware.

Cloud Accelerating Changes FwaaS Too

As workers move from offices to their homes, FWaaS has become a central tool that IT teams can use to provide safer remote access. This idea hasn’t changed, but the way it’s being delivered to businesses is, as single-purpose security tools “as a Service” are going through the same cloud consolidation process that productivity and entertainment products did not long ago. Firewalls and other things like VPN tunneling and Single Sign-On are better for security in today’s mobile environment, but when orchestrated independently of one another are still risking network security.

This is why a new idea in the industry, SASE (Secure Access Service Edge) has zeroed in on FWaaS as one of its cornerstones. Security providers are racing to provide SASE platforms since Gartner introduced the idea late last year, but they must first collect and provide the tools that deliver SASE’s promise: unified network security on the cloud edge. FWaaS, CASB, SWG, MFA, VPN, and other security services are part of this single unified platform. FWaaS is one of the most important pieces of the SASE puzzle and one of its core functions, because it has a unique job that other components can’t do.

Thanks to growing SASE platforms like Perimeter 81 and the FWaaS functionality provided as part of this consolidated, cloud-native offering, organizations are able to aggregate their traffic effectively from all resources and enjoy total visibility across them, with no hardware involved. Though it’s true that the acronym FWaaS is now standing in SASE’s immense four-letter shadow, it cannot be discounted.

Because even alone, FWaaS has merit when paired with some other basic security tools like VPNs. Companies with simpler networks, a few SaaS resources, and smaller teams can rely on a basic setup like this to mime the cloud security chops of SASE until growth demands an even more scalable solution. FWaaS is central to a safe future on the cloud any way you slice it, and will 

Read More
Can SASE Reinforce Remote Voting?
Reading Time: 4 minutes

The risks behind remote voting

Election interference is the new normal, or perhaps it quietly has been for some time now. Until recently, though, it has escaped the limelight because the process of voting in most places has barely changed since the dawn of democracy. People show up their designated voting booth, wait in line, verify their identities and cast their ballots – but in the era of COVID-19 this idea is more complicated than it once was – and also more compromised. 

Obviously, the ideals of democracy must be upheld even during a pandemic in which the pathogen at large is airborne, and people must be empowered to vote even if they aren’t able to stand in line. Especially as an important US Presidential election approaches in a mere handful of weeks, the idea of remote voting has emerged as a potential solution to the obstacles put in its place by coronavirus – but solutions must also be found for securing the remote vote itself.

A Rocky Start to Remote Voting

Rather than mail-in ballots, which require immense administrative efforts to corral, count, and authenticate, remote voting would entail using technology to mimic the same processes but in a streamlined digital manner. In the midst of COVID-19, governments have already embraced digital alternatives for physical processes steeped in tradition and respect – just look at the testimony of Dr. Anthony Fauci, who recently appeared in front of the Senate via Zoom.

Thanks to H.R. 965, which was passed in mid-May during the throes of the pandemic, members of the House have been alpha testing remote voting at a very small scale. While Senators must still show up and have their Yeas and Nays tallied on paper, House members are able to send in their votes via encrypted email and have them counted. This is still an early and rudimentary solution, and there’s no doubt that rolling out digital voting to the greater USA or even individual States would require something much more complex.

So far, some States are experimenting with digital voting, but they are doing so against the advice of Homeland Security’s recent report, which highlights remote voting as extremely high risk. This is no doubt a remnant of 2016, when hackers successfully breached online voter registration systems in an attempt to sway results of the election – or simply to test the water in advance of the “real” interference attempts which are soon to come. The wagons haven’t circled yet, and any efforts to advance remote voting efforts now are as undefended as they were then.

Remote is a (Necessary) Risk

Evidence points to the fact that the varied and disparate digital systems that already exist can’t be capably secured, meaning any attempts to institute remote voting will be built on a flimsy foundation and cause even more trouble. This would create an untenable situation in which both election results and faith in the system can be challenged, so any efforts to help US citizens vote from afar must also come with accompanying security technology.

Attempts to secure local and state voter registration systems so far have focused on the lowest-hanging fruit: patching software and hardware, and “backing up” incoming digital votes by writing them down on paper. This approach is smart, because it’s often the most basic exploits that hackers use to disrupt the voting process. The remote voting apparatus, in the States where it currently exists such as Delaware and West Virginia, is extremely flimsy and reliant on a stack of tools that are each capable of being compromised in different ways.

Hackers don’t necessarily need to infiltrate systems and change votes themselves, they can simply disrupt the process by deleting or multiplying votes, adding false data, compromising signature-verification software, or overloading them via DDoS. This can occur for the ballots, voting machines, Secretary of States or registration websites, and other weak links in the chain. Accordingly, the entire voting flow must be secured from the moment a citizen logs on, through the verification process and until the final vote is tallied.

SASE a Secure Voting Solution

Remote voting is coming whether we’re prepared for it or not, because if you ask election officials, it’s more important to re-enfranchise those who are disenfranchised than it is to secure the systems we use to accomplish it. Though problems are bound to arise, given that in classic federal government style it’s up to individual States and the agencies within them to choose relevant security vendors and solutions, a new type of unified product is emerging that can kill many of these issues with one stone – in theory.

Coined by research firm Gartner, SASE is a cloud-based security product that  is capable of being integrated directly into many different types of resources and environments, like those in use across government offices, and regardless of where they are physically. It essentially weaves an impressive array of different networking and security solutions into all network resources, such as those deployed in the digital voting process, and theoretically can blanket protections over participatory voters and officials across the country, including custom access privileges, security layers and close monitoring for suspicious activity.

The thinking is that if a SASE product were to be deployed in the State of Florida, it might mandate that voters logging into whichever voting application Florida chooses will first need to authenticate with 2FA, for example. During the vote, voters’ connections to State applications would be encrypted with IPSec tunnelling, and even automatically disconnected from the internet if the application should fail.

Elections to Evolve in the Near Future

If government IT teams match the variety of remote voting hardware and software with a similarly disparate selection of security tools, then their efforts will be further distracted from ensuring an accurate vote and go instead towards managing their teetering software stack. What’s necessary is a unified security model encompassing all tools that States need to protect their voters, and one that fits natively into the systems they’ve already begun implementing and is therefore easily onboarded as other States come “online”. 

This idea has become more real thanks to SASE, though the security industry has some catching up to do before it’s ready for elections. That’s alright, because poorly deployed security would do more harm than good, and it’s important to be airtight: The point of elections isn’t to pick the winner but to remove any doubt in the mind of the loser that results can be argued. For this reason a robust and proven security solution is necessary if remote voting is to be the status quo.

Read More
Tightening Security on Microsoft Teams
Reading Time: 4 minutes

Remember driving down to your local computer store and picking up a shiny new copy of the latest Microsoft Word? Sleek in its box, the neatly wrapped Microsoft product had both disc and license inside, but it also came with something you didn’t bargain for: responsibility for its successful, safe operation. 

As a physical offline copy, security issues in operating this relic of the past could be placed squarely on you. But now that Microsoft Word has gone through multiple cycles of product consolidation and emerged as a vital business pillar, security considerations surrounding the whole Office suite, and now Teams, deserve another look.

Microsoft Teams allows collaboration and communication across the various services that are included in Office 365. Make no mistake, Teams users can be confident in the safety of their data, but when more weight lands on the solution as a productivity cornerstone, it’s smart for organizations to supplement Microsoft’s built-in safety mechanisms

From discs to on-demand software, the now fully-integrated nature of Teams makes it a powerful tool, but one that sits at the epicenter of a bustling cloud encapsulating both good and bad actors. 

Consolidation of Products, and of Problems

Exemplified primarily by Microsoft, products that were once sold separately eventually congeal into a single platform that offers them all as functions conveniently packaged together. This is what happened to Word, Excel, PowerPoint and other Microsoft software that turned into the Microsoft Office 365 “as a service” solution. 

With Teams, increasing sophistication and connectivity in the name of a good user experience has also created new ideas in the world of security, as most innovations do. Teams represents a single window into the virtual Office, where employees can discuss projects happening in real time, talk over chat, voice or video call, and work on shared documents together. This shiny front end doesn’t bely any backend complication, but it’s there. 

For each “team” you create, the backend gets a new SharePoint site, Office 365 group and other assets in places like OneNote and more. This doesn’t include other integrations that your organization might choose, such as ZenDesk, Salesforce, Mailchimp and other popular platforms. With an impressive level of integration comes an intricately complicated environment for security professionals, especially as companies expand and lean on Teams even more. 

Licenses are online, so much of the functionality that Teams offers is largely available when an organization is connected to the web. Moreover, since November 2019 Microsoft has allowed Enterprise customers to grant guest access to contractors and other non-licensed individuals who work with them. Suddenly, file sharing of sensitive documents and resources is happening outside the network and unfamiliar entrants are streaming in, so managing the chaos becomes necessary.

Integrated Solutions Beg Integrated Security

Both in how Teams is secured and used, and in the tools that IT security teams must enforce for users, care should be taken so that data inside Teams doesn’t sprawl outside of its boundaries, or alternatively, become concentrated and offer hackers a single ripe target. Much like Slack, Teams users can create different channels where they communicate about specific subjects or tasks related to this department or the other. 

While users should be encouraged to create new and different channels for their conversations, it’s crucial to maintain control and ensure that loose ends (dead, repeat, underused channels) don’t occur, and that sensitive information isn’t overly shared or replicated in multiple different places or with people who don’t need to see it.

Integrations are crucial to any organization relying on Teams, and when implemented correctly they are amazing productivity boosters. However, one of the most underestimated issues that occurs in a highly integrated environment is configuration: Sometimes the integration may work well but the most minor settings might create a security gap that leaves the network exposed. 

When many third parties are a part of your Teams installation, whether they’re services or service providers, it’s recommended to layer an extra security blanket over the whole thing. Teams has built-in two-factor authentication, and IT should require it before users are able to log in. Don’t stop there, though, extra effort to track devices and endpoints should be taken as it will also help IT prevent downloads from Teams to unmanaged devices, or those that haven’t passed through the gates of “Zero Trust”. 

Because Teams is a nucleus of business activity and by definition holds assets that might spell trouble in the wrong hands, a strict least-privilege access model should be instituted. Another integrated solution is suitable, but one that simplifies the security functions that can plug into Teams, and with a purpose to remove trust from the equation, full stop.

Teams Turns Zero Trust

In few organizations does each employee need access to the full list of functions and capabilities that Teams provides. Microsoft understands that not every employee will need access to SharePoint, for example, and supports Teams separately as a cloud app for Azure Active Directory and the conditional access policies it offers. To take advantage, however, administrators must ensure that the correct policies exist on all applications inside the Teams installation such as Exchange. 

This can take some maintenance and oversight, so it’s easier to find a more unified, seamless Zero Trust solution where all this is done from a single admin panel. Security providers pursuing the Network as a Service model are already being used for this purpose, and when integrated with Teams are able to better streamline the orchestration of necessary security tools. Network as a Service solutions reside on the network layer and therefore allow organizations to easily define custom access policies for segments of their local and cloud resources (like Teams, or parts of it). 

This way, IT controls which roles, devices, and locations are allowed into specific parts of Teams and other network areas with greater ease. Additional security tools can’t hurt, and add a safety net to Teams in a couple different ways. Though Microsoft has 2FA, Single Sign-On and the encryption of files, a wider array of options is helpful. 

Support for other MFA and SSO providers is nice, as is the option between SSL, IPSec, and WireGuard in terms of encryption, for instance. One idea which should surely not be forgotten is better network activity monitoring. This is one of the most important points for complex Teams installations: logging and monitoring is a lynchpin to proactive threat detection and compliance alike. 

Integrating these functions directly into Teams doesn’t complicate it. Why? Simply because they’re all offered under the umbrella of a single security provider which integrates directly into Teams and saves IT from fiddling around with different settings between Exchange, SharePoint, Word, Azure, and others. Teams is an amalgamation of multiple useful software tools, but there’s no question that productivity is the primary reason for its existence, and that third-party security services improve it is neither a surprise nor takes from its impressive reputation.

Read More
SASE_Gov
SASE: Evolving Government’s Cloud and Network Security Strategy
Reading Time: 4 minutes

Even though cloud technology has become the new normal for the private sector, it has a less than tenuous grasp on government. In 2018, cloud neglect in the public sector prompted the White House to launch its “Cloud Smart” policy, designed to promote the idea that government agencies should begin adopting this useful breed of computing technology. 

At the time, relevant agencies didn’t jump quickly on the opportunity due to security concerns such as data storage and the sharing of information. However, the time is now ripe. With cloud computing over a decade old and long proven as a pragmatic solution to many administrative problems, it’s time for lagging governments to bring themselves up to speed. 

Despite some public offices embracing a cloud-first approach or cloud-only policy, the majority of the United States government is woefully behind, and still in the dark about the risks and benefits that come with moving network resources to the cloud. Most concerns circle the notion of privacy or security, but these days they’re addressed more easily than they once were.

Cloud Security a #1 Priority  

In the United States, there are more than 90,000 government offices that comprise a patchwork of different approaches for cloud computing and cloud security. In most cases, local and state governments are more open to adopting cloud solutions and services as opposed to the federal government.

These government offices are finally clueing into the tangible benefits that the cloud provides: low costs, ease-of-use and higher productivity. With these advantages within reach, ensuring that preferred cloud solutions are secured has become the top priority for governments. Any and all benefits can be ignored if the implemented cloud services or solutions aren’t totally secure, and this is why analog processes have reigned supreme for so long.

As government offices begin to push their networks onto cloud infrastructure and connect them with remote workers and IoT devices, the number of endpoints that hackers can attack has climbed significantly. As we saw in March 2018, the City of Atlanta was attacked by hackers with ransomware that shut down government services for six days. Likely a victim of the SamSam exploit on Java-based servers, this is an example of how ditching self-managed hardware for a provider’s cloud would likely add a barrier between hackers and government property.

Gov_breaches

It is also just one of many examples for how governments have become a more popular target. In response to the growing sophistication of attacks, cloud security must now go beyond malware defense, and so government IT teams are forced to look at the big picture. Instead of focusing on specific types of attacks, they need to promote efforts to gain omniscience within the network. In the past, governments tended to only pay attention to the data leaving their network perimeter, but today they need to be just as cognizant of permissioned users and data being accessed by government employees. The rise of the remote workforce has pushed visibility even further into government IT teams’ awareness.  

Taking Control of the Network 

As more governments adopt network security solutions for their work environment, an increasing number of security events and alerts have overwhelmed governments’ security teams, which actually distracts from the idea of better network visibility. IT teams need to have complete knowledge of what is occurring on their network at any given time, across public and private clouds, applications running on the network, and more. Where numerous unqualified alerts create a swarm blocking proper visibility, hackers can use the hubbub to muffle their steps and make a quiet entrance into government agencies’ networks. 

To fight visibility and network control concerns, governments should adopt Security Information and Event Management (SIEM) systems. These systems accumulate the data from different sources and recognize which are outside normal parameters, and also provide an appropriate response. SIEM systems play a huge part in helping IT and security teams to detect and prevent security risks across governments’ infrastructures in an intelligent manner. 

More Solutions, More Headaches 

For any modern government cloud security strategy, it’s often recommended to implement a range of products that deal individually with a wider range of common network attacks. Until recently, this strategy worked well, but now we are seeing that it creates a bigger problem. Adding a large number of products to IT’s stack causes misconfiguration and exposed deployments of various software solutions. This, together with ensuing hybrid IT complexity, is creating a tangle of security challenges for IT teams.

This challenge has a label; “tool sprawl”. It is the idea of investing in a range of security products that work together, yet make it harder for IT teams to manage and orchestrate them in the network. In order to achieve a more flexible and productive network and cloud security strategy, governments have to move away from the multi-vendor tool sprawl approach and look to adopt a unified platform model. It’s especially true for governments that are looking to ensure the privacy and security of their data against outside threats. This is where SASE comes into play.  

Perfect Cloud Security Model for Governments 

By adopting edge data security, government agencies can enhance their security hygiene with the help of quicker, integrated, and more elastic solutions that simultaneously keep government employees connected from afar. This approach has become more relevant with the introduction of Secure Access Service Edge (SASE).

Secure Access Service Edge (SASE) was introduced by Gartner in August 2019. SASE is a new cloud-based network security model that combines multiple network technologies delivered as a service, including SWG, CASB, FWaaS and ZTNA with WAN capabilities (i.e., SD-WAN) to support dynamic secure access to organizational assets. The SASE model allows government IT and security teams to easily connect and secure all of their networks and users in an agile, cost-effective and scalable way through the cloud.

By adopting a SASE platform, government offices can enable the delivery of integrated secure network security services that support digital cloud transformation, edge computing, workforce mobility, identity and access management. This new model will help governments get over the hump of doubt that has built up around the cloud. It will allow governments to manage all of their security and network solutions from one platform, fight off new threats and secure employees’ data no matter their location. On the near horizon is a cloud security strategy for the future and one that has no more relevant home than government.

Read More
Cloud Policies
Why Your Organization’s Security Strategy Starts with a Cloud Security Policy
Reading Time: 4 minutes

The IT industry has made significant strides with cloud computing security and many organizations remain anxious about emerging cloud security risks. A new generation of malware and hacking techniques continue to threaten different organizations’ data and apps on the cloud. We are seeing many different cloud security vulnerabilities being introduced through bringing your own device (BYOD) risks, web application risks and incomplete cloud visibility. 

To fight off these cloud risks, organizations need to act quickly to seek the cloud’s advantages while maintaining control over their assets. So how do organizations grow with the cloud and ensure they’re acting responsibly when it comes to cloud security? 

The Cloud is Not as Secure as You Think

When we think of cloud security, the first thing that comes to mind is data loss but that is the wrong way to think about it. When organizations implement different cloud services, one of the main security factors that is focused on is if the network and resources are safe. Instead, we should be additionally focusing more on how employees are using cloud services. One of the lesser-known challenges with the cloud is if your team is implementing and taking the appropriate cautionary steps when deploying resources.

Organizations need to implement different cloud security tools that encrypt data and access control and implement organization-wide cloud policies. By implementing these tools they will fix or play safeguard with the appropriate amount of cloud security hygiene. But at the end of the day, it all starts with a strong cloud security policy.

What is a Cloud Security Policy?

With the increasing global adoption of cloud computing, having a cloud security policy is essential for every organization. Cloud security policies are the guidelines under which companies operate in the cloud, often implemented in order to ensure the integrity and privacy of company-owned information.

When most organizations migrate to the cloud, they often mistakenly indicate that the current security policy will cover the cloud security rules in their policy. While there is some sense to this, it’s rather lacking and it can create specific holes exposed to potential risks. However, organizations need to consider incorporating the importance of cloud security into their existing security policies and standards. A cloud security policy needs to be flexible and interchangeable in order to meet the new security rules of the organization. 

Your policy must be simple to understand by all of your employees. In order to keep training costs down, it’s best to avoid overcomplication and technical complexity in the policy. The best security policy will be one that is clear and concise. Don’t be afraid to state the obvious, as that way nobody can claim to have missed the point. Every cloud security policy should start with a definition of intent, which clearly outlines the whole point of the policy. 

The Key Principles of a Successful Cloud Security Policy 

The policies for your organization’s cloud security must come from all corners of an organization; from your developers, security team, management team, and so on. These policies are the basis for all cloud security planning, design and deployment. These policies should be able to provide direction on how the issues should be handled and what are the best technologies to be used. 

While security policies are very easy to decide on, the main issue is to implement them properly. The organization’s security policies depend on the different content on which they are implemented. These security policies of an organization are required to protect the cloud security of an organization.

Here are the key principles of successful cloud security policies that you can implement at your organization:

Implementing Security Awareness Program

Educating users on the need for security is important as it will help them understand the importance of cloud security, and how it will benefit them in their daily work. Implementing a security awareness program is a major step with your cloud security policy. 

The program should explain why security is everyone’s responsibility and show the users about their role in maintaining security. This is because people often tend to think that only the security team’s responsibility in protecting the security of their company.

Clear Communication

Once an organization has implemented the policy, it has to be clearly communicated to all the people responsible for enforcing and complying with it. It can include employees, service providers, and other relevant users. 

The policy can be introduced to the employees during their start at the organization and incorporated into the company’s Employee Handbook. A key part of the communication process is to establish a record that those involved have read, understood, and agreed to abide by the policy. It is a challenge to ensure that users understand and accept the policy that governs them. A clear, concise, coherent, and consistent policy is more likely to be accepted and followed.

Authorized Access Regulations

To prevent any unauthorized access to your cloud network environment or cloud resources, organizations need to implement precise access control regulations internally. By implementing access regulations it will prevent potential holes in your organization’s network on the cloud. 

By implementing these regulations in your cloud security policy you will be only giving access to the users that actually need access for their day to day job. The policy should include authentication protocols, identity and authorization management, authorization, and authentication protocols, like in the Zero Trust security model.

Encrypting Cloud data

When creating a cloud security policy one of the most important sections has to be data encryption. By enforcing cloud data encryption, organizations will be more secure knowing that only authorized users will be able to access sensitive data and cloud resources. Additionally, organizations should encrypt data and cloud resources that are being uploaded to the cloud to ensure that they are secure and protected.  

We recommend that you schedule a monthly data encryption update to make sure that your data and resources on the cloud are secure and protected.

Monitoring your cloud environment

Monitoring is a critical component of cloud security policy. By implementing automated tools helps your organization get a macro view of your entire network. Cloud monitoring provides an easier way to see different activity patterns and any potential vulnerabilities in your network on the cloud.  By implementing an effective cloud monitoring solution it will put the organization’s security and compliance team at ease knowing there is a system in place. 

An organization’s cloud security policy can be a decisive factor when deciding the right direction by implementing different cloud services and resources. However, it shouldn’t change the organization’s mission. With that in mind, it’s important to create an employee-friendly cloud security policy that is aligned with an organization’s culture and helps the employee work more smoothly without interfering with their day to day work environment. In conclusion, a more complete cloud security policy will keep your company safe but don’t forget the policy starts with your employees. 

Read More