Over the last 2 decades, Cloud Computing has changed business IT beyond all recognition. Today, IT capabilities that were once confined to large corporations are accessible to SMEs, thanks to cloud services available through affordable subscriptions and pay-as-you-go pricing. It’s estimated that around 94% of UK businesses currently leverage the cloud in some form, and that appetite for cloud services looks set to increase further in the near future.

One of the benefits that attracts businesses to the cloud is the promise of improved security. Indeed, for the most part, cloud providers take the security and integrity of their services very seriously. A good case in point is Microsoft, which is currently investing $4 billion annually in the security of its services and platforms. With measures like geo-redundancy, encryption and intrusion detection and prevention systems (IDPS) in place, cloud customers can have confidence in the steps providers take to safeguard their data centres.

However, this doesn’t paint the full picture when it comes to cloud security…

Cloud service providers deliver services under the proviso that customers maintain ultimate responsibility for ensuring the security, privacy and integrity of the data they host on their service. This is often referred to as the ‘Shared Responsibility Model,’ as data protection responsibilities are partitioned between the user and service provider.


How Does the Shared Responsibility Model Work?

In virtually all cases, a cloud service provider will assume responsibility for maximising the availability of its service and ensuring the physical protection of its servers. In most cases, the service provider will also be responsible for applying proportionate cyber security measures to these servers in order to prevent cyber threat infiltration.

Users, however, remain responsible for configuring settings on apps and services in ways that maximise cyber threat protection. Cloud customers are also responsible for identity and access management and ensuring the appropriate use of secure authentication protocols like MFA (multi-factor authentication).

It’s important to bear in mind that the exact delineation of responsibilities depends on the nature of the cloud service and the specifics of your agreement with your cloud service provider. The table below shows how the division of responsibilities varies across different types of cloud services.

[Table: division of security responsibilities between customer and provider across cloud service types]

So What Does This Mean for My Business?

It means you need to pay close attention to your areas of cloud security responsibility, and apply the appropriate controls, policies and protections to ensure risks are adequately managed. Using SaaS products like Microsoft 365 makes this easy, as such products come with many of the features you need to secure your cloud environment already built in: all you have to do is configure them.

Proactive IT Support and Managed Services for Businesses Across Glasgow and Central Scotland

BrightSkye provides IT support, managed IT services, cyber security and best-in-class IT solutions to businesses across Greater Glasgow, Lanarkshire and the wider Central Belt region. In recent years, we’ve helped many organizations make the transition to the cloud, helping them to save money, boost productivity and harness the many other benefits the cloud can offer SMEs.

When correctly configured and carefully managed, the cloud can offer levels of security that surpass even the best on-premises hosting setups. Doing so, however, requires businesses to recognise where their cloud security responsibilities lie. In this article, we’ll draw your attention to some of the policy-based and procedural security controls you can implement today to lock down your cloud data, ensure compliance, and keep threat actors out of your cloud assets.


Enforce the ‘Principle of Least Privilege’

The ‘principle of least privilege’ dictates that users should be afforded the minimum level of access and authorization necessary to perform their job role. At first this seems counterintuitive: surely you want to give your staff widespread access to files and other resources, right?

The reasoning behind this concept is that, should a user account be compromised by a threat actor, the account’s limited permissions will restrict the attacker’s access to key administrative capabilities and sensitive files, thus limiting the amount of harm that can be caused. Here are some handy tips for implementing this strategically valuable security control:

  • Define user roles. Start by thinking about each job role in your organization and consider the files, services and privileges required in each case. Rank users according to level of access required, and designate ‘Global Admin’ privileges to as few as possible.
  • Carry out regular access reviews. Continually assess access rights and privileges on an ongoing basis. Swiftly withdraw privileges from individuals who leave your business, and create a process for extending and withdrawing privileges on the basis of role changes.
  • Create Role-Based Access Control (RBAC) policies. Create policies that clearly define how permissions and privileges should be assigned on the basis of job role. This creates a clear framework that ensures access rights are granted consistently across your organization.
  • Use account ‘Groups.’ Assigning ‘group privileges’ can make it easier to manage access to resources and services. Different cloud services approach the concept of group privileges in different ways. In Microsoft 365 for example, a user group is created when you add users to a site in Microsoft Teams. Permissions and privileges for this group can then be configured through the Microsoft 365 Admin Center.


Establish a Strong Password Policy

Your account passwords are the keys to your digital estate, which in the wrong hands could give an attacker free rein to cause maximum damage to your network and access the most sensitive information you hold. Cybercriminals make use of readily available password cracking tools, which have the ability to guess weak passwords in minutes or even seconds. It’s therefore vital that you establish a strong password policy to enforce the use of robust, complex and secure passwords across your cloud accounts.

Depending on the nature of your cloud assets, your password policy may require the compliance of end users, or it may be enforceable through an identity and access management service like Azure Active Directory. Regardless of how it’s enforced, here are some of the key stipulations your password policy should contain:

  • Set a Maximum Password Age. Users should be required to change their passwords on a periodic basis. This limits the window of opportunity available to hackers to steal and exploit each password, thus reducing risk. A 90-day password expiration date is considered best-practice for security-critical accounts.
  • Require a Minimum Length. Longer passwords contain more possible character combinations, which makes them far harder to guess than shorter ones. Best practice guidance on password length varies, but we’d recommend a minimum length of around 14 characters.
  • Require Complex Passwords. Passwords should be alpha-numeric (comprised of both letters and numbers) and ideally contain special characters and a mixture of upper and lowercase letters. Recognisable words and phrases are acceptable as long as these don’t bear close association to the user or the organization. For example, a Glasgow business shouldn’t be using ‘Glasgow123ABC!’
  • Enforce an Account Lockout Policy. An account lockout policy secures an account against further login attempts after a set number of failed attempts. Users are given a specified number of ‘tries’ before either the account is frozen, or a timed ‘lockout period’ begins. This is a common account security feature that’s easy to configure across a wide range of cloud services.
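As an added example (not code from the original post), here are the password stipulations above expressed as a checker in Python: the 14-character minimum, the 90-day maximum age, the complexity rules, rejection of organisation-associated words such as the ‘Glasgow’ example, and a lockout tracker that freezes an account for a timed period after too many failed attempts. The failed-attempt threshold, the lockout period and the list of organisation words are assumed values, since the post gives no figures.

```python
# Added example: checker for the password rules above plus a failed-login lockout tracker.
import re

MIN_LENGTH = 14                 # recommended minimum length from the post
MAX_AGE_SECONDS = 90 * 86400    # 90-day maximum password age from the post
MAX_FAILED_ATTEMPTS = 5         # assumed: the post gives no figure
LOCKOUT_SECONDS = 15 * 60       # assumed: the post gives no figure
# Constructed list of organisation-associated words (the post's example is a Glasgow business).
ORG_WORDS = ("glasgow", "brightskye")

def password_violations(password, user_words=()):
    """Return the policy rules the password breaks; an empty list means it is compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("not_alphanumeric")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no_mixed_case")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no_special_character")
    if any(word.lower() in password.lower() for word in (*ORG_WORDS, *user_words)):
        problems.append("org_or_user_association")
    return problems

def password_expired(last_changed, now):
    """True once the password (timestamps in seconds) is older than the maximum age."""
    return now - last_changed > MAX_AGE_SECONDS

class LockoutTracker:
    """Counts failed logins per account and starts a timed lockout at the threshold."""
    def __init__(self):
        self.failures = {}      # account -> number of consecutive failed attempts
        self.locked_until = {}  # account -> time (seconds) at which the lockout ends

    def is_locked(self, account, now):
        return self.locked_until.get(account, now) > now

    def record_failure(self, account, now):
        """Record a failed attempt; return True if the account is now locked."""
        if self.is_locked(account, now):
            return True             # attempts during a lockout are not counted
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)  # a successful login resets the counter
```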


Create a Data Classification and Handling Policy

A data classification and handling policy classifies data according to characteristics such as sensitivity, use, risk and organizational value, and sets out rules governing how each category of data should be handled, processed and stored.

A risk-based approach to managing data security is important for maintaining compliance with key data protection regulations and standards, including UK GDPR. A data classification and handling policy should therefore identify high-risk, critical data types and prioritize these for protection using the most rigorous security controls. This policy should be combined with the principle of least privilege to ensure users have access only to the data they strictly need.

Here are some key considerations and tips for establishing a data classification and handling policy:

  • Can the data be used to identify an individual? If data can be used to infer someone’s identity, it’s classed as ‘personally identifiable information’ (PII) and falls within the scope of GDPR. This data must be prioritized for strict governance and be subject to multi-layered cyber security protections.
  • Attach processing, handling and storage rules to each classification level. Each data type should be assigned an appropriate level of protection based on factors such as handling risks, information sensitivity and the data’s value. These protections should be applied uniformly across processing and handling activities, as well as data storage locations, to ensure confidentiality, privacy and integrity are maintained at all times.
  • Review data classifications and protection measures regularly. Create a schedule for reviewing data classifications and the controls being applied to safeguard sensitive information types. This ensures that new information types are captured by your policy, and subjected to the appropriate level of data governance in accordance with your compliance obligations.
  • Train employees on data handling best practice. It’s important that employees understand your data classification and handling policy and their role within it. Ensure employees that handle sensitive data types understand their duties and responsibilities within the context of both the policy and your data protection compliance obligations more broadly.


Conclusion

With state-of-the-art data centres that feature the latest security infrastructure and intuitive, integrated security features that make it easy to safeguard user accounts, the cloud can provide a secure, reliable solution for hosting business-critical data and applications. By being mindful of where your business’s cloud security responsibilities lie and taking the necessary steps to secure your accounts, data and systems, you’ll ensure that your cloud assets remain invulnerable to the majority of cyber threats and data risks.

Stay tuned for our next blog, where we’ll look at some of the technical measures you can use to further protect your cloud environment.


BrightSkye – Ensure cloud security with our expert guidance and solutions.

We’re cloud experts, with an impressive track record in delivering secure, compliant and fully-optimised cloud deployments for businesses across Glasgow, Lanarkshire and the wider Central Belt. Let us help you harness the power of the cloud without compromising on security. Get in touch today, to find out how our expert guidance and solutions can benefit your business.
