Cloud infrastructure has become cheap, reliable and mature enough that more and more companies are moving workloads there. Anything from database management to IoT, from data storage and backup to email servers, can nowadays be run in the cloud in a scalable and cost-efficient manner. You can build a company solely upon the infrastructure of one of the cloud giants: Amazon Web Services, Microsoft Azure or Google Cloud. Many companies do exactly that.
As a managed service provider, you’re sure to have seen this trend for “cloudization”. And as a managed service provider, you should also have seen the significant rise in cybersecurity attacks and breaches. So, with most of your clients’ business-critical workloads in the cloud, it is your responsibility to protect these workloads.
In this guide, we will provide the best tips to harden your cloud security, identity, and access management.
IAM in the Cloud
Cloud “IAM”, which stands for identity and access management, is a term that encompasses the credentials, users, roles and permission policies used to control access to cloud resources. The term itself is not used by every cloud vendor. AWS has AWS IAM and Google Cloud Platform has Google Cloud IAM, while Microsoft Azure handles identity through Azure Active Directory (now Microsoft Entra ID) and grants permissions on resources through Azure role-based access control.
From the security standpoint, your interactions with cloud resources break down into two categories:
- Credentials and user management. The first point of contact with the cloud occurs when you sign in to the service. For the web console this is a username and password (plus a second factor); for the CLI, SDKs and automation it is a long-lived credential pair such as an AWS access key ID and secret access key. Both kinds of credential grant access to your resources, and both need to be properly secured.
- Managing resources inside the cloud account. Sometimes you need to grant access to certain resources to third parties – other users or applications. This creates the possibility of misconfiguration of the access patterns, which raises security risks, as we will see later in the article.
Here are the best measures to be sure that your credentials are secure:
- Create strong, unique passwords. Length matters more than character mixing: a randomly generated password or passphrase of at least 12-16 characters, unique to each account, resists brute force, and because it is not a common or reused password it also defeats password spraying, which works by trying a handful of popular passwords against many accounts. Complexity rules alone do not stop spraying; uniqueness, lockout policies and a second factor do.
- Rotate credentials when it matters. Forcing users to change passwords every month tends to produce weaker, predictable variations, and current guidance (NIST SP 800-63B) no longer recommends scheduled rotation of human passwords; change them immediately on suspected compromise instead. Long-lived machine credentials are different: access keys that sit in scripts and CI systems should be rotated on a schedule (90 days is a common limit) or, better, replaced with short-lived credentials obtained through roles.
- Use multi-factor authentication. A password of any length and complexity can still be compromised by phishing or social engineering (or, more trivially, by a sticky note on a monitor). So you need a second layer of protection: the second factor. Options, from strongest to weakest, are a hardware security key (FIDO2/WebAuthn, which resists phishing), an authenticator app generating time-based codes or push prompts, and SMS codes, which are vulnerable to SIM swapping and should be a last resort. All major cloud providers offer native MFA; enable it first on the root or global administrator account.
- Use password management tools. A password manager keeps your secrets encrypted in a vault protected by a master password and MFA, generates unique passwords for every account, and lets you share credentials with colleagues without pasting them into chat or email. Note the different product categories: LastPass is a password manager, while Duo and Okta are MFA and single sign-on providers that reduce the number of passwords you hold in the first place; MSPs typically use one of each.
The Principle of Minimal Privilege
The more resources you control in the cloud, the greater the number of users who will need access to them. For example, your staff in charge of a given client may need access to that client's storage, or the client's solution architect may need to work with their production database. Every additional user or application with access raises the risk.
The prime rule is the principle of least privilege: grant each identity only the permissions it needs, on only the resources it needs, for only as long as it needs them. It takes longer to create several users or roles with granular permissions than to hand out one administrator credential, but doing so greatly reduces the blast radius when a credential is phished, leaked in a repository or left on a departed employee's laptop: the attacker gets one client's bucket, not every workload you manage.
This approach requires planning access patterns beforehand and organising them into groups and roles rather than per-user exceptions. Document every user and application accessing the cloud, the resources each one needs, and the actions it needs to perform on them, and review that list whenever staff or clients change.
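As an added example (not the article's own code), the Python below builds a least-privilege AWS IAM policy that lets one identity list and read a single client's prefix in a shared backup bucket, sets it beside the wildcard policy that is often handed out instead, and includes a small check that flags wildcard grants in any policy document. The bucket and prefix names are placeholders; the policy structure and condition key (`s3:prefix`) are standard IAM.

```python
"""Least-privilege S3 access policy versus a wildcard policy, with a wildcard check.

Added example, not the article's code. Bucket and prefix names are placeholders.
"""
import json


def client_readonly_policy(bucket, prefix):
    """Build a policy that can list and read only `prefix/` inside `bucket`.

    Listing is allowed on the bucket ARN but restricted to the prefix via the
    s3:prefix condition key; object reads are allowed only under the prefix.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListClientPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": "ReadClientObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


# The shortcut that violates least privilege: every S3 action on every bucket
# in the account, so one leaked key exposes every client's data.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return (sid, reason) for each Allow statement that uses a wildcard action or resource."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcard_actions:
            findings.append((sid, f"service-wide action wildcard: {wildcard_actions}"))
        if "*" in resources:
            findings.append((sid, "Resource '*' covers every resource in the account"))
    return findings


if __name__ == "__main__":
    scoped = client_readonly_policy("acme-backups", "client-a")
    print(json.dumps(scoped, indent=2))
    print("scoped findings:", overbroad_statements(scoped))
    print("broad findings: ", overbroad_statements(BROAD_POLICY))
```

Attach the generated policy to an IAM group or role per client rather than to individual users, and run `overbroad_statements` over every customer-managed policy in the account as part of the scheduled review; `aws iam get-policy-version` returns the JSON documents this function expects.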
Dangers of Sharing Data
In recent years there have been several huge leaks of personal and corporate data from misconfigured Amazon S3 buckets, including records from Dow Jones, the company behind the famous industry index, the personal data of almost 200 million US voters, and a database containing over 500 million Facebook user records. Amazon Web Services, however, is not the only cloud provider whose users wrongly configure access to their resources. In January 2020, an exposed database with over 250 million customer-support records was found on Microsoft Azure.
The scenario behind these leaks is similar: the people in charge of the storage or database set its access controls to allow anonymous access. Whether the setting is called “Everyone”, “AllUsers”, a bucket policy with `Principal: "*"`, or a database bound to a public IP with no authentication, the effect is the same: the data is exposed to the whole internet, where researchers and attackers alike continuously scan cloud address ranges and bucket namespaces, and it will eventually be found.
AWS has introduced several protections for this, notably S3 Block Public Access, an account- and bucket-level setting that overrides public ACLs and policies (new buckets now have it enabled by default), but the root cause is always a configuration choice made by a user, and a user can switch the protection off. The rule is simple: do not make any cloud resource reachable from the internet unless it is deliberately serving the public, and when a third party needs data, grant access to their specific account or role rather than to “everyone”.
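As an added example (not code from the original article), the Python below shows the three bucket-policy shapes that matter here: a public-read policy of the kind behind the leaks above, a version of it restricted to one partner account's role, and a version narrowed by an IP condition that still deserves review. A check function flags statements granted to the anonymous principal, and the S3 Block Public Access configuration that would stop the public policy from taking effect is spelled out. Bucket names, account IDs and the role name are placeholders.

```python
"""Detect anonymous-principal grants in S3 bucket policies; show the fix.

Added example, not the article's code. Account IDs, bucket and role names
are placeholders; 203.0.113.0/24 is the documentation address range.
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


# The misconfiguration behind the breaches discussed above: anyone on the
# internet can read every object in the bucket.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::acme-client-exports/*",
    }],
}

# The fix when a third party needs the data: name their role, not "everyone".
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PartnerRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/PartnerIngest"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::acme-client-exports/*",
    }],
}

# Anonymous principal narrowed by a source-IP condition: not open to the whole
# internet, but still "public" in IAM terms and worth a human review.
IP_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OfficeRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::acme-client-exports/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}


def _is_anonymous(principal):
    """True for both spellings of "anyone": "*" and {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Return (sid, verdict) for each Allow statement granted to the anonymous principal."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        if stmt.get("Condition"):
            findings.append((sid, "anonymous principal narrowed by Condition: review"))
        else:
            findings.append((sid, "anonymous principal with no Condition: open to the internet"))
    return findings


# Account-level guard rail. Apply with:
#   aws s3api put-public-access-block --bucket <name> \
#     --public-access-block-configuration file://bpa.json
# With BlockPublicPolicy on, PUBLIC_READ_POLICY above is rejected at PutBucketPolicy time.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY),
                         ("ip-scoped", IP_SCOPED_POLICY)]:
        print(f"{name:11}", public_statements(policy) or "no anonymous grants")
```

On Azure the equivalent guard rail is the storage account's "Allow Blob public access" setting (`allowBlobPublicAccess`), which should be disabled unless the account deliberately hosts public content. Run `public_statements` against every bucket policy returned by `aws s3api get-bucket-policy` as part of the scheduled assessment.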
Cloud security rules are simple, and any IT professional knows them by heart. And yet the number of successful attacks and data breaches rises each year, almost always through the same basic mistakes: a credential without MFA, a permission set far wider than the job required, a storage bucket open to everyone. Start by assessing your cloud security and identifying the weak points. Then turn that list into concrete remediation tasks, with an owner and a deadline for each. Repeat the assessment on a schedule, monthly or quarterly, to be sure that your clients' workloads stay safe in the cloud.