Users of cloud-based services often assume that the provider is responsible for managing the security of their services.
While Amazon Web Services (AWS), Microsoft Office 365 (O365) and Azure are compliant with security best practices, their compliance only covers the components they are responsible for. Using a shared security model, their customers are still primarily responsible for the security of many other components.
For example, Amazon is responsible for managing their infrastructure and foundation services such as compute, storage, databases and networking. In many cases, customers still may be responsible for managing (and ensuring security for) operating systems, network configuration, platform and application management, customer data, firewall configurations, encryption, credential management and more.
In addition, while cloud services can be configured to support a high level of security, many times clients use default configuration options that provide attackers with vulnerabilities they can exploit. Attacks on poorly configured O365 environments made up a significant number of our incident response calls this past year.
It is very important that users of cloud services understand their security responsibilities versus the responsibilities of their service provider. Users also need to ensure that the configurations and settings for their cloud services establish the appropriate level of security.
Here are five best practices that can help your organization reduce the risk of a data breach or unauthorized access to your cloud services.
- Enable Multi-Factor Authentication
Multi-factor authentication (MFA) goes beyond providing your user ID and password to log on to a service. MFA requires additional authentication mechanisms such as tokens, biometrics, texts, calls or approval of a notification in an app on a user’s mobile device. This one control can stop the majority of initial attacks on most cloud implementations.
- Practice Effective Security Hygiene
Just as personal hygiene is important each day (e.g., brush your teeth, brush your hair and wash your face), having effective security hygiene can reduce your cyber risk. Your credentials are essentially the key to your systems and data. Good security hygiene starts with using strong passwords and passphrases, avoiding dictionary words and not sharing passwords between accounts or with other users.
- Be Aware of the Use of Cloud-Based Federated Services
Services such as Microsoft’s Active Directory Federation Services (ADFS) provide easy ways to collaborate (e.g., send IMs and texts) between organizations. They also can provide tools for hackers to impersonate and phish for information. Evaluate the use of federated services, and ensure you understand the potential risks of the configuration settings.
- Remember That Cloud Still Consists of Hardware, Networks and Applications
Utilizing services in the cloud doesn’t change the fact that computing environments still run on hardware and software. While some of the responsibilities for management might change, the underlying mechanisms for securing your systems and data are similar to managing your physical devices.
Processes like system hardening, patching, asset management, firewall management and log and audit information maintenance all are just as important in cloud environments.
- Understand the Tools Available for Managing Cloud Configurations and Settings
Many cloud vendors have tools that can assist their customers in managing their online security. For example, O365 has a Secure Score feature that is designed to help IT administrators gauge the security of their O365 configuration. The O365 Secure Score rates the configuration on a scale, where the most secure score is (curiously) 364. O365 is not set up for strong security as it is initially provisioned; the initial, out-of-the-box score for O365 is a lowly 26.
By implementing the configuration options and corresponding controls that have been deemed most important by Microsoft, you can improve the Secure Score accordingly. Below are seven recommendations for your cloud and O365 environment.
- Enable MFA: As we discussed above, this is the single most important control to implement increased security in cloud environments.
- Enable Audit Data Recording: This provides you with a record of every user and administrator's interaction with the service, making it possible to investigate and determine the scope of a security breach.
- Enable Client Rules Forwarding Blocks for Email: External mail forwarding has been increasingly used to exfiltrate data, and this will mitigate that risk.
- Review the “Sign-Ins After Multiple Failures” Report Weekly: Review cloud security reports at least every week. An example is a report that identifies accounts that have successfully signed in after multiple risk events, such as changing locations and IP addresses, which could be an indication that the account may be compromised.
- Set Outbound Spam Notifications: Set your outbound spam notifications to copy and notify someone when a sender in your environment has been blocked for sending excessive or spam emails. A blocked account is a good indication that the account in question has been breached and that an attacker is using it to send spam emails to other people.
- Enable Mailbox Auditing for All Users: For example, O365 non-owner access is audited by default, but you must enable auditing on the mailbox for owner access to be audited as well. This will allow you to discover illicit access and activity if a user's account has been breached.
- Enable Email Content Encryption/Rights Management: For O365, this involves enabling Information Rights Management (IRM) services. IRM services give users the ability to apply protection to their files and limit the ability to access and distribute files. This will allow your users to encrypt their files so that only the intended recipient can open and decrypt them.
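The weekly review of sign-ins after multiple failures can also be run over exported sign-in records. The sketch below is an added example, not part of the original article or of any Microsoft tool; the record layout, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user, source IP, result).
# The layout is an assumption, not the schema of any O365 export.
SAMPLE_SIGNINS = [
    ("2024-03-04T06:00:00", "carol@example.com", "192.0.2.10", "failure"),
    ("2024-03-04T06:00:20", "carol@example.com", "192.0.2.10", "failure"),
    ("2024-03-04T06:00:45", "carol@example.com", "192.0.2.10", "failure"),
    ("2024-03-04T08:00:10", "alice@example.com", "203.0.113.7", "failure"),
    ("2024-03-04T08:00:40", "alice@example.com", "203.0.113.7", "failure"),
    ("2024-03-04T08:01:15", "alice@example.com", "203.0.113.7", "failure"),
    ("2024-03-04T08:01:50", "alice@example.com", "198.51.100.20", "failure"),
    ("2024-03-04T08:02:30", "alice@example.com", "198.51.100.20", "success"),
    ("2024-03-04T08:15:00", "bob@example.com", "192.0.2.44", "failure"),
    ("2024-03-04T08:15:20", "bob@example.com", "192.0.2.44", "success"),
    ("2024-03-04T09:00:00", "carol@example.com", "192.0.2.10", "success"),
]


def success_after_failures(records, min_failures=3, window=timedelta(minutes=30)):
    """Flag each successful sign-in preceded by at least min_failures
    failed attempts for the same account inside the time window."""
    pending = defaultdict(list)  # user -> [(time, ip)] failures since last success
    findings = []
    for ts, user, ip, result in sorted(records):
        when = datetime.fromisoformat(ts)
        # Keep only failures recent enough to belong to the current streak.
        fails = [(t, a) for t, a in pending[user] if when - t <= window]
        if result == "failure":
            fails.append((when, ip))
            pending[user] = fails
            continue
        if len(fails) >= min_failures:
            failure_ips = sorted({a for _, a in fails})
            findings.append({
                "user": user,
                "time": ts,
                "failures": len(fails),
                "failure_ips": failure_ips,
                # True when a source that had been failing is the one that got in.
                "success_from_failing_ip": ip in failure_ips,
            })
        pending[user] = []  # a success ends the streak
    return findings


if __name__ == "__main__":
    for finding in success_after_failures(SAMPLE_SIGNINS):
        print(finding)
```

A single mistyped password followed by a success (bob) and a success that arrives hours after the failures (carol) are not flagged; only the burst of failures from changing IP addresses followed by a success (alice) is.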
There are many benefits of using cloud computing platforms, but the management of risk remains primarily in the user’s hands. Cloud environments can be managed to a high level of security, but out-of-the-box configurations rarely provide adequate levels of security. Ensure your IT team or IT service provider understands and has implemented appropriate controls and security measures.
You can explore additional topics related to this article at the following links:
- O365 Secure Score
- O365 Security Roadmaps
- Amazon Web Services Compliance
- Amazon Web Services IAM
If you would like to learn more about how to protect your business’s cloud environment, contact Wipfli.