What does a threat actor need to compromise a network? Technical proficiency, experience, luck? Yes, all of these help. However, to successfully compromise a network and undermine your cloud security, threat actors ultimately need access and time.
Denying them either of these luxuries should be the objective of a well-designed cloud security program. Most organizations understand this need and are eager to implement measures that prevent intrusion into their critical systems. Despite their enthusiasm, it’s often challenging to know exactly where to start with cloud security. This confusion can lead to overspending (or underspending) on cloud security tools, talent or providers without a clear understanding of data protection requirements – all to the benefit of threat actors.
Fortunately, there is a starting point for cloud security. Organizations can get a head start on lowering their risk by implementing three essential elements, which are:
- Network segmentation
- Access control & strong authentication
- Logical encryption
These aspects significantly reduce a threat actor’s ability to successfully breach your critical data and should be the starting point for an organization – regardless of the type of data they manage and where it’s hosted.
Essential #1: Network segmentation
To compromise systems, a threat actor needs to be able to “see” them on the network. Network segmentation can make this much more difficult if done properly. A hospital provides an excellent example of segmentation at the physical layer. Access to various areas of the hospital is restricted to only those with a need to enter them. This is an effective way to protect sensitive areas, such as admissions/discharge, file rooms, diagnostics, etc., from unauthorized people. You can take this same approach with your network and create isolated areas where your sensitive data resides, only allowing authorized users to “see” and access these areas.
Network segmentation is relatively easy and inexpensive to implement as your current networking equipment has the capabilities already available. However, network segmentation alone isn’t all you need.
Management of user groups, in addition to network segmentation, is also critical, especially given how often compromises begin with human error or negligence (think phishing scams). Once a user is compromised, that user’s level of access becomes weaponized, granting threat actors the same permissions as the user. A network admin and a sales manager don’t need the same level of access. By limiting user groups to the lowest level of needed access and only granting higher-level permissions on an as-needed basis, you can greatly diminish a threat actor’s ability to move laterally inside your network.
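As an added worked example (not code from the original article), the following Python script models the “can they see it?” decision described above: segments are defined as address ranges, the only permitted cross-segment flows are listed explicitly, and everything else is denied by default. It also renders the same matrix as nftables rule bodies for a forward chain whose policy is drop. The zone names, addresses and flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone model (hypothetical address space): segment name -> CIDR.
ZONES = {
    "users": ipaddress.ip_network("10.10.0.0/16"),   # workstations
    "web":   ipaddress.ip_network("10.20.0.0/24"),   # application front ends
    "db":    ipaddress.ip_network("10.30.0.0/24"),   # data stores
    "mgmt":  ipaddress.ip_network("10.99.0.0/24"),   # admin jump hosts
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# The only cross-zone flows that exist; anything not listed is dropped.
# Deliberately no users -> db entry: a compromised workstation cannot "see" the database.
ALLOWED_FLOWS = {
    Flow("users", "web", "tcp", 443),
    Flow("web", "db", "tcp", 5432),
    Flow("mgmt", "web", "tcp", 22),
    Flow("mgmt", "db", "tcp", 22),
}


def zone_of(ip: str):
    """Return the segment an address belongs to, or None if it is outside the model."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Default-deny decision for a connection attempt between two addresses."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False            # unknown address space is never trusted
    if src == dst:
        return True             # traffic inside one segment is not governed by this matrix
    return Flow(src, dst, proto.lower(), dport) in ALLOWED_FLOWS


def to_nft_rules():
    """Render the matrix as nftables rule bodies for a forward chain with policy drop."""
    rules = ["ct state established,related accept"]
    for f in sorted(ALLOWED_FLOWS, key=lambda x: (x.src_zone, x.dst_zone, x.dport)):
        rules.append(
            f"ip saddr {ZONES[f.src_zone]} ip daddr {ZONES[f.dst_zone]} "
            f"{f.proto} dport {f.dport} ct state new accept"
        )
    rules.append("counter drop")     # explicit final drop so the policy is visible in counters
    return rules


if __name__ == "__main__":
    print("users -> web:443 ", is_allowed("10.10.5.7", "10.20.0.10", "tcp", 443))
    print("users -> db:5432", is_allowed("10.10.5.7", "10.30.0.10", "tcp", 5432))
    print("\n".join(to_nft_rules()))
```

The useful habit here is that the allow-list is the single source of truth: the evaluator and the firewall rules are generated from the same data, so a review of what can reach the database segment is a review of four lines rather than of a device configuration.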
Essential #2: Access control & strong authentication
Segmenting your network to protect sensitive data must be accompanied by robust access control and authentication procedures to prevent unauthorized individuals from gaining access to those systems they can “see.” Access to specific systems and data should be based on roles and privileges, limiting users to only what’s necessary to accomplish their tasks.
This process requires the participation of the system owners who are responsible for approving the roles and permissions, along with IT and HR staff. Centralized directory services such as Active Directory or Lightweight Directory Access Protocol (LDAP) should be used, with groups that correspond to the defined roles, to implement the required access.
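The following Python example is added here and is not part of the original article. It shows the group-to-role-to-permission mapping the two paragraphs above describe, a time-bound elevation so that higher privileges lapse on their own (the “as-needed basis” from the segmentation section), and an access review that compares permissions actually configured on systems against what each user’s roles justify. The roles, directory group names, users and permissions are all constructed.

```python
import time
from typing import Optional

# Constructed role catalogue (hypothetical systems): role -> permissions as "system:action".
ROLE_PERMISSIONS = {
    "sales":    {"crm:read", "crm:write"},
    "helpdesk": {"crm:read", "tickets:write"},
    "netadmin": {"firewall:admin", "switches:admin", "tickets:write"},
}

# Directory groups as they would appear in AD/LDAP, each mapped to exactly one role.
GROUP_TO_ROLE = {
    "CN=Sales,OU=Groups,DC=example,DC=com":     "sales",
    "CN=Helpdesk,OU=Groups,DC=example,DC=com":  "helpdesk",
    "CN=NetAdmins,OU=Groups,DC=example,DC=com": "netadmin",
}

# Group membership, e.g. the result of an LDAP memberOf query (constructed).
USER_GROUPS = {
    "alice": {"CN=Sales,OU=Groups,DC=example,DC=com"},
    "bob":   {"CN=Helpdesk,OU=Groups,DC=example,DC=com"},
    "carol": {"CN=NetAdmins,OU=Groups,DC=example,DC=com"},
}

# Time-bound elevations: user -> list of (role, expiry as epoch seconds).
ELEVATIONS: dict = {}


def roles_of(user: str, now: float) -> set:
    """Roles from standing group membership plus any elevation that has not expired."""
    roles = {GROUP_TO_ROLE[g] for g in USER_GROUPS.get(user, set()) if g in GROUP_TO_ROLE}
    roles |= {role for role, expires in ELEVATIONS.get(user, []) if now < expires}
    return roles


def effective_permissions(user: str, now: Optional[float] = None) -> set:
    now = time.time() if now is None else now
    perms = set()
    for role in roles_of(user, now):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_permitted(user: str, permission: str, now: Optional[float] = None) -> bool:
    return permission in effective_permissions(user, now)


def elevate(user: str, role: str, seconds: int, now: Optional[float] = None) -> float:
    """Grant a role temporarily; it lapses by itself, so the standing state stays least privilege."""
    now = time.time() if now is None else now
    expires = now + seconds
    ELEVATIONS.setdefault(user, []).append((role, expires))
    return expires


def review_excess_grants(actual_grants: dict, now: Optional[float] = None) -> dict:
    """Compare permissions actually configured on systems with what each user's roles justify.

    actual_grants: user -> permissions found in a system export.
    Returns user -> grants that no current role explains (candidates for removal)."""
    findings = {}
    for user, perms in actual_grants.items():
        excess = set(perms) - effective_permissions(user, now)
        if excess:
            findings[user] = excess
    return findings


if __name__ == "__main__":
    print("alice:", sorted(effective_permissions("alice")))
    export = {"bob": {"crm:read", "tickets:write", "firewall:admin"}}
    print("excess grants:", review_excess_grants(export))
```

Running `review_excess_grants` against a periodic export of each system’s permissions is the mechanical form of the “reviewed regularly” step: the output lists exactly the grants that survived a role change or were added outside the process.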
While access refers to specific role-based permissions, authentication is the technical implementation in which individuals must confirm their identity during the access process.
Multi-factor authentication is a crucial element for confirming users’ identity. It combines two or more independent credentials: something the user knows (a password), something the user has (a security token) and something the user is (biometric verification). If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.
Multi-factor authentication should be used for access to all sensitive systems and data. Essentially, it renders a stolen password useless on its own, significantly reducing the risk of compromise and making it extremely difficult for hackers to move laterally within your network. Access permissions and user authentication should be reviewed regularly to account for staff joining, leaving or switching roles within a company.
Essential #3: Logical encryption
Logical encryption for data at rest ensures that it is useless except to those applications and users with a legitimate need to access the data. For organizations subject to HIPAA, this is vital as the regulation essentially requires that all protected health information (PHI) at rest be encrypted. It’s important to note that not all encryption is equal.
While some believe whole disk encryption is sufficient, it’s only suitable for mobile devices and removable media. An always-on server requires its credentials once, at boot, and the disk then stays decrypted for as long as the server is running, leaving the data unsecured against anyone who reaches the running system. Logical, credential-based encryption provides more comprehensive security because access to decrypted data depends on specific credentials that are allowed access to the decryption key. As with all encryption, strong key management is critical to ensuring the protection of encrypted data.
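To make the contrast concrete, here is an added Python example (not code from the original article) of the credential-gated key release the paragraph describes: a data encryption key (DEK) is never stored in the clear, each authorized principal holds its own wrapping of it under a key derived from that principal’s credential, and records encrypted under the DEK are unreadable without a successful release. The wrapping and record encryption use standard-library primitives (PBKDF2, HMAC-SHA256) so the example runs anywhere; in production the record encryption and key wrapping would be AES-GCM or AES key wrap from a vetted library or a cloud KMS. Principal names and passphrases are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # work factor for turning a credential into a key; tune per hardware


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256 in counter mode (illustration only; use AES-GCM in production)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_record(dek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the DEK; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = dek[:16], dek[16:]
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(dek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the record was altered."""
    enc_key, mac_key = dek[:16], dek[16:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


class KeyStore:
    """Holds the DEK only in wrapped form, one wrapping per authorized principal.

    The clear DEK exists in memory only while a request carrying a valid credential
    is being served; there is no boot-time unlock that leaves it resident."""

    def __init__(self):
        self._entries = {}          # principal -> (salt, wrapped_dek, tag)

    @classmethod
    def create(cls, principal: str, passphrase: str) -> "KeyStore":
        store = cls()
        store._wrap(principal, passphrase, secrets.token_bytes(32))
        return store                # the clear DEK is not retained

    def _wrap(self, principal: str, passphrase: str, dek: bytes) -> None:
        salt = secrets.token_bytes(16)
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, 64)
        wrapped = _xor(dek, kek[:32])      # mask is single-use: fresh salt for every wrap
        tag = hmac.new(kek[32:], salt + wrapped, hashlib.sha256).digest()
        self._entries[principal] = (salt, wrapped, tag)

    def grant(self, new_principal: str, new_passphrase: str,
              by_principal: str, by_passphrase: str) -> bool:
        """Authorize another principal; requires a credential that can already release the key."""
        dek = self.release(by_principal, by_passphrase)
        if dek is None:
            return False
        self._wrap(new_principal, new_passphrase, dek)
        return True

    def revoke(self, principal: str) -> None:
        self._entries.pop(principal, None)

    def release(self, principal: str, passphrase: str) -> Optional[bytes]:
        """Return the DEK to a principal presenting a valid credential, else None."""
        entry = self._entries.get(principal)
        if entry is None:
            return None
        salt, wrapped, tag = entry
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, 64)
        if not hmac.compare_digest(hmac.new(kek[32:], salt + wrapped, hashlib.sha256).digest(), tag):
            return None
        return _xor(wrapped, kek[:32])

    def principals(self):
        return sorted(self._entries)


if __name__ == "__main__":
    store = KeyStore.create("app-svc", "correct horse battery staple")   # constructed credential
    dek = store.release("app-svc", "correct horse battery staple")
    blob = encrypt_record(dek, b"PHI: constructed sample record")
    print("with key:   ", decrypt_record(dek, blob))
    print("without key:", decrypt_record(bytes(32), blob))
```

Revoking a principal removes only that principal’s wrapping, so access review becomes key management: the list returned by `principals()` is the complete set of credentials that can ever decrypt the data, which is the property a boot-time disk unlock cannot give you.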
Putting it all together
Implementing network segmentation and strong access control with multi-factor authentication can dramatically reduce the ability for a threat actor to enter and move laterally within your network – providing significant risk reduction at a relatively low cost. Adding logical encryption for your most sensitive data provides further protection by only allowing access to this data under well-documented and understood circumstances.
Starting with these three practices will strengthen your base cloud security, reduce risk and ensure proper evaluation of all security layers needed for a comprehensive cloud security program.