Cyber Hygiene - Cloud

Do teeth brushing and cloud security correlate? Can teeth brushing save us money?

Hey everybody. I'm Yoav, and this is the last but not least of our cyber hygiene post series. This one is on implementing cyber hygiene in cloud environments.

In our previous post, “cyber hygiene – actions”, we learned how good security practices and habits increase your network security. As cloud computing is on the rise, let’s take a step further and see how this applies to cloud environments. The bottom line is the same: good habits will dramatically increase your security posture. Another huge value is that cloud hygiene keeps your environment in order and cost-effective.

In order to achieve these goals, you need to apply the following hygiene actions:

Management Console Review

The console is where you can review each account, virtual network and service to see what’s currently going on. Review the service list and write down unnecessary services, services you don’t recognize, services that you think shouldn’t be in your cloud and, no less important, services that consume a high volume of memory. Analyze each service you listed: justify it or get rid of it.

The console review is an old school approach to maintaining your system, but it is a highly effective way of keeping costs under control and keeping security in check.

Cloud Invoice Review

The invoice contains a consolidated itemization of spend across the various services. It also provides a breakdown of spending on services within each linked account. Modern organizations review paid invoices; however, this is usually done by finance, who look at the amount spent and not at the content. We recommend reviewing the invoice jointly. Unexpected spend on a service can serve as a warning that helps your IT team and especially the security guys. The invoice also lists the services your cloud has consumed and which accounts were active during the period. If there are significant anomalies, you will probably identify them right away.

Services Automated Restart

Another simple way to reduce costs is to shut down systems when they are not needed. An organization can save a lot of money by simply turning the development and test environments off when they’re not in use. If you don’t believe me, ask Werner Vogels, CTO of Amazon Web Services: “One way to save really significant dollars in dev and test is to switch your resources off when you go home”.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your username and password. With MFA enabled, when users sign in to the cloud, they are prompted for their username and password (the first factor: what they know), as well as for additional authentication information such as biometrics and tokens (the second factor: what they have) to ensure tighter security. This annoying control will decrease 95% of account hijacking, which is one of the most common cloud-related incidents.

Firewall Configuration

When you add a cloud-based firewall, its default rules are usually set to deny all. The simplest way to get traffic flowing is to add an “allow any” rule and let all sorts of data into your network. That is completely wrong. We recommend carefully checking which ports must be open so that your cloud services keep working. Do not use an “allow any” rule!

Here is an example: RDP and SSH are common protocols that enable remote management of virtual machines (VMs). The exposure of using these protocols over the internet is that attackers can gain access by breaking these unsecured protocols. Obviously, the VMs are just a starting point for spreading into your virtual network. Therefore, we encourage you to disable DIRECT RDP and SSH access to your virtual machines from the public internet.
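The check described above can be automated. The following is an added example, not part of the original post: it audits a constructed inbound rule list for “allow any” rules and for RDP or SSH reachable from the whole internet. The rule format and field names are hypothetical, not any provider's export format.

```python
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample rule set in a provider-neutral shape (hypothetical field names).
SAMPLE_RULES = [
    {"name": "web-https", "action": "allow", "source": "0.0.0.0/0", "protocol": "tcp", "ports": "443"},
    {"name": "temp-fix", "action": "allow", "source": "0.0.0.0/0", "protocol": "any", "ports": "any"},
    {"name": "admin-rdp", "action": "allow", "source": "::/0", "protocol": "tcp", "ports": "3389"},
    {"name": "ssh-range", "action": "allow", "source": "0.0.0.0/0", "protocol": "tcp", "ports": "20-25"},
    {"name": "ssh-bastion", "action": "allow", "source": "10.0.5.0/24", "protocol": "tcp", "ports": "22"},
    {"name": "default", "action": "deny", "source": "0.0.0.0/0", "protocol": "any", "ports": "any"},
]

def port_range(spec):
    """Turn '443', '20-25' or 'any' into an inclusive (low, high) tuple."""
    if spec == "any":
        return (0, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))

def from_anywhere(source):
    """True when the source CIDR covers the whole internet (prefix length 0)."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0

def audit(rules):
    """Return (rule name, finding) pairs for inbound allow rules open to the internet."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or not from_anywhere(rule["source"]):
            continue
        low, high = port_range(rule["ports"])
        if rule["protocol"] == "any" and (low, high) == (0, 65535):
            findings.append((rule["name"], "allow any"))
            continue
        if rule["protocol"] in ("tcp", "any"):
            # A port range that merely contains 22 or 3389 exposes it as well.
            for port, label in MGMT_PORTS.items():
                if low <= port <= high:
                    findings.append((rule["name"], f"{label} open to the internet"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The rule that allows SSH only from the internal 10.0.5.0/24 range is not flagged, which matches the advice above: remote management stays possible, just not directly from the public internet.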

Operational Segmentation

To give you more controlled management and security, you should split your cloud environment into different areas. Many cloud environments include three core areas: production, test and internal IT.

Production is where your customer- and partner-facing services run. Production services usually have high up-time and security requirements. The test area is typically accessed only by your own DevOps team. Internal IT is where you run applications and services used by employees.

Separate these environments with a dedicated firewall. Manage and secure each environment according to its needs, starting with user permissions. Don’t let anyone access anything. Note that you should not add too much complexity to the overall environment. After all, we need smooth and effective cloud operations.

Users Permissions

Monitor access logs frequently. This simple routine will help you spot anomalies and ensure the correct level of access, and it does more than that. Access monitoring lets you control the balance between security and productivity by showing “how” users are accessing the services. Monitoring access paths can deliver business value well beyond security.

Another good practice is giving access to resources based on device identification, identity, network location and other restrictions. Again, do not let security be a burden. Do not overdo it.

Another way to improve your permissions control is to grant temporary permissions to perform privileged tasks. This habit will prevent malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it.

The last hygiene advice about user permissions is to set up a process that ensures terminated employees’ accounts are disabled immediately. It is a simple control to avoid unauthorized access. After all, open accounts are an exposure that can be easily exploited.
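The last two habits lend themselves to a routine check. The following is an added example, not part of the original post: it reconciles a constructed account list against a list of terminated employees and sorts privileged grants into expired and standing (no expiry) ones. All user names, roles and field names are hypothetical sample data.

```python
from datetime import datetime, timezone

# Constructed sample data; field names are hypothetical, not a provider's export format.
ACCOUNTS = [
    {"user": "dana", "enabled": True},
    {"user": "omer", "enabled": True},
    {"user": "lior", "enabled": False},
    {"user": "noa", "enabled": True},
]
TERMINATED = {"omer", "lior"}  # assumed to come from the HR system
GRANTS = [
    {"user": "dana", "role": "db-admin", "expires": "2020-03-01T18:00:00+00:00"},
    {"user": "noa", "role": "network-admin", "expires": "2020-03-05T12:00:00+00:00"},
    {"user": "noa", "role": "billing-admin", "expires": None},
]

def orphaned_accounts(accounts, terminated):
    """Accounts that are still enabled although the employee has left."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] in terminated)

def review_grants(grants, now):
    """Split privileged grants into expired ones and ones with no expiry at all."""
    expired, standing = [], []
    for grant in grants:
        entry = (grant["user"], grant["role"])
        if grant["expires"] is None:
            standing.append(entry)   # never expires: not a temporary permission
        elif datetime.fromisoformat(grant["expires"]) <= now:
            expired.append(entry)    # should already have been revoked
    return expired, standing

if __name__ == "__main__":
    now = datetime(2020, 3, 2, 9, 0, tzinfo=timezone.utc)  # fixed for a repeatable run
    print("disable now:", orphaned_accounts(ACCOUNTS, TERMINATED))
    expired, standing = review_grants(GRANTS, now)
    print("revoke expired grants:", expired)
    print("grants without expiry:", standing)
```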

Awareness & Training

We raised this topic in our network cyber hygiene posts, and cloud environments are no different. In order to prevent errors and mistakes that may lead to unnecessary risk, you should train your employees on how to behave in the digital world. The messages from the cyber hygiene posts are the same:

  • Maintain data classification with clear controls for sensitive data. The fact that the data is in the cloud is irrelevant. Relevant controls should be applied.
  • Keep anti-malware software and critical patches updated on your cloud servers and nodes. Use your cloud provider’s “Shared Responsibility Model” to validate what is under your responsibility. Ensure it is covered.
  • Ensure you have backups and restoration options in case of a disaster. Not all disaster scenarios are relevant to cloud data. Just ensure that those that are have a recovery plan attached.
  • Safe internet habits – Train employees about phishing attacks: do not open suspicious attachments, disable popup windows and don’t install programs from unknown sources.

Now that we understand the importance of cloud hygiene habits to improve manageability, security and to keep costs under control, I invite you to start implementing those habits in your organization.

This is a very good start. Hope this post is useful.

If there are any questions, we at CST-360 would love to help.

What is this post?

These posts are the first of a new series I will write about cyber world fundamentals. My name is Yoav Berger, and I am an analyst at CST-360. I started a research process on cyber-related topics, and I wish to share what I have learned. Eventually, the goal of these posts is to help anyone who wants to improve their cybersecurity knowledge and give them fundamental cybersecurity tools that they can start applying right away.

 

by Yoav Berger

March 1, 2020
Cyber Hygiene - Cloud
