Cyber Hygiene - Cloud

Do teeth brushing and cloud security correlate? Can teeth brushing save us money?

Hey everybody. I'm Yoav and this the last and not least of our cyber hygiene post serious. This one is on implementing cyber hygiene on cloud environments.

On our previous post “cyber hygiene – actions” we learned how good security practices and habits will increase your network security. As cloud computing is on a rise, let’s take a step further and see how it impacts cloud environments. Bottom line is the same, good habits will dramatically increase your security posture. Another huge value is that cloud hygiene will keep your environment in order and with good cost-effective ratio.

In order to achieve these goals, you need to apply the following hygiene actions:

Management Console Review

The console is where you can review each account, virtual network and service to see what’s currently going on. Review the service list and write down unnecessary services, services you don’t recognize, services that you think shouldn’t be in your cloud and no less important, services that consume high volume of memory. Analyze each service you listed: justify or get rid of them.

The console review is an old school approach to maintaining your system, but it is a highly effective way of keeping costs under control and keeping security in check.

Cloud Invoice Review

In the invoice there is a consolidated itemization of spend across various services. It also provides a breakdown of spending on services within each linked account. Modern organizations review payed invoices, however, usually it is done by finance and they look on the capital spent and not on the content. We recommend you to jointly review the invoice. When you locate unexpected spend on services it can use as a warning that helps your IT team and especially the security guys. Also, the invoice provides a list of the services that your cloud has consumed and what accounts were active during the period. If there are significant anomalies you will probably identify them right away.

Services Automated Restart

Another simple way to reduce costs is to shut down the systems when they are not needed. An organization can save a lot of money by simply turning the development and test environments off when they’re not needed. If you don’t believe me ask Werner Vogels, CTO of Amazon Web Services: “One way to save really significant dollars in dev and test is to switch your resources off when you go home”.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your username and password. With MFA enabled, when a user signs into the cloud, they will be prompted for their user name and password (the first factor—what they know), as well as for another authentication information such as biometrics and tokens (the second factor—what they have) to ensure tighter security. This annoying control will decrease 95% of account hijacking, which is one of the most common cloud related incidents.

Firewall Configuration

When you add cloud-based firewall, usually its default rules are set to deny all. The simplest way to solve that is to add “allow any” rule and let all sorts of data get in your network. That is completely wrong. We recommend you to carefully check which ports should be open, enabling your cloud services continuous work. Do not use allow any ruling!

Here is an example: RDP and SSH are common protocols that enables remote management for virtual machines (VMs). The exposure of using these protocols over the internet is that attackers can gain access by breaking these unsecured protocols. Obviously, the VMs are just a starting point to spread into your virtual network. Therefore, we encourage you to disable DIRECT RDP and SSH access to your virtual machines from public internet.

Operational Segmentation

In order to allow you more controlled management and security, you should split your cloud environment into different areas. Many cloud environments include three core areas: production, test and internal IT.

Production is where your customers and partners facing services run. Production services usually have high up-time and security requirements. Test area is typically accessed only by your own DevOps team. Internal IT is where you run applications and services used by employees.

Separate these environments with dedicated firewall. Mange and secure the environments by their needs, starting with user permissions. Don’t let anyone access anything. Note that you should not add too much complexity to the overall environment. After all we need a smooth and effective cloud operations.

Users Permissions

Monitor access logs frequently. This simple routine will help you seek anomalies and will ensure correct level of access, but not only. Access monitoring can allow you to control the balance between security and productivity by adding the “how” users are accessing the services. Monitoring access paths can give business value much more than just security.

Another good practice is giving access to resources based on device identification, identity, network location and other restrictions. Again, do not let security be a burden. Do not exaggerate.

Another way to improve your permissions control is to grant temporary permissions to perform privileged tasks. this habit will prevent malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it.

The last hygiene advice about users’ permissions is to set a process that ensures the immediate disable of terminated employee’s accounts. Simple control to avoid unauthorized access. Afterall, open accounts are exposure that can be easily exploited.

Awareness & Training

Just like we raised this topic on our network cyber hygiene posts, cloud environments are no different. In order to prevent errors and mistakes that may lead to unnecessary risk, you should train your employees on how to behave in the digital world. The massages from the cyber hygiene posts are the same:

  • Maintain data classification with clear controls for sensitive data. The fact that the data is in the cloud is irrelevant. Relevant controls should be applied.
  • Updated anti-malware software and critical patches on your cloud servers and nodes. Use your cloud provider’s “Shared Responsibility Model”, to validate what is under your responsibility. Ensure it is covered.
  • Ensure you have backups and restoration options in case of a disaster. Not all disaster scenarios are relevant to the cloud data. Just ensure that those who are, have a recovery plan attached.
  • Safe internet habits – Train employees over phishing attacks and not to open suspicious attachments, disable popup windows and don’t install programs from unknown sources.

Now that we understand the importance of cloud hygiene habits to improve manageability, security and to keep costs under control, I invite you to start implementing those habits in your organization.

This is a very good start. Hope this post is useful.

If there are any questions, we at CST-360 would love to help.

What is this post?

These posts are the firsts out of some new series I will write about cyber world fundamentals. My name is Yoav Berger, and I am an analyst at CST-360. I started a research process on cyber-related topics, and I wish to share what I have learned. Eventually, the goal of these posts is to help anyone who wants to improve his cybersecurity knowledge and give him fundamental cybersecurity tools that they can start applying right away.


by Yoav Berger

Leave a Reply

Your email address will not be published. Required fields are marked *

More from our Blog

April 18, 2020
Is office space part of your strategy?

Could it be that organizations do not need office space anymore? Would it be fair to say that we can reduce a substantial part of our leased space costs? Imagine this: our employees are working remotely. Part of them are working from home, others sit in coffee houses or leased spaces next to their home. […]

March 1, 2020
Cyber Hygiene - Cloud

Do teeth brushing and cloud security correlate? Can teeth brushing save us money? Hey everybody. I'm Yoav and this the last and not least of our cyber hygiene post serious. This one is on implementing cyber hygiene on cloud environments. On our previous post “cyber hygiene – actions” we learned how good security practices and […]

February 17, 2020
Cyber Hygiene Actions

Hey you all, Its, Yoav. Thank you for coming back. On this post I will tell you how simple hygiene actions (with no additional tools required) can be implemented within your network, preventing digital illness and unnecessary disruption exposure. On our previous post, Cyber Hygiene basics, we saw the similarity between body hygiene and network […]

February 8, 2020
Cyber Hygiene Basics

Can you see the connection between personal body cleanse and computer network weaknesses? To my eyes, the connection is based on the term “Cyber Hygiene”. Does it ring a bell? What is Cyber Hygiene? to understand the meaning of this term, I want you to imagine... Imagine the world when people did not care of personal […]

January 4, 2020
Security Software as a Service

In the just ended decade cyberspace has change the way we live and operate. However, with so many cyber incidents and data breaches that impacted global business economy, the market understands that cybersecurity is a vital investment for businesses that wants to sustain their success. With this conclusion the cybersecurity realm received an enormous burst […]

April 30, 2017
CST-360 Protecting What Matters

Hello all, Welcome to our website blog. In this blog, we care to share our thoughts and insights on Cyber Security processes and business outputs, as we believe that governing your cyber defense operations will give your organization the highest value regardless of your tools and solutions. Our moto "protecting what matters", reflects the need […]

May 17, 2017
Governance Against Malware

In the past two weeks, all we hear are #WannaCry, #WannaCrypt, and the world’s biggest cyberattack. However, eventually, protecting against these and other malware,  is still a good Patch Management process. Nothing more. No extra security tools and no extra cost investments. So with no further due, just invest in good practices. Govern your IT and […]

December 31, 2018
2019 - New Year Predictions

Humbly and with respect, I admit that 2018 was very good for us @ CST-360.We had some new fascinating engagements that started and will continue into the new year with new technologies, new business models and above all new BUSINESS RISKS to address. What should we expect of coming 2019? Here are the three bullets […]

Visit Our Blog 

Leverage your business, 
while protecting what matters

Let's Plan Your Security
lockplusunlockunlock-altcopyrightcross linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram