Do teeth brushing and cloud security correlate? Can teeth brushing save us money?
Hey everybody. I'm Yoav, and this is the last but not least post in our cyber hygiene series. This one is about implementing cyber hygiene in cloud environments.
In our previous post, “cyber hygiene – actions”, we learned how good security practices and habits increase your network security. As cloud computing is on the rise, let’s take a step further and see how it impacts cloud environments. The bottom line is the same: good habits will dramatically improve your security posture. Another huge benefit is that cloud hygiene keeps your environment in order and cost-effective.
In order to achieve these goals, you need to apply the following hygiene actions:
Management Console Review
The console is where you can review each account, virtual network and service to see what’s currently going on. Review the service list and write down unnecessary services, services you don’t recognize, services that you think shouldn’t be in your cloud and, no less important, services that consume a high volume of memory. Analyze each service you listed: justify it or get rid of it.
The console review is an old-school approach to maintaining your system, but it is a highly effective way of keeping costs under control and keeping security in check.
Cloud Invoice Review
The invoice contains a consolidated itemization of spend across the various services. It also provides a breakdown of spending on services within each linked account. Modern organizations review paid invoices; however, this is usually done by finance, who look at the capital spent and not at the content. We recommend that you review the invoice jointly. Unexpected spend on a service can serve as a warning that helps your IT team and especially the security guys. The invoice also lists the services that your cloud has consumed and the accounts that were active during the period. If there are significant anomalies, you will probably identify them right away.
Services Automated Restart
Another simple way to reduce costs is to shut down systems when they are not needed. An organization can save a lot of money by simply turning the development and test environments off when they’re not needed. If you don’t believe me, ask Werner Vogels, CTO of Amazon Web Services: “One way to save really significant dollars in dev and test is to switch your resources off when you go home”.
Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your username and password. With MFA enabled, when a user signs in to the cloud, they are prompted for their username and password (the first factor, what they know), as well as for additional authentication information such as biometrics and tokens (the second factor, what they have) to ensure tighter security. This annoying control will decrease account hijacking, one of the most common cloud-related incidents, by 95%.
When you add a cloud-based firewall, its default rules are usually set to deny all. The simplest way to get around that is to add an “allow any” rule and let all sorts of data into your network. That is completely wrong. We recommend that you carefully check which ports need to be open for your cloud services to keep working. Do not use an allow-any rule!
Here is an example: RDP and SSH are common protocols that enable remote management of virtual machines (VMs). The exposure of using these protocols over the internet is that attackers can gain access by breaking these unsecured protocols. Obviously, the VMs are just a starting point from which to spread into your virtual network. Therefore, we encourage you to disable DIRECT RDP and SSH access to your virtual machines from the public internet.
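The firewall review described above can be scripted. The following is an added example, not code from the original post: it checks a rule set for allow-any rules and for SSH or RDP reachable directly from the internet, including when the port is hidden inside a range. The rule format, the `rule` helper and the sample rules are assumptions made for illustration and do not match any specific cloud provider's API.

```python
import ipaddress

# Management ports the post singles out (both TCP): SSH and RDP.
MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def is_public(cidr):
    """True when the source range is the whole IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_rules(rules):
    """Return (rule name, finding) pairs for inbound allow rules that are too broad."""
    findings = []
    for r in rules:
        if (r["direction"], r["action"]) != ("inbound", "allow"):
            continue
        if not is_public(r["source"]):
            continue  # restricted sources (bastion, VPN) are not flagged by this check
        lo, hi = r["ports"]
        if r["protocol"] == "any" or (lo <= 1 and hi >= 65535):
            findings.append((r["name"], "allow-any from the internet"))
        elif r["protocol"] == "tcp":
            # A port range can hide a management port, so test containment.
            for port, label in MGMT_PORTS.items():
                if lo <= port <= hi:
                    findings.append((r["name"], f"direct {label} from the internet"))
    return findings

def rule(name, action, protocol, source, ports, direction="inbound"):
    """Build one rule in the simplified, provider-neutral format assumed here."""
    return {"name": name, "direction": direction, "action": action,
            "protocol": protocol, "source": source, "ports": ports}

# Constructed sample rule set, not taken from any real environment.
SAMPLE_RULES = [
    rule("web-https", "allow", "tcp", "0.0.0.0/0", (443, 443)),
    rule("temp-open", "allow", "any", "0.0.0.0/0", (0, 65535)),
    rule("admin-range", "allow", "tcp", "::/0", (20, 4000)),
    rule("ssh-from-bastion", "allow", "tcp", "10.0.5.0/24", (22, 22)),
    rule("default-deny", "deny", "any", "0.0.0.0/0", (0, 65535)),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

To run it against a real environment, export the firewall or security group rules from your provider and map them into this format first.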
To give you more controlled management and security, you should split your cloud environment into different areas. Many cloud environments include three core areas: production, test and internal IT.
Production is where your customer- and partner-facing services run. Production services usually have high uptime and security requirements. The test area is typically accessed only by your own DevOps team. Internal IT is where you run the applications and services used by employees.
Separate these environments with a dedicated firewall. Manage and secure the environments according to their needs, starting with user permissions. Don’t let anyone access anything. Note that you should not add too much complexity to the overall environment. After all, we need smooth and effective cloud operations.
Monitor access logs frequently. This simple routine will help you spot anomalies and ensure the correct level of access, but not only that. Access monitoring lets you control the balance between security and productivity by adding the “how”: the way users are accessing the services. Monitoring access paths can deliver business value that goes well beyond security.
Another good practice is granting access to resources based on device identification, identity, network location and other restrictions. Again, do not let security be a burden. Do not overdo it.
Another way to improve your permissions control is to grant temporary permissions to perform privileged tasks. This habit will prevent malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it.
The last hygiene advice about users’ permissions is to set up a process that ensures terminated employees’ accounts are disabled immediately. It is a simple control for avoiding unauthorized access. After all, open accounts are an exposure that can be easily exploited.
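The account habits described above (MFA on sign-in, temporary privileged permissions, disabling terminated employees' accounts) can be checked in a single pass over an account export. The following is an added example, not code from the original post; the record fields, the employee IDs and the sample data are assumptions made for illustration.

```python
from datetime import datetime, timezone

def audit_accounts(accounts, active_employees, now):
    """Return (user, finding) pairs for the account hygiene checks in this post."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing left to exploit
        if acct["owner"] not in active_employees:
            findings.append((acct["user"], "enabled account of a terminated employee"))
            continue  # disabling the account supersedes the other checks
        if acct["console_access"] and not acct["mfa"]:
            findings.append((acct["user"], "console sign-in without MFA"))
        for grant in acct["privileged_grants"]:
            if grant["expires"] is None:
                findings.append((acct["user"], f"standing privilege: {grant['role']}"))
            elif grant["expires"] <= now:
                findings.append((acct["user"], f"expired grant still attached: {grant['role']}"))
    return findings

def utc(year, month, day):
    """Timezone-aware date, so expiry comparisons are unambiguous."""
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data: an HR roster and an account export (hypothetical fields).
NOW = utc(2024, 1, 15)
ACTIVE_EMPLOYEES = {"E100", "E101", "E102"}
ACCOUNTS = [
    {"user": "dana", "owner": "E100", "enabled": True, "console_access": True, "mfa": True,
     "privileged_grants": [{"role": "db-admin", "expires": utc(2024, 1, 20)}]},
    {"user": "omer", "owner": "E101", "enabled": True, "console_access": True, "mfa": False,
     "privileged_grants": [{"role": "network-admin", "expires": utc(2024, 1, 10)}]},
    {"user": "lee", "owner": "E102", "enabled": True, "console_access": False, "mfa": False,
     "privileged_grants": [{"role": "billing-admin", "expires": None}]},
    {"user": "sam", "owner": "E077", "enabled": True, "console_access": True, "mfa": True,
     "privileged_grants": []},
    {"user": "old-ci", "owner": "E050", "enabled": False, "console_access": False, "mfa": False,
     "privileged_grants": []},
]

if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, ACTIVE_EMPLOYEES, NOW):
        print(f"{user}: {finding}")
```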
Awareness & Training
Just as we raised this topic in our network cyber hygiene posts, cloud environments are no different. In order to prevent errors and mistakes that may lead to unnecessary risk, you should train your employees on how to behave in the digital world. The messages from the cyber hygiene posts are the same:
- Maintain data classification with clear controls for sensitive data. The fact that the data is in the cloud is irrelevant. Relevant controls should be applied.
- Keep anti-malware software and critical patches up to date on your cloud servers and nodes. Use your cloud provider’s “Shared Responsibility Model” to validate what is under your responsibility. Ensure it is covered.
- Ensure you have backups and restoration options in case of a disaster. Not all disaster scenarios are relevant to cloud data. Just ensure that those that are relevant have a recovery plan attached.
- Safe internet habits – Train employees about phishing attacks: don’t open suspicious attachments, disable pop-up windows and don’t install programs from unknown sources.
Now that we understand the importance of cloud hygiene habits to improve manageability, security and to keep costs under control, I invite you to start implementing those habits in your organization.
This is a very good start. Hope this post is useful.
If there are any questions, we at CST-360 would love to help.
What is this post?
These posts are the first in a new series I will write about cyber world fundamentals. My name is Yoav Berger, and I am an analyst at CST-360. I started a research process on cyber-related topics, and I wish to share what I have learned. Eventually, the goal of these posts is to help anyone who wants to improve their cybersecurity knowledge and give them fundamental cybersecurity tools that they can start applying right away.