Global Top 10 for Any Service

10 things you should know about cybersecurity in the cloud to prevent cloud security threats

Written by: David Henderson on Mar 05, 2021

Global Top 10 for Any Cloud Service

Cloud computing is a necessary business strategy, and that, in turn, makes cloud security necessary as well. We’ve pulled together what you should know about cybersecurity in the cloud to prevent cloud security threats.

1. Implement good password policies where possible e.g. Cloud, E-Mail

  • Allow users to reset their own password
  • Do not set an expiry time
  • 8 characters or more
  • Do not require complexity such as special characters
  • Help and inform users on how to generate better passwords
  • Make it easier to manage password overload, e.g., by providing password managers
  • Use SSO solutions where possible.

2. Enable Multi Factor Authentication (MFA) for all accounts

  • Make MFA mandatory, especially for Administrative accounts of any role
  • Educate users on how to set it up, what it does and how to use it.

3. Block and discourage any legacy connections, applications, functionality

  • Where possible disable connections from old applications such as outdated browsers, old Outlook and similar software
  • Legacy software does not utilise up-to-date encryption or security features.

4. Enable phishing detection and external banners for e-mail clients and providers

  • Notify users when an e-mail arrives from an external domain
  • Use automated systems to detect phishing attacks sooner
  • Train staff on detecting and reporting phishing emails
  • Do not discourage users from disclosing successful phishing attacks by reprimanding or scolding their actions - educate and instruct instead.

5. Provide access based on the principle of least privilege

  • Never grant full privileges to someone who does not need them
  • Review Administrative users on a regular basis
  • Assign privileges individually or with groups.

6. Never hard code credentials, API keys, secrets or other sensitive details

  • Applications should call secret variables from a trusted source such as AWS Secrets Manager or similar
  • Hard coded details can be retrieved once access is gained to the server or application is compromised
  • Rotate keys on a regular basis.
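
An added example, not from the original article: a Python check that flags hard-coded secrets in source text so they can be moved to a secrets store before the code is committed. The rule names, the assignment heuristic and the sample file are assumptions made for this illustration; AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.

```python
import re

# Patterns for credentials that should never appear in source files.
# The AWS access key ID shape (AKIA/ASIA + 16 upper-case alphanumerics) is the
# documented format; the assignment rule is a heuristic chosen for this example.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "literal_secret": re.compile(
        r"(?i)\b\w*(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*"
        r"[\"']([^\"']{8,})[\"']"
    ),
}
# Values that show the secret is resolved at deploy time, not embedded.
SAFE_VALUE = re.compile(r"^(?:\$\{.+\}|\{\{.+\}\}|<.+>)$")


def scan(text):
    """Return (line_number, rule_name) for every suspected hard-coded secret."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "literal_secret" and SAFE_VALUE.match(match.group(1)):
                continue  # template placeholder filled in by deployment tooling
            findings.append((number, name))
    return findings


# Constructed sample file: lines 2 and 3 embed secrets, lines 4 and 5 do not.
SAMPLE = '''\
import os
DB_PASSWORD = "hunter2-correct-horse"
aws_key = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = os.environ["API_TOKEN"]
smtp_password = "${SMTP_PASSWORD}"
'''

if __name__ == "__main__":
    for number, name in scan(SAMPLE):
        print(f"line {number}: {name}")
```
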

7. Utilise Monitoring, Logging and Alerting tools

  • Create alerts for billing, overuse and login exceptions where possible
  • Establish multiple channels for reporting alerts such as IM, email and SMS
  • Create a procedure for dealing with alerts based on their severity
  • Use trusted tools such as CloudTrail, Azure Sentinel, Logz.io and ELK stack
  • Retrieve alerts when resources are scaling up, down, are backing up or are being terminated.

8. Limit accessibility on a technical level between services and applications

  • Utilise Firewall rules and security groups to divide IN and OUT traffic between resources
  • Logically separate resources with different Virtual Networks and VPCs
  • Only allow necessary connections by restricting IP addresses and Ports where possible
  • Keep resources as “internal” where possible.

9. Develop and Maintain solutions instead of Fire and Forget

  • Implement a process for permission, privilege, administrator, device review
  • Log/Detect where possible: failed login attempts, multiple password resets, SSH and other server logins
  • Train users in how to maintain their own good password practices and how to access corporate services.
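
The failed-login logging described above, as an added example that is not part of the original article: a Python detector that reads sshd log lines and alerts on a burst of failures from one source address and on a successful login that follows such a burst. The threshold, the time window and the log lines are constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def detect(lines, threshold=3, window=timedelta(seconds=60)):
    """Return alerts for failure bursts per source IP and logins that follow one."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    bursting = set()              # ips that already raised a burst alert
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only differences between them are used
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        ip, failures = m["ip"], recent[m["ip"]]
        if m["result"] == "Failed":
            failures.append(ts)
            while ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("failed_login_burst", ip, m["user"]))
        elif ip in bursting:
            alerts.append(("success_after_burst", ip, m["user"]))
    return alerts


# Constructed sshd log lines (documentation and private address ranges).
SAMPLE = [
    "Mar  5 10:01:02 web1 sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2",
    "Mar  5 10:01:10 web1 sshd[811]: Failed password for root from 198.51.100.7 port 51240 ssh2",
    "Mar  5 10:01:15 web1 sshd[902]: Failed password for alice from 10.0.0.23 port 40100 ssh2",
    "Mar  5 10:01:21 web1 sshd[811]: Failed password for root from 198.51.100.7 port 51251 ssh2",
    "Mar  5 10:01:40 web1 sshd[902]: Accepted password for alice from 10.0.0.23 port 40101 ssh2",
    "Mar  5 10:02:05 web1 sshd[811]: Accepted password for root from 198.51.100.7 port 51260 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```
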

10. Implement centralised management where possible e.g. Devices, Anti-Virus, Updates, Encryption

  • Make it easier for devices to be secured by implementing policies and rules with tools such as Microsoft ECM (MSCCM)
  • Deploy applications, such as pre-configured anti-virus software, across the organisation
  • Do not rely on users' preference to install updates; make it a scheduled task (there should be a rolling deployment process)
  • Implement Firewall rules, encryption, logging and user account management.

Get in touch ([email protected]) if you'd like the Vertical Structure team to check the configuration of your cloud infrastructure / account / service.

This Spring we're launching a Cyber Foundations training course to cover this topic. Its objective is to help organisations (especially those responsible for securing their data and mission-critical applications in the cloud) successfully navigate the security challenges presented by cloud services.

The course is designed for those involved in securing cloud services and with a higher level of technical knowledge than the participants of our basic Cyber Security & Social Engineering Awareness training. It looks at securing Azure, AWS, Office365 and Google Suite environments.

It’s not as much of a technical deep dive as our Threat Modelling & Web Application Security, and Cloud Application Security training courses but these would be a great follow on. Please get in touch if you'd like to find out more!

(As an aside - we've successfully transitioned training and workshops to online delivery over the last year.)
