Securing Access to your Cloud Apps
Oliver Bock
Securing Access to your Cloud Apps should be simple. For pure efficiency SaaS seems to be the universal answer. It eliminates the expense of power, maintenance, environmental controls, maintaining parallel backup sites, and a massive IT staff.
BYOD (Bring Your Own Device) strategies have led to disruptive incompatibilities when people create files. A Mac™ user has difficulty sharing documents and files with a Windows™ or BlackBerry™ user, and vice versa. Access to company data by tablet or phone has created new vulnerabilities.
SaaS uses a thin client (software that can run on an ordinary desktop, laptop or other device) that is completely isolated from the untrusted native operating system of the machine itself. It reads keystrokes and mouse movements and sends them to the remote server, which performs all the required calculations or actions and returns nothing but screen data.
This means all employees are always using the same software. There are never incompatibilities and you eliminate the need for thousands of updates of individual computers.
It keeps data in a secure location, and not in the possession of employees. They can manipulate it, but it should never leave the remote server other than as a screen image on the thin-client.
Everything is moving to the cloud (yesterday)
The security of local servers you own and the security offered by public, private or hybrid cloud servers are now almost indistinguishable. Reliability and monetary savings make the choice much easier.
As local servers and CPUs inevitably fail, begin moving to a cloud service rather than replacing equipment as usual. You can maximize the remaining life of your servers and expand onto the cloud as your requirements grow.
Your own server farm entails massive expenses. Most of that cost can be eliminated by using remote IaaS (Infrastructure as a Service), where you rent a virtual space on servers shared by thousands of others, so the cost is spread across them and reduced.
The advantage is that once your local server system reaches minimal size, you can use it exclusively for the highest-security data. It can be totally isolated from external access.
Challenges of Cloud Apps / SaaS
Your data can be broken down into three types:
- Restricted Data, such as financials, bids, or proprietary methodology. Only employees with need-to-know authorization should ever be able to access that data.
- Confidential Data, such as clients’ credit information, or any data which could destroy the credibility of your company. This information should only be available to the department which directly owns the data.
- Generic Data is safe for public consumption. It’s the sort of information that anyone can look up online about your company.
Best practices on Securing Access to your Cloud Apps
- Password theft is still the number one intrusion method. Enforce strong password policies with a minimum length, requiring uppercase letters, lowercase letters, numbers and symbols.
- Administration passwords permitting access to the entire system should be tightly regulated. Even the CEO should expect to be refused when s/he says “I forgot my password, Jim. What’s yours?” Use the proper password recovery methodology at all times.
- Have SLAs (Service Level Agreements) with your cloud provider identifying responsibilities and liabilities in the event of service disruption. Make sure your supplier has the appropriate safeguards for your working environment including firewalls, virus solutions, and anti-intrusion regimes and solutions.
- An e-mail solution should include anti-spam technology, antivirus technology, dangerous attachment blocking, and the ability to create other filtering rules.
- Have a Disaster Recovery Agreement with your supplier to assure business continuity. If one of their data centers goes down, it should be mere milliseconds before another invisibly picks up the slack.
- Identify the geographical location of the Data Centers which are storing your cloud solution. Different jurisdictions can impact the legal requirements for your provider, whether it is state or country.
- Agree on backup frequency, external storage sites, and data-handling in the event cloud service ends. In the latter case, transfer of data is vital, as is the timely destruction of backups.
- You have to identify all privileged accounts and immediately terminate any that are no longer in use, or that are connected to former employees.
- If you use tokens for security (such as RFID chips) determine who has them, and disable all that can’t be accounted for. It might even be wise to disable all of them and have them re-enabled manually the first time they are subsequently used.
- Log all uses of privileged accounts, and the activity on them. Automatically disable unusual activity such as downloading.
- Initiate training for all employees about the methodology used to obtain secret information. Anti-phishing training should be online and mandatory. Organizations can be hired to send mock-phishing attempts to employees to demonstrate how easily they can be taken advantage of.
- Survey your hardware and software for vulnerabilities such as Windows Server 2003, which has not been supported by Microsoft since mid-2015, meaning you no longer receive security updates for it. There are still 10,000,000 physical Win 2003 servers running, and millions more virtual servers. As hacking technology improves these servers become more and more vulnerable, as does your data.
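Two of the items above, identifying privileged accounts that belong to former employees or are no longer used, and logging privileged-account activity so that unusual downloading can be disabled automatically, lend themselves to a periodic review script. The following is an added example, not code from the original article or from any product it mentions. It assumes a constructed audit log in the shape "timestamp user action bytes", a constructed HR roster of current privileged users, and assumed policy thresholds (90 days of inactivity, a 50 MB daily download ceiling); the function names are the example's own.

```python
"""Added example (not from the original article): review privileged-account
activity against an HR roster and report accounts that should be disabled."""
from datetime import datetime, timedelta

# Constructed sample data: employees who currently hold privileged accounts,
# and the date on which this review is run.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}
REVIEW_DATE = datetime(2024, 3, 1)

# Constructed audit log lines: "timestamp user action bytes".
# Only "download" actions carry a non-zero byte count.
SAMPLE_LOG = """\
2024-02-28T09:12:00 alice login 0
2024-02-28T09:15:00 alice download 1200000
2024-02-28T10:40:00 dave login 0
2024-02-28T10:41:00 dave download 950000000
2023-11-02T08:00:00 bob login 0
2024-02-27T17:05:00 carol login 0
2024-02-27T17:30:00 carol download 40000000
2024-02-27T17:31:00 carol download 40000000
"""

INACTIVE_DAYS = 90                 # assumed policy: unused longer than this -> disable
DOWNLOAD_LIMIT_BYTES = 50_000_000  # assumed policy: per-account daily download ceiling


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(nbytes)))
    return events


def review_privileged_accounts(events, active_employees, review_date):
    """Return {user: [reasons]} for every privileged account that should be disabled.

    Reasons are: the user is not on the active roster, the account has been
    unused for more than INACTIVE_DAYS, or the account downloaded more than
    DOWNLOAD_LIMIT_BYTES in a single day.
    """
    last_seen = {}    # user -> most recent activity timestamp
    downloaded = {}   # (user, date) -> bytes downloaded that day
    for ts, user, action, nbytes in events:
        last_seen[user] = max(last_seen.get(user, ts), ts)
        if action == "download":
            key = (user, ts.date())
            downloaded[key] = downloaded.get(key, 0) + nbytes

    findings = {}
    for user, seen in last_seen.items():
        reasons = []
        if user not in active_employees:
            reasons.append("not on active employee roster")
        if review_date - seen > timedelta(days=INACTIVE_DAYS):
            reasons.append(f"unused for more than {INACTIVE_DAYS} days")
        if reasons:
            findings[user] = reasons
    for (user, day), total in downloaded.items():
        if total > DOWNLOAD_LIMIT_BYTES:
            findings.setdefault(user, []).append(
                f"downloaded {total} bytes on {day} (limit {DOWNLOAD_LIMIT_BYTES})")
    return findings


def accounts_to_disable(findings):
    """Sorted list of account names the review recommends disabling."""
    return sorted(findings)


if __name__ == "__main__":
    result = review_privileged_accounts(parse_log(SAMPLE_LOG), ACTIVE_EMPLOYEES, REVIEW_DATE)
    for account in accounts_to_disable(result):
        print(account, "->", "; ".join(result[account]))
```

Run against the constructed log, the script flags dave (not on the roster and a single 950 MB download), bob (no activity since November) and carol (two downloads on one day that together exceed the ceiling), while alice passes. In practice the roster would come from the HR system and the events from the provider's audit log export, and the "disable" step would call the identity provider rather than print.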
SaaS can be secure provided you clearly define the employees’ responsibilities and gain their cooperation. Knowing they are going to be tested regularly keeps them participating, particularly if there is an incentive for people that have never been tripped up by a Phishing attempt or other testing.
- Internal systems need to be surveyed for outdated hardware that invites intrusions.
- Privileged accounts must be monitored regularly and permissions removed as soon as they are no longer required.
- Policies cannot merely exist; they must be enforced in order to be useful.
You shouldn’t fight the future—embrace the changes to enhance your operational security. Keep your top IT people working on better security every day, auditing the system, and developing better ways to detect unusual and inappropriate activities.
Also published on Medium.