10 Steps to Securing the Cloud
If you’re looking to make your customers’ journeys to the cloud as uneventful as they can be, Dave MacKinnon has 10 steps you should follow.
When it comes to cloud adoption, the analogy I always use is that our networks used to be built like castles. We put all our servers and users inside, and we had big walls to protect everything. Today, we’ve shifted large parts of our businesses outside of these walls, and moved them to various cloud and SaaS providers. As a result, we no longer always have the knowledge or expertise to secure and protect them. So, a core part of the journey towards owning the cloud is understanding what you can do to help your customers secure all those bits that now lie outside the castle walls.
This list of 10 steps is not specific to any one provider. It represents a holistic view of the things everybody can, and should, be doing to make this transition to cloud as secure as possible.
1) Deploy Multi-Factor Authentication (MFA)
MFA should be table stakes in the cloud. It’s the linchpin for securing all environments. Whether you’re a normal user or a super user, MFA should be configured for any and all access to all systems at any time.
2) Add Conditional Access
MFA on its own sometimes isn’t enough, and this is where conditional access comes into play. You can configure specific requirements for users and devices connecting to your environment as a secondary line of defense. Should someone get through your MFA, they can still be denied access if they don’t meet set criteria, such as whether they are allowed access to certain apps, whether the device they’re using has been properly patched, or if they have failed authentication a number of times.
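The decision described above can be sketched as a check that runs after MFA and returns every reason for denial, so that the outcome can be logged. This is an added example, not from the original article; the groups, app names and thresholds are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy values; real thresholds come from your own policy.
ALLOWED_APPS = {"helpdesk": {"ticketing", "mail"},
                "admins": {"ticketing", "mail", "cloud-console"}}
MAX_PATCH_AGE = timedelta(days=30)
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=15)

@dataclass
class SignIn:
    user_group: str
    app: str
    mfa_passed: bool
    device_last_patched: datetime
    recent_failures: list  # timestamps of this user's failed attempts
    at: datetime

def evaluate(s: SignIn) -> list:
    """Return the reasons to deny; an empty list means allow."""
    reasons = []
    if not s.mfa_passed:
        reasons.append("mfa_failed")
    if s.app not in ALLOWED_APPS.get(s.user_group, set()):
        reasons.append("app_not_allowed")
    if s.at - s.device_last_patched > MAX_PATCH_AGE:
        reasons.append("device_unpatched")
    window_start = s.at - FAILURE_WINDOW
    failures = sum(1 for t in s.recent_failures if window_start <= t <= s.at)
    if failures >= MAX_FAILURES:
        reasons.append("too_many_failures")
    return reasons

# Constructed sample sign-ins; all three have passed MFA.
NOW = datetime(2024, 1, 15, 9, 0)
OK = SignIn("admins", "cloud-console", True, NOW - timedelta(days=3), [], NOW)
STALE_DEVICE = SignIn("admins", "cloud-console", True,
                      NOW - timedelta(days=90), [], NOW)
SPRAYED = SignIn("helpdesk", "cloud-console", True, NOW - timedelta(days=3),
                 [NOW - timedelta(minutes=m) for m in range(1, 7)], NOW)

if __name__ == "__main__":
    for name, s in [("ok", OK), ("stale", STALE_DEVICE), ("sprayed", SPRAYED)]:
        print(name, "->", evaluate(s) or "allow")
```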
3) Keep Privileged Accounts Separate and Vaulted
Privileged accounts are the most valuable to any hacker as they offer unfettered access to your systems. You should not be using these accounts to do your day-to-day job, even as an admin. Separating out those highly privileged accounts is essential if you want to protect both your own and your customers’ networks.
4) Configure RBAC and Standardize Configuration Across Customers
How many times have you spun up new environments, given someone the access they need and then not revoked that access after any specific tasks have been completed? I’m pretty sure we’ve all done it. Making sure that you have role-based access control (RBAC) fully configured across all your customers is essential to control who can do what, but so is regularly going back and auditing that access to ensure people don’t still have access to stuff they shouldn’t.
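An access review of the kind described above can be automated once grants are recorded with the date the justifying task ends. This is an added example, not from the original article; the baseline, customer names, users and record layout are constructed for illustration.

```python
from datetime import date

# Hypothetical standard: roles each team should hold in every customer tenant.
BASELINE = {"helpdesk": {"reader"}, "cloud-team": {"reader", "contributor"}}

# Constructed records: (customer, user, team, role, expires).
# expires is the end date of the task behind the grant; None = standing access.
ASSIGNMENTS = [
    ("acme",    "alice", "helpdesk",   "reader",      None),
    ("acme",    "bob",   "helpdesk",   "owner",       date(2024, 1, 10)),
    ("globex",  "alice", "helpdesk",   "contributor", None),
    ("globex",  "carol", "cloud-team", "contributor", None),
    ("initech", "bob",   "helpdesk",   "owner",       date(2024, 3, 1)),
]

def audit(assignments, baseline, today):
    """Return findings as (customer, user, role, issue) tuples."""
    findings = []
    for customer, user, team, role, expires in assignments:
        in_baseline = role in baseline.get(team, set())
        if expires is not None and expires < today:
            # Task is over but the grant is still present.
            findings.append((customer, user, role, "expired_not_revoked"))
        elif not in_baseline and expires is None:
            # Elevated role with no end date and no place in the standard.
            findings.append((customer, user, role, "standing_off_baseline"))
    return findings

def drift_by_customer(assignments, baseline):
    """Map each customer to the roles that deviate from the standard."""
    drift = {}
    for customer, _user, team, role, _expires in assignments:
        if role not in baseline.get(team, set()):
            drift.setdefault(customer, set()).add(role)
    return drift

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, BASELINE, date(2024, 2, 1)):
        print(finding)
    print(drift_by_customer(ASSIGNMENTS, BASELINE))
```

The time-boxed grant at initech is not a finding yet, but it still appears as drift from the standard configuration.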
5) Understand the Technology You’re Using
Cloud technologies have evolved quickly. As of the time of writing, Amazon has more than 200 services that they offer through AWS, and Microsoft has just shy of 500, and that’s just for those two providers. Whereas historically you could say you were a cloud expert, today nobody can claim that because there are so many different aspects of the cloud that you can leverage.
This means you need to invest in the skills in your teams so that you have people who are strong in different areas, either through training or hiring. Having an in-depth understanding of the technologies you’re using means you can help ensure best practices are followed when deploying them and that you are properly protected.
6) Know the Surface Area of Your Deployment
This really follows on from my previous point. I would argue that our MSPs that perform the best in terms of managing cloud deployments are the ones who not only really understand the technologies they are deploying, but also deploy them consistently across their customer base. Creating and maintaining one-off environments requires a level of expertise that would be very difficult to achieve in even the biggest MSP.
7) Monitor Changes to the Environment and Pay Attention to Adversaries
I think of this first part in the same way as my home alarm system: I might be able to see a back window is open, but is it because somebody broke in or because one of my kids opened it because they were too hot? I don’t know until I investigate further, but I need to ensure that I have “eyes on glass” and am looking for things like this.
In addition to this, you should pay attention to what potential adversaries are doing, as this can help you spot the signs of a security event early. There are a number of different sources available, such as regular updates from CISA, that can help you understand how to protect both your business and your customers’ businesses from current cyber threats. Knowing what’s happening in the broader ecosystem gives you an advantage in that you can leverage that information to make sure that you’re pivoting to proactively protect your customers from whatever the threats are in their environment.
8) Plan Ahead
This is something I’m personally very big on — proactively planning for all eventualities. Essentially this falls into two categories.
- Security events. If you have a security event that impacts your cloud technologies, what are you going to do? What steps do you need to take? How do you recover that? Do you have it backed up?
- Employee departures. As MSPs, you have highly privileged access across all your customers. If one of your techs leaves (whether by their own choice or yours), you need to ensure you are able to quickly close down everything they have access to; that could be via single sign-on or Azure AD.
9) Understand What You Need to Do to Recover
Again, this follows on from the previous point: if you do suffer a security event of any description, what is your recovery actually going to look like? You need to have a plan in place. So you need to look at things like how you properly communicate with your customers about what you’re doing and what they need to do. This is something that you should be testing via tabletop exercises both internally and with your customers. These events should not go perfectly; they should cause you to find gaps and refine your processes. It’s an extremely healthy exercise to go through.
10) Measure Your Customers’ Security Posture
CIS puts out benchmarks for what good security looks like across a number of different operating systems, cloud providers, endpoints, and others. With CIS, there are different levels, so you can determine your risk level and increase your security rating over time. Many solutions have built-in reporting for this. It provides clear details on what it would take to hit level one or two, or specific requirements within both that align with your business risk. This will really help you craft the security story to your customers, as you can clearly demonstrate what you’re doing and how that compares to benchmarks, as well as where they will need to invest if they want to level up their performance.
The tough reality with security is that no one is impervious, but by following these steps you can help make sure that your customers’ journey to the cloud is as uneventful as it can be.
Dave MacKinnon is Chief Security Officer at N-able. Guest blog courtesy of N-able. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.