Like their larger counterparts, small- and medium-sized businesses (SMBs) are moving swiftly to migrate IT workloads to the cloud, hoping to slash operating costs, eliminate technical debt, and accelerate digital transformation projects. However, cloud migration security risks are often poorly understood at the outset or overlooked entirely. Causes include the complexity of cloud service provider (CSP) offerings, the numerous use cases they support and the lack of experienced cloud security engineers on staff. According to Gartner:
- Through 2024, the majority of enterprises will continue to struggle with appropriately measuring cloud security risks.
- Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data and at least 95% of cloud security failures will be the end-users’ faults.
This article shares best practices SMBs can adopt to reduce this risk exposure and maximize returns on their cloud migration investments.
Cloud Migration Scenarios and the Shared Security Model
Rather than maintaining racks of servers and absorbing fixed ongoing costs for software, services and maintenance, organizations can rent network infrastructure from a CSP and pay only for what they use. Offerings from CSPs like Amazon Web Services (AWS), Microsoft Azure (“Azure”) and Google Cloud are typically divided into three broad categories:
- Infrastructure as a Service (IaaS):
The CSP furnishes the servers, storage and networking devices typically found in an on-premises data center. Customers are responsible for installing and managing operating systems, applications, databases and network connectivity. Once tested, secured and tuned for performance, the virtualized resources can start running production workloads. IaaS is attractive to organizations with aging infrastructure that can no longer be updated or maintained cost-effectively.
- Platform as a Service (PaaS):
The CSP adds responsibility for the operating system, middleware, and ancillary tools and services. Geographically dispersed software development teams, for example, choose PaaS solutions with software testing, version management and group collaboration features to meet aggressive production deadlines.
- Software-as-a-Service (SaaS):
The CSP provides customers with browser-based access to a hosted application on a subscription basis. This is the simplest service model to adopt since it offloads responsibility for software hosting, management and maintenance to the CSP.
In every case, customers retain sole responsibility for maintaining the integrity and availability of their data both at rest and in transit. This includes such tasks as managing backups, encryption, and administering identity and access management (IAM) systems on prem (e.g., Windows Active Directory) and in the cloud (e.g., Azure Active Directory).
Depending on the service tier, the CSP and the customer may share responsibility for client and endpoint protection, identity and access management, application-level controls and more. To prevent incidents, it’s essential that SMBs fully understand and fulfill their obligations under this Shared Responsibility Model, which is enshrined in CSP contracts and delineated by the Center for Internet Security (CIS) in Figure 1 below.
Figure 1: The Shared Security Model Source: CIS
Kroll Recommendations and Best Practices
Kroll cloud security experts employ a multi-layered approach to assess and mitigate risks that encompass CIS benchmarks, guidelines from The National Institute of Standards and Technology (NIST) and frontline insights from handling thousands of cloud security incidents. Here are 10 recommendations for SMBs to consider:
1. Begin with a Project That’s Both Practical and Cost-Effective
It may not be practical to migrate a business-critical legacy application that was developed internally or extensively customized. Adapting it to the cloud may incur significant costs for software modifications and testing. Performance and other problems might surface when the cloud version goes into production. Instead, consider beginning with a shrink-wrapped application like Microsoft 365 (M365), which is well understood and widely available from SaaS providers.
2. Ask the CSP Where Your Data Will Be Physically Hosted
The location of your data may expose you to regulatory risks. For example, Europe’s General Data Protection Regulation (GDPR) obligates organizations that “target or collect data related to people in the EU” to meet strict data security and privacy requirements. State and federal authorities in the U.S. impose similar standards. Organizations that violate local data security laws can incur significant regulatory penalties.
Location decisions should also be informed by disaster recovery plans. Avoid having critical data hosted in a CSP data center near your physical location. For example, if a Florida firm’s data is hosted in California, it may be less likely to experience a significant outage from a hurricane or resume operations more quickly.
3. Conduct Annual Cloud Security Risk Assessments
Customers often underestimate cloud risks. Consequently, Kroll offers cloud security assessments that determine how well the customer’s security controls and policies comply with NIST and CIS Foundation Benchmarks and best practices. Areas of focus typically include:
- External and internal network access controls
- User management and authentication
- Multifactor authentication for privileged and remote access
- Backup and disaster recovery
- Security event logging, correlation and alerting
- Incident response planning
After each engagement, Kroll consultants provide clients with a risk-prioritized list of detailed cloud security configuration hardening and mitigation recommendations.
4. Control Network Access to the Cloud
To reduce risks, SMBs should implement foundational network security practices, such as limiting the number of public IP addresses that provide access to cloud resources. They can shrink the attack surface further by blocking unauthorized traffic with a Web Application Firewall.
5. Implement Multifactor Authentication for All Users
Modern CSP platforms support MFA, which reduces the risks of credentials being stolen and abused by attackers. MFA should be enabled for every user, especially admins. SMBs should also restrict access to cloud resources from legacy applications that don’t support MFA, such as Outlook 2010. In such cases, basic authentication and access controls should be disabled and restricted, using conditional access policies.
6. Adhere to Least Privilege Best Practices
During cloud security assessments, we often find SMBs violating the principle of least privilege, which states that users and applications should be granted access only to the minimum set of resources and functions they need to complete tasks. Instead, we find user accounts that grant dozens of excess privileges. If one of those accounts is compromised, resources are exposed, and attackers may be able to use the stolen credential to gain a foothold on the victim’s network. To reduce risks, administrators should create granular access policies that don’t confer excess privileges.
7. Create Separate Administrator Accounts for Managing On Prem and Cloud Resources
SMBs often assign a single engineer to manage both on prem and cloud computing environments. If the engineer’s management account is compromised, an attacker can acquire privileged access to the entire IT infrastructure. Kroll recommends creating separate administrator accounts for each cloud environment and endorses Microsoft guidance to avoid synchronizing on prem privileged Active Directory accounts with Azure Active Directory instances.
8. Utilize Network Segmentation
It’s recommended to sub-divide an enterprise network into discrete segments protected by granular security policies. Segments can service operational silos, with sensitive areas such as accounting operating under stronger controls due to their use of credit card or payroll data or enabling use cases such as allowing an IoT device to access an application server, which requires less strict controls. Network segmentation bolsters security by making it harder for attackers to conduct reconnaissance and move laterally.
While the concepts and goals are the same, segmenting virtual networks in the cloud requires a deep understanding of each CSP's security services, software tools and configuration options. For example, the Amazon Simple Storage Service (S3) enables administrators to configure network security groups for use cases ranging from websites to big data analytics. Among other capabilities, a network security group policy can restrict access to data in S3 buckets to application and database servers based on their IP addresses and port numbers. In keeping with the principle of least privilege, default and pre-defined network access policies that allow all traffic to pass should be disabled. Permissive services and access protocols may be acceptable when the corporate network is behind multiple firewalls and protected by compensating security controls. In the cloud, lax access controls expose vulnerabilities that are soon discovered and exploited.
9. Enable and Correlate Cloud and On-Premise Logs
In Azure cloud environment, diagnostic settings must be configured at every subscription and resource object level in the cloud. In AWS, for example, logging of S3 server access files is turned off by default. Without those logs, it may be difficult to detect anomalous access patterns that may be indicators of exfiltration. It’s the customer’s responsibility to ensure logs are enabled, collected, correlated and analyzed with those from on-prem networked devices. SMBs lacking a Security Operations Center (SOC) can acquire the necessary support and expertise by retaining managed detection and response (MDR) services such as Kroll Responder, which can ingest those logs to hunt and respond against suspicious activities. Advanced threat actors can linger on a network for years, so Kroll recommends retaining logs for at least 18 months to facilitate threat hunting, incident response, penetration testing and forensic investigation.
10. Actively Monitor and Manage Your Environment
Finally, it’s essential to continuously monitor your cloud environment to detect anomalous and potentially malicious activity. Login attempts from odd locations, during non-business hours or made with mechanical frequency (e.g., 1,000 attempts per minute) may be indicators of a compromised identity. SMBs can also utilize tools such as Amazon CloudWatch and Azure Monitor to spot anomalous spikes in usage, running processes and data flows. Tools like these help admins detect active infiltrations, spot misconfigured services and close gaps in the cloud security architecture.
Kroll cloud security specialists are on call to provide unrivaled knowledge and expertise that SMBs need to reduce their risk exposure, protect their data and minimize the potential impact of a serious security incident. Connect with our team here, or reach out via our 24x7 security hotlines or contact page.