Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

Checklist: 9 Cloud Security Best Practices Your Organization Should Follow

mm

Written by Barbara Hoffman

December 1st, 2020

Transitioning to the cloud is one of the most significant technology shifts your company will face. Last year, over 80% of organizations operating in the cloud experienced at least one compromised account each month, stemming from external actors, malicious insiders, or unintentional mistakes.

The specifics of cloud security activities may vary depending on your cloud platforms and use cases, however, there are some best practices that every organization should follow. We’ve learned many of those practices from helping thousands of businesses plan, design, and build their cloud PAM programs.

The PAM cloud security best practices checklist detailed below will help you prevent your privileged accounts from being compromised and ensure security controls are in place to mitigate the risk of a successful cyber attack.

#1. Map compliance requirements to cloud functions

Compliance isn’t the ultimate goal of cyber security, but it’s an important step to protecting your cloud resources. Map your privileged access management policies to any compliance mandates that are required for your business. Whether you follow NIST, CIS Controls, or another best practice framework for cyber security, make sure you include cloud protections in your policies. Document your PAM policies and share those policies with anyone who may interact with privileged accounts.

#2. Establish a Cloud Business Office

Some of the most successful organizations we work with, especially those that have adopted a cloud-first vision, create a Cloud Business Office (CBO). In this best practice model, the CBO has broad visibility and oversight over all cloud activities. They serve as a central point for decisions, communications, and project management to ensure that corporate or government policies and best practices for cloud security are being followed.

The CBO may sit within the IT department, but it actually represents a cross-functional team. It’s a great way to organize your stakeholders across departments, including cloud architects, cloud engineers, developers, operations, security teams, compliance/risk managers, and business owners that have an impact and perspective on cloud usage and strategy.

The Cloud Architect Alliance organized an event about the Cloud Business Office and posted several videos that are worth checking out.

#3. Know your cloud security responsibilities

Did you know that the vast majority of cloud misconfigurations and inconsistent controls are the customer’s fault, not the cloud provider’s? Amazon Web Services and other cloud platforms have many best practice guides they can provide regarding setting up root accounts for servers, configuring S3 buckets, and other settings. Make sure you follow their guidance and have checks in place to ensure all settings are correct.

It’s on your shoulders—not the cloud provider’s—to manage appropriate access and permissions for every person and every system that interacts with cloud-based systems. These systems could include critical applications or databases that are stored in the cloud, cloud platforms for application development, or tools used by your business or technical teams. Cloud access should be incorporated and tracked using the same PAM policies, processes, and solutions you use for your organization as a whole.

#4. Implement granular controls over all types of cloud platforms

Granular cloud access control is one of the PAM best practices many companies fail to achieve. While organizations tend to have broad RBAC in place for cloud infrastructures such as AWS or Azure, they often don’t consider the diverse levels of access involved with web applications.

PAM that is designed for the cloud lets you precisely control what users can see and do in all cloud platforms, including databases and web applications.

#5. Don’t make monitoring an afterthought

While the vast majority of users are trustworthy, it’s a best practice to monitor and audit their behavior when they’re accessing sensitive information and privileged accounts. As part of your security program, you should monitor network traffic for unusual activity, such as off-hours access, remote connections, and other outbound activities. Search for telltale signs of compromise by temporarily blocking outbound internet traffic and tracking data outflows.

Even with multiple business and technical functions using different types of cloud resources, with an enterprise-scale PAM solution, it’s possible to have a consolidated view of privileged access across your organization.

#6. Take extra care for third parties

Don’t limit insider threat monitoring and oversight to employees. You may be engaging with third-party vendors in a number of ways, such as a remote contractor working on a time-limited project, an embedded contractor, or outsourced staff augmentation.

Vendor security should be practiced both while the third party is actively employed with your organization, and once the engagement is over. Vendor privileged access management (VPAM) solutions can contain the risk, manage privileged access, and provide an audit trail to hold everyone accountable.

#7. Never grant standing access

Many companies keep privileges in place for too long, neglect to expire passwords and accounts, and fail to remove privileges when projects end or people leave. Granting standing privileged access violates the best practice principle of least privilege and introduces significant risk.

Implementing Just-In-Time access within Privileged Access Management (PAM) ensures cloud users and systems have appropriate access when needed and for the least amount of time required.

Advanced PAM tools use workflow features such as “Request Access,” which allow users to request access for a specific amount of time. In addition, “Checkout” features can rotate credentials as soon as the checkout period ends, so even if credentials are not expired, a user won’t be able to return with the same credentials.

#8. Put your systems to the test

Following a best practices checklist gets you far, but without testing, you’re leaving an important question unanswered: is this effort working as expected? Test your cloud security controls to see how well they would stand up to a cyber attack. Many companies bring in ethical hackers or “red teams” to simulate an attack on their cloud systems. This best practice can reveal security vulnerabilities before they get exposed by a criminal hacker or flagged in an external audit.

#9. Plan for change

Last on the checklist but no less important—anticipate change. The average enterprise uses approximately two thousand cloud services, an increase of 15% over last year, mainly due to SaaS growth. Chances are, your organization has many new SaaS or web applications coming online right now.

If you work in a DevOps environment, new people and systems are continuously accessing your AWS instance or other cloud platforms.

The occasional discovery scan of privileged accounts isn’t going to provide you the visibility and control you need. Rather, implement continuous discovery for all types of cloud accounts as a best practice. Then you can make sure permissions are properly configured and appropriate oversight is in place.

To match the expected growth of your privileged accounts, cloud applications, and users, it’s best to use a cloud-based PAM solution. Cloud PAM gives you the ability to scale without slowing down other resources or losing control.

In DevOps organizations, where a broad range of cloud resources are continuously created, used, and retired on a large scale, PAM automates high-speed secret creation, archiving, retrieval and rotation.

PAM in the Cloud

PAM in the Cloud. Powerful. Secure.

Try the only feature-complete, enterprise-class CLOUD PAM solution in the world.

 

Like this post?

Get our top blog posts delivered to your inbox once a month.

SHARE THIS