Did you know that phishing attacks targeting cloud storage services make up nearly 23 percent of all security attacks, an increase of 125 percent over the past four years? It’s a strategy fraudsters are using as they try to gain access to valuable login credentials for business cloud storage accounts.
And the problem isn’t limited to unauthorized access of vital accounts. Phishing schemes are also the most common way to deliver ransomware to systems belonging to businesses, government agencies, schools, and other critical infrastructure.
It’s an IT security challenge that will become more difficult in the next few years. That means that you, as a cybersecurity leader, must plan and implement best practices to keep your company (and individual employees) from falling victim to these schemes.
As you review these IT security best practices for cloud access control, consider how you’re currently handling them for your company and what changes you might make.
MAINTAIN THE PRINCIPLE OF LEAST PRIVILEGE FOR USER ACCOUNTS
Privileged user accounts give key employees greater access to sensitive data and allow them to make high-level changes to network systems. Because this access is so far-reaching, these credentials are targeted more heavily by hackers looking to bypass firewalls and intrusion prevention protocols.
By incorporating the principle of least privilege—and giving employees the lowest level of user rights that still allows them to perform all necessary job functions—you’re protecting both your business systems and your workers.
You’ll also want to limit the number of privileged user accounts to the minimum necessary, assign privileges by roles rather than to individuals, and log all access attempts and all executed changes from these accounts. Don’t forget to create specific procedures and guidelines to handle employee departures—including suspending account access and retrieving any access tokens and company-owned IT equipment.
REQUIRE MULTI-FACTOR AUTHENTICATION
You can limit unauthorized access to cloud applications by requiring every user to enable multi-factor authentication (MFA). Instead of simply entering a username and password—which could be stolen more easily—MFA includes at least two independent credentials.
These credentials could be something you know, such as a password; something you have, such as a security token; or something you are, such as a thumbprint, a retina scan, or some other biometric marker. If one factor is weakened—say a password is stolen—there’s another line of defense that might not be so easy to breach.
In a perfect world, access to any user account in the cloud would require MFA. But at the least, users with admin privileges—especially those with access to management consoles and other sensitive data—should use approved multi-factor authentication.
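The least-privilege and MFA checks described above can be run as a periodic audit over an account inventory. The following is an added example, not code from the original article; the inventory, field names, role names and the limit of two privileged accounts are all constructed assumptions.

```python
from datetime import date

# Constructed inventory; field names and values are assumptions for this example.
ACCOUNTS = [
    {"user": "alice", "roles": ["cloud-admin"], "direct_grants": [],
     "mfa": True, "active": True, "departed": None},
    {"user": "bob", "roles": ["analyst"], "direct_grants": ["storage:admin"],
     "mfa": True, "active": True, "departed": None},
    {"user": "carol", "roles": ["cloud-admin"], "direct_grants": [],
     "mfa": False, "active": True, "departed": None},
    {"user": "dave", "roles": ["analyst"], "direct_grants": [],
     "mfa": True, "active": True, "departed": date(2024, 1, 15)},
]
PRIVILEGED_ROLES = {"cloud-admin"}   # hypothetical role name
MAX_PRIVILEGED = 2                   # hypothetical organisational limit


def is_privileged(acct):
    """Privileged via a role, or via an admin right granted directly."""
    via_role = bool(PRIVILEGED_ROLES & set(acct["roles"]))
    via_grant = any(g.endswith(":admin") for g in acct["direct_grants"])
    return via_role or via_grant


def audit(accounts, max_privileged=MAX_PRIVILEGED):
    """Return a list of (user, finding) tuples; '*' marks a fleet-wide finding."""
    findings = []
    for a in accounts:
        if a["direct_grants"]:
            findings.append((a["user"], "privileges granted to the individual, not via a role"))
        if a["active"] and is_privileged(a) and not a["mfa"]:
            findings.append((a["user"], "privileged account without MFA"))
        if a["departed"] and a["active"]:
            findings.append((a["user"], "departed employee still has an active account"))
    privileged = sorted(a["user"] for a in accounts if a["active"] and is_privileged(a))
    if len(privileged) > max_privileged:
        findings.append(("*", f"{len(privileged)} privileged accounts exceed the limit "
                              f"of {max_privileged}: {', '.join(privileged)}"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS):
        print(f"{user}: {finding}")
```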
ENFORCE CONDITIONAL ACCESS CONTROLS
When you set up conditional access policies for users and devices, you can prevent many problems with stolen and phished credentials. This proactive strategy lets you set specific conditions for users to gain access to applications. It’s also a way to restrict access to those using approved devices and trusted networks.
For example, user access may depend on membership in selected groups, or the device platform used—like iOS, Android, and Windows. The location of the user may also trigger higher-level controls—requiring multi-factor authentication, or blocking access on untrusted networks.
When you use device-based conditional access, you can deny access to users on devices that fall short of your security standards. That includes unknown or unmanaged devices, devices without sufficient security controls, and attempts to gain access via unsecured wireless networks.
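The conditions described in this section (group membership, device platform, device state and network location) combine into a single decision per sign-in. The following is an added example, not code from the original article or from any vendor's product; the networks, group names, application names and the order of the rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All names and values below are constructed for illustration.
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
ALLOWED_PLATFORMS = {"ios", "android", "windows"}
APP_GROUPS = {"finance-app": {"finance"}, "admin-console": {"cloud-admins"}}
SENSITIVE_APPS = {"admin-console"}


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    platform: str
    device_managed: bool
    device_compliant: bool
    source_ip: str
    mfa_done: bool = False


def on_trusted_network(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # an unparseable source address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(s):
    """Return (decision, reason); decision is ALLOW, REQUIRE_MFA or BLOCK."""
    # Deny by default: an app with no group mapping is reachable by nobody.
    if not (s.groups & APP_GROUPS.get(s.app, set())):
        return "BLOCK", "user is not in a group allowed for this app"
    if s.platform.lower() not in ALLOWED_PLATFORMS:
        return "BLOCK", "device platform is not approved"
    if not (s.device_managed and s.device_compliant):
        return "BLOCK", "unknown, unmanaged or non-compliant device"
    trusted = on_trusted_network(s.source_ip)
    if s.app in SENSITIVE_APPS and not trusted:
        return "BLOCK", "sensitive app requested from an untrusted network"
    # Step-up: an untrusted location or a sensitive app needs a second factor.
    if (not trusted or s.app in SENSITIVE_APPS) and not s.mfa_done:
        return "REQUIRE_MFA", "step-up authentication required"
    return "ALLOW", "all conditions met"
```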
SECURE CRYPTOGRAPHIC KEYS
Most admin accounts require the use of cryptographic keys for access. Often these keys are generated when a new user is created. Because of the power of these keys, you’ll need procedures to manage and monitor their use.
If you have business processes operating in the cloud, you’ll want to safeguard your keys both internally and in the cloud as part of your IT security plan. Most experts recommend employing a hardware security module (HSM) to control cryptographic keys.
Designed to meet strict regulatory standards, HSMs stand alone in securely storing cryptographic keys while also managing their lifecycle. And with the option of a cloud-based HSM, you may have lower overhead and configuration costs because the physical hardware is maintained by the data center.
As more business applications move to the cloud, take particular care in safeguarding user accounts—especially those with administrative access. It could mean the difference between a thriving company and one that’s no longer in business.
Using a security framework, such as Centrinet’s SAFER IT, ensures that organizations are following best practices for IT security. Credentials like passwords and tokens are Safeguarded, business procedures are Adapted for maximum security, IT-managed objects are Fortified, and best practices for user accounts are Enforced. Access to sensitive systems and data is Regulated, high-level standards are Imposed, and Trusted systems get regular checks.
Does your IT security plan cover cloud access control? If not, your business data could be at risk. Working with a company like Centrinet ensures you have a comprehensive security strategy no matter where your data lives.