Keeping the cloud secure
John Tipton, senior security consultant, at Adarma explains how to tackle the third party risks Introduced by cloud computing on this Teiss article
If we had to summarise business today in one word, it would likely be ‘interconnected’. Not only is virtually everything linked to the internet and now the cloud, but we are also increasingly reliant on external parties.
As we lean into each other’s strengths and assume greater collaboration, we have witnessed an acceleration in innovation, improved efficiency, more flexibility and agility. Yet, despite the myriad benefits this brings, interconnectivity does come with its own set of risk.
On the cyber security front, it means potentially leaving one’s business susceptible to the security posture of its partners.
Cases such as the SolarWinds hack disclosed in early 2020, which saw thousands of its customers affected, certainly put supply chain attacks on the map. More importantly, it begs the question: how do we understand and manage the third-party risks introduced to an organisation’s digital ecosystem?
Before all else, it is important to take inventory, charting every provider operating within one’s network. While the providers vary according to different business types, examples may include accounting software, data back-up solutions and cloud hosting services. Chances are the list is extensive, but all should be accounted for.
You will then want to take careful note of what data and services they consume, how they are consumed and where they do so. Once this has been clarified, we can move on to ensuring the right security measures are in place.
The key to good third-party risk management is through communication, recognising that it is a two-way street. Cybersecurity requires a joint effort and should be seen as mutually beneficial.
We must not assume that the other’s method of data transfer or storage is appropriate by default, in the same way that we should not expect them to automatically accept our existing approach. Partners need to be involved in risk mitigation and planning processes, where expectations are laid out and both sides can hold each other accountable.
Nevertheless, as most self-help books would profess, real change starts from within; in this case, effective protection from third-party risks begins internally. Indeed, there are a few steps organisations can take to strengthen their supply chain security today.
The first is to execute an attack surface analysis, whereby the organisation’s IT infrastructure is scanned continuously for attack vectors, then it is monitored, evaluated, prioritised and remediated. In most cases, insider threats are posed by negligence as opposed to malicious intentions. By managing the attack surface appropriately, we significantly minimise the negative impact of human error.
This leads us nicely into the next point: implement a strong identity and access management policy as well as control mechanism, notably privileged access management.
In particular, extra attention should be paid to the access policies surrounding an organisation’s sensitive data. By limiting an employee’s access according to what they need only, this too restricts the impact of poor security behaviours or a breach.
In fact, it is recommended that businesses adopt a Zero Trust security model. As its name suggests, it is built upon the notion that all access attempts should be verified as no one and nothing should be trusted.
In addition, organisations must introduce strict shadow IT controls. It is critical to monitor cloud applications and data flow from employees to truly understand and control data breaches in the unfortunate event that they do occur.
Last but not least, take the time to educate employees on existing threats, such as phishing, smishing and ransomware, as well as how to avoid falling foul of these attempts.
Apart from internal protection, other general best practices to manage risk include:
– assuming the worst, and creating a thorough incident response plan;
– pinpointing the most vulnerable or high-risk resources and dedicating time to protecting these assets; conducting regular third-party risk assessments;
– embracing the DevSecOps approach by integrating security into the development lifecycle; ensuring any misconfigurations of one’s Public Cloud and SaaS environment is appropriately addressed;
– consider forming a Security Operation Centre (SOC) or automated threat prevention and hunting set-up.
As organisations are increasingly immersed into the world of cloud computing, it can quickly become overwhelming to see the list of third-party partners grow and the associated risks rise.
However, taking the time to understand who these partners are, and opening communications with them to discuss risk mitigation and remediation, is critical to the overall security posture of the supply chain.
Meanwhile, don’t forget that there are steps your organisation can take as well to minimise exposure.