There is a saying in the industry that goes, “The cloud is just someone else’s computer.” However, if you’re storing sensitive information and user credentials in a cloud environment, should you treat that environment as if it were just someone else’s computer? Cloud engineers manage data in the cloud, but what could happen if this data is unprotected? A 2019 study by the security research firm Proofpoint found that 92% of Fortune 500 companies’ cloud accounts had been attacked. These attacks could have been avoided if the companies had taken the time to harden their cloud environments’ configuration as if they were on premises.
The following is a list of precautions to take in order to ensure that you’re managing your cloud environment in a secure way:
• When configuring cloud infrastructure, one of the first lines of defense is encryption of data at rest and in transit. An SSL/TLS certificate and user credentials should be generated to enable HTTPS and SSH traffic. In addition, a firewall should be configured with inbound rules that allow only that traffic, and each cloud server should have its own set of user credentials.
• Check that cloud account credentials are not hardcoded into any software. This includes version control repositories, both public and private. Also, user credentials should be rotated frequently. Your cloud platform may have a key management service that centrally stores and rotates the credentials for your servers.
• Each network service (the web server, database server, email server, etc.) should be run on its own instance, so that compromising one instance does not give an attacker access to all of your assets.
• As burdensome as it may be, use two-factor authentication (2FA) whenever you log in. Unless an attacker also has access to your mobile device, this can help prevent them from infiltrating your cloud account.
• Change the default configuration files and port numbers for your services. If you are using default configurations, your environment is at risk because attackers will know where to look once they are able to infiltrate with your user credentials. Give them a hard time and leave that /var/www/html directory empty.
• Use your platform’s monitoring and logging service to notify you when suspicious activity and/or traffic is detected and to log as many assets as you can: your servers, cloud virtual private network (VPN), file storage system, etc. If an attack is carried out against your environment, logging helps you determine which assets are being targeted.
• Although it may not seem like it, maintaining availability of your resources is a security practice. An attacker may not aim to infiltrate your environment, but rather to prevent legitimate web traffic from flowing through it by flooding it with a distributed denial-of-service (DDoS) attack. Configuring a load balancer and a web application firewall (WAF) in your environment can help mitigate such attacks.
• Finally, back up your cloud assets frequently. In the event that an attacker infiltrates your account and wipes all your data (or possibly worse, if you or someone in your organization unintentionally wipes all the data), you need a copy to restore all of it. Whether you store your backups on removable media or use your platform’s backup service, if one is available, this step is a vital part of securing your data.
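An added example (not code from the original post) of the hardcoded-credential check from the list above: a small scanner that walks a checkout and flags lines that look like a cloud access key or a quoted secret assignment. The AWS access key ID shape is a documented format; the generic assignment rule, the rule names and the sample file are constructed assumptions you will want to tune for your own code base.

```python
import os
import re
import sys
# Rules for credential-looking text that must never sit in a repository. The
# AWS access key ID shape (AKIA + 16 uppercase alphanumerics) is a documented
# format; the generic assignment rule is a heuristic assumption, so tune it.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b\w*(secret|password|passwd|api_key|access_key|token)\w*"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

def scan_text(text, path="<memory>"):
    """Return (path, line number, rule name) for every line a rule matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
    return findings

def scan_tree(root):
    """Walk a checkout, skipping .git metadata and non-UTF-8 (binary) files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_text(fh.read(), path))
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file: nothing to scan
    return findings

# Constructed sample file; the key ID is the example AWS uses in its own docs.
SAMPLE_CONFIG = """\
DB_HOST = "db.internal"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
password = os.environ["DB_PASSWORD"]  # fine: resolved at runtime, not stored
"""
if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_CONFIG)
    for path, lineno, rule in hits:
        print(f"{path}:{lineno}: {rule}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the commit in a hook
```

Run it against a checkout path from a pre-commit hook or CI job; a non-zero exit means a credential-looking string is about to be committed, and the line that reads the password from the environment at runtime is deliberately not flagged.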
Of course, you don’t have to follow any of this advice. You may continue to make the jobs of cloud penetration testers like me easier instead. :)