In the case of AWS, S3 buckets should never have a public access policy.
Another common mistake is leaving SSH open, something that 73 percent of organizations did in ThreatStack’s analysis. ThreatStack also found that 13 percent allowed SSH connections directly from the Internet, which meant anyone who could figure out the server location could bypass the firewall and directly access the data.
Major cloud providers all offer identity and access control tools; use them. Know who has access to what data and when. When creating identity and access control policies, grant the minimum set of privileges needed and grant additional permissions only temporarily, when they are needed. Configure security groups as narrowly as possible, and reference security group IDs in rules where possible.
Amazon VPC lets administrators create a logically isolated network within the AWS cloud to launch servers in virtual networks. This is one way to protect the production environment from the development and staging environments and keep data separate.
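The following is an added example, not code from the article: a small Python audit over constructed sample data in the shape of the EC2 DescribeSecurityGroups response and an S3 bucket policy document, flagging the two mistakes described above (SSH reachable from 0.0.0.0/0 and a bucket policy that grants access to the anonymous principal). The group names, IDs, account number and bucket name are made up; a rule that references another security group ID instead of an IP range passes the check.

```python
import json

# Constructed sample data (not real accounts): security groups in the shape of the
# EC2 DescribeSecurityGroups response and one S3 bucket policy document.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,  # SSH only from the bastion group
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # all ports
]
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "AppRoleOnly", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

def ssh_open_to_internet(group):
    """True if an ingress rule lets 0.0.0.0/0 or ::/0 reach TCP port 22."""
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":  # "-1" means all protocols and all ports
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # Rules that only reference another security group ID never reach this line.
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            return True
    return False

def public_statements(policy):
    """Sids of Allow statements granted to the anonymous principal.
    Conditions are ignored here, so review each hit rather than auto-removing it."""
    hits = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anonymous:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits
```

Run against real data, the same two functions take the `SecurityGroups` list from `describe_security_groups` and the parsed `Policy` string from `get_bucket_policy` (boto3 calls that exist, but are not used here so the example runs offline).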
3. Protect the data
Another common mistake is to leave data unencrypted in the cloud. RedLock’s CSI found that 82 percent of databases in the public cloud are not encrypted. Voter information and sensitive Pentagon files were exposed because the data was not encrypted and the servers were accessible to unauthorized parties. Storing sensitive data in the cloud without putting in place appropriate controls to prevent access to the server and to protect the data is irresponsible and dangerous.
Where possible, maintain control of the encryption keys. While it is possible to give cloud service providers access to the keys, bottom line, the responsibility of the data lies with the organization.
“It’s like trusting your home renovator with the keys to your home,” said Mark Hickman, COO at WinMagic. “You expect all will be well, but you can never be 100 percent certain if they’re locking the door or the character of their subcontractors. So why take that risk in giving them access to your keys in the first place?”
Even when cloud providers offer encryption tools and key management services, too many companies don’t use them. Encryption is a fail-safe—even if a security configuration fails and the data falls into the hands of an unauthorized party, the data cannot be used.
4. Secure the credentials
As the OneLogin breach showed, it’s not uncommon for AWS access keys to be exposed. They turn up on public websites, in source code repositories, on unprotected Kubernetes dashboards, and in other such places. Treat AWS access keys as the most sensitive crown jewels, and educate developers to avoid leaking such keys in public forums.
Create unique keys for each external service, and restrict access following the principle of least privilege. Make sure the keys don’t have broad permissions, because in the wrong hands they can be used to access sensitive resources and data. Create IAM roles to assign specific privileges, such as making API calls.