Securing Your Cloud Stack… Against Ransomware and Other Threats

When it comes to protecting your environment against ransomware and other looming threats, you need to cover every layer of your cloud stack. Here are nine practical actions you can take now.


If you use the cloud, the key to being protected starts with an understanding of the layers that make up your cloud stack. These different layers create multiple potential targets. And for the well-informed, each represents a piece of the cloud environment that can be secured against potential threats. Ransomware doesn't have to be terribly complex; to be effective, it just needs access. By paying attention to the different pieces of the cloud stack and addressing your unique security needs with these preparations, your environment will be far more resistant to ransomware threats:

Identity Management

Besides enforcing secure passwords and MFA, apply the "least privilege roles" concept: Only give users access to the fewest accounts and systems that allow them to be productive. This limits the damage that can be done if an accident happens or a bad actor gets access to the account.

Secure the Cloud Compute Layer

Take steps to secure your compute layer, not just to ensure availability of systems and data, but also to keep bad actors from using your compute power to further spread malware across your business and the Internet. The first step here is to enable secure login by issuing SSH keys to individuals.

Use a Jump Host

A jump host is placed in a different security zone and serves as the only means of accessing the other servers or hosts in your system. It is an extra step that adds a layer of security complexity to keep hackers out. Because it is the single administrative entry point, take steps to protect this server and maintain strict access controls, and be sure to turn on logging so you can audit all activity. Be warned, though: if this one server gets hacked, a new one can be created with the push of a button.

Create Hypervisor Firewall Rules

The most effective way to manage firewalls is at the hypervisor level, because there you can restrict or set limits on both ingress and egress traffic. Take care to set definitive rules about what, how much, and who can send, receive, and access both inbound and outbound data. Many are reluctant to set up outbound rules, but because ransomware often threatens exposure of intellectual property, it is important that outbound rules are explicitly declared.
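As an added illustration of explicit ingress and egress rules (not code from the original post), here is a small Python rule evaluator with a default-deny policy in both directions, plus a check for the "outbound wide open" rule that the text argues against. The ruleset, addresses and port ranges are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    cidr: str        # remote network the rule applies to
    ports: tuple     # inclusive (low, high) port range
    action: str      # "allow" or "deny"


# Constructed ruleset for a single web server (RFC 5737 example addresses).
# Egress is written out explicitly: DNS to one internal resolver and HTTPS
# to an assumed update/proxy network, nothing else.
WEB_RULES = (
    Rule("ingress", "0.0.0.0/0", (443, 443), "allow"),
    Rule("ingress", "203.0.113.0/24", (22, 22), "allow"),  # SSH from the jump host range
    Rule("egress", "10.0.0.5/32", (53, 53), "allow"),
    Rule("egress", "198.51.100.0/24", (443, 443), "allow"),
)


def evaluate(rules, direction, remote_ip, port, default="deny"):
    """First matching rule decides; unmatched traffic gets the default action."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in rules:
        low, high = rule.ports
        if (rule.direction == direction
                and addr in ipaddress.ip_network(rule.cidr)
                and low <= port <= high):
            return rule.action
    return default


def permissive_egress(rules):
    """List egress rules that allow every destination on every port, the
    'leave outbound open' default that makes data exfiltration trivial."""
    return [r for r in rules
            if r.direction == "egress" and r.action == "allow"
            and ipaddress.ip_network(r.cidr).prefixlen == 0
            and r.ports == (0, 65535)]
```

With these rules an outbound connection from the web server to an arbitrary Internet host is denied even though inbound HTTPS from anywhere is allowed.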

Only Use Trusted Images

Build your images or templates from scratch, or get them from very trusted sources like AWS or Microsoft. Don't use the ones you find on Stack Overflow or on random message boards or communities. Hackers have gotten clever enough to respond to hot topics and embed malware into packages and templates.

Manage Data Access for Cloud Storage

Identity and Access Management (IAM) policies and Access Control Lists help you centralize the control of permissions to your storage. Bucket policies allow you to grant or deny permissions by account or user, or based on certain conditions like date, IP address, or whether the request was sent over SSL.

Encrypt, Encrypt, Encrypt

When using public cloud infrastructure, it is imperative that your data is encrypted both in transit and at rest. There are many great encryption tools and services that will help with each. Note that the metadata (the data describing what you're storing) is often not encrypted, so make sure you're not storing sensitive information in your cloud storage metadata.

Restrict Delete Rights or MFA for Delete

You can set up roles in your cloud infrastructure that do not allow the user to delete any data. This protects you in case an attacker gains control of a user's account: they may be able to access the data, but not delete it, which is usually what is threatened in ransomware attacks. Also, most cloud storage solutions let you enable a feature that requires the six-digit code and serial number from your MFA token to delete any version of data stored in your storage layer. This means that attackers won't be able to delete your data if they get access, unless they've also got your MFA device.
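To make the two preceding points concrete (conditional bucket policies, and delete rights gated on MFA), here is an added Python auditor that reads an AWS-style bucket policy document and reports statements that allow deletes without an MFA condition, or that fail to deny non-TLS requests. It is example code, not Evident's product or an AWS tool; the account id, bucket name and IP range are constructed, while the condition keys (aws:SourceIp, aws:MultiFactorAuthPresent, aws:SecureTransport) are real AWS policy keys.

```python
import json

# Constructed sample bucket policy (fictitious account and bucket) in AWS
# policy-document form, written so that it passes the checks below.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadFromOffice", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "DeleteNeedsMfa", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-admin"},
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy):
    """Return findings as strings; an empty list means the policy passes."""
    findings = []
    enforces_tls = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        bools = stmt.get("Condition", {}).get("Bool", {})
        # A Deny on plaintext requests is the standard way to force TLS.
        if stmt["Effect"] == "Deny" and bools.get("aws:SecureTransport") == "false":
            enforces_tls = True
            continue
        if stmt["Effect"] != "Allow":
            continue
        # Delete rights must be gated on MFA, so a stolen password alone
        # cannot be used to destroy data or its versions.
        deletes = [a for a in _as_list(stmt.get("Action", []))
                   if a == "s3:*" or a.startswith("s3:Delete")]
        if deletes and bools.get("aws:MultiFactorAuthPresent") != "true":
            findings.append(f"{sid}: {deletes} allowed without MFA condition")
    if not enforces_tls:
        findings.append("no Deny statement for aws:SecureTransport=false")
    return findings
```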

Don’t Allow Services to Call Home to SaaS Systems Like Github

All it takes is for a bad actor to get access to your Git repo. They can then infect it and potentially gain access to more of your systems the next time one of them calls home. A better option is to store your Git or code repositories securely in your own cloud environment.

Our Evident Security Platform analyzes more than 10 billion events every month, and we see that poor configuration, lack of policies, and permissive behaviors lead to too many openings that are exploitable by ransomware. We can help you create an optimal security posture for your cloud environment that will assist in thwarting ransomware through a set of corrective actions and behavioral modifications. There will always be bad guys, but we'll work with you to figure out how to keep them out of your cloud.