How To Protect Your Cloud Accounts From Being Hacked

Gartner reports that by end of this year, 60% of global companies will have stored customer sensitive data in the public cloud, a 40% increasing in just two years. In addition, our State of Cloud Adoption survey uncovered that over two-thirds of organizations are already using Infrastructure-as-a-Service (IaaS) and 64% are using at least one Software-as-a-Service (SaaS) application. These are clear indicators that the business world has fully embraced the cloud and is quickly adopting and migrating to SaaS and cloud deployments.

This trend has resulted in an organization’s administrative credentials for cloud services having a high value to hackers. Instead of trying to hack into an enterprise network or endpoint, attacking an organization’s cloud administrator’s account and leveraging those credentials can lead to higher impact data exfiltration endeavors. A hacker’s infiltration of the service can put the entire organization at risk, since cloud services have become mission critical for many organizations.

We will continue to see service providers innovate to provide enterprises with security improvements for cloud administration. Until then, here are five steps to protect your valuable cloud administration account credentials and workflows.

1.      If the cloud service offers multifactor authentication, enforce usage for all your administration accounts and even non-admin accounts.  Multifactor authentication can be a bit painful, but is well worth it, as the service could have vulnerabilities that may be leveraged to access your sensitive data.

2.      Utilize different administrative account names and passwords so that any hacked credentials cannot be utilized across your cloud deployments or SaaS implementations. It is all too common to have the same login and password for all your admin accounts. Enforce a policy to ensure they are significantly different for every service.

3.      Enable all auditing within the cloud service, and review the audit data each day in a security stand-up/review. Expect malicious behavior to begin with stealth activities – what I refer to as “moles.” The moles will log in with the hacked credentials, create a new admin account, and then utilize that account for continuous data mining.

So pay particular attention to new administration account creation and verify the legitimacy of the account. With the audit information you should also be able to track any admin account creation to the original account it was created from, to find which accounts may be compromised.

4.      Create and enforce password rotation policies, especially if multifactor authentication is not available. Ideally the admin passwords live for less than 168 hours (seven days) but even that could be too long for maximum protection.

5.      Strictly enforce policies around administration account management, creation, modification, and deletion. Many organizations provide many admin accounts for many reasons. This creates a security risk by expanding the attack surface, especially when you have employee turnover.

Ideally, only allow administrator access to a select a few individuals access and be sure that those accounts are deleted first thing upon the employee’s departure. At a minimum, adopt a weekly admin account review that includes a justification for that particular person to have admin access.

6.      Define critical workflows that require review and approval of two or more administrators before the activity can be completed. Wherever possible, create notifications and reports to track when these activities have been started and keep a change log for the review process.

This will provide a couple of benefits. First, if the review and approval did not happen you will know at a minimum that an incorrect action happened in your organization that could have potentially devastating impact. Second, by defining the critical workflows you will have a list of activities and their expected outcomes or failures, which can lead to adding multiple protections against those activities.

For example, exporting or deleting all customer data from a CRM application is defined as a critical workflow, which requires approval but also full encryption and backups every six hours to protect against malicious activity. In a worst-case scenario in which you have identified malicious behavior, you can now detect, isolate, and remediate much quicker than if you did not define the critical workflow process.

As we continue to utilize the cloud and adopt SaaS, it is a good idea to review how you manage your administrative accounts and define process and procedures to protect them from malicious behavior. If you are employing AWS, take a look at 5 best practices for setting up secure Identity and Access Management in AWS.