Access control is paramount for effective security of data in the cloud
Companies are increasingly shifting IT services and applications to the cloud to be readily available to employees, empowering their productivity from wherever they are and from any device. Moving critical business information to the cloud does come with security challenges, with unauthorised access topping the list. To protect data in the cloud, companies need to have appropriate measures in place to manage and control who has access, based on their credentials. This is according to Charl Ueckermann, CEO at AVeS Cyber Security.
“Before the cloud, everything was hosted on physical servers in your data centre at your premises. If someone wanted access to your data, they had to overcome several security obstacles along the way. A person needed physical access to your server room, had to bypass a firewall or intrusion prevention services installed on the servers, and outwit any other security controls blocking his/her way into the organisation’s databases.
“There is a misperception that if the cloud is secure, measures to control access like this are not necessary, as the data is in a ‘safe place’, so it must be safe. This isn’t necessarily true. The same level of vigilance is required to control access to data in the cloud than is necessary with data hosted onsite. It is also essential to control and manage what different levels of employees can do with that data. Lack of access control, as well as the misuse of employee credentials, means data can be accessed by people who are not allowed to see it,” says Ueckermann.
He explains that companies operate in a highly regulated environment and are obligated to protect their information. To comply with industry or governmental regulations, they should protect their data and carefully control who has access to it.
“Companies cannot rely on usernames and passwords alone to effectively control access to the cloud, as 80% of breaches in the cloud are due to weak passwords. Multi-factor authentication to access cloud services should be non-negotiable. For example, when you use Microsoft’s Authenticator on your smartphone, there are four layers of security. These are: where you are, based on the geographic location from where you are logging in; what you know, being your username and password; what you have, namely your mobile device in your hand; and who you are, which would be your biometric code to access your phone.
“Similarly, you ideally want at least three ways to authenticate your employees before they can access company resources in the cloud. Besides, there should be clearly defined containers to segregate who has access to what information once they have been authenticated. Employees should be granted access only to the information they require to do their work. Authorisation measures should also be in place to ensure that information cannot be downloaded by or shared with people who don’t have permission.
“Monitoring tools can also help to pick up on abnormal behaviours. For instance, geolocation control would detect unusual behaviours, such as a login by an employee in Pretoria and, five minutes later, a login in Germany by someone using the same login details. Monitoring tools will also detect mass downloads, mass deletes and any other activities that are outside the norm,” Ueckermann recommends.
He stresses that employee education should form part of any organisation’s cloud security strategy.
“People tend to trust too easily and not verify enough when it comes to IT security threats. They open e-mails, click on links, share information, download information and share their passwords without understanding the potential consequences. For a cloud security strategy to succeed, it is vital that employees understand the risks, how their actions can make data vulnerable, and what they can do to keep data safe.”
Ueckermann concludes with these three tips:
- Implement appropriate governance processes and policies to formalise and govern how organisations manage their data security in the cloud.
- Deploy effective technologies that are specific for the cloud to enable identity management and control access to data.
- Relentlessly continue with user education and awareness to make your employees part of the solution rather than a vulnerability.
1. Martins, A. (2019, 02 27). Poor Access Management Leads to Majority of IT Hacks, Study Finds. Retrieved from businessnewsdaily: https://www.businessnewsdaily.com/11310-cyberattacks-poor-access-management.html
AVeS Cyber Security
AVeS Cyber Security is a specialist IT Governance & Architectural services consultancy that combines expert knowledge and services with leading technology products to provide comprehensive Information Security and Advanced IT Infrastructure solutions. Over the past 21-years, AVeS Cyber Security has strategically honed its solutions and services to help Southern African businesses future-proof their IT environments against the constantly evolving threat landscape while achieving their digital transformation aspirations. The company offers a leading portfolio of professional services, products, and training in security, infrastructure, and governance solutions. This year (2019), the company won three awards from some of the world’s top technology vendors, indicating competency, strength, innovation and robustness in an industry that is fast growing in complexity due to evolving challenges, such as ransomware, advanced targeted attacks and the Internet of Things. The awards include Kaspersky's Africa Partner of the Year 2019, ESET Regional SMB Sales Champion 2019 and ESET Product Champion 2019. AVeS Cyber Security also received three new partner statuses namely, Microsoft Gold Datacenter Partner, DellEMC Gold Partner, and Barracuda Preferred Partner .