These days, hosting your own cloud environment is easier than ever. However, it’s critical to follow basic cybersecurity best practices to ensure bad actors can’t access the management side of your cloud.
A good place to start is by taking a look at the key behaviors identified by Cybersecurity Awareness Month this year: implementing the use of strong passwords and a password manager, turning on multifactor authentication (MFA), recognizing & reporting phishing, and making sure any software you’re currently using is up to date.
Rules of Thumb for Cloud Administrative Accounts
Cloud administrator user IDs should be used solely for that purpose and not used for other general user accounts. Also, passwords should be at least 12 characters long and include all four types of characters (uppercase, lowercase, numbers, and symbols). The more unique your password, the longer it will take for a bad actor to compromise it.
The same holds true for any cloud services or cloud infrastructure cloud resources you create. Regardless of whether such services and resources are public-facing or in your private networks, it’s important to ensure any default accounts are removed and/or disabled. In addition, default user IDs should be changed along with the password, following the same password criteria used for an administrative password. This ensures all doors to your cloud resources are closed.
Importance of Routinely Using MFA When Accessing Cloud Environments
Incorporating multifactor authentication (MFA) for your management (administrative) access is a must. (Recently, this step has become easier to implement as many cloud hosting providers now provide MFA capabilities). Recommendations for use on your mobile device are an authenticator application like Microsoft Authenticator, Authy, Google Authenticator, or Duo. (Hardware tokens are also an option if your mobile device isn’t available.)
MFA adds another barrier of protection by restricting access to only authorized individuals. (If MFA is required to access cloud resources, you should also implement this capability for anyone logging into those resources.)
Guarding Against Phishing and Social Engineering
Phishing has become increasingly popular for bad actors, whether it be electronic via email, smishing (text message phishing), or phone by using social engineering techniques. Properly verifying the email or text authenticity is critical; also critical is ensuring that end users don’t click on links included in unverified messages. Social engineering—a technique in which bad actors impersonate someone who has legitimate access to a given environment—has become increasingly prevalent in recent years. When social engineering (or suspected social engineering) occurs, it’s critical that cloud administrators report this to the proper groups within your company so that proper mitigations can be put in place to either block, track, or (if necessary) notify authorities.
Administration of Cloud Environments Includes Regular Patching
Lastly, you must ensure that all instances you control in the cloud are patched as soon as security updates are released. All cloud-deployed instances are vulnerable if back doors are not properly closed.
Shared Responsibility and Managing Cloud Environments Moving Forward
Cloud security is typically a shared responsibility between the provider and the cloud customer, and it’s important to understand who is responsible for each security component.
Beyond that foundation—and the key behaviors identified above—companies often benefit from working with a trusted partner to assist with cloud migration and ongoing managed cloud services moving forward.
Telos designs and implements scalable, durable, cost-efficient, and secure cloud environments. Telos and its partners for managed services provide customized IT operational support tailored to your organization’s needs. Our managed services take the challenge out of IT operations with solutions to mitigate IT risks, reduce costs, and increase operational efficiencies. Click here to learn more.
