Cloud Security Requirements, Best Practices for MSPs

Chris Braden

The amount of data (and the value of that data) being stored in the cloud is growing rapidly, and cybercriminals are quick to recognize the opportunity.

The cloud is inherently less secure than on-premises solutions and therefore requires a greater and more complex security strategy. The cost and complexity of designing, implementing and executing a security strategy across cloud, hybrid and physical network assets is growing, and as the cost and complexity increase, the challenge for companies to protect and secure their data becomes greater. This also means that the market opportunity today to provide cloud security solutions for MSPs is tremendous. It certainly comes with challenges, but there are fewer security solutions available today than there are for traditional network-based security requirements. This represents an opportunity for those companies with cloud-security capabilities to target a less competitive market, with predictably less commoditization and greater ability to differentiate.

Cyberthreats traditionally targeting on-premises resources, such as ransomware, identity theft, and data exfiltration, are a growing concern for cloud services as well. As organizations continue to adopt the cloud, effectively addressing these additional security challenges is a top concern. Midmarket companies are especially susceptible because cloud adoption is more prevalent among the midmarket range — enterprises with from 100 to 999 employees and earnings of $50 million to less than $1 billion in annual revenue, according to Gartner’s definition — due to its ease of deployment and low upfront costs. Midmarket firms typically lack the expertise and resources required to effectively secure their cloud deployments, which is where the MSP comes in.

Contrary to popular belief, the cloud customer is still responsible for ensuring that their workload is secure and protected against things like credential abuse or data exfiltration, both of which are leading cloud security concerns.

Some of the largest cloud breaches over the last two years could have been prevented with proper security due diligence.

• The first step in securing cloud data is understanding what security responsibilities are covered by the service provider and what steps need to be taken separately. Using a cloud service creates a shared security responsibility between the customer and the cloud provider. If expectations aren’t clearly defined from the start, security holes may develop.
• The next step to establishing strong cloud security is ensuring that stored data is categorized and documented. This should be done retroactively to be sure previously stored data is well documented. As previously stated, out of sight, out of mind. Keeping organized information on data stored in the cloud decreases the chance that private information will be stored in an insecure way. Data that is meant to be private must be stored in a cloud bucket set to private (not public).
• Cloud storage buckets should have randomized names. This increases the difficulty of attackers locating specific buckets belonging to the targeted company. It is also prudent to avoid the use of externally facing web portals. Although not always possible, this step will decrease the available attack surface.
• Companies should have a regular auditing schedule to review what groups or individuals have access to data stored on the cloud. Once this has been established, permissions should be re-evaluated based on task requirements. It is highly recommended that all administrative accounts for cloud storage require multifactor authentication, as this implementation will decrease the likelihood of account compromise. Similarly, following security best practices for passwords is highly recommended; this involves using a strong password or passphrase and never reusing the same password for multiple accounts.
• Lastly, encryption should be implemented at rest, as well as in transit, for data stored on cloud infrastructure. Encryption is the last line of defense against the sinister characters looking to pilfer data. Keeping sensitive data encrypted will minimize the effect of a breach or leak and ensure that data meant to be private remains private.

Additionally, there are various cloud security checklists, including this one from eSentire, available to help your team …