We speak with business owners every day about how to help make their team more productive, mitigate the risks in their business, and get more done. Recently we’ve noticed a dangerous trend: Business owners treat the ‘cloud’ and the security of the ‘cloud’ the same way that they treated their on-premises networks: In short, they don’t care.
They assume that ‘someone else is taking care of the security.’ This mindset is extremely dangerous. In the traditional model of on-premises IT infrastructure, it was the responsibility of IT to secure the perimeter of the network. Essentially, that involved installing a good firewall, only opening the ports that were needed, purchasing good security software – rinse and repeat. With the cloud, this has all changed. While the security of your network is still important, in many cases the network is just the mechanism you use to reach the cloud, where your data is now physically located.
In the old world, we had to secure the perimeter so we could secure the data.
In the new world, we no longer have a perimeter, so how do we secure the data?
When working with businesses, we focus primarily on two areas of the business where we can have the most significant impact: employees and their identities.
Driving Employee Awareness
Almost all phishing and account security attacks succeed as a result of user action: a user is tricked into giving away their credentials, clicks on a malicious link, or uses poor password hygiene. You can spend a ton of money building fences around your information – but if you leave the front door open, you have wasted your money.
This all starts with regular user training and awareness. Test your employees’ ability to spot email-based attacks, like phishing (but don’t stop there – use the results to help guide your training). Share articles after significant breaches (like the recent Equifax breach) to make it real for your team members. Include examples of what to look for in phishing attacks in your regularly scheduled security training. Don’t forget about your new hires - make security awareness part of their on-boarding.
Protecting User Identity
Right behind driving user awareness is protecting user identity. Since so much of our information is stored in the cloud, protecting the user’s account (or identity) from being stolen is critical. Brute force attacks on user accounts (where hackers try to guess the password) are widespread. Or, in many cases, users will re-use the same password across all their accounts – making it easier for hackers to gain access to their accounts.
At the very least, you should deploy multi-factor authentication (MFA – sometimes called dual-factor authentication). MFA protects an account even when the password is compromised. An MFA-protected account requires the password AND a second factor the attacker does not hold (such as an approval from a mobile device or a code from a text message) before the account can be accessed.
We also recommend deploying services that help flag and prevent risky account behavior. Azure Identity Protection Manager uses machine learning to flag risky account behavior (such as a login from an unusual location for that user). Azure Privileged Identity Manager goes a step further by putting restrictions on administrator accounts.
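To make the two account risks above concrete (a burst of failed logins from a brute-force guess, and a successful login from a location that is unusual for that particular user), here is an added illustration that is not part of the original post and not how Azure's services implement their checks. It builds a per-user location profile from constructed baseline sign-ins and then flags new events; the user names, countries and the five-failure threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample sign-in events (not real logs): (user, country, outcome).
BASELINE = [
    ("alice", "US", "success"), ("alice", "US", "success"), ("alice", "US", "success"),
    ("bob", "GB", "success"), ("bob", "GB", "success"), ("bob", "DE", "success"),
]
NEW_EVENTS = [
    ("alice", "US", "success"),
    ("alice", "RU", "success"),                                  # unusual for alice
    ("bob", "DE", "success"),                                    # normal for bob
    ("carol", "US", "failure"), ("carol", "US", "failure"), ("carol", "US", "failure"),
    ("carol", "US", "failure"), ("carol", "US", "failure"), ("carol", "US", "success"),
]

def build_profiles(events):
    """Per-user set of countries seen in successful baseline sign-ins."""
    profiles = defaultdict(set)
    for user, country, outcome in events:
        if outcome == "success":
            profiles[user].add(country)
    return profiles

def flag_risky(events, profiles, max_failures=5):
    """Return (user, reason) pairs for sign-in patterns worth a closer look.

    - 'brute force': max_failures consecutive failed attempts for one user
    - 'success after failure burst': a success that follows such a burst,
      i.e. the guess may have worked
    - 'unusual location': success from a country absent from the user's profile
    Users with no baseline profile get no location check (nothing to compare to).
    """
    flags = []
    consecutive_failures = Counter()
    for user, country, outcome in events:
        if outcome == "failure":
            consecutive_failures[user] += 1
            if consecutive_failures[user] == max_failures:
                flags.append((user, "brute force"))
            continue
        if consecutive_failures[user] >= max_failures:
            flags.append((user, "success after failure burst"))
        consecutive_failures[user] = 0          # a success ends the streak
        if user in profiles and country not in profiles[user]:
            flags.append((user, "unusual location"))
    return flags

if __name__ == "__main__":
    for user, reason in flag_risky(NEW_EVENTS, build_profiles(BASELINE)):
        print(f"{user}: {reason}")
```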
If you own a business or are responsible for a department of a company – please do not treat the security of your data stored in the cloud the same way you treated the security of your network. Data security can no longer be the responsibility of only the IT team. While your IT team should no doubt be managing the tools and leading the charge, data security needs to be a team effort. Your business may depend on it.