Mitigating cloud vulnerabilities – A checklist for enhanced security

Cloud provides several security advantages over traditional, on-premises technology, such as the ability to thoroughly automate security-relevant processes, including threat and incident response. However, even when adopted carefully, cloud services can introduce several risks that organizations should understand and address, both during procurement and in ongoing cloud operations.

Cloud vulnerabilities are similar to those found in traditional architectures, but shared-tenancy features and potentially ubiquitous access may increase the risk of exploitation. A thorough evaluation of the security implications when shifting resources to the cloud will help ensure continued availability of resources and reduce the risk of exposing sensitive information.

Organizations should also consider cyber threats to cloud resources so they can implement effective mitigations, just as they would in an on-premises environment. In addition, security in the cloud is a continuous process: customers should monitor their cloud resources constantly and work to improve their security posture.

In this post, we will look at a complete checklist of recommendations organizations should enforce for better cloud security.

  • Understand what type of data is stored in the cloud and keep a record.
  • Use cloud policies to prevent users from publicly sharing data without a mission-justified role.
  • Ensure only the intended recipients have the permissions if you share sensitive data with others through the cloud.
  • Ensure that any client software on the consumer's device that accesses a cloud service synchronizes only the data it is allowed to exchange between the device and the cloud.
  • Define appropriate permissions for files and folders.
  • Limit access to and between cloud resources.
  • Enforce encryption of data with robust encryption methods and properly configured, managed and monitored key management systems.
  • Understand your data and how it flows across different systems.
  • Evaluate areas where traditional operating or infrastructure IT silos can be fused into cloud deployments.
  • Configure the software to update automatically in cloud systems.
  • Ensure all levels of logging are enabled, and logs are stored immutably.
  • Correlate logs from hybrid or multi-cloud environments.
  • Use multi-factor authentication with strong factors and require regular re-authentication.
  • Enforce multi-factor authentication for password resets.
  • Prefer predefined roles, which are much more granular, over primitive roles.
  • Limit the number of users allowed to operate as a service account, and the specific circumstances in which they may do so.
  • Be restrictive about granting members the owner role.
  • Establish automated continuous monitoring for configuration changes and security events.
  • Control virtual machine image selection to require hardened baselines and allow for predictable cyber defense.
  • Disable protocols using weak authentication.
  • Use strong passwords for each account.
  • Use different accounts for different staff.
  • Use different passwords for different accounts.
  • Immediately delete access accounts or change passwords when staff changes.
  • Change passwords periodically.
  • When possible, use cloud-based access controls on cloud resources.
  • Do not include API keys in software version control systems where they can be unintentionally leaked.
  • Use dedicated, whole-unit, or bare-metal instances for sensitive workloads.
  • Use virtualization for isolation instead of containerization, for sensitive workloads.
  • Use automated tools for auditing access logs for security concerns.
  • Evolve architecture and processes to incorporate new features.
  • Control and audit cloud service policies.
  • Adhere to applicable standards (e.g., CSP guidance, Center for Internet Security Benchmarks, DoD CCSRG).
  • Audit access logs with automated tools to identify overly-exposed data.
  • Ensure proper training for individuals creating or modifying cloud service policies.
  • Follow best practices to avoid the abuse of privileged accounts.
  • Use trusted devices only for accessing cloud services. Avoid using public computers to process sensitive cloud data.
  • Physically secure the access device and protect it against unauthorized access.
  • Restrict sensitive data to approved storage and use data loss prevention solutions to enforce these restrictions.
  • Use cloud or third-party tools to detect misconfigurations in cloud service policies.
  • Keep access devices, including computers and mobile devices, up to date: run the latest versions of their operating systems, browsers, and applications, with current security patches.
  • Browse cautiously and do not click on links from untrusted sources.
  • Establish a contract that satisfies organizational needs for redundancy, availability, performance, data ownership/sovereignty, physical security, incident handling, and cloud infrastructure transparency.
  • Ensure that development and migration contracts stipulate adherence to internal standards or similar processes for mitigating supply chain risk.
  • Establish a simple access account policy for using the cloud service.
  • Check to see if the service provider reserves the right to use, disclose, or make your information public.
  • Check to see if your own data intellectual property rights remain intact.
  • Understand whether your data and the service can be moved or transferred to another provider when you want to and whether there are export utilities available and easy to use.
  • Check whether the service provider retains rights to your information even after you delete your data from the cloud.
  • Check whether data, including any backup storage, can be permanently erased from the cloud when you delete this data or when you terminate the service.
  • Perform a regular backup of your data stored in the cloud service.
  • Develop a business continuity plan and work out alternatives for when the cloud service or the data in it is unavailable.
  • Keep a local backup copy of your critical data, so that this data can still be available when the service provider is temporarily or permanently out of service (e.g., network outage).