Cloud Security Planning in the Time of Social Distancing
By Joao-Pierre S. Ruth
With organizations compelled to push work out to remote, cloud security becomes a very tangible matter. The rapid move to remote work can raise security questions for organizations that must now lean heavily on their cloud resources. In some cases, teams may be relying on familiar systems and platforms that were established well in advance because of accelerated digital transformation and cloud migration.
For other organizations, this may feel like a trial by fire. Security solutions company Optiv and enterprise software developer Atlassian offer some insight on what organizations should consider when it comes to cloud security concerns during the COVID-19 outbreak.
Adrian Ludwig, Atlassian’s chief information security officer, says his company has employees around the world and the majority of the business is cloud based. “With two exceptions, we don’t run our own data centers,” he says. Employee laptops make up the primary hardware used by Atlassian, Ludwig says, and in recent years, the company put security measures in place to authenticate devices people use. Even with those steps, he says the company still ran into some hiccups in recent weeks when the entire team was directed to work from home. “The capacity we had for our VPN was nowhere near as large as it needed to be,” Ludwig says. “That was found out in a rolling cascade of failures.”
This led to changes in routing, he says, in order to restore secure access to services. Atlassian follows the zero-trust networking principle with different corporate applications assigned varying levels of protection. “Our most sensitive applications are only accessible from a corporate device,” Ludwig says, with less-sensitive areas available through personal devices. Security steps that he recommends organizations consider include categorizing applications to identify which ones are used daily and therefore will be needed remotely. Then organizations should consider the ways remote teams will tap into those resources, Ludwig says, and prioritize securing those connections. “Think about what that access looks like and how users will authenticate to that,” he says.
Joe Vadakkan, global cloud security leader at Optiv, says many enterprises already had some sort of remote plan or remote workforces to some degree. “From their perspective, it’s just about scaling it at a higher level,” he says. That includes increasing VPN access and virtual desktops, which can also mean higher risk. The move to remote work though increases the need for security awareness training, Vadakkan says, as employees transition from operating within the controls of on-prem infrastructure. For example, an employee at home might use a personal laptop for sake of convenience to download sensitive data or log into company email and other resources. “Those are some of the highest-risk areas from an end-user standpoint,” Vadakkan says.
There are security resources available, he says, with services such as Amazon WorkSpaces and Microsoft’s Virtual Desktops that can be used with quick and minimal set up. Controls and guardrails need to be established for observability and monitoring in the cloud, Vadakkan says, as organizations make this shift to remote. Security hygiene must improve to keep up as risks escalate, he says. Lapses in human behavior could unwittingly create points of exposure that hackers might attempt to exploit. “During this time, people are going to be spinning up a lot of workloads without security controls,” he says. “That is bound to happen.”
Questions Vadakkan says organizations should discuss include capacity planning and matching rules to the increasing volume of remote work. “Traditionally, enterprises that are risk averse have everything locked out,” he says. “Anything that’s not corporate IP is just shut down. Managing that at a higher scale is on the checklist.” Companies may have continuity plans in place and Vadakkan says it is important for those plans to include an understanding of data governance as people work from home. He suggests reviewing data loss prevention measures and discuss ramifications of business communications taking place over nonsecure, commercial versions of resources such as Skype, Google Talk, or mobile texting. As people operate outside a corporate network, the chances increase that they might use a plethora of unsecure communication that may move faster or are simpler to access. The problem is that using such conveniences may run the risk of exposing the company to bad actors who have been waiting for someone’s guard to come down. “We are already see massive phishing campaigns going on around COVID-19,” Vadakkan says.