Security concerns around cloud adoption are on the rise. According to the 2016 Cloud Security Spotlight Report from Crowd Research Partners, 53 percent of organisations see unauthorised access, through the misuse of employee credentials and improper access controls, as the single biggest threat to cloud security.
Today, perceived security risks are a significant factor holding back faster adoption of cloud computing. However, the many benefits that cloud services deliver, from more flexible working practices to improved efficiency, are driving organisations and security teams to find more secure ways of working. As such, implementing the right security can have a profound impact on business transformation.
Trusted access to the cloud provider
While the benefits of using the cloud are numerous, outsourcing services to a cloud provider means more centralised controls. The cloud hosting provider's services also often include an administrative/management dashboard with the controls to manage an organisation's cloud services. This means the username and password for the cloud's dashboard or accounts would be the "master key" to the entire IT infrastructure.
Protecting access to these cloud applications with only a username and password is insufficient for today's user-targeted attacks. If those credentials are stolen and exploited, it can be very difficult to regain control. Cloud security is certainly many-faceted, but guarding the entry point should be an integral first step to protecting data, networks, resources and other company assets located in the cloud.
With that in mind, keeping cloud logins secure is vital for businesses. Streamlining login security is also essential in making security easy to implement and manage, which is why using a two-factor solution that works for on-premise and enterprise-level cloud apps is ideal. Adding an extra layer of security means an attacker can't log into an administrative account by simply exploiting stolen credentials; they would need the associated physical device in order to successfully authenticate and gain access to the cloud management console.
Identifying security risks
Hackers will typically choose the easiest target and the "path of least resistance", which is why they are increasingly targeting end users directly, with an estimated 95 percent of breaches now involving stolen user credentials. The continued rise in phishing scams and use of social engineering techniques to steal credentials means that even the most complicated and ingenious of passwords is no longer enough.
The users themselves are not the only risk; devices running outdated operating systems and browsers also pose a significant security threat. Research from Duo Security's labs team found a concerning lack of device security in the enterprise, with 25 percent of Windows devices running now-unsupported versions of Internet Explorer, leaving those unpatched systems open to more than 700 vulnerabilities.
Mitigating these risks and ensuring only trusted access to a company's cloud services is achievable by adhering to the following golden rules on access control and device visibility:
Passwords are not enough
First and foremost, ensure users are who they say they are. Using only passwords as a form of authentication or access can leave organisations vulnerable to stolen credentials, especially as users often reuse passwords for multiple accounts, both work and personal.
Employing two-factor authentication across all logins provides an essential extra layer of security that doesn't rely on user behaviour. Solutions such as cloud-based two-factor are quick to deploy, easy to use and easy to manage for administrators and IT teams.
Securing employee devices
Attackers will exploit any vulnerability, and out-of-date systems are a potential treasure trove. With that in mind, organisations need to focus on the health of devices, ensuring they are running the latest operating systems and removing any blind spots, in order to mitigate any risks these devices may pose. Providing administrators with data on device ownership and health allows them to make risk-based access control decisions. As such, out-of-date devices should not be permitted to connect to the cloud and the network, or access any highly sensitive data.
Embracing the Cloud and BYOD
The era of widespread cloud adoption and BYOD (Bring Your Own Device) has encouraged organisations to set specific usage policies on employee-owned PCs, smartphones and tablets, addressing the rules that govern how all workers access the corporate network. With more sensitive company data stored in the cloud, organisations need stronger, more secure, trusted access to enable employees to work freely and safely from wherever they are.
Henry Seddon, VP EMEA, Duo Security
Henry Seddon oversees Duo's operations in Europe, the Middle East, and Africa. He was previously part of the leadership team at QlikTech, helping QlikTech through rapid growth to become one of Europe's most successful technology IPOs.