For every action of threat, there should be an equal and opposite reaction of protective countermeasures.
OK, so that's not exactly how Isaac Newton envisioned the application of his third law of motion, but for MSPs, this must ring true. You can't afford to move to the cloud without first understanding that security is of utmost importance when dealing with any client data. Just as the scope of IT will continue to become increasingly complex and intertwined, so too will the threat landscape. Attackers will find new access points to compromise and new ways of gaining access to these entry points, all the while endangering your clients' sensitive data stored in the cloud. That's why your cloud defense strategy must be a proactive, multilayered approach. Bad guys don't think in one dimension, and neither should you.
Overview of the 3 Tenets of Cybersecurity
In order to better understand and appreciate the cloud security discussion, let's first review the fundamental model of cybersecurity, as first popularized by the highly revered, Dartmouth-sanctioned paper, Three Tenets for Secure Cyber-Physical System Design and Assessment. Essentially, you want to regularly evaluate your clients' networks and systems for the following three key qualities:
1. System susceptibility
System susceptibility answers the question, "what is the potential risk?"
To answer this, you need to assess the superset of all your clients' public access points. By virtue of being public, open and available, this IT infrastructure is susceptible to attack. Now, that is not to say that if something is susceptible, it is automatically unprotected. That brings us to our second, closely-related consideration in cybersecurity risk analysis, threat accessibility.
2. Threat accessibility
Threat accessibility answers the question, "what is the likelihood that the risk can be exploited?"
It refers to the attacker's ability to act on your system's vulnerabilities and find an access point you didn't know existed or hadn't sealed off.
3. Threat capability
Threat capability answers the question, "what is the potential impact if the risk is exploited?"
Here, MSPs typically forecast the damage in terms of data loss, downtime and the costs associated with each, so that they can mitigate it. How successful will your attacker(s) be once they unleash a threat on a susceptible system? That's what this metric signifies.
Your job as an MSP is to focus on the intersection of all three of these spheres (as depicted below), particularly when it comes to defining your cloud security and backup strategies.
image source: http://www.dartmouth.edu/~gvc/ThreeTenetsSPIE.pdf
3 Layers of Cloud Security to Consider
With this basic framework, you now want to more closely examine the three layers of cloud security to make sure you are optimizing each and accurately forecasting potential threat vectors.
1. Physical Security
Have you asked yourself the following series of questions:
- What is the ability to access my client's system or data center?
- Is this access only physical?
- Can it be accessed virtually?
- If so, how many levels of security are there?
The ramifications of virtual (or logical) and physical access can be vastly different! For instance, let's say you have one physical server that hosts fifty virtual machines (VMs). With virtual access, an attacker would then be able to access and shut down only one of those VMs. Conversely, with physical access, that attacker can access the whole server and compromise all fifty VMs. While these are two different situations, you need to be prepared to address each with appropriate countermeasures by first recognizing that the vulnerabilities exist in the first place.
By conducting a physical security assessment, you'll gain a better understanding of your cloud environment and all of its access mechanisms, thereby gauging your client's system or data center's susceptibility to attack.
2. Operational Security
Next, you need to be able to cover each of these points of entry with security precautions to make sure the wrong people don't infiltrate your system. In order to do this, go back and review all of your policies, procedures and processes. Are they adaptable? Are they responsive? Consider for a second that you're the attacker attempting to weaken the security defenses of your target. You're going to want to know what those defenses are and how strong the barrier is. Cybercriminals test the waters by introducing minor changes that they hope their victims won't notice and respond to. How do they know when their malicious activity has been detected or not? The MSP responds with the appropriate operational countermeasure.
A perfect example of this is when there's threat accessibility and a machine gets infected with a virus. The first thing a virus does is shut down your antivirus (AV), but think about how many of your clients simply trust that their antivirus is working. To them, it's just something running in the background that does not require constant oversight. Even after their systems have been compromised, they still expect the antivirus software to download and install updates automatically. To tighten operational security, however, companies should have processes in place that indicate whether antivirus is working or not. Perhaps you need to perform regular antivirus tests or check the date of the last completed scan. Then, once you know you're under attack, work backwards to figure out how the attacker gained access to your system. Recall all of the access points that made your system susceptible. If any unused ports are open, close them and monitor the rest with a firewall. If you suspect an application was compromised, implement multi-factor authentication for user access. With these policies and procedures in place, you'll be able to react before the virus can cause any more damage, thus reducing the threat capability.
One more pro-tip when strengthening your operational security - constantly revisit it! Don't assume that once is enough. Continually test and evaluate your system for vulnerabilities and consider how you can minimize the exploitation of each with the right response policy. Going forward, ensure you have a defined set of procedures that encompasses the ongoing review, management and remediation of identified issues within your cloud environment.
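As an added example that is not from the original post or from Continuum, here is how the "is the antivirus actually working?" check described above can be automated. It runs over a constructed set of endpoint status records (hypothetical host and field names) and flags any host whose AV service is stopped, whose real-time protection is off, or whose last completed scan or signature update is older than a threshold.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint status records; host names, field names and
# timestamps are assumptions for illustration, not output of any real product.
AGENT_STATUS = [
    {"host": "ws-01", "service_running": True, "realtime_on": True,
     "last_scan": "2024-05-10T02:00:00", "signatures": "2024-05-11T00:00:00"},
    {"host": "ws-02", "service_running": False, "realtime_on": False,
     "last_scan": "2024-05-10T02:00:00", "signatures": "2024-05-11T00:00:00"},
    {"host": "srv-01", "service_running": True, "realtime_on": True,
     "last_scan": "2024-04-01T02:00:00", "signatures": "2024-04-02T00:00:00"},
]
REFERENCE_NOW = datetime(2024, 5, 12, 9, 0)  # fixed clock so results are reproducible


def check_agent(rec, now, max_scan_age=timedelta(days=7), max_sig_age=timedelta(days=3)):
    """Return a list of findings for one endpoint; an empty list means healthy."""
    findings = []
    if not rec["service_running"]:
        findings.append("antivirus service stopped")
    if not rec["realtime_on"]:
        findings.append("real-time protection disabled")
    scan_age = now - datetime.fromisoformat(rec["last_scan"])
    if scan_age > max_scan_age:
        findings.append(f"last completed scan {scan_age.days} days old")
    sig_age = now - datetime.fromisoformat(rec["signatures"])
    if sig_age > max_sig_age:
        findings.append(f"signatures {sig_age.days} days old")
    return findings


def unhealthy_hosts(records, now):
    """Map each host with at least one finding to its list of findings."""
    result = {}
    for rec in records:
        findings = check_agent(rec, now)
        if findings:
            result[rec["host"]] = findings
    return result


if __name__ == "__main__":
    for host, findings in unhealthy_hosts(AGENT_STATUS, REFERENCE_NOW).items():
        print(f"{host}: " + "; ".join(findings))
```

In practice the records would come from your RMM or AV console export, and the unhealthy list would feed a ticket or alert rather than stdout.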
3. Data Transfer Security
How do you protect the data that's both in use and at rest?
- encrypt the data
- enact strong authentication and access control requirements
- have an effective data retention and backup policy
First, look for a backup and disaster recovery (BDR) solution that encrypts your data right when you start backing up. Then, ensure that only authorized personnel are able to access this data. As described in a recent cloud security MSPtv interview, Continuum's fully-managed business continuity solution, Continuum BDR, actually restricts access to the backed up, encrypted data with an encryption key maintained only by the MSP. Although we provide the platform for secure data storage, management of that data is the other half of the battle. You must also have the right backup and data retention policy. More specifically, you need to know how many backups you've taken, how much backed up data you're storing, and must only store that data for as long as you need to. For a better understanding of how to set this policy, download our Data Retention Best Practices eBook below.
Unprotected backups are among the most frequently exploited attack vectors. But now let's say you recognize that you need to bolster your data transfer security policies, and you adjust user privileges and encrypt all backed up data going forward. What about all of the unencrypted data you're currently storing? Unfortunately, all too often, people change their backup policies and neglect to bake them into their data retention policies. Even if you have infinite storage, if you're taking frequent backups (like you should), you would then have to encrypt all of the previously backed up data to protect yourself from risk. That's why you don't want to keep data for longer than you need to.
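As an added example that is not part of the original post, the following script applies a keep-for-N-days retention window to a constructed backup catalogue (hypothetical ids, dates and encryption flags) and reports which retained backups are still unencrypted. Running it with several windows shows the point made above: the shorter the retention policy, the smaller the backlog of old data that would otherwise need re-encrypting after a policy change.

```python
from datetime import date, timedelta

# Constructed sample backup catalogue; ids, dates and flags are assumptions
# for illustration and do not come from any real product.
BACKUPS = [
    {"id": "b1", "taken": "2024-01-05", "encrypted": False},
    {"id": "b2", "taken": "2024-03-20", "encrypted": False},
    {"id": "b3", "taken": "2024-05-01", "encrypted": False},
    {"id": "b4", "taken": "2024-05-09", "encrypted": True},
]
TODAY = date(2024, 5, 12)  # fixed reference date so the output is reproducible


def apply_retention(backups, today, keep_days):
    """Split a catalogue into ids to keep and ids to purge under a
    keep-for-N-days policy, plus the kept ids that are still unencrypted
    (the backlog that must be re-encrypted after a policy change)."""
    cutoff = today - timedelta(days=keep_days)
    keep = [b for b in backups if date.fromisoformat(b["taken"]) >= cutoff]
    purge = [b for b in backups if date.fromisoformat(b["taken"]) < cutoff]
    backlog = [b["id"] for b in keep if not b["encrypted"]]
    return [b["id"] for b in keep], [b["id"] for b in purge], backlog


def reencrypt_backlog_size(backups, today, keep_days):
    """Number of retained-but-unencrypted backups under a given window."""
    return len(apply_retention(backups, today, keep_days)[2])


if __name__ == "__main__":
    for days in (365, 90, 30):
        keep, purge, backlog = apply_retention(BACKUPS, TODAY, days)
        print(f"keep {days:3d} days: retain={keep} purge={purge} re-encrypt={backlog}")
```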
Because we understand that data maintenance is not only a bandwidth concern but also a security concern for MSP businesses of all sizes, we've decided to rely on IBM Softlayer's public cloud to store all data backed up with Continuum BDR. Unlike private cloud solutions, public clouds offer a dedicated support team staffed to ensure the protection of your clients' data, both when it's in use and at rest. To learn more about the advantages of public clouds and the security risks of private clouds, check out Breaking Down Public and Private Clouds.