Hey you, get off my cloud: Mitigating cloud cyber risks

Or, how an underwriter taught me proper cyber hygiene practices for the cloud.


At the 2023 RAS Conference on cybersecurity, nearly 40% of professionals in attendance said cloud security was their most pressing concern, according to a survey from cybersecurity vendor Delinea. In 2022, cloud security was also the top concern for cybersecurity pros at the conference.

Cloud environments are attractive targets because of the troves of data they store, according to Bobby Bianconi, head of U.S. cyber and technology E&O for Aspen Insurance Group. Additionally, one cloud vendor can serve as a single access point to inflict damage on multiple users.

“Cloud providers certainly are an enhanced target, and always will be. That is why their controls need to be the best possible,” Bianconi adds.

Cloud security, which is causing more consternation than ransomware and remote workers, calls for a different approach than a policyholder would take when managing an on-site server.

So what are underwriters looking for?

“We’re looking for a holistic approach from our insureds,” Bianconi says. “There is not just one magic control that will stop a threat actor from getting in.”

For policyholders working with third-party cloud providers, a good amount of due diligence should be undertaken when awarding that contract, according to Bianconi.

“Aside from some IT assessment, they (insureds) should also require a certain amount of insurance be purchased relative to the amount of data they are transferring,” he says.

Get initial configurations right, review regularly

When setting up a cloud environment, getting the initial configuration correct is vital, according to Bianconi.

“You can get into trouble very quickly if you don’t set the permissions right and someone is allowed to see something they aren’t supposed to,” he says. “Aside from being a potential privacy compliance violation, it could also expose you to a threat actor being pervasive in your network.”

In addition to carefully controlling permissions during setup, policyholders should regularly review their cloud configurations to make sure no mistakes have been made or vulnerabilities left exposed.

Capital One’s 2019 data breach serves as a prime example of what can happen if configuration mistakes are made. The breach was set off by Paige A. Thompson, who was arrested by the FBI and was alleged to have stolen data from more than 30 companies, including an unnamed state agency, a telecom conglomerate and a university. Thompson, a former Amazon Web Services employee, had created a scanning tool that helped her identify cloud servers with misconfigured firewalls.

The configuration review should include making sure there are no gaps in access permissions. For example, if a policyholder had contractors working on their network or an employee leave, those permissions should be revoked.

MFA & PAM go hand in hand

Multifactor authentication (MFA) and privileged access management (PAM) tools are examples of permission controls that are commonly being deployed.

While many people might be familiar with MFA, such as banking apps that require a username and password as well as a numeric verification code, PAM might not be as familiar. However, the two work in conjunction.

While MFA ensures only approved users can access a network, PAM concerns itself with access to particular resources within a network. Or, put more simply, MFA is the ticket that gets you into the venue; PAM is the backstage pass.

Evolution is necessary

Bianconi explains that during annual renewals, Aspen wants to see that clients are showing measured improvements in their cybersecurity posture each year.

Part of this should include alternating between vendors used to conduct cybersecurity audits, according to Bianconi. One provider could become too familiar with the environment and might not view it as someone with fresh eyes would.

“We don’t want to see that everything is the same. We want to see certain things improved upon,” he says. “For example, we want to hear that the results from their most recent phishing tests were strong because they have buy-in from all their employees. Again, we want to hear about a holistic approach, particularly around social engineering stuff like phishing.”

Getting buy-in from the top down when it comes to good cyber hygiene practices is absolutely vital. Bianconi points out that 99% of all cloud security failures are due to some level of human error.

“This is one of the top risks any business faces, regardless of industry, because if you can’t run your network then you can’t conduct business a lot of times,” he says. “There is really no way for an executive to continue to improve their company if there isn’t buy-in from the top down.”
