Mitigating Third-Party Risks in an Era of ‘Too Big to Fail’
An ever-increasing number of companies are embracing third-party cloud computing technologies (Microsoft 365, Google Workspace, AWS) due to their extensive security and collaboration tools, as well as their unmatched integrated artificial intelligence solutions, such as the recently announced Microsoft Copilot.
As the use of cloud technology has become more widespread over the past two decades, concerns about its potential security vulnerabilities have risen. Governments and businesses alike have entrusted sensitive data to third-party tech giants like Amazon, Microsoft, Google, and Oracle, who offer near-limitless storage, advanced security solutions, and powerful collaboration tools. However, the Biden administration is now embarking on the first comprehensive plan to regulate the security practices of cloud providers, recognizing that the cloud, much like systemic Swiss banks, has become essential to daily life and is now “too big to fail.” The fear is that a major cloud provider going down could have catastrophic consequences, such as disrupting the economy and government.
Considering these events, what can businesses do to improve their own cloud security posture, particularly in the context of hybrid, distributed workforces? Listed below are 10 security tips for securing cloud-based environments:
First, reducing your attack surface is a crucial step in securing your cloud environment, especially for remote teams. By limiting the number of devices that can access your network, you can minimize the risk of unauthorized access and protect your company’s data. This can be achieved by decreasing the number of entry points in your network and limiting access to your cloud environment only to corporate-managed devices or Virtual Desktop Infrastructure (VDI).
Using a centrally managed password manager is another crucial aspect of managing cybersecurity, whatever your environment might be. This allows you to ensure that team members are using strong passwords and adhering to best practices for password management, and to share passwords securely across your organization. At the same time, ensure that all remote team members are utilizing multi-factor authentication (MFA) or passwordless authentication to access company systems and data.
Deploying targeted data loss prevention (DLP) policies is another crucial component of securing corporate data in a cloud environment. To deploy them efficiently, first establish a data classification policy and label your data accordingly. This helps to identify the proprietary information that needs to be protected and ensures that it is protected appropriately. DLP policies can then be implemented to prevent data leakage by monitoring, identifying, and stopping the unauthorized transfer of sensitive information. This is done in accordance with your classification policy, reducing the risk of data loss and protecting your company’s confidential information, especially in a distributed workforce.
Leverage cloud access security broker (CASB) solutions to manage the security of third-party SaaS platforms and data. A CASB is a cloud security technology that enables organizations to monitor, manage, and secure their cloud applications and data. This solution provides comprehensive cloud security, visibility and control over cloud usage, and real-time threat detection. It allows for the enforcement of security policies, the configuration of alerts, the detection and prevention of threats, and the monitoring of data usage and sharing.
Establishing clear guidelines for your team is also critical. Developing a remote work policy that covers topics like secure connectivity, password management, and the use of company-owned devices can help ensure everyone is on the same page when it comes to working securely from outside the office. Regular training and education for your remote team can also help keep everyone up to date on the latest threats and best practices. Focus your information security awareness workshops on what is expected of your team by presenting concrete and practical examples.
Implement Center for Internet Security (CIS) benchmarks for cloud environments. In its Top Threats to Cloud Computing report, the Cloud Security Alliance cited “Misconfigurations” as one of the top threats to cloud environments. The CIS provides configuration benchmarks and guidelines for securing cloud environments, including those provided by major cloud providers like Amazon, Microsoft, and Google. Implementing these benchmarks can help organizations secure their cloud environments and reduce the risks linked to misconfigurations.
Use commercial Virtual Private Networks (VPNs) when accessing the internet from untrusted networks. Using VPNs is a commonly advised practice for businesses to secure their data and communications when accessing the internet from untrusted networks, such as public Wi-Fi hotspots. VPNs provide an extra layer of security by encrypting data when connecting from untrusted networks, thus preventing man-in-the-middle (MITM) attacks, where an attacker intercepts and alters the communication between two parties. By encrypting the data, VPNs make it difficult for attackers to read or modify the information being transmitted. In addition, some VPNs offer additional security features, such as malware protection and intrusion prevention, which can further enhance the security of your data and network.
Implement a disaster recovery plan. Even if cloud environments provide high availability, reliability, and redundancy by spreading a network infrastructure across multiple geographical locations, a disaster recovery plan is nonetheless essential for minimizing the impact of any potential disruptions to your cloud-based environment. This plan should include regular backups of critical data and systems. It should also include a process for restoring those backups in case of data loss or system failure. Additionally, it is imperative to test the disaster recovery plan regularly to ensure that it is effective, relevant, and up to date.
Remove standing Global Admin privileges. Standing Global Admin privileges in cloud environments can pose a significant security risk for businesses, as they give unrestricted access to sensitive data and systems. This level of access can be exploited by malicious actors or even by employees with malicious intent, putting your company’s confidential data and systems at risk. Instead, businesses should adopt a just-in-time (JIT) privilege access approach, using Privileged Identity Management (PIM) solutions. PIM solutions provide temporary, time-bound access to privileged accounts, reducing the risk of unauthorized access, and ensuring that any privileged activities are monitored and audited. By implementing a PIM solution, administrators can request elevated access for a specific period, and their access will be disabled at the end of the allotted time.
Finally, along with removing standing Global Admin privileges, setting Global “root” Admin accounts (e.g., Azure Initial Administrator or AWS root account) as break-glass-only accounts ensures that Global Admin privileges are only used in emergency situations. This approach reduces the likelihood of administrative errors and unauthorized access to sensitive data, because break-glass accounts should only be used in exceptional circumstances, such as when no other accounts have sufficient privileges to perform a critical task. The usage of this account should be closely monitored, and its access should be protected with hardware MFA tokens.
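One way to monitor break-glass usage on AWS, shown as an added example that is not part of the original article: the script below flags root account activity in CloudTrail records and escalates root console logins made without MFA. The sample events are constructed, the function names are hypothetical, and the filter follows the commonly used root-usage condition (identity type "Root", no invokedBy, not an AWS service event).

```python
# Constructed CloudTrail-style records; account ID and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-10T09:30:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "Root", "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-10T09:35:00Z", "eventName": "CreateAccessKey",
     "eventType": "AwsApiCall", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "Root", "accountId": "111122223333"}},
    {"eventTime": "2024-01-10T10:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-10T11:00:00Z", "eventName": "Decrypt",
     "eventType": "AwsApiCall", "sourceIPAddress": "AWS Internal",
     "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}},
]

def is_root_activity(event):
    """True when a person (not an AWS service) acted as the root user."""
    identity = event.get("userIdentity") or {}
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")

def root_findings(events):
    """Return one finding per root action; root logins without MFA are critical."""
    findings = []
    for event in events:
        if not is_root_activity(event):
            continue
        mfa_used = (event.get("additionalEventData") or {}).get("MFAUsed")
        no_mfa_login = event.get("eventName") == "ConsoleLogin" and mfa_used != "Yes"
        findings.append({
            "time": event.get("eventTime"),
            "action": event.get("eventName"),
            "source_ip": event.get("sourceIPAddress"),
            "severity": "critical" if no_mfa_login else "high",
        })
    return findings

if __name__ == "__main__":
    for finding in root_findings(SAMPLE_EVENTS):
        print(finding)
```

Every finding deserves review even when MFA was used, since any root activity outside a declared emergency contradicts the break-glass policy.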
As the reliance of businesses on third-party cloud infrastructure grows, a proactive and multi-faceted approach is necessary to manage cybersecurity in a cloud environment, especially in the present hybrid and distributed workforce scenario.
By implementing these best practices, you can reduce the risk of data breaches and protect your company’s sensitive information by establishing a strong zero-trust security posture. To ensure that these measures are relevant to your environment, you must conduct a risk analysis prior to implementing them. In addition, they should be evaluated continuously to ensure their effectiveness in mitigating the corresponding risks.
Conclusion
Finally, businesses today rely heavily on third-party vendors and cloud service providers to carry out their operations, and these partnerships can create security vulnerabilities that cybercriminals can exploit. Third-party risk monitoring is thus a critical component of any effective cybersecurity strategy to ensure that your partners have adequate security controls in place, reduce the risk of data breaches, and maintain a strong overall security posture.
Check out Supplier Shield to learn more about monitoring and managing third-party.