As awareness of the security vulnerabilities in SaaS services grows, your security team needs to confront a simple fact: the more identity-related points of exposure your organization maintains in the cloud, the broader its attack surface and the higher its risk of cloud security incidents. These points range from your operation-critical SaaS and IaaS accounts and their exposed login credentials, through overly privileged cloud user identities and unsanctioned shadow admins, to overly broad privileges on business-critical assets such as documents, unstructured data and access keys.
Over time, new cloud services are adopted, users and admins cycle in and out of the organization, privileges get escalated and the number of assets shared and stored in the cloud multiplies. All of these shifting points of exposure tend to increase your organization's risk of account takeover or data leakage.
Here are six simple steps that you can take to reduce your cloud attack surface:
#1 Ensure Multi-Factor Authentication is turned on for all of your operation-critical SaaS and cloud services
Whether biometric, TOTP, SMS or email-based, multi-factor authentication (MFA) is your first line of defense in the cloud, ensuring that stolen passwords alone do not grant malicious actors the keys to your business-critical data. In addition, you must identify and consolidate your business-critical resources within IT-sanctioned cloud apps that have been fully vetted for MFA support, as well as PII security controls, SOC 2 compliance and encryption support.
#2 Adhere to the principle of least privilege access
Ensure all your employees have the minimum access privileges needed to do their job. For example, external contractors shouldn't have uncontrolled access to customer details in Salesforce, and interns shouldn't have access to sensitive engineering documents in Jira. In addition, you should eliminate unused or stale permissions of employees and external contractors; this reduces your attack surface by minimizing the risk of account takeovers and data loss.
#3 Remove redundant roles/duplicate policies/privileges
Redundant user roles, outdated or inappropriate policies, and misconfigured privileges that were deployed improperly or never deactivated can override or cancel out the sanctioned ones you meant to deploy. This increases the likelihood of mistakes and, ultimately, security incidents. Continually reviewing and eliminating these redundancies is critical to maintaining good security policy and configuration hygiene.
#4 Enforce segregation of duties for all admins
Placing controls on privileged users of both SaaS and IaaS services is critical to prevent them from abusing admin privileges for non-administrative activities that can place your organization at high risk. This includes ensuring each admin has separate accounts for administrative activity and for daily use, so that the administrative account is less exposed to phishing and similar attacks.
In addition to sanctioned admins, you should also identify all shadow admins: non-privileged users who hold admin-level control over your cloud environment without IT sanction, whether through a misconfiguration or malicious intent. Rightsizing their privileges prevents them from doing system-wide damage to your cloud accounts and limits the potential for data exfiltration.
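The three reviews in steps #2, #3 and #4 (stale permissions, duplicate policy assignments and shadow admins) can be run as one audit over a permission inventory. The script below is an added example, not code from the article; the inventory, the 90-day staleness threshold and the sanctioned-admin list are constructed assumptions, and a real run would pull the rows from each service's admin API.

```python
from datetime import datetime, timedelta

# Constructed sample inventory (not real data): one row per (user, service, policy),
# with the policy's admin-level flag and when the grant was last exercised.
# NOW, STALE_AFTER and SANCTIONED_ADMINS are assumptions made for this example.
NOW = datetime(2024, 6, 1)
STALE_AFTER = timedelta(days=90)
SANCTIONED_ADMINS = {"alice"}

GRANTS = [
    {"user": "alice", "service": "salesforce", "policy": "SalesAdmin", "admin": True, "last_used": datetime(2024, 5, 28)},
    {"user": "bob", "service": "salesforce", "policy": "SalesRead", "admin": False, "last_used": datetime(2024, 1, 10)},
    {"user": "bob", "service": "salesforce", "policy": "SalesRead", "admin": False, "last_used": datetime(2024, 1, 10)},
    {"user": "carol", "service": "jira", "policy": "SiteAdmin", "admin": True, "last_used": datetime(2024, 5, 30)},
    {"user": "dave", "service": "jira", "policy": "Developer", "admin": False, "last_used": None},
]


def stale_grants(grants, now=NOW, max_age=STALE_AFTER):
    """Step #2: grants never exercised, or last used more than max_age ago."""
    return [g for g in grants if g["last_used"] is None or now - g["last_used"] > max_age]


def duplicate_grants(grants):
    """Step #3: the same (user, service, policy) assigned more than once."""
    seen, dupes = set(), []
    for g in grants:
        key = (g["user"], g["service"], g["policy"])
        if key in seen:
            dupes.append(key)
        seen.add(key)
    return dupes


def shadow_admins(grants, sanctioned=SANCTIONED_ADMINS):
    """Step #4: users holding an admin-level policy who are not on the sanctioned list."""
    return sorted({g["user"] for g in grants if g["admin"] and g["user"] not in sanctioned})


if __name__ == "__main__":
    for g in stale_grants(GRANTS):
        print(f"stale grant:  {g['user']}@{g['service']} {g['policy']} (last used {g['last_used']})")
    for key in duplicate_grants(GRANTS):
        print(f"duplicate:    {key}")
    for user in shadow_admins(GRANTS):
        print(f"shadow admin: {user}")
```

Each finding maps to a remediation: revoke stale grants, collapse duplicates to one assignment, and either add the shadow admin to the sanctioned list or downgrade the policy.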
#5 Reduce the number of publicly available resources
A large percentage of sensitive documents shared by employees are shared over-broadly, either with the entire organization or externally. In some cases these can be indexed by search engines and become accessible to anyone with the link. Removing such shares can be a time-consuming manual process, but it is necessary to keep your business-critical and compliance-related data within your organization, and it will also make it easier to identify when a breach occurs.
On an ongoing basis, security teams should promote an organizational habit of sharing with specific users instead of the whole company. This takes an extra minute when sharing files, but greatly reduces the cost of removing all these excess permissions when a breach occurs.
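One way to turn the cleanup in step #5 from a manual sweep into a prioritized plan is to replace each over-broad link with an explicit list of the people who actually used the document. The script below is an added example, not part of the article; the document inventory, the access log, the sharing-scope names and the 90-day window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real): each document's current link-sharing scope
# and an access log of who actually opened it. NOW and WINDOW are assumptions.
NOW = datetime(2024, 6, 1)
WINDOW = timedelta(days=90)
OVERBROAD = {"anyone_with_link", "domain"}   # "domain" = shared with the whole organization

DOCS = {
    "q3-forecast.xlsx": {"owner": "alice", "scope": "anyone_with_link", "sensitive": True},
    "eng-roadmap.docx": {"owner": "dave", "scope": "domain", "sensitive": True},
    "lunch-menu.pdf": {"owner": "bob", "scope": "domain", "sensitive": False},
    "contract-draft.docx": {"owner": "carol", "scope": "restricted", "sensitive": True},
}
ACCESS_LOG = [  # (document, user, opened_at)
    ("q3-forecast.xlsx", "bob", datetime(2024, 5, 20)),
    ("q3-forecast.xlsx", "carol", datetime(2024, 2, 1)),   # older than WINDOW, dropped
    ("eng-roadmap.docx", "frank", datetime(2024, 5, 29)),
]


def rightsizing_plan(docs, access_log, now=NOW, window=WINDOW):
    """For every over-broadly shared document, propose an explicit ACL made of the
    owner plus the users who actually opened it within the window. Publicly
    linked, sensitive documents are ranked first so they get fixed first."""
    recent = {}
    for doc, user, opened_at in access_log:
        if now - opened_at <= window:
            recent.setdefault(doc, set()).add(user)
    plan = []
    for name, meta in docs.items():
        if meta["scope"] not in OVERBROAD:
            continue  # already restricted to named users
        plan.append({
            "doc": name,
            "current_scope": meta["scope"],
            "new_acl": sorted({meta["owner"]} | recent.get(name, set())),
            "priority": int(meta["scope"] == "anyone_with_link") + int(meta["sensitive"]),
        })
    return sorted(plan, key=lambda p: (-p["priority"], p["doc"]))


if __name__ == "__main__":
    for item in rightsizing_plan(DOCS, ACCESS_LOG):
        print(f"{item['doc']}: {item['current_scope']} -> {item['new_acl']} (priority {item['priority']})")
```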
#6 Establish consistent processes for off-boarding employees and external contractors
This process can be a challenge since many cloud services are managed outside of your SSO. Adopting a unified, cross-service access control solution that lets you identify and revoke permissions when employees or contractors leave the company is recommended.
In addition, many companies have a policy in Okta or another IDaaS that automatically disables off-boarded users in other services, but nobody checks whether that process actually succeeded or failed. Security teams need to confirm regularly that the policy has taken effect in every service.
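The confirmation step #6 calls for can be automated as a reconciliation: take the users your IdP reports as deprovisioned and look for accounts that are still active in each service, separating SSO-managed services (where deprovisioning failed) from services outside SSO (where the IdP could never have acted). This is an added example, not the article's code; the deprovisioned list, the per-service account states and the set of SSO-managed services are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not real): users the IdP shows as deprovisioned, with the
# date, and per-service account inventories as pulled from each SaaS admin API.
# Services outside SSO are included on purpose, since the IdP cannot disable them.
IDP_DEPROVISIONED = {
    "eve": datetime(2024, 4, 2),
    "frank": datetime(2024, 5, 15),
}

SERVICE_ACCOUNTS = {
    "salesforce": {"eve": "suspended", "grace": "active"},
    "jira": {"eve": "active", "frank": "active"},
    "github": {"frank": "active"},          # assumed to be managed outside SSO
}

SSO_MANAGED = {"salesforce", "jira"}        # assumption for this example


def lingering_accounts(deprovisioned, service_accounts, sso_managed):
    """Return off-boarded users who still hold an active account in any service,
    tagged with why the account survived so the right team can fix it."""
    findings = []
    for service, accounts in service_accounts.items():
        for user, status in accounts.items():
            if user in deprovisioned and status == "active":
                findings.append({
                    "user": user,
                    "service": service,
                    "offboarded": deprovisioned[user].date().isoformat(),
                    "reason": "SSO deprovisioning failed" if service in sso_managed
                              else "service not behind SSO",
                })
    return sorted(findings, key=lambda f: (f["user"], f["service"]))


if __name__ == "__main__":
    for f in lingering_accounts(IDP_DEPROVISIONED, SERVICE_ACCOUNTS, SSO_MANAGED):
        print(f"{f['user']} still active in {f['service']} (off-boarded {f['offboarded']}): {f['reason']}")
```

Run on a schedule, an empty result is the evidence that the IdP policy worked; any finding is a ticket to revoke the account by hand and, for SSO-managed services, to investigate why the push failed.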
Ultimately, securing identities and their privileges and access should be at the center of your strategy for reducing your cloud attack surface. The old network perimeter, with its limited number of ingress points secured by firewalls and other perimeter defenses, has given way to a distributed arrangement. SaaS is the new IT, and cloud identities are the new perimeter, with thousands of users and points of potential failure existing outside of your traditional security controls. By following the six recommendations highlighted here, you can take the first steps toward an identity-defined cloud perimeter that is secure and where your attack surface is minimized.