The cloud transition is just about complete for many businesses in Tennessee, Kentucky, and the rest of the country. Any that hadn’t yet made a switch at the beginning of the year found they were forced to in order to facilitate a remote workforce during pandemic stay-at-home orders. But with so much business data now being hosted in cloud solutions, it shines a new light on the need for cloud access security. Hackers go where the data is and they are currently following it to the cloud. The tactic they are using most to get by stringent security standards of providers like Microsoft and Google is to steal legitimate user login credentials.
Password/Credential Theft Statistics
A number of troubling statistics from the latest Verizon Data Breach Investigations Report (DBIR) point to a distinct effort to breach cloud accounts through stolen or hacked logins. These include:
- 77% of cloud account breaches are due to credential theft
- Password dumpers have become the top malware threat
- The #1 phishing attack has become those designed steal login credentials
- Over 80% of hacking-related data breaches involve brute force or use of lost/stolen credentials
Once a hacker gains access to a cloud account, they can access sensitive files, email, and potentially cloud account settings and other user information, depending upon the password access level.
Tips for Cloud Account Access Controls
There are several protections that you can put in place to help secure your cloud accounts and data.
Enact Multi-Factor Authentication (MFA)
One of the best password protections you can use is multi-factor authentication. This stops most fraudulent account sign-in attempts using hacked or stolen passwords because the hacker can’t get past the second factor of authentication. MFA adds the requirement of inputting an additional piece of information, usually a code that’s sent to a pre-registered device. Because the hacker won’t typically have access to that device, they can’t get in even if they have the username and password. You want to enable MFA on all cloud accounts. You can streamline the user experience (so they don’t have to go through several MFA prompts per day) by using a single sign-on (SSO) technology.
Use a Cloud Application Security Broker (CASB)
Another excellent protection that a business can use for securing cloud accounts is a CASB platform, such as Microsoft Cloud App Security. CASBs are created specifically to secure cloud accounts and include multiple features for monitoring and security. Some of the advantages of using a CASB include:
- Ability to apply company-wide data security policies across your cloud tools
- Monitoring of cloud access from all devices
- Ability to restrict or grant access to any device
- Review cloud applications for compliance
- Real-time threat protection controls
- Protect assets at the source, no matter which endpoints are attempting access
Use a VPN for Remote & Mobile Employees
Unencrypted connections to your cloud accounts over public Wi-Fi or home routers that lack business-class security can leave account information at risk. Having remote working employees or those that are accessing data while traveling use a business VPN can add another important layer of cloud security. VPNs encrypt data traffic, which keeps it from being compromised even if a hacker is on the same Wi-Fi attempting a “man-in-the-middle” attack.
Employ the Rule of Least Privilege
One mistake that many businesses make is just making all users “admins” when they set up their cloud accounts or giving them access privileges higher than they actually need. The more users you have with admin privileges on a cloud account, the more risk there is that a stolen credential could do serious damage to your account data. You want to use the Rule of Least Privilege, which means granting users only the minimum access level they need to perform their job. This reduces the amount of damage a hacker could do if they sign-in with an employee password that doesn’t have a high access level.
Use a Separate Account for Platform Administration
One step farther from using the least privilege rule is to assign one specific account that is not regularly used as a user account as your admin. This reduces the number of admin accounts you need, because users that share duties can use that one account whenever they need to add a user or conduct any other admin activity. You then only have one login that has full administrative privileges, and it’s not one used for email that would receive phishing attempts.
Include Cloud Account Access in Employee Offboarding
Many employees access business cloud accounts from their personal mobile devices that they use for work. This can leave you with a security risk if you haven’t disabled account access when the employee leaves your company. It’s important to address cloud accounts, apps, etc. during the offboarding process to ensure that person or their device can no longer sign-in to company accounts. It’s also important to understand how to transfer user data when you close an employee cloud account, so you don’t end up losing important information.
Get Help from Copperband Technologies to Secure Your Cloud Accounts
We can help your Kentucky or Tennessee business decide on the most cost-effective cloud security controls that will help your online data stay protected. Contact us today to schedule a consultation! Call 931.263.8000 or reach us online.