Corvus Insights Blog | Smart Cyber Insurance

Best Practices for Securing Cloud-Based Organizations

Written by Danial Ahmed | 04.19.23

While the widespread adoption of cloud technologies has come with significant security benefits for small to mid-sized businesses, companies that are entirely cloud hosted or SaaS based still need defense in depth to protect their data. Corvus Claims observes that threat actors are increasingly targeting and obtaining login information for cloud environments in order to steal or encrypt (or both) data for extortion purposes.

Strategies for Securing Cloud-Based Organizations

While it is true that cloud and SaaS providers offer some level of security and protection over the data they store on behalf of a customer, it is still important for organizations to implement additional layers of protection. Specifically, what controls must a cloud-based organization implement and take ownership over? Security controls like EDR, a resilient backup strategy and MFA must be top of mind to reduce overall security risk. Let’s dig into why these controls are important.

Endpoint Security

Even if an organization is entirely SaaS-based, deploying EDR on endpoints that access cloud-based resources provides a necessary additional layer of security and as we all know, security is a multi-layered approach. An endpoint can be used as an attack vehicle to compromise cloud resources which can lead to unauthorized data access or data exfiltration. EDR provides protection, visibility and control over these endpoints - which is an area that is outside of the SaaS-based environment’s visibility and control. Key reasons to deploy EDR on endpoints include: 

Threat Detection

  • EDR software can detect threats that originate outside of the cloud environment, such as a malware-infected download on a user's device.

Incident Response

  • If an attack does occur, EDR can provide valuable information about the attack and how it happened.

Asset Management

  • EDR software can help track and manage laptops and other devices used by employees.
    • This ensures that devices are secure, up-to-date, and compliant with security policies.

Improved Visibility

  • EDR provides visibility into endpoint activities, allowing an organization to detect potential threats and suspicious behavior that are not visible to a SaaS provider.
    • This is because the endpoints owned by an organization are outside of the SaaS environment.

Reduced Response Time

  • EDR provides real-time monitoring and alerts over endpoints outside of the SaaS environment - which can expedite response time to an incident.

Based on Corvus threat intel, threat actors are increasingly targeting session cookies from end user devices. These session cookies can be thought of as a badge that a device can show an application or website to signify that the user has already been authenticated and they do not need to re-enter their credentials. While this may be convenient for the end user, threat actors have been increasingly stealing these session cookies. 

Once these session cookies are compromised, attackers can use them to gain unauthorized access to users' accounts and cloud resources without having to know the user's credentials (i.e. session hijacking). Typically, malicious software on the victim’s device is used to steal session cookies. This technique was most recently seen in the YouTube Accounts Hijacking attack. Malware-infected downloads on a user's device can also be used to steal credentials with keylogger spyware, which tracks and logs keystrokes as you type. This enables cybercriminals to steal credentials that a user types.
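A replayed session cookie does not change the credentials, so it is usually caught by watching how the session is used rather than who logged in. The detector below is an added example (not code from the original post or from Corvus): it walks a constructed set of SaaS audit-log lines, records the client fingerprint (source IP and user agent) observed at each login, and raises an alert when the same session identifier is later used from a different fingerprint, or without any observed login at all. The log field names (`sid`, `ip`, `ua`, `event`) are assumptions; real vendor audit logs expose the same information under their own names.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit-log lines (not from the original post). The third
# and fourth lines show session "a1b2" being replayed from a scripting client
# at a new address shortly after the real user logged in from a browser.
SAMPLE_LOGS = """\
2023-04-19T09:00:01Z sid=a1b2 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/112" event=login
2023-04-19T09:05:12Z sid=a1b2 user=alice ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/112" event=files.read
2023-04-19T09:07:45Z sid=a1b2 user=alice ip=198.51.100.77 ua="python-requests/2.28" event=files.read
2023-04-19T09:08:02Z sid=a1b2 user=alice ip=198.51.100.77 ua="python-requests/2.28" event=mailbox.export
2023-04-19T09:10:00Z sid=c3d4 user=bob ip=192.0.2.5 ua="Mozilla/5.0 (Macintosh) Safari/16" event=login
2023-04-19T10:30:00Z sid=c3d4 user=bob ip=192.0.2.9 ua="Mozilla/5.0 (Macintosh) Safari/16" event=files.read
"""

# Assumed log layout; adapt the pattern to the vendor's actual export format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" event=(?P<event>\S+)$'
)


@dataclass
class Event:
    ts: datetime
    sid: str
    user: str
    ip: str
    ua: str
    event: str


def parse_logs(text: str) -> list:
    """Parse log lines into Event records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["sid"], m["user"], m["ip"], m["ua"], m["event"]))
    return events


def detect_session_reuse(events: list) -> list:
    """Alert when a session id is used from a client other than the one that created it.

    Severity: user agent and IP both differ -> high; user agent alone -> medium;
    IP alone -> low (mobile and VPN clients change address legitimately).
    A session seen before any login is treated as a possible replayed cookie.
    One alert is raised per (session, fingerprint) pair to avoid flooding.
    """
    bound = {}      # sid -> (ip, ua) recorded at login
    alerted = set() # (sid, ip, ua) already reported
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.event == "login":
            bound[e.sid] = (e.ip, e.ua)
            continue
        key = (e.sid, e.ip, e.ua)
        if e.sid not in bound:
            if key not in alerted:
                alerted.add(key)
                alerts.append({"sid": e.sid, "user": e.user, "ts": e.ts,
                               "severity": "high",
                               "reason": "session activity with no observed login"})
            bound[e.sid] = (e.ip, e.ua)
            continue
        ip0, ua0 = bound[e.sid]
        if (e.ip, e.ua) == (ip0, ua0) or key in alerted:
            continue
        if e.ua != ua0:
            severity = "high" if e.ip != ip0 else "medium"
            reason = "session used from a different client fingerprint"
        else:
            severity = "low"
            reason = "session used from a different source IP"
        alerted.add(key)
        alerts.append({"sid": e.sid, "user": e.user, "ts": e.ts,
                       "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(parse_logs(SAMPLE_LOGS)):
        print(f'{a["ts"].isoformat()} [{a["severity"]}] sid={a["sid"]} user={a["user"]}: {a["reason"]}')
```

On the constructed input the detector raises one high-severity alert for alice's session (new address and a scripting user agent, followed by a mailbox export) and one low-severity alert for bob's address change. A high-severity hit is the point at which the session should be revoked and the endpoint that originally created it handed to EDR for review, since the cookie was most likely lifted from that device.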

Resilient Backup Strategy

Similar to putting all your eggs in one basket - having all your data in a SaaS provider’s environment (i.e. O365 or Google Workspace) is not a good idea. This is because it is a single point of failure which can lead to data loss in the event that there is either:

  1. Vendor-side failure or outage; or

  2. The environment is compromised by a threat actor (malicious file deletion, ransomware, data corruption)

In case those reasons weren’t convincing enough, Microsoft actually recommends that customers should use a third-party backup solution (Microsoft’s service agreement). Specifically they state:

“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or data loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

All this to say - data is still the responsibility of the customer, which includes backups. An uninfected copy of your data in cloud-hosted environments using a third-party backup solution increases the odds that your organization can fully recover from an attack. This also minimizes downtime and risk of data loss, and even Microsoft recommends this best practice approach to safeguard your organization's data.

For many organizations, data redundancy and protection is top of mind, and that sentiment still applies for SaaS-based companies. Leveraging a C2C (cloud-to-cloud) backup solution to back up your SaaS environment will allow for data redundancy and ensure that your organization has a fighting chance in the event of an attack or disruption.

Multi-Factor Authentication (MFA)

Credentials are the keys to access an application or system, and this is no different in a cloud-based organization. Whether it be an admin account that can modify configurations, or a regular user that can access sensitive company data - protecting initial access into resources is the first line of defense. This is where MFA becomes so important. 

Rather than asking for a single password that hackers and cybercriminals can steal, MFA adds an additional layer of security to protect against account compromise. It requires the user to present a secondary authentication method to access an account. With MFA in place, if an attacker is able to steal a username and password, they will still have one more barrier to overcome. 

MFA decreases the likelihood of a threat actor taking over an account - which will protect against unauthorized access, data breaches and password-based cyberattacks. Ensuring that access to your cloud-hosted resources is protected with MFA will enhance the security posture of your organization and decrease the likelihood of a successful cyber attack.


Other Helpful Resources

Endpoint Detection Response (EDR)

Guide to Common Security Controls

How to implement Multi-Factor Authentication (MFA) (Microsoft)

Multi-factor Authentication (MFA)

Resilient Backup Strategy