Cloud Security Requirements, Best Practices for MSPs
As cloud security grows more complex, so do the market opportunities for MSPs.
February 11, 2019
By Chris Braden
The amount of data (and the value of that data) being stored in the cloud is growing rapidly, and cybercriminals are quick to recognize the opportunity.
The cloud is inherently less secure than on-premises solutions and therefore requires a greater and more complex security strategy. The cost and complexity of designing, implementing and executing a security strategy across cloud, hybrid and physical network assets is growing, and as the cost and complexity increase, the challenge for companies to protect and secure their data becomes greater. This also means that the market opportunity today to provide cloud security solutions for MSPs is tremendous. It certainly comes with challenges, but there are fewer security solutions available today than there are for traditional network-based security requirements. This represents an opportunity for those companies with cloud-security capabilities to target a less competitive market, with predictably less commoditization and greater ability to differentiate.
Cyberthreats traditionally targeting on-premises resources, such as ransomware, identity theft, and data exfiltration, are a growing concern for cloud services as well. As organizations continue to adopt the cloud, effectively addressing these additional security challenges is a top concern. Midmarket companies are especially susceptible because cloud adoption is more prevalent in the midmarket range (enterprises with 100 to 999 employees and $50 million to less than $1 billion in annual revenue, according to Gartner’s definition) due to its ease of deployment and low upfront costs. Midmarket firms typically lack the expertise and resources required to effectively secure their cloud deployments, which is where the MSP comes in.
Contrary to popular belief, the cloud customer is still responsible for ensuring that their workload is secure and protected against things like credential abuse or data exfiltration, both of which are leading cloud security concerns.
Some of the largest cloud breaches over the last two years could have been prevented with proper security due diligence.
The first step in securing cloud data is understanding what security responsibilities are covered by the service provider and what steps need to be taken separately. Using a cloud service creates a shared security responsibility between the customer and the cloud provider. If expectations aren’t clearly defined from the start, security holes may develop.
The next step to establishing strong cloud security is ensuring that stored data is categorized and documented. This should be done retroactively to be sure previously stored data is well documented. As previously stated, out of sight, out of mind. Keeping organized information on data stored in the cloud decreases the chance that private information will be stored in an insecure way. Data that is meant to be private must be stored in a cloud bucket set to private (not public).
Cloud storage buckets should have randomized names. This increases the difficulty of attackers locating specific buckets belonging to the targeted company. It is also prudent to avoid the use of externally facing web portals. Although not always possible, this step will decrease the available attack surface.
Companies should have a regular auditing schedule to review what groups or individuals have access to data stored on the cloud. Once this has been established, permissions should be re-evaluated based on task requirements. It is highly recommended that all administrative accounts for cloud storage require multifactor authentication, as this implementation will decrease the likelihood of account compromise. Similarly, following security best practices for passwords is highly recommended; this involves using a strong password or passphrase and never reusing the same password for multiple accounts.
Lastly, encryption should be implemented at rest, as well as in transit, for data stored on cloud infrastructure. Encryption is the last line of defense against the sinister characters looking to pilfer data. Keeping sensitive data encrypted will minimize the effect of a breach or leak and ensure that data meant to be private remains private.
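The checks described above (categorized data, private buckets, randomized names, access reviews, MFA on administrative accounts, encryption at rest and in transit) can be run as one audit over a storage inventory. The following is an added example, not code from the author or eSentire; the inventory schema, the company name "acme" and the 16-character naming convention are assumptions, and the sample records are constructed.

```python
import re

COMPANY_TOKENS = ("acme",)                    # hypothetical company name
RANDOM_NAME = re.compile(r"[a-z0-9]{16,}")    # assumed naming convention

# Constructed sample inventory (not real data); the schema is an assumption.
BUCKETS = [
    {"name": "acme-hr-backups", "classification": "private", "public": True,
     "encrypted_at_rest": False, "tls_only": False,
     "grants": {"hr-team", "marketing"}, "needed": {"hr-team"}},
    {"name": "b7f3c91e4d2a4f0c9a61", "classification": "private", "public": False,
     "encrypted_at_rest": True, "tls_only": True,
     "grants": {"finance"}, "needed": {"finance"}},
    {"name": "9e1d5a7c3b2f48d6a0c4", "classification": None, "public": True,
     "encrypted_at_rest": True, "tls_only": True,
     "grants": set(), "needed": set()},
]
ADMINS = [{"user": "ops-admin", "mfa": True}, {"user": "legacy-admin", "mfa": False}]

def audit_bucket(b):
    """Return the findings for one bucket record, in a fixed order."""
    name, findings = b["name"].lower(), []
    if b["classification"] is None:
        findings.append("uncategorized data")
    # Fail closed: anything not explicitly classified public is treated as private.
    if b["classification"] != "public" and b["public"]:
        findings.append("private data in public bucket")
    if not RANDOM_NAME.fullmatch(name) or any(t in name for t in COMPANY_TOKENS):
        findings.append("guessable bucket name")
    if not b["encrypted_at_rest"]:
        findings.append("no encryption at rest")
    if not b["tls_only"]:
        findings.append("encryption in transit not enforced")
    excess = sorted(b["grants"] - b["needed"])
    if excess:
        findings.append("access beyond task requirements: " + ", ".join(excess))
    return findings

def audit(buckets, admins):
    """Return ({bucket: findings} for buckets with findings, admins lacking MFA)."""
    report = {b["name"]: f for b in buckets if (f := audit_bucket(b))}
    return report, [a["user"] for a in admins if not a["mfa"]]

if __name__ == "__main__":
    report, no_mfa = audit(BUCKETS, ADMINS)
    for bucket, findings in report.items():
        print(f"{bucket}: {'; '.join(findings)}")
    print("admin accounts without MFA:", ", ".join(no_mfa))
```

The third record shows why uncategorized data is treated as private: a bucket with a randomized name and encryption enabled is still flagged because it is public and nobody has recorded what it holds.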
Additionally, there are various cloud security checklists, including this one from eSentire, available to help your team navigate priority security concerns and contractual considerations for all cloud service providers.
MSSP Differentiation Equals Opportunities
No solution can make an MSSP rise to the top by itself. However, the ability to address the growing opportunity to secure assets and data in the hybrid space is one that few MSSPs address effectively. An effective and differentiated solution that is well-executed and supported with strong customer service can reap tremendous benefits for an MSSP. For most MSSPs, the security solutions and their ability to implement, operate and manage said solutions are what differentiate them from other MSSPs, MSPs or competitors. Much of the cloud and IT stack is either already commoditized or is rapidly on its way, and as with any industry, differentiation and product or service evolution are critical to gaining and keeping market share. Having a hybrid cloud security solution can certainly be a game-changer for any MSSP as it would represent the ability to gain new customers while reducing churn in their installed base.
The opportunities for MSPs to partner with a cloud security vendor represent a choice (one of many) between building and running their own security operations center (and effectively becoming an MSSP) or partnering with companies who can add full or partial SOC service offerings to their portfolio. This gives an MSP a chance to reap some of the benefits of having a SOC (e.g., customer acquisition and retention), while avoiding the challenges that come with the investment in budget and personnel to build and develop their own SOC. Of course, there are trade-offs associated with risk/reward/return, but for many MSPs this is a highly viable and appealing option.
Mitigating Cloud Security Mistakes
Cloud security mistakes have become all too common in recent years, causing both reputational and financial damage for companies. For example, marketing firm Octoly discovered that, due to a misconfiguration in its Amazon Web Services (AWS) cloud storage, the private information of 12,000 clients was publicly available for anyone to view. Or consider the infamous Uber breach, when two hackers gained entry to a third-party cloud-based service provider where sensitive driver and customer data was stored. And don’t forget about when the Pentagon left 100 GB of classified data from a failed joint intelligence-sharing program, run by the U.S. Army and National Security Agency, publicly accessible for years.
The explosive popularity of cloud computing has resulted in a new attack surface for cybercriminals, one that has troves of valuable, sensitive and often poorly secured data. It’s not a move to make without first asking, what risks exist for cloud data and how can they be mitigated?
Chris Braden is vice president of global channels and alliances at cybersecurity company eSentire. Follow Chris on LinkedIn or @eSentire.