By Martin Johnson, VP Marketing at Polyrize
Current global events and government mandates are forcing many organizations that have not, to date, encouraged remote work to suddenly send their employees home en masse, often in a quick, chaotic scramble. Typically, that means an unplanned migration to business-enablement cloud apps and services, even before security measures have been fully established. So it is important that, as soon as the dust settles, those same organizations establish formal processes to secure the entire remote work lifecycle in the cloud. In all probability, remote work will become the new normal, and a growing attack vector, even after the current crisis passes.
As many companies that have allowed remote work for a while know, when employees move outside of the network perimeter and into the cloud, so do your business-critical data and, unfortunately, your employees’ risky collaboration and bad file-sharing habits. Cloud email, file sharing, instant messaging, and collaboration are critical to facilitate remote work, but organizations need to ensure that use of these apps is managed in a way that protects their business-critical resources by preventing account takeovers and data leakage.
This means making sure cloud users are granted, up front, only the minimum privileges within those services needed to do their specific jobs; that resource sharing is limited to specific groups to prevent external oversharing while employees and contractors do their work; and that remote offboarding is a quick, efficient, and thorough process when they leave.
To that end, it is recommended that you take the following 7 steps to secure your remote work lifecycle with respect to leveraging cloud services:
STEP 1: Segregate your cloud workflows by group, department or location to determine which apps and resources each one, and its associated employees and contractors, needs to do its job. If possible, roll out new cloud services incrementally for remote access, allowing only a manageable number of individuals from each group to try out the app and its associated access privileges before full deployment.
STEP 2: Adhere to the principle of least privilege by ensuring employees have the minimum access privileges needed to do their job. For example, consultants shouldn’t have unfettered access to customer PII and interns shouldn’t have access to sensitive engineering documents and IP. It also means placing controls on privileged users of both SaaS and IaaS services to prevent them from abusing admin privileges for non-admin-related activities that can place your organization at high risk. In addition, you should eliminate unused or stale permissions of employees and external contractors to reduce your attack surface and minimize the risk of account takeovers and data loss.
STEP 3: Ensure your business-critical resources are protected with MFA. This means identifying and consolidating your business-critical resources within IT-sanctioned cloud apps that have been fully vetted for MFA support, as well as PII security controls, SOC-2 compliance, encryption support, etc.
STEP 4: Make sure that file and folder sharing permissions within your sanctioned apps are restricted within specific groups, depending on usage. This will help prevent accidental oversharing of business-critical data. Realize that a sensitive file carelessly dropped into a folder with overly-broad sharing rights will inherit those same rights and be automatically exposed.
STEP 5: Implement cloud DLP policies to provide a last line of defense against the leakage of business-critical data. This includes placing strict controls on externally sharing sensitive files, especially those containing PII, PCI and PHI, with contractors and on copying files to personal accounts.
STEP 6: Set up processes for off-boarding remote employees and contractors. This process can be a challenge since many cloud services are managed outside of your SSO. Adopting a unified, cross-service access control solution that allows you to identify and revoke permissions when employees or contractors leave the company is recommended.
STEP 7: Reprioritize security team resources to cloud data protection, focused on preventing data leakage and account takeovers.
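The inheritance risk described in Step 4 can be checked by computing each file's effective sharing, meaning its own grants plus everything inherited from parent folders. The following is an added example, not code from the original article or from Polyrize; the folder model, the principal naming (`group:…`, `anyone-with-link`), the internal domain and the sample tree are all constructed assumptions.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own domain

@dataclass
class Node:
    """A file or folder with its direct sharing grants (hypothetical model)."""
    name: str
    parent: "Node | None" = None
    shared_with: set = field(default_factory=set)
    sensitive: bool = False

def effective_shares(node):
    """Map each principal to the node where its grant was made,
    walking up the tree so inherited grants are included."""
    grants, cur = {}, node
    while cur is not None:
        for principal in cur.shared_with:
            grants.setdefault(principal, cur)  # nearest grant wins
        cur = cur.parent
    return grants

def is_broad(principal):
    """Link sharing or an address outside the internal domain."""
    if principal == "anyone-with-link":
        return True
    return "@" in principal and not principal.endswith("@" + INTERNAL_DOMAIN)

def audit(files):
    """Return (file, principal, granting node, inherited?) for every
    sensitive file reachable by a broad principal."""
    findings = []
    for f in files:
        for principal, src in sorted(effective_shares(f).items()):
            if f.sensitive and is_broad(principal):
                findings.append((f.name, principal, src.name, src is not f))
    return findings

# Constructed sample tree: a sensitive export dropped into a link-shared folder.
root = Node("Shared Drive")
marketing = Node("Marketing Assets", root, {"anyone-with-link", "group:marketing"})
finance = Node("Finance", root, {"group:finance"})
FILES = [
    Node("customer_pii_export.csv", marketing, sensitive=True),
    Node("payroll.xlsx", finance, {"auditor@partner.example"}, sensitive=True),
    Node("logo.png", marketing),
]

if __name__ == "__main__":
    for name, principal, source, inherited in audit(FILES):
        how = "inherited from" if inherited else "granted directly on"
        print(f"{name}: exposed to {principal} ({how} {source})")
```

The inherited finding is the one Step 4 warns about: nobody shared the file itself, so a review of per-file grants alone would miss it.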
Ultimately, with few exceptions, all organizations will need to accept the fact that remote work is here to stay, and that cloud apps and services are critical to making it work effectively. Reorienting your employees, security teams, and processes to that new reality is critical to reducing your remote-work attack surface and ensuring that your business remains secure against the financial, reputational, and compliance-related impact of cloud account takeovers and data loss throughout the remote work lifecycle.
The team at Polyrize put together a white paper with 6 Tips for securing identities in the cloud.