The excitement of launching a new business is contagious. You get an idea and validate it with potential customers, register the business, and launch a website. The first customer transactions trigger high-fives throughout the team.
Throughout the excitement, you can’t shake a nagging worry about security. Ignoring it may cause problems with your infant business. But it also feels it may drain some of your time and money without immediate tangible returns. Should you recruit a security team now or wait a few months till you have enough revenue?
This is a common dilemma among small and medium businesses with no cybersecurity experts. To help them, the Center for Internet Security publishes security control guidelines to create a secure cloud environment right from day one.
In this article, we explain some of these essential cloud security best practices for your new business.
1. Set Up Basic Logging and Monitoring
When there’s a significant operational or security event, your engineers and security teams need to know that something has happened. They’d certainly love to know what happened and when. It helps them understand how and why the event occurred. That way, they can take corrective actions and apply preventive measures for the future.
Logging and monitoring are essential for all that. We suggest setting up logging and monitoring as your first security step early on in your business. As your business grows, they provide the backbone for your security program to keep up.
What are Logging and Monitoring?
Logs are files or databases that store details about events. Every asset can record operational events in operational logs and security events in audit logs. An example of an operational event is an end-user starting an application workflow or a processing workload in the cloud. A user signing in or signing out are examples of security events.
Monitoring is keeping a watchful eye on all these logs and metrics like cloud usage or network traffic. Large changes in metrics tell your teams to pay close attention to whatever is happening by digging into the logs.
Logging for Regulatory Compliance
Apart from guiding security measures, logs may be needed for regulatory compliance. Industries like healthcare and finance face compliance requirements on logging and monitoring by law. Security and privacy laws may also put such requirements on all businesses.
Implementing Logging and Monitoring
Many software-as-a-service (SaaS) solutions and pricing plans are available for log management. If a new business can't afford them, it can use open-source log management systems that allow migrating to SaaS solutions in the future.
2. Plan for Data Protection
In the shared responsibility model of cloud computing, both the cloud service provider (CSP) and you are responsible for data security. The CSP secures its cloud infrastructure. You are expected to secure the contents of your data in cloud storage and control access to them.
Why Your Business Needs Data Protection
Data protection fulfills many business and security goals. It can help you:
Protect your business data from competitors
Avoid data breaches, loss of reputation, and legal penalties
Protect sensitive data about your customers from insider and outsider security threats
Support your business continuity and disaster recovery plans
Follow cybersecurity and privacy laws
Data Protection Best Practices
Let’s review some recommendations for data protection and how to implement them.
Configure Access Control for Your Data
Access management is easier if identities and permissions are centralized. A central source of truth means security policies can be enforced consistently throughout the business.
Most SaaS and cloud storage services support centralized identity and access management through features like single sign-on (SSO) and security assertion markup language (SAML) integration. Centralization can be implemented using technologies like active directory or Okta.
Each SaaS may have its policies. Spread awareness about them through regular training. As the volume of data grows, implement simple automation workflows to give access on-demand and revoke permissions after some time. Always follow the principle of least privilege — grant only the minimum permissions a user needs for their task.
Wherever it’s practical, encrypt any data and backups on the client’s side before transferring them to the cloud. Manage the encryption keys yourself. Use access control over the keys using secret managers.
Client-side encryption may not be available for data stored with a SaaS because the SaaS needs to read or modify the data. In that case, look for SaaS-provided encryption settings. SaaS security posture solutions can help you with such settings.
3. Deploy Authentication and Access Management
Many attacks involve unauthorized access and stolen passwords. Managing user identities, authentication, and access control to data and apps help prevent them.
In the past, on-premises data centers and workstations allowed full control over access to data and applications. But with the popularity of remote work and work-from-home, anybody on the internet can access any cloud application. So, strong authentication and access control have become essential.
Authentication Best Practices
Follow these authentication-related recommendations:
Enforce strong passwords. Use private keys where possible.
Train your employees to use password managers or secret managers.
Use two-factor authentication for everybody. This should include strong factors like hardware keys, not weak factors like SMS-based one-time passwords.
Activate multi-factor authentication with strong factors for all administrator and management accounts.
Access Control Best Practices
Follow these best practices for managing permissions to data and applications:
Always follow the principle of least privilege. Grant permissions only to the data and features a user needs for their task.
Centralize access management using cloud solutions like Azure Active Directory or Okta.
Purchase only those SaaS apps that support centralized identity features like SSO, OpenID Connect, or SAML.
For better availability and redundancy, you may want a hybrid cloud. Ensure that your identity management is compatible with all public cloud platforms.
Use your human resource information system (HRIS) as your user database for all cloud services. When an employee is removed from the HRIS, all their credentials and permissions should be automatically revoked.
If your data is highly confidential, set up zero-trust policies to verify every access.
4. Avoid Cloud Service Misconfigurations
Misconfiguration of cloud environments can open up vulnerabilities due to the complex working of different systems. But the average user won't know that an innocent configuration change can lead to a cyberattack.
Best Practices for Cloud Configuration Management
To avoid misconfiguration vulnerabilities, follow these best practices:
Train users about unsafe settings.
Deploy security solutions that specialize in SaaS security to automatically detect and remediate misconfigurations.
Avoid using service accounts with wide permissions that allow third-party apps or malware to query and modify cloud configurations.
5. Plan Malware Protection
Before we talk about malware protection, let’s review how malware, ransomware, and phishing differentiate.
Malware is software used to gain unauthorized access to data or malicious attacks on a system.
Ransomware is malware that corrupts data or locks out a system until a ransom is paid.
Phishing aims to deliver malware through social engineering. An email that appears trustworthy is sent with malware as an attachment. When a user opens the attachment, the malware gets deployed in the business’ network and carries out its cyberattack.
Ransomware can bankrupt your new business. Malware can steal your customer data and damage your reputation.
Best Practices for Malware Protection
To protect your business from malware, follow these recommendations:
Set up daily encrypted backups for all data. Follow the “3-2-1 rule” for all your data — at least three copies of all your data, two of those on different media (like tapes and cloud storage), and at least one stored offsite (which means use different cloud services for a cloud-native business).
Install anti-malware software on your workstations, employee laptops, and mobile devices.
Configure all devices to automatically update their malware signatures.
6. Endpoint Security
Many employees prefer to work from their mobile devices, tablets, or personal laptops. Devices like these that access cloud services are endpoints.
Follow these endpoint security best practices:
Issue pre-configured and secured mobile devices to all your employees if possible.
Install endpoint security software on all devices.
Enable logging on all devices.
Set up centralized logging to collect malware and other security alerts from endpoints.
Respect your employees’ privacy if you expect them to use personal devices for work.
Only collect relevant security information during work hours.
7. Network Security
The security of your network is critical to your cloud security. If a hacker gets into your company network, they may access your cloud data and SaaS applications.
If you’re a small, fully remote company, your employees may just sign in to your SaaS apps from their residential networks. Even so, you should pay attention to network security.
Best Practices for Network Security
You can improve your cloud security by following these recommendations for network security:
Even if you’re fully remote, set up a virtual network for your company. It gives you better access control over your cloud data and applications. Use an infrastructure-as-a-service (IaaS) offering like a virtual private cloud from Amazon Web Services (AWS).
Buy a virtual private network (VPN) service for all your employees to access anything in your company network. A VPN secures your data in transit over the network and gives you better access control over your network.
Use security tools like firewalls and intrusion detection systems to restrict access to your data and applications.
Distributed denial-of-service (DDoS) attacks can block your customers and employees from your websites and services. Cloud vendors like Cloudflare provide DDoS protection, firewall, and rate-limiting to fend off such attacks.
ThreatKey Helps You With Cloud Security Best Practices
Best practices for logging and monitoring, data protection, authentication and access control, avoiding cloud misconfigurations, malware protection, endpoint security, and network security will help your new business follow an effective cloud security strategy right from launch day. For more suggestions, check out the full “Establishing Essential Cyber Hygiene” (PDF) guide.
ThreatKey is a security service for SaaS and cloud services that helps you implement many of these best practices:
Built on years of expertise with SaaS security, ThreatKey detects insecure misconfigurations in your cloud environments and SaaS applications. It can also remediate them automatically.
ThreatKey looks for security issues in the most popular SaaS applications like Google Workspace, Microsoft 365, Slack, Box, Salesforce, GitHub, Okta, and more.
Our service detects insecure authentication and access control settings to protect your cloud data.
ThreatKey continuously monitors SaaS logs for signs of cyberattacks.
No time for an introductory call? We get it. That's why we have a simple, no-pressure way to get started with ThreatKey. Just sign up for a free account and you can start using our platform immediately. No credit card required.