There’s no hiding that business today is done differently than when I first entered the job market. Ordering servers, waiting for them to arrive, configuring storage and networking, finding rack space in the data center: all of it took time, so the time to value was significant. Today anyone can “spin up” a platform in Amazon, Google or Microsoft and have it running in under 30 minutes. The cloud has cut time to value dramatically.
But what about access to that application? It used to be that administrators spent time configuring the server and securing both the server and the application, and only when they felt all the necessary controls were in place did they begin allowing users to authenticate and use the application for its intended purpose.
How do those activities translate to today? The same steps still apply: setting up logging, network monitoring, perhaps user behavior monitoring, hardening the virtual server, and attaching access control lists (ACLs) to the resources that need protection. With technologies such as Docker containers, these steps can be accelerated too, shortening time to value even further.
But all you have to do is catch some recent headlines to know that not all companies do this well. Just this week, the résumés of over 9,000 candidates seeking government positions with Top Secret clearance were exposed because the company responsible for hosting those résumés did not properly secure access to its cloud data storage.
So when it comes to securing your cloud applications and data, how much protection is necessary? Do I just set ACLs and call it done? That should help keep bad people and bad things out, right? Do I need to track access to the applications? Do I need to put data loss prevention (DLP) in place? Do I care what devices users are using to access applications? Do I care whether the access is coming from a corporate-owned device or a personal one? These are all questions that should be answered before the server or application is ever made available.
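Setting ACLs on cloud storage is where the résumé exposure above went wrong, and “set ACLs and call it done” at least has to mean checking that those ACLs do not grant the whole Internet access. The following is an added example, not code from the original post or from any vendor: it audits an AWS-style bucket policy and legacy ACL for anonymous grants. The JSON shapes, the bucket name `resume-uploads`, the account ID and the role name are constructed placeholders for the example.

```python
"""Audit AWS-style storage access policies for anonymous ("public") access.

Assumptions (not from the original post): the policy document follows the
AWS IAM/S3 bucket-policy JSON shape and the ACL follows the S3 ACL grant
shape. All inputs below are constructed for the example.
"""
import json

# Legacy-ACL grantee URIs meaning "everyone" or "anyone with an AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True if a policy Principal matches any caller at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Return (Sid, actions) for every Allow statement open to any principal
    with no Condition restricting who may use it."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny aimed at "*" is fine; it is how you block things
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditions (source IP, VPC, TLS required, ...) may still be weak,
            # but they are not an unconditional public grant; review by hand.
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))))
    return findings


def public_acl_grants(acl):
    """Return (grantee URI, permission) for legacy ACL grants to public groups."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


# Constructed weak policy: the kind that exposes a bucket of uploaded résumés.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::resume-uploads", "arn:aws:s3:::resume-uploads/*"],
    }],
})

# Constructed corrected policy: one named role may read, and plaintext
# transport is denied for everyone. Account ID and role name are placeholders.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowHrRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/hr-resume-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::resume-uploads/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::resume-uploads", "arn:aws:s3:::resume-uploads/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed legacy ACL with a public READ grant alongside the owner's.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    print("weak policy :", public_statements(WEAK_POLICY))
    print("fixed policy:", public_statements(FIXED_POLICY))
    print("weak ACL    :", public_acl_grants(WEAK_ACL))
```

A check like this answers only the first of the questions above (is the storage itself open to the world); it says nothing about who the named role is, what device they use, or what happens to the data once it is downloaded, which is where the rest of the questions come in.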
The answer? As with most tough questions, it depends. It depends on how sensitive the application or data you’re trying to protect is. If I’m protecting the HR data of every employee in the company, I want that protected very well. If it’s information on the products a company sells, that information is meant to be public, so I may put only minimal confidentiality controls there (integrity still matters; a defaced product page is its own problem, but it is a different one). So as a CISO or CIO, I want controls that I can adapt to the sensitivity of each application. I don’t want to waste precious dollars and hours putting strict controls across everything when it isn’t necessary. That’s a huge waste of resources.
So what about those devices? Should I care what device an end user is accessing the application from? The answer is a resounding “Yes.” Without validating the hygiene of the device, a compromised endpoint can carry malware, stolen credentials or hijacked sessions straight into the application or hosting environment. Is that user’s PC vulnerable to known exploits? Is it running a Flash plugin that’s three months out of date? Is the mobile device accessing your Epic EHR jailbroken? If so, you can’t put any degree of confidence in the security posture of that device. So it’s necessary to check the hygiene of the devices being used to access your applications and enforce a minimum standard.
Maybe I’m front-ending the application with a virtual desktop or application host such as Citrix or VMware; do I care what device they’re using then? It’s true that these technologies “abstract” the device from the application, since the application never runs on the endpoint, but the endpoint still sees everything the user sees and types, so a keylogger or screen scraper on a compromised device is not abstracted away. Doesn’t it still make sense to require stronger authentication controls for your most critical applications? It certainly makes sense to use stronger user and device authentication for critical applications such as your HR system or medical record system, especially for remote access from home or another facility.
The good news is that technology today has made this level of authentication of users and devices simple. It’s now possible to evaluate devices without the use of agents and pair that with strong authentication of the user to ensure you’re providing “trusted access” to your most sensitive applications. Be clear about what an agentless check can see, though: it is limited to what the browser or client exposes, such as operating system, browser and plugin versions, while deeper signals such as disk encryption, jailbreak status or a device certificate proving corporate management generally need an agent or an MDM. And the user experience can be painless and require no additional equipment or fobs to carry around.
So how much cloud authentication is enough? I’ve been a strong advocate of multi-factor authentication for years, but that’s not enough when dealing with BYOD, cloud applications or even critical applications hosted in your data center but being accessed remotely. For those, you should be using strong authentication methods that verify both the user and the device.
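To make the argument of the last few paragraphs concrete (controls scaled to sensitivity, device hygiene checked, and both user and device verified for critical and remote access), here is an added example of a sensitivity-aware access decision. It is not code from the original post or from any product: the tier names, the three tiers’ requirements, the 90-day plugin staleness limit, the posture fields and every sample request are assumptions chosen to illustrate the post’s point.

```python
"""Sensitivity-aware access decision combining user and device checks.

Added example, not the post's own code or any vendor's product. The tiers,
thresholds and posture fields are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date

# What each sensitivity tier demands. "public" is the product-catalog case;
# "critical" is the HR system or electronic health record case.
TIER_POLICY = {
    "public":   {"mfa": False, "device_check": False, "managed_if_remote": False},
    "internal": {"mfa": True,  "device_check": False, "managed_if_remote": False},
    "critical": {"mfa": True,  "device_check": True,  "managed_if_remote": True},
}

MAX_PLUGIN_AGE_DAYS = 90   # "a Flash plugin that's three months out of date"


@dataclass
class Device:
    os_patched: bool                # no known unpatched vulnerabilities reported
    jailbroken: bool = False        # rooted / jailbroken mobile device
    corporate_managed: bool = False  # corporate-owned and enrolled, vs. BYOD
    plugin_updated: dict = field(default_factory=dict)  # plugin name -> last update


@dataclass
class Request:
    app_tier: str
    mfa_passed: bool
    remote: bool                    # coming from outside the facility
    device: Device
    today: date = date(2017, 9, 5)  # fixed (arbitrary) date for reproducible output


def device_findings(device, today):
    """Hygiene problems that disqualify a device from touching a critical app."""
    problems = []
    if device.jailbroken:
        problems.append("device is jailbroken/rooted")
    if not device.os_patched:
        problems.append("OS has unpatched known vulnerabilities")
    for name, updated in device.plugin_updated.items():
        age = (today - updated).days
        if age > MAX_PLUGIN_AGE_DAYS:
            problems.append(f"{name} plugin is {age} days out of date")
    return problems


def decide(req):
    """Return ("allow" | "step_up" | "deny", reasons).

    Device problems are a hard deny: no second factor fixes a jailbroken phone.
    A missing second factor on an otherwise healthy device is a step-up prompt.
    """
    policy = TIER_POLICY[req.app_tier]
    problems = []
    if policy["device_check"]:
        problems.extend(device_findings(req.device, req.today))
    if policy["managed_if_remote"] and req.remote and not req.device.corporate_managed:
        problems.append("remote access to this tier requires a corporate-managed device")
    if problems:
        return "deny", problems
    if policy["mfa"] and not req.mfa_passed:
        return "step_up", ["multi-factor authentication required"]
    return "allow", []


# Constructed sample requests covering the cases discussed in the post.
SAMPLES = {
    # Public product catalog: nobody cares that the phone is jailbroken.
    "catalog_from_phone": Request("public", mfa_passed=False, remote=True,
                                  device=Device(os_patched=False, jailbroken=True)),
    # EHR from a managed laptop whose Flash plugin was last updated in May.
    "ehr_stale_flash": Request("critical", mfa_passed=True, remote=True,
                               device=Device(os_patched=True, corporate_managed=True,
                                             plugin_updated={"Flash": date(2017, 5, 1)})),
    # HR system on site, healthy managed device, no second factor yet.
    "hr_onsite_no_mfa": Request("critical", mfa_passed=False, remote=False,
                                device=Device(os_patched=True, corporate_managed=True)),
    # HR system from home on a personal (BYOD) machine.
    "hr_remote_byod": Request("critical", mfa_passed=True, remote=True,
                              device=Device(os_patched=True)),
    # Internal wiki: MFA is enough, device hygiene is not checked at this tier.
    "wiki_mfa": Request("internal", mfa_passed=True, remote=True,
                        device=Device(os_patched=False)),
}


def run_samples():
    """Decide every sample request; returns {name: (decision, reasons)}."""
    return {name: decide(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:20s} {decision:8s} {'; '.join(reasons)}")
```

The useful property to notice is that the tier table, not the code, carries the policy: adding a tier or relaxing a requirement is a data change, which is what “controls I can adapt to the level of sensitivity” looks like in practice. All device findings are reported together rather than stopping at the first, so the user (or the help desk) learns everything that needs fixing in one go.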