Cloud Security Best Practices
In our series of cloud security best practices, we will be outlining some basic, actionable steps that organisations should consider when migrating to a new cloud infrastructure or securing their existing estate. This article will consider the role of user security via Identity and Access Management (IDAM).
Principle 1: Secure Identity and Access Management
Secure Identity and Access Management in the cloud depends on two things: your provider making the appropriate tools and services available (strong authentication, fine-grained permissions, audit logging) and you actually configuring them. Ensuring that privileged access, and the procedures around granting and using it, are properly implemented is imperative in preventing unauthorised access to, and corruption of, your infrastructure and sensitive data.
Secure User Management
In order to protect your infrastructure you should implement the following cloud security best practices:
- Require strong authentication on all management interfaces and support channels
- Grant authorisation according to the principles of least privilege and separation of duties
Make sure you are aware of all channels through which your infrastructure can be accessed. One that is easily overlooked is the email address to which the cloud account is registered: password resets, billing notices and support correspondence go there, so whoever controls that mailbox effectively controls the account. It should be a tightly controlled, standardised account (not a personal mailbox) to which only authorised individuals have access, and it should be protected with the same strength of authentication as the cloud account itself.
Ensure that users with privileged access employ multi-factor authentication (MFA). Without it, a single phished or reused password is enough to hijack the account, giving an attacker the access needed to steal data, disrupt critical services and damage your reputation.
You should ensure that:
- you have identified every channel through which support or management requests can be raised (telephone, web portal, email)
- the use of those channels is restricted to authorised personnel in your organisation
- account credentials are never shared between users
- all account activity is monitored
- every action is traceable to a named human owner, including actions taken by service accounts
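Several of the points above (MFA on privileged accounts, monitoring account activity, not leaving dormant credentials around) can be checked mechanically from an account inventory rather than by inspection. The following is an added example, not code from the original article or from any cloud provider; it assumes the column layout of the AWS IAM credential report as a concrete instance of such an inventory, and the users, account number and timestamps in the sample are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the AWS IAM credential report.
# The account number, user names and timestamps are made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,2024-04-30T10:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-10T12:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T12:00:00+00:00,2024-04-10T12:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-03-10T12:00:00+00:00,true,2024-05-02T08:00:00+00:00,2022-03-10T12:00:00+00:00,2022-06-08T12:00:00+00:00,false,true,2022-03-10T12:00:00+00:00,2023-11-01T10:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-03-01T00:00:00+00:00,2024-05-02T07:30:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" so the example is deterministic
STALE_AFTER = timedelta(days=90)                  # assumed policy: a key unused this long is dormant


def parse_time(value):
    """Return a timezone-aware datetime, or None for N/A / no_information / not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_text, now=NOW, stale_after=STALE_AFTER):
    """Return a list of (user, finding) tuples for the checks described in the article."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has a console password; for other users the report says so explicitly.
        console = is_root or row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"

        # Strong authentication on every interactive (console) login, root included.
        if console and not mfa:
            findings.append((user, "console access without MFA"))

        # The root identity should not carry long-lived API keys at all.
        if is_root and (row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true"):
            findings.append((user, "root account has active access keys"))

        # Monitoring: an active key with no use inside the window is a dormant credential.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = parse_time(row[f"access_key_{n}_last_used_date"])
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            reference = last_used or rotated  # never-used keys are measured from creation/rotation
            if reference is None or now - reference > stale_after:
                findings.append((user, f"access key {n} unused for more than {stale_after.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Run against the sample, the audit flags the root identity (no MFA, and an active access key) and bob (console login without MFA, plus a key last used six months ago), while alice and the key-only `ci-deploy` service account pass. The same structure applies to any provider that can export an inventory of identities and credentials; only the column names change.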
In our next article we will outline steps organisations can take to improve their security posture via role-based access control and separation of duties.