At a time of unprecedented global remote working due to COVID-19 social distancing and lockdown strategies, organizations’ reliance on the sufficiency of cloud internet services has never been greater as they seek to adapt to new ways of working in an IT landscape much changed.
One such service is that of web hosting – an internet hosting service that allows individuals and organizations to make their website accessible via the World Wide Web. Web hosts are companies that provide space on a server as well as internet connectivity, typically in a data center.
Hostinger International Ltd is an employee-owned web hosting provider and internet domain registrar. Established in 2004, Hostinger now has over 29 million users collectively with its subsidiaries in 178 countries. The company uses cloud web hosting technology and provides hosting with MySQL, FTP and PHP.
As such, Hostinger is particularly well placed to share detailed insight into the various security mechanics currently impacting the ever-growing and pervasive web cloud landscape, and Infosecurity spoke with the company’s cybersecurity specialist, Egidijus Navardauskas, to explore.
“Nowadays, the cloud is the primary location for most of the business”
What are the key cloud security risks impacting organizations in 2020?
Nowadays, the cloud is the primary location for most of the business as it allows them to do more with less downtime, cost and loss, and offers better security compared to what customers have on-premises. Also, cloud hosting providers can offer backups, server maintenance, software updates and more – you can overview Hostinger’s plans as an example.
However, as people post in memes, there is no cloud, it’s just someone else’s computer, and risks associated with cloud computing undeniably exist. There are many, but I would like to highlight and point out the two most common cloud security risks which, in my opinion, are challenging for organizations these days.
The first is misconfiguration and insufficient change control. Configuration of cloud resources in a secure fashion isn’t an easy task, and inappropriate changes or misconfigurations may break the asset’s functionality, cause service interruption or even allow unauthorized access to attackers through unnecessarily enabled services or unchanged default administrative credentials, which may lead to data breaches. The cloud environment is complex, so it’s a challenge to control it and track the changes.
The second risk is the lack of identity and access management. In the cloud environment, it’s a challenge to manage every access manually. Privileged user accounts are used on most critical company systems and are extremely powerful. They have the highest clearance levels and permissions to manage other lower privilege accounts. If an attacker would gain access to a privileged account, they could easily compromise or shut the entire network down. If access to the accounts is not disabled immediately during employee off boarding, any sensitive information stays with the account. There is a possibility that the information could be stolen from a phone or tablet, or even a disgruntled employee might intentionally try to compromise the business.
Other risk factors are excessive account permissions, reused and easily guessable credentials, no passwords or sensitive keys rotation, and lack of multi-factor authentication (MFA).
How can organizations prepare for and defend against those risks?
As traditional change control approaches for proper configuration might be difficult, the best way to prepare is planning and overseeing the challenges. There are plenty of cloud automation tools in the market that can be used for configuration deployment, tracking and appropriate change control assurance. Choosing the right cloud automation and auditing tool that supports your cloud infrastructure before moving business to the cloud will definitely help reduce the risk associated with misconfiguration and insufficient change control.
For identity and access management-related risk mitigation, I would suggest creating a correct and strict access policy, enforcing passwords and access keys rotation and auditing. Also, consider using centralized identity and access management (IAM) and/or privileged account management (PAM) tools which help to manage and audit elevated (privileged) access and permissions for users, accounts, processes and systems across an IT environment.
Additionally, to follow the least privilege principle and restrict access rights and permissions for users, accounts, applications, systems, devices and computing processes to the absolute minimum necessary to perform routine, authorized activities, add an extra layer of security by implementing a single sign-on (SSO) and/or MFA on every system where possible.
“The cloud environment is complex, so it’s a challenge to control it and track the changes”
What role will cloud hosting technologies play in business operations over the next 12-24 months?
As cloud hosting technologies are innovative and empower digital transformation, improve business continuity and offer multiple benefits like stability, flexibility, security and accessibility, they are already playing a huge role in business operations. Also, due to the COVID-19 pandemic situation, companies are forced to move to remote working and cloud technologies can help a lot with enhancing remote business operations. It doesn’t matter if it’s Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS) cloud technology, I believe that over the next 12-24 months, demand for all of them will keep growing and more and more companies will be moving at least part of their business operations to the cloud.
Is there currently enough clarity around and awareness of cloud security?
In my opinion, clarity and awareness in any field of expertise come from studying, training, researching and learning from others and your own mistakes. Even though the cloud security topic isn’t simple, I can state that there is enough clarity and awareness regarding cloud security, especially in knowing that we are living in a digital world where the internet offers a variety of cloud security courses, videos, articles, documentations, feeds and training which explains best cloud security practices and common security challenges.