Hybrid environments are a fundamental reality for businesses of every size. What that environment looks like for any given company is unique to that company. One size does not fit all, and it shouldn’t – that’s the nature of hybrid. One challenge that is not unique, however, is the need for security. Data security in cloud computing has characteristics all its own.
Because cloud computing, and Azure AD in particular, changes the traditional perimeter, data security in cloud computing requires a different approach. It’s as if more doorways have been added to a building – a lot more doorways.
This changing business landscape is driving cloud security
Strengthening cybersecurity is one of the top investments that companies will undertake as part of their digital transformation project plans over the next three years. The ongoing trend of remote and hybrid workplaces has created a shift that directly impacts security. Much like hybrid itself, there is no one-size-fits-all approach to cybersecurity.
Cloud security encompasses technology solutions, policies, and procedures to protect cloud-based applications and systems. That sounds simple, but it isn’t. Depending on the industry (healthcare, for example), compliance concerns can dictate what stays on-prem and what goes to the cloud. Yet the core principles of information security and data governance – data confidentiality, integrity, and availability – apply just as much in the cloud.
Cloud Choices: Public, Private, Hybrid, Or Community Clouds
The right tool for the right job applies whether you’re building a house or a hybrid environment. Current choices include:
- Software-as-a-Service (SaaS)
- Platform-as-a-Service (PaaS)
- Infrastructure-as-a-Service (IaaS)
- Function-as-a-Service (FaaS)
It’s also imperative you consider data security in all facets of cloud computing and the data lifecycle including:
- Development
- Deployment
- Migration of applications and systems
Common Risks to Azure AD Security
As discussed earlier in this blog, hybrid and its associated technologies are like adding more doors to a building: more ways to get in, and more ways for data to leave. The other risks we are all too familiar with are:
- Cyberattacks
- Data breaches
One of the best proactive measures you can take is to keep Azure AD and Microsoft 365 groups up to date by automating the management of your groups and users. This mitigates the threat of unused or expired identities, which are frequently used as entry points in cyberattacks and breaches.
Other Cloud-Related Risks
The other cloud-related risks are:
- Data Leaks
- Regulatory Non-Compliance
- Loss of Trust from Customers
- Business Interruption along with Financial Loss
Data Leaks
Data leaks and loss may result from insufficient security practices like misconfigured cloud systems or threats from inside your organization.
Regulatory Non-Compliance
Whether it’s the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR), the added complexity of cloud computing creates compliance risks.
Loss Of Trust from Customers And A Hit To Your Brand Reputation
Customers trust you with their personally identifiable information (PII) and when security is compromised, you lose customer loyalty.
Business Interruption Along with Financial Loss
Downtime is expensive and a disruption caused by the failure of cloud technology/platforms or supply chains can lead to difficult conversations with senior leadership.
Threats to Azure AD Security Groups
Unsecured application programming interfaces (APIs). Cloud services and applications rely on APIs for authentication and access, but these interfaces can carry security vulnerabilities such as misconfigurations.
Insider threats. Who has access to what, and should they have it? Lifecycle management and attestation are important pre-emptive tools you can use.
Account takeover. If your Active Directory (AD) or Azure AD groups and associated users are out of date, the result is compromised identities that hackers love.
There are five reasons why groups in Azure AD are so popular among cybercriminals:
- Groups are the Basis for Granting Access
- Groups already have access
- Groups often have too much access.
- Nesting is an Attacker’s Best Friend
- Who looks at groups? That’s Right: Nobody
We’ll look at each of these in more detail:
- Groups are the Basis for Granting Access. Groups have long been how most users are granted access to applications, systems, and data; one-off permission assignments are the exception. So groups become a natural target for cybercriminals: they provide the easiest way to gain access to those same internal resources.
- Groups already have access. Consider which is easier for an attacker: explicitly granting a compromised user account the permissions needed to access, say, your Hyper-V environment, or adding that account to a group that has already been granted the access. The latter is obviously much easier.
- Groups often have too much access. Over time, groups get repurposed: older permission assignments aren’t removed, or groups get renamed. After years of existence, such a group often provides more access than you believe it does.
- Nesting is an Attacker’s Best Friend. Groups make a good hiding spot. Attackers use group nesting to obscure the addition of a user to a group: they first create another group and nest it as a member of the group that holds permissions to the target resources, so the added user sits one level removed from the privileged group.
- Who looks at groups? That’s Right: Nobody. Think about it: an extra member in a group will go completely unnoticed unless you perform proper group attestation on a regular basis, validating group memberships and the permissions assigned to each group.
Because groups pose a risk to organizations, some form of group lifecycle management is necessary. IT should periodically lead an attestation team through a process in which IT attests to each group’s permissions and memberships.
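The nesting and attestation points above, and the stale-identity risk noted under Common Risks, can both be checked mechanically. The following is an added example, not GroupID’s or Imanami’s code: it expands nested membership from a constructed directory snapshot (the shape you would get by exporting each group’s members and each user’s last sign-in date) and flags members that are hidden by nesting or that look unused. The names resolve_members and attest_group are this example’s own.

```python
"""Attestation helper that expands nested Azure AD / AD group membership.
Added example, not Imanami/GroupID code; it assumes a directory snapshot
already exported into plain dicts (constructed sample below)."""
from datetime import date

# Constructed sample: group -> direct members. A member beginning with
# "grp:" is a nested group; users map to their last sign-in (None = never).
GROUPS = {
    "grp:HyperV-Admins": ["alice", "grp:Infra-Ops"],
    "grp:Infra-Ops": ["bob", "grp:Contractors"],
    "grp:Contractors": ["carol", "grp:Infra-Ops"],  # nesting cycle, on purpose
}
USERS = {"alice": date(2023, 5, 1), "bob": date(2022, 1, 15), "carol": None}
TODAY = date(2023, 6, 1)  # fixed "today" so the sample is reproducible


def resolve_members(group, groups, _seen=None):
    """Return {user: [group, nested group, ...]} for every effective member.
    _seen stops infinite recursion when groups nest each other."""
    _seen = set() if _seen is None else _seen
    if group in _seen:
        return {}
    _seen.add(group)
    effective = {}
    for member in groups.get(group, []):
        if member.startswith("grp:"):
            for user, path in resolve_members(member, groups, _seen).items():
                effective.setdefault(user, [group] + path)
        else:
            effective.setdefault(member, [group])
    return effective


def attest_group(group, groups, users, today, max_idle_days=90):
    """Flag effective members who are hidden by nesting or look stale."""
    direct = {m for m in groups.get(group, []) if not m.startswith("grp:")}
    findings = []
    for user, path in resolve_members(group, groups).items():
        if user not in direct:
            findings.append(f"{user}: nested via {' > '.join(path)}")
        last = users.get(user)
        if last is None or (today - last).days > max_idle_days:
            findings.append(f"{user}: stale (last sign-in {last})")
    return sorted(findings)


if __name__ == "__main__":
    for line in attest_group("grp:HyperV-Admins", GROUPS, USERS, TODAY):
        print(line)
```

Run against a real export, the same report gives the attestation team the effective membership of a privileged group rather than only its direct members.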
Cloud Security Is a Shared Responsibility
When data centers and infrastructure are on-prem, security responsibility falls entirely to your organization. In the cloud, you’re using a vendor’s services, and the lines of responsibility change.
Cloud providers manage the physical security of the infrastructure while their customers are responsible for data classification and accountability. For all the other security, the responsibility either falls to one of the parties or it can be shared.
Keeping Your Data Safe in The Cloud
As you continue leveraging cloud technologies, your challenges become more complex. Data security in the cloud is an important part of an organization’s overall risk.
An identity-centered approach built around accurate, up-to-date information is the easiest, proactive approach you can take.
Imanami Defines Group and User Management
Imanami, a Microsoft Gold Certified Partner, is the leader in Group Management Solutions. Our suite of Active Directory tools provides solutions to provision users. Our solutions get them into the correct distribution and security groups immediately. Contact GroupID to talk with one of our engineers, who can solve your specific use cases.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.