Protecting your cloud from ransomware

For enterprises that use the cloud, the key to being protected starts with understanding the layers that make up the components of their cloud stack. These different layers create multiple potential targets, and for the informed, they each represent a piece of the cloud environment that can be secured against potential threats.

Ransomware doesn’t have to be terribly complex stuff. To be effective, it just needs access. By paying attention to the different pieces of the cloud stack and addressing their unique security needs with these preparations, your environment will be far more resistant to ransomware threats:

Identity management

If a bad actor can gain access to your systems using your credentials, you’re done for.

Secure password: Establish policies that require complex passwords (12 characters with mixed case, letters and numbers, at a minimum).

Require multi-factor authentication (MFA) everywhere: Having a strong password is not enough these days, you need multiple layers of protection. Using a second validation or authentication method provides another layer of protection around your user login.

Least privilege roles: Only give users access to the least amount of accounts and systems that allow them to be productive. This limits the damage that can be done if an accident is made or a bad actor gets access to the account.

Disable dead accounts: When people leave your organization, disable access to all systems and disable their access keys immediately. Dead accounts leave more endpoints and are not monitored the same way live ones are.

Secure the compute layer

Take steps to secure your compute layer to ensure availability of systems and data, and to keep bad actors from using your compute power to further spread malware across your business and the Internet.

Harden the OS: Remove unnecessary programs that only serve to broaden your attack surface. Stay up-to-date on service packs and patches as much as you can. While it doesn’t ensure that you won’t be vulnerable to a zero-day attack, it makes it much less likely.

Enable secure login (issue SSH keys issued to individuals): This will keep your assets protected when moving across unsecured networks.

VPN (network): Protect the connections between devices and the Internet by creating a secure (tunnel), or VPN. You’re creating your own version of a network that is more specific to your own security requirements.

Use jump host: The jump host is placed in a different security zone and provides the only means of accessing other servers or hosts in your system. The security groups for your other cloud assets, should be set up to only allow SSH access from the jump host. It is an extra step that might make keep the hackers out of your system.

Hypervisor firewall rules: The most effective way to manage firewalls is at the hypervisor level because you can restrict or set limits on both ingress and egress traffic. Take care to set definitive rules about what, how much, and who can send, receive, and access both inbound and outbound data. Many are reluctant to set up outbound rules, but because ransomware often threatens the leaking of your intellectual property, it is important to ensure you have outbound rules that are explicitly declared.

Only use trusted images: Build your images or templates from scratch or get them from very trusted sources like AWS or Microsoft. Don’t use the ones you find on Stackoverflow or on random message boards or communities.

Secure your storage

If data is the new oil, you want to be sure to protect your precious resources to ensure your business is viable for years to come. If attackers get access to your storage layer they can potentially delete or expose entire buckets or blobs of data.

Manage data access: Identity and Access Policies (IAM) policies and Access Control Lists help you centralize the control of permissions to your storage. Bucket policies allow you to enable or deny permissions by accounts, users, or based on certain conditions like date, IP address, or whether the request was sent with SSL.

Encrypt, encrypt, encrypt: Encrypt your data both in transit and at rest. Note that the metadata is often not encrypted, so be sure not to store sensitive information in your cloud storage metadata.

Versioning / logging: Versioning allows you to preserve, retrieve and restore data if something goes wrong. WIth versioning turned on, you can always restore from an older version of the data if a threat or application failure causes loss of data. Maintaining access logs provides an audit trail in case someone or something gets into your system.

No delete rights or MFA for delete: You can set up roles in your cloud infrastructure that do not all the user to delete any data. In most cloud storage solutions you can enable a feature that requires that the six-digit code and serial number from your MFA token to delete any version of data stored in your storage layer. This means that attackers won’t be able to delete your data if they get access, unless they’ve got your MFA key.

Protect your cloud services

After you’ve “surrounded the perimeter” and enforced smart policies, you then need to emphasize security specifically for your services in the cloud.

Use good source control management: Use a source control to secure versions, access to builds, and deployment instances. This will reduce the surface area of your code and limit the potential for attacks across your entire network.

Don’t allow services to call home to SaaS systems like Github: All it takes is for a bad actor to get access to your repo, and they can infect and potentially get access to more of your systems the next time one of your systems calls home. It’s better to store your Git or code repositories securely in your cloud environment.