Software as a Service (SaaS) is the new IT, and cloud identities are the new perimeter. The more users you maintain in the cloud, the broader your organization’s attack surface and vulnerability to security incidents. As your organization boosts its reliance on SaaS, your public cloud posture expands and your threat landscape changes.
Exposed login credentials for operation-critical SaaS and Infrastructure as a Service (IaaS) accounts, overly privileged cloud user identities, and shadow IT admin accounts create potential entry points for attacks and place your business-critical assets at risk.
If your organization is like most, you’re adopting new cloud services as your business changes and grows. You’re provisioning new users and admins as employees cycle in and out and escalating privileges for employees taking on new roles. As your organization shares and stores more information in the cloud, your risk multiplies exponentially. These shifting points of exposure tend to increase the risk of account takeovers and data leakage.
Fortunately, you can create a secure, identity-defined cloud perimeter and reduce your cloud attack surface with these six steps.
#1 Reduce publicly available resources
The average employee can access more than 17 million documents on their first day at work. Cloud services make it easy for employees to share and over-share these documents within your organization and externally.
Think that’s scary? In some cases, search engines may catalog and surface these documents in search results where they are accessible to anyone with a link.
Security teams should train users to share documents with specific users rather than with the entire organization. Removing exposed information can be time-consuming, but it is necessary to keep your critical and sensitive data within your organization. It will also make it easier to spot if and when a breach occurs.
#2 Follow the principle of least privilege
Minimize your employees’ access privileges so they can access only the information needed to do their jobs. Do your external contractors need uncontrolled access to customer details in Salesforce? Do your summer interns require access to sensitive engineering documents in Jira? Maybe, or maybe not.
Then, go one step further and remove unused or stale permissions belonging to former employees and contractors. Least-privilege access isn’t just nice to have; it can reduce your attack surface by minimizing the possibilities for account takeovers and data loss.
#3 Enable MFA for all critical SaaS and cloud services
(MFA)—whether biometric, TOTP, SMS or email-based—is your first line of defense in the cloud. It helps ensure that stolen passwords alone cannot grant cybercriminals access to your critical data. Then, identify and consolidate your business-critical resources within only IT-sanctioned cloud apps that have been vetted for MFA support, PII security controls, SOC-2 compliance and encryption support.
#4 Remove redundancies
To maintain good security policies and configuration hygiene, continually review and eliminate any redundancies. Redundancies can enable old and inappropriate policies or misconfigured privileges that were improperly deployed or not deactivated to override or negate the sanctioned ones you meant to deploy.redundant roles creep in, they can grant users overly broad permissions and increase the chances of mistakes and, ultimately, security incidents.
#5 Keep accounts for admins separate
Your SaaS and IaaS admins require extra attention because their access and privileges can expose your organization to risk. First, place controls on your SaaS and IaaS admins to help prevent them from abusing their rights. Then, provide privileged users with separate accounts for administrative activity and day-to-day non-admin use. Administrative user accounts will be less prone to phishing attacks and other threats.
You must also identify all shadow admins (non-privileged users who maintain admin-level control over your cloud environment without IT’s involvement, either through a misconfiguration or malicious intent). Rightsizing privileges will prevent shadow admins from doing system-wide damage within your cloud accounts and can decrease the potential for data exfiltration.
#6 Enforce off-boarding processes
Every time an employee or contractor leaves your organization, you must revoke their permissions across all of your cloud services managed outside your SSO. Surprisingly, we found that three out of four cloud identities for external contractors remain active after leaving. Security teams must routinely confirm their automated policies for disabling users in your IDaaS (such as Okta).Distributed work and the rise of SaaS put to rest any lingering doubts that traditional perimeters and security protocols could defend against modern attacks. Securing identities and their associated privileges and access should be at the heart of your strategy for reducing your cloud attack surface.