Bringing Cloud Security Down To Earth: Beware of Third-Party Infrastructure Access Agreements
By: Ali Gomulu
Moving business applications, workflow and data to the cloud represents a major shift, requiring enterprises to change their security posture, as sharing information outside the organization creates a greater need for diligence and governance. Cloud vendor agreements must be carefully written, and security policies implemented as moving all or part of an organization’s IT infrastructure does absolve the organization from security responsibilities. Knowing what security requirements to include in cloud vendor contracts must include Privileged Access Management (PAM) policies to reduce risk and provide clarity.
Cloud adoption continues to rise; according to International Data Corporation (IDC)’s “Nine Ways to Maximize the Value of Cloud Contracts,” 52 percent of all companies are currently using cloud-based delivery models and an additional 27 percent have firm plans to implement cloud solutions within the next year.
When entering into cloud agreements, security must be a forethought, not an afterthought, and a big part of this is to contract in such a way that the cloud services provider understands the boundaries, including the protection of not only the cloud instances, but the connectivity to the organization’s infrastructure, especially when hybrid solutions are in place. If a cloud provider needs to access internally generated and stored data, they must be required to do so within the context of a solid PAM solution.
This same PAM solution, architected wisely, can also protect mission critical infrastructure internally (ensuring employee activity is monitored and managed), while also protecting the same infrastructure should vendors who are, for example, performing maintenance on servers, gateway or other physical infrastructure.
Cloud and infrastructure vendor contracts can be designed to mitigate risks to the confidentiality, integrity and availability of an organization’s data and applications, offering an additional layer of protection.
Third-Party Infrastructure Access Agreements: Negotiate to Protect What You Connect
As part of the digital transformation process, including moving more to the cloud, and/or outsourcing certain IT functions requiring third-parties to access systems, it is important for IT leaders to become proficient in negotiating and managing contracts, while also designing a system which can authenticate and authorize access by people and machines, by matching the right workflows and processes in the context of securing valuable assets.
When signing up for any agreement enabling a third-party to access corporate resources, here are five basics principles to keep in mind:
- Require the cloud or infrastructure vendor to provide regular reporting on security status, including security incident and intrusion detection/prevention system (IDS/IPS) log reports, with the right to audit and asses this as part of the agreement; to simplify this, organizations can use solutions like Ironsphere’s PAM platform which manage privileged credentials including passwords and profiles (which individuals can access which domains for example).
- Clarify service monitoring and requests alerts in real time should systems go down, as these can be indicators of a security breach; organizations will want to be able to monitor availability anyway and discuss any patterns of downtime should they occur.
- Include language in agreements that affirms the cloud provider or infrastructure vendor’s business continuity plan, with specific requirements in place associated with data backup and recovery responsibilities should there be a security issue or other system failure.
- Ensure agreements cover regulatory requirements, especially in the most regulated industries (financial services, healthcare, e-commerce, and others) in parallel with increasingly strict laws regarding private information protecting consumers, and map privileged access policies in such a way that only those who “need to know” can access data that is most vulnerable.
- Specify technical standards for encryption and transmission, access controls, and background and/or security check protocols for cloud providers and infrastructure vendors, including the use of the organization’s own choice of PAM software. Confirm exactly how the different user permission roles are put in place, and mandate accessibility parameters for each role and the administrator’s access rights, ensuring all access events can be recorded and tracked.
Ironsphere provides advanced technology software in the fields of Access Control Systems, Privileged Task Automation and Next-generation Security and Audit. With the world’s most cost-efficient, flexible and easily deployed Access Control software, our technology platform supports many global telecom service providers and large enterprises.
Our core offering is a Privileged Access Management (PAM) solution protecting mission critical systems and infrastructure, used as administrative access, information security and governance tool to prevent internal data breaches and malfeasance using privileged accounts, which enables the sound management of heterogenous environments – cloud, prem, hybrid and multi-cloud – making sure that only the people and systems who are authorized to access data and infrastructure can do so.
To learn more about how your organization can reduce risks associated with an increasingly interconnected world, please contact us at firstname.lastname@example.org.
As Cyber Attacks Grow, Data Center Operators Can Bring Value-Added Services to Enterprises Leveraging Cloud-Based Access Management Services
No threat facing businesses today has grown as fast, or in a manner as difficult to understand, as the danger from cyberattacks. Cyber threats are increasing in both volume and sophistication, and as the world continues to become more digital with every passing day, cyber threats will only keep growing in both aspects. As a result, organizations today are turning to robust cybersecurity solutions, such as Privileged Access Management (PAM), to keep both their data and their customer’s data safe.
Privileged Access Management as a Service: An Exciting new Value-Added Service for Data Center Service Providers
Given the increasing complexity of compliance, and the growing risk of data breaches, even as public cloud, hybrid cloud, and multi-cloud solutions are being implemented, businesses of all sizes need support in protecting what they connect, and many count on their data center providers for guidance and solutions.
How Secure Are VPNs? Given Increasing Successful Attacks, It’s Time to Take a Hard Look at PAM for Zero Trust Solutions
Since the early 1990s, VPNs (Virtual Private Networks) have been central to providing remote users with access to the corporate network.
Thirty years later, in 2020, when legislation and population health initiatives mandated work-from-home, bad actors recognized and acted upon their massive opportunity to attack VPNs and initiate data theft and ransomware attacks as applications, in the heat of the moment, moved outside the traditional perimeter.