Configure settings and mitigate risks with this cloud application security checklist
Doing business in the cloud provides companies with many benefits. From improving productivity and collaboration to outsourcing infrastructure security, organizations of all shapes and sizes are making the move to the cloud. But there are security issues in cloud computing, and this cloud application security checklist is designed to help you mitigate those issues.
What is cloud application security? It is a series of defined policies, processes, controls, and technology governing all information exchanges that happen in collaborative cloud Software as a Service (SaaS) applications like Microsoft Office 365, Google G Suite, Slack, Box, etc.
As your company moves more information and activity to the cloud, your perimeter security safeguards become less effective. More IT and InfoSec professionals are opting to secure cloud storage by deploying a zero trust security model. This checklist also helps you lay the groundwork for deploying zero trust security for your own cloud applications.
1. Set password policies
Passwords are the foundation of any good security plan. Educate your team on what factors makes passwords strong or weak, and why password strength is so important.
As a system admin, you can set policies and standards for your organization’s cloud app passwords. At minimum, you should enable your system’s “require a strong password” feature. You can also set minimum and maximum password lengths, password expiration, and more. If you’re setting the standards for the first time, be sure to run a check of current passwords to see whose passwords are out of compliance with the new standards. You can then force a password change through your admin console.
2. Make multi-factor authentication mandatory
Multi-factor authentication requires users to take a second step, after entering the correct password, to prove they have authorized access. This typically includes entering a code that is sent to their phone via SMS. It can also include phone calls, answering security questions, mobile app prompts, and more.
3. Manage SaaS access and permissions
Open Authorization makes app use convenient for end users, but it can be a little bit of a nightmare for those in charge of IT security. The proliferation of SaaS use in the workplace makes it difficult to stay on top of what apps have access to your cloud environment, what permissions are granted to them, and how secure the app is itself.
System admins have the ability to control what apps are allowed permissions to the company’s Google or Microsoft cloud accounts. This can be as simple as restricting access to risky apps, or as customized and detailed as creating sanctioned and unsanctioned apps lists.
4. Enable anti-phishing protections
Email phishing is still the most common external threat vector. And there are a myriad of tools on the market aimed at removing phishing emails from company inboxes. Unfortunately, none of them work with 100% accuracy.
The best option is to start with configuring your native cloud email provider’s anti-phishing capabilities, and then layer additional safeguards and monitors on top of it. Educating the rest of the company about common phishing attacks, new ones as they arise, and how to spot them is also extremely important.
5. Turn on unintended external reply warning
One of the ways you can ensure that sensitive, internal information isn’t improperly shared outside of the company is to enable an external reply warning. This feature also protects companies against forged emails from malicious hackers trying to gain access to internal files and information.
When the external reply warning is enabled, users receive a pop-up notification asking if they’re sure they want to send to an external domain. It’s important to reinforce to your colleagues why they need to pay attention to this pop-up and think twice before dismissing it.
6. Set external sharing standards
Beyond sending emails, you should configure external sharing standards for shared calendars, drives, folders, and files. The best approach is to start with the most strict standards possible, and then open up as needed.
Files and folders containing the most sensitive information such as employee and customer personally identifiable information, and financial information, should rarely (if ever) be configured to allow external sharing and access.
7. Set up message encryption
Encryption prevents anyone other than the intended audience from viewing a message. Microsoft and Google provide native encryption options; or in Google’s case they provide “Confidential Mode”, which works a little differently. There are also a variety of third party encryption tools available.
Sending sensitive or confidential information via email should always have encryption and confidential protections enabled. It forces the recipient to authenticate that they are the intended audience and protects the information from being forwarded to others. The sender can also set up an expiration date to ensure the information isn’t lingering in someone’s inbox into eternity.
8. Set up data loss prevention policies
Fundamentally, data loss prevention is a strategy to ensure that your company’s sensitive and protected information does not inadvertently leave the company network—whether it’s accidental or malicious.
System admins have the ability to set up data loss prevention policies in most popular and “enterprise level” cloud applications. These policies help admins maintain and automate rules around how information can be accessed and shared. Most policies create alerts and actions that the system can take if a data loss prevention policy is broken. For example, if an employee account is trying to share a spreadsheet containing social security numbers with an outside domain, the policy can be set up to automatically warn the user and/or quarantine the file.
9. Enable mobile management
Everyone in your company uses mobile devices to access company cloud accounts- mainly email, files, and drives. These mobile devices represent more endpoints that need to be secured by IT. But, endpoint security isn’t enough in cloud computing. When it comes to cloud security, you will also need to configure mobile device policies in your cloud applications.
10. Run a security health/score audit
Once you’ve completed this checklist, it’s a good idea to run a security audit of your cloud environment. An audit will re-check for any configuration errors, sharing risks, files containing sensitive information, and more.
It’s also important to run an audit on a periodic basis. Weekly and/or monthly audit and reports can be automated and provide you with detailed information into the security health of your cloud applications. Microsoft provides Office 365 Secure Score, which is very helpful in providing on-going health checks and recommendations. Particularly as new security features are rolled out and new risks are identified.
If your company uses SaaS applications such as G Suite, Office 365, Slack, and others, cloud application security is a critical layer in your cybersecurity architecture. Without it, monitoring and controlling behavior happening within your applications is impossible. This blind spot creates critical vulnerabilities in your organization’s sensitive information, and financial future.