As public sector organisations become increasingly reliant on mobile devices and cloud-based technologies to run their teams and vital services, networks, services and devices become prime targets for cyber criminals.
Everybody thinks they won’t fall victim to an attack until they do. So we’ve put together some points for consideration when it comes to building secure cloud environments.
Firstly, understand the types of data that you intend to store in the cloud. This will help guide you to the types of security tools and processes that need to be put in place. It’s important to ensure the most appropriate controls are used so the organisation isn’t hindered and can still gain the full benefit of using the cloud.
Different types of data will need to be secured in different ways. If, for instance, the organisation is using collaboration platforms, then there is a need for employees and users to be able to communicate safely and securely. Locking away collaborative tools and file-sharing capabilities in an overly complex or restrictive way will prove counter-productive. Instead, understand the types of information shared across the platform and take steps to allow employees to share data safely and practically.
Data classification can play a part in helping to secure collaboration platforms and solutions, for example, stopping employees from sharing sensitive information such as child protection records with users who are not authorised to view them. Getting data classification right from the start and driving policies from the centre makes it easier to keep data safe and secure. Ultimately, employees need to be protected by policies that stop them from inadvertently exposing confidential data.
However, this is very different from the type of security implemented around a business application database. Security needs to be a core part of the design when it comes to protecting applications and databases. The crux of this is good product architecture and understanding that cyber security processes need to be layered in. This approach minimises the risk of exposing information residing in the cloud and should centre around the Zero Trust security model.
The Zero Trust Security Model
The Zero Trust security model is based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network.
By layering applications behind several defensive barriers, it’s easier to prevent unintended consequences, and employees can only access the systems and data they require. Segmenting the network in this way and breaking it into a multi-layer structure enables organisations to hinder cyber criminals, restrict their movement across the network and stop them from reaching mission-critical data.
The three principles of Zero Trust are:
Use all available data points to authenticate users and authorise access. This includes user identity, location, device health, service, workload, data classification and anomalies.
Use least privileged access
You can also secure your data and productivity tools by using JIT and JEA – Just in Time and Just Enough Access policies. There are adaptive policies that can automatically block and flag based on risky behaviour and take protective actions.
Limit the trust you place in applications, identities and networks by treating them all as compromised or breached.
These principles should not be used alone but reinforced by other security measures such as multi-factor authentication, backups, patching, anti-social engineering/phishing measures, DDoS defences and whitelisting.
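The three principles above, combined into one deny-by-default access decision. This is an added example, not code from the original article; the signal names, classification levels, the 0.8 anomaly threshold and the grant format are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed classification levels, lowest to highest sensitivity.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

@dataclass(frozen=True)
class Grant:
    # Just Enough Access: one user, one resource, one action.
    user: str
    resource: str
    action: str
    expires: datetime        # Just in Time: the grant lapses on its own

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    classification: str      # classification of the data requested
    mfa_passed: bool         # identity signal
    device_healthy: bool     # device health signal
    location_known: bool     # location signal
    anomaly_score: float     # 0.0 (normal) to 1.0 (highly unusual)

def decide(req, grants, now):
    """Return (decision, reason); nothing is trusted by default."""
    # Treat everything as possibly breached: risky behaviour is blocked and flagged.
    if req.anomaly_score >= 0.8:
        return ("block_and_flag", "anomalous behaviour")
    # Use all available data points before authorising.
    if not req.mfa_passed:
        return ("deny", "identity not verified")
    if not req.device_healthy:
        return ("deny", "device failed health check")
    level = LEVELS.get(req.classification)
    if level is None:
        return ("deny", "unclassified data")
    if level >= LEVELS["confidential"] and not req.location_known:
        return ("deny", "unknown location for confidential data")
    # Least privilege: an unexpired grant must match user, resource and action.
    key = (req.user, req.resource, req.action)
    matching = [g for g in grants if (g.user, g.resource, g.action) == key]
    if any(now < g.expires for g in matching):
        return ("allow", "active grant")
    return ("deny", "grant expired" if matching else "no grant")

if __name__ == "__main__":  # constructed sample data
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    grant = Grant("alice", "case-records", "read", now + timedelta(hours=1))
    req = Request("alice", "case-records", "read", "confidential", True, True, True, 0.1)
    print(decide(req, [grant], now), decide(req, [grant], now + timedelta(hours=2)))
```

The same request that is allowed at noon is denied two hours later because the grant has expired, without anyone having to revoke it.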