Securing staff identities in the Cloud, why it matters and where to start

Between July 1st 2019 and June 30th 2020, the Australian Cyber Security Centre responded to 2,266 cyber security incidents and received 59,806 cybercrime reports, at an average of one report every 10 minutes. This is alarming when you consider thatin 2019, 42% of Australian businesses were using Cloud – a figure that will have certainly increased in 2020, given the significant shift in remote work caused by COVID-19. 

With the rapid uptake of Cloud services, businesses need to ensure they are applying the right security measures. Best practice is to ensure you configure your security as part of a Cloud migration, but all too often, especially when migrations are rushed, it is a delayed afterthought.  

“The way I explain it to customers is to use the analogy of driving a car, you wear a seat belt because you have to. This thinking should be applied to working in the Cloud, you secure your data because you have to,” says Daniel Baptist, Consultant at Retrac Business Solutions.  

Previously you could protect your server with solutions like firewalls, and rest easy knowing your data was all stored in one place. In the Cloud, data is often spread across different environments. Protecting your data therefore becomes more about managing the approved end users who can access it.  

This becomes even more important when you consider that, of the 59,806 cybercrimes reported, identity-related crimes incorporating the theft and misuse of personal information was the second most common category.  

Identities matter, protect them to protect your business  

In order to secure end users, you need to look at the different roles within your organisations and the access and tools they require.  By securing who is using your information, and putting parameters around how they use it, you can secure your data. 

“Security options in the Cloud hone in on specific functions rather than looking at the infrastructure as a whole. We now have the ability to lock down files to be readonly for certain users, or prevent files being downloaded to USB or screen-shotted,” says Daniel.  

In a Microsoft Cloud environment, Azure’s Active Directory Identity Protections offers a multitude of options to secure even the most sensitive of information.  

“In the past, we had limited functionality and had to protect business data as a whole. Today, with information dispersed, you can limit who can see what on a whole new level. You can classify documents based on content. If your system is configured correctly, AI can detect the sensitive content and apply the necessary security to it directly,” adds Daniel.  

The benefit of focussing on identities also reduces the risk associated with unprotected devices. If an employee needs to, they can access key files from a PC, iPad, or iPhone. By securing identities you can protect all the devices and ensure the data is only used as intended. This was pretty much impossible in the pre-Cloud era.  

Whilst tools like Multi Factor Authentication (MFA) are becoming increasingly commonplace, functions like detecting ‘impossible travel’ are still relatively under used.  

“In the Cloud, if you log in at 4pm and are in Melbourne, and then an erroneous log in occurs at 9pm, from Uzbekistan, AI will detect this and set security protocols in motion to prevent data being accessed,” notes Daniel.  

Where do you start?  

It may seem time consuming and complex to roll Cloud security features, but our seasoned team of experts can actually have identity protection up and running quite quickly. By configuring your security at the get go, you dramatically reduce the risk of breaches and cyberattacks.  

“When we undertake a migration or security hardening project, we sit down with our customer and talk about the various roles in the business, and who needs access to what. By understanding who is who in the zoo, we can map out the access requirements in collaboration with the customer,” explains Daniel.  

For small businesses, there may be payroll IP saved on an on-premises server, which may or may not be password protected. Before migrating to the Cloud, you should assess what information you need and who needs to access it. If you have users who regularly require access to sensitive IP, you can apply more rigorous identity protection settings to their specific roles.  

Security takes time and expertise, it isn’t automatic 

According to Daniel, people used to ask how to secure their servers, but the question is not frequently postured when discussing Cloud.  

“We find people aren’t asking about security in the Cloud as often as they should. Small businesses, especially those with limited inhouse IT resources, misunderstand the importance of Cloud security. It isn’t seen as important but these days most businesses have some assets in the Cloud and securing them should always be a top business priority,” concludes Daniel.  

If you are unsure of the state of your current Cloud security or would like to advice on how best to secure your end users, take our free Security Assessment