Due to the ease, flexibility and low cost of securely storing and sharing data between commercial cloud providers, by 2025 cloud deployments are expected to be a $68 billion market. However, current cloud deployments pose significant risks that could be mitigated with minor changes to infrastructure procurement and access.
Currently, most enterprises procure cloud instances using their company’s name. This lack of obfuscation in the billing trail provides an easy target for threat actors in the reconnaissance phase. Adding a simple layer of procurement obfuscation is an important first step that enterprises can take to better protect their most important data sources from potential threats.
The idea behind obfuscated billing is that an adversary may be able to access public records that tie an enterprise to a cloud deployment simply because their name is on the bill. When using an obfuscation strategy, the cloud deployment is procured through separate legal entities that make this discovery of the end user much more challenging.
Cloud obfuscation is another critical best practice given the rise of ransomware tactics that lock up critical business processes and data. Many recent ransomware attacks have involved a compromise of credentials that allowed criminals to access cloud instances. These backup environments were then corrupted with false data making it impossible to use them to recover from a ransomware attack.
Enterprises need to make it much more difficult for threat actors to even know these backup environments exist. One way to do this is by totally disassociating the most critical business data from enterprise cloud deployments. This can be achieved by procuring a totally separate commercial cloud instance that is reserved for the company’s most sensitive data and only accessible through zero trust controls. In addition,this data should be encrypted in transit using keys controlled by the organization.
Cloud deployments allow for extremely cost effective and secure data environments. However, the evolving tactics of threat actors in conjunction with increasing potential insider threats makes additional layers of security essential to protecting an organization’s crown jewels. For example, the Department of Defense has long protected their most classified programs under a term called “Special Access.”
Special Access Programs (SAPs) require a unique vetting process that is well above normal security clearance requirements, is only extended to personnel who have a need to know, and whose identity is often concealed using code names.
Commercial enterprises can learn some important lessons from this approach. Whether it is sensitive customer data, health records, trade secrets, or financial information all organizations have data that requires additional levels of protection. An obfuscated cloud management approach is an essential strategy to keeping one’s crown jewels secure.