9 Ways to Protect Your Cloud Environment from Ransomware
The same technology driving faster collaboration and data transfer also enables cybercriminals to quickly spread ransomware.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt724065e7c99c110d/64f0dac9872773dbd8926001/ransomwarecloud-intro.jpg?width=700&auto=webp&quality=80&disable=upscale)
Businesses are moving to the cloud, taking advantage of the increased speed and efficiency it provides for data transfer and collaboration. Unfortunately for them, threat actors are abusing the same technology to accelerate the spread of cybercrime.
Cloud Security Alliance CEO Jim Reavis says the intrinsic nature of the cloud, which makes it appealing to businesses, is also viewed by malicious actors as a "fast lane" for ransomware proliferation. The foundation for strong ransomware protection in the cloud is a clean, secure internal network.
"It is important to have the best internal network hygiene possible: least privilege network architectures, microsegmentation, disabling extraneous network services running on desktops is a must," he says.
In many ways, protecting your business from ransomware in the cloud isn't different from endpoint ransomware protection, says John Pironti, president of IP Architects. He emphasizes the importance of maintaining basic security practices to protect against ransomware.
"It's the basics that always solve the problem," he explains. Patching and hardening systems are especially critical regardless of where data is stored. "It's IT security hygiene. If you do these things, the other things are irrelevant."
However, many businesses are not properly protecting themselves, and are leaving their data vulnerable to potentially disastrous attacks.
"Ransomware is different than traditional confidentiality attacks that infosec has obsessed over for many years," says independent security consultant Gal Shpantzer. "It's an availability attack, but unlike, say, DDoS, the attack is more intrusive, shuts down servers and not just pipelines, and can destroy vast quantities of data if not properly restored."
Here, cloud security pros share their advice on how businesses can protect their cloud environments from ransomware, and what they should do to mitigate the effects of an attack after it occurs.
"The most critical thing you can do, out the gate, is go and secure the cloud computer layer," says Tim Prendergast, founder and CEO at Evident.io. "It's easy to automate, easy to approach for startups and big enterprises alike."
Securing the compute layer ensures the availability of both systems and data, and prevents threat actors from leveraging your computing power to spread malware throughout your organization. To start, he says, enable secure login by issuing SSH keys to individuals.
Shpantzer advises knowing where your formal and informal assets are located -- a commonly overlooked but important step in planning for and responding to a ransomware attack.
He explains how, for example, many developers are spinning up servers in the cloud for quick testing, but aren't fully aware of the security and compliance implications of doing so. Sometimes they expose full copies of production databases, a mistake that adds confidentiality issues on top of the ransomware and availability issues.
"Know what's on your formal assets and understand shadow IT and how to mitigate it," Shpantzer says.
For restoration, he advises using cheap cloud storage to grab snapshots, files, folders, and anything you need to reconstitute your operations. Store them in cold storage on a separate MFA-protected account.
"This is about disaster recovery, not just an intrusion incident where someone merely copied PII and left your network and data otherwise intact."
Reavis also recommends separate data storage, specifically offline backups, to stay safe in the event of an attack.
"We are all using real-time cloud storage, which is great," he says. "But the fast autosyncing means that all your copies are infected as well, so it isn't a replacement for the extra effort to schedule backups regularly."
Pironti says businesses should take advantage of the opportunity to segment their networks, now that the architecture is available for them to do it. This can limit and contain the spread of a propagating ransomware attack.
"If I'm living in a non-segmented network, my whole network becomes exposed locally," he explains, using the Target breach as an example. Attackers needed only to compromise an HVAC system to conduct a disastrous incident.
In the cloud, Pironti continues, security teams can use architecture that enables them to put "gates" between critical activities. Walls and containment areas around components can protect them if they're in trouble.
Prendergast puts identity management next to securing the cloud compute layer as the second-most critical step in protecting the cloud against ransomware.
"Without strong identity management, you don't have an idea of who's doing what outside your critical security layers," he explains. "Once you have your core security layers in place, knowing people by uniqueness and their normal behavioral patterns, it helps you make smarter business decisions."
He says this is increasingly important as more people use the cloud to work from wherever they want. The distributed workforce is making a "huge difference" in the importance of monitoring activity and finding anomalies.
"Identity management extends outside the corporate walls as well," Prendergast notes.
In addition to enforcing complex, secure passwords and multi-factor authentication, businesses should also limit employees' access to sensitive information. People should only be able to access the accounts and systems they need to be productive. This limits the damage an attacker can do if they access an account.
Identity and Access Management (IAM) policies and Access Control Lists can help organize and control permissions to cloud-based storage. Bucket policies let you set or deny permissions by accounts, users, or conditions like IP address or date.
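To make the bucket-policy conditions concrete, here is an added example (not from the article or any vendor's code) that evaluates a small, constructed S3-style bucket policy against a request. It uses the real condition keys `aws:SourceIp` and `aws:CurrentTime` and the operators `IpAddress`, `NotIpAddress` and `DateLessThan`, but the evaluator itself is a simplified model of the AWS decision logic: explicit deny wins, otherwise any matching allow grants, otherwise the request is implicitly denied. Principal ARNs, bucket name and dates are invented.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample bucket policy (not from the article). It lets a backup
# operator read the backup bucket only from the corporate range, gives a vendor
# user access that expires on a fixed date, and denies deletions from anywhere
# outside the corporate range regardless of who asks.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCorpRangeRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/backup-operator"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "AllowVendorUntilCutoff", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/vendor-temp"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"}}},
    {"Sid": "DenyDeleteOutsideCorp", "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    # Policy timestamps are ISO 8601 with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or arn in allowed


def _resource_matches(resource, requested):
    # Only exact ARNs and the trailing-wildcard form used above are handled.
    for pattern in _as_list(resource):
        if pattern == requested or (pattern.endswith("*") and requested.startswith(pattern[:-1])):
            return True
    return False


def _condition_matches(condition, ctx):
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                # A missing key satisfies "Not" operators and fails the others.
                if op.startswith("Not"):
                    continue
                return False
            if op in ("IpAddress", "NotIpAddress"):
                in_range = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c)
                               for c in _as_list(expected))
                if in_range != (op == "IpAddress"):
                    return False
            elif op == "DateLessThan":
                if not actual < _parse_time(expected):
                    return False
            elif op == "DateGreaterThan":
                if not actual > _parse_time(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True


def evaluate(policy, principal_arn, action, resource, ctx):
    """Return 'explicit_deny', 'allow' or 'deny' (implicit) for one request."""
    decision = "deny"
    for statement in policy["Statement"]:
        if not _principal_matches(statement["Principal"], principal_arn):
            continue
        if action not in _as_list(statement["Action"]):
            continue
        if not _resource_matches(statement["Resource"], resource):
            continue
        if not _condition_matches(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "explicit_deny"   # an explicit deny always wins
        decision = "allow"
    return decision


# Constructed principals, object and request times used by check() below.
OPERATOR = "arn:aws:iam::111122223333:user/backup-operator"
VENDOR = "arn:aws:iam::111122223333:user/vendor-temp"
OBJ = "arn:aws:s3:::example-backups/2024-05-01/db.snap"
T_2023 = datetime(2023, 6, 1, tzinfo=timezone.utc)
T_2024 = datetime(2024, 6, 1, tzinfo=timezone.utc)


def check(principal, action, ip, when):
    return evaluate(POLICY, principal, action, OBJ,
                    {"aws:SourceIp": ip, "aws:CurrentTime": when})
```

The last case worth noting is a delete from inside the corporate range: the explicit deny does not fire, but because no statement allows `s3:DeleteObject`, the request still falls through to the implicit deny. That is the behaviour you want on a backup bucket.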
Pironti also emphasizes the importance of monitoring user activity and account permissions. Ransomware attackers aim to reach higher levels of privilege on target accounts. If they have the privilege, they can create accounts on the system that should not be there.
Securing privileged accounts may be a more tractable task for security pros who struggle to manage every account. "I may not be able to cover thousands of user accounts, but I can cover 200 administrative accounts," he says.
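As an added example of the monitoring Pironti describes (not code from the article), the following triages CloudTrail-style audit records for IAM calls that create principals or widen their permissions, and flags any made by an actor outside a small, known inventory of administrative accounts or from a session without MFA. The record field names (`eventSource`, `eventName`, `userIdentity.sessionContext.attributes.mfaAuthenticated`, `requestParameters`) follow the CloudTrail format; the sample records, account IDs and user names are constructed.

```python
import json

# IAM API calls that create principals or widen what they may do (a subset).
PRIVILEGE_EVENTS = {
    "CreateUser", "CreateLoginProfile", "CreateAccessKey", "AddUserToGroup",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}

# Constructed inventory of the administrative principals allowed to make such
# changes; in practice this is exported from the identity system and reviewed.
APPROVED_ADMINS = {"arn:aws:iam::111122223333:user/admin-alice"}

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_TRAIL = """
{"eventTime": "2024-05-01T09:12:03Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-alice", "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}, "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "svc-reporting"}}
{"eventTime": "2024-05-01T09:40:51Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"}, "sourceIPAddress": "203.0.113.44", "requestParameters": {"bucketName": "example-backups"}}
{"eventTime": "2024-05-01T22:05:17Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}, "sourceIPAddress": "198.51.100.77", "requestParameters": {"userName": "backup-admin"}}
{"eventTime": "2024-05-01T22:05:19Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}, "sourceIPAddress": "198.51.100.77", "requestParameters": {"userName": "backup-admin", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime": "2024-05-02T08:00:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-alice", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}, "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "svc-reporting"}}
"""


def load_trail(text):
    """Parse newline-delimited JSON records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def triage(records, approved_admins=APPROVED_ADMINS):
    """Flag privilege-changing IAM calls by unapproved actors or non-MFA sessions."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in PRIVILEGE_EVENTS:
            continue
        ident = ev.get("userIdentity", {})
        actor = ident.get("arn", "<unknown>")
        mfa = (ident.get("sessionContext", {}).get("attributes", {})
               .get("mfaAuthenticated") == "true")
        params = ev.get("requestParameters") or {}
        reasons = []
        if actor not in approved_admins:
            reasons.append("actor not in approved admin inventory")
        if not mfa:
            reasons.append("session not MFA-authenticated")
        if reasons:
            findings.append({
                "time": ev.get("eventTime"),
                "actor": actor,
                "source_ip": ev.get("sourceIPAddress"),
                "event": ev["eventName"],
                "target": params.get("userName") or params.get("roleName"),
                "reasons": reasons,
            })
    return findings


TRAIL_RECORDS = load_trail(SAMPLE_TRAIL)

if __name__ == "__main__":
    for f in triage(TRAIL_RECORDS):
        print(f["time"], f["event"], f["actor"], "->", f["target"], "|", "; ".join(f["reasons"]))
```

Keeping the approved-admin set small is what makes this rule practical: with a couple of hundred administrative identities the inventory is reviewable, and a privilege change by anyone outside it is a genuine signal rather than noise. The second rule catches approved admins whose session lacks MFA, which is the path an attacker with stolen long-lived credentials would take.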
A jump host sits in a different security zone and provides the only means of accessing other servers or hosts in the system. "It's a one-stop methodology for inbound access from a management perspective," says Prendergast, noting it has been around for a little while but has not been widely adopted.
The host is a single administrative entry point into the business. It is configured with a standard DNS name and IP address, and only accepts logins from corporate IPs before giving them broader access to the environment.
Because the jump host is a single entry point, it simplifies protecting this server and maintaining strict access controls. If that one server is compromised, it's easy to create a new one.
"It's not unhackable," says Prendergast of the jump host. "But you're reducing the attack surface to a very small access point." It's easier to secure one server than secure thousands, especially in an emerging attack.
One of the most important considerations, says Reavis, is to realize it's getting harder and harder to know which endpoints are vulnerable to ransomware -- let alone try to install security software to protect them.
He advises businesses implement a cloud-based security-as-a-service solution, which shares a common threat intelligence repository and can block ransomware downloads. While he doesn't mention specific solutions, he says Secure Web Gateway and CASB-type functionality are needed.
Managing firewalls at the hypervisor level enables security leaders to set definitive rules about who can send, receive, and access inbound and outbound data, which data can be sent, and how much.
Many pros are hesitant to set outbound rules, but they are important because ransomware threatens exposure of intellectual property. "If you can write real-time monitoring and enforcement actions on the firewall, there is a better chance of maintaining consistency across the environment," says Prendergast.
Pironti adds that leaders should be doing ingress and egress filtering. "Monitor for command-and-control activity," he says. "Only traffic that should leave the environment leaves the environment."
Prendergast cautions against allowing services to call home to SaaS services like GitHub. Once a threat actor gets access to your Git repo, they can infect and potentially gain access to more corporate systems the next time one of those systems calls home.
He advises businesses to store their Git or code repositories in their own cloud environments but acknowledges this practice may take time to adopt.
"This is one that's extremely hard for people to not do," he admits. "As services get better and there are more self-hosting options, companies can have better control over data leaving their environment."
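The egress filtering Pironti and Prendergast describe ("only traffic that should leave the environment leaves the environment", including call-home traffic to external SaaS hosts) can be checked from resolver logs before it is enforced at the firewall. The following is an added example, not code from the article: it parses constructed DNS query-log lines, compares each queried name against an allowlist of egress zones, and reports every (source, name) pair that falls outside it. The log line format, the `corp.example` / `updates.example` zones and the sample hosts are invented for this example; real resolver logs carry the same fields under their own names.

```python
# Constructed DNS resolver query-log lines (format invented for this example).
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z src=10.0.1.15 q=git.corp.example. type=A
2024-05-01T10:00:02Z src=10.0.1.15 q=mirror.updates.example. type=A
2024-05-01T10:00:05Z src=10.0.1.22 q=api.github.com. type=A
2024-05-01T10:00:09Z src=10.0.1.22 q=x7qk2mz9.cdn-telemetry.example. type=A
2024-05-01T10:00:12Z src=10.0.1.22 q=x7qk2mz9.cdn-telemetry.example. type=TXT
2024-05-01T10:00:15Z src=10.0.1.15 q=ci.corp.example. type=A
"""

# Constructed egress allowlist: zones that workloads are expected to reach.
# The self-hosted git server is on it; the public SaaS code host deliberately is not.
EGRESS_ALLOWLIST = {"corp.example", "updates.example"}


def parse_query_log(text):
    """Yield (timestamp, source_ip, qname, qtype) tuples from key=value log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        # Normalise the name: strip the trailing root dot and lower-case it.
        yield ts, kv["src"], kv["q"].rstrip(".").lower(), kv.get("type", "A")


def is_allowed(qname, allowlist=EGRESS_ALLOWLIST):
    """True when qname is an allowlisted zone or a name inside one.

    The match is on whole labels ("." + zone), so "evilcorp.example" does not
    match "corp.example" and "corp.example.evil" does not match either.
    """
    return any(qname == zone or qname.endswith("." + zone) for zone in allowlist)


def egress_violations(text, allowlist=EGRESS_ALLOWLIST):
    """Return [(source_ip, qname, query_count)] for lookups outside the allowlist."""
    counts = {}  # insertion order is preserved, so output is in first-seen order
    for _ts, src, qname, _qtype in parse_query_log(text):
        if not is_allowed(qname, allowlist):
            counts[(src, qname)] = counts.get((src, qname), 0) + 1
    return [(src, qname, n) for (src, qname), n in counts.items()]


if __name__ == "__main__":
    for src, qname, n in egress_violations(SAMPLE_DNS_LOG):
        print(f"{src} -> {qname} ({n} queries)")
```

Run against real resolver logs, the output is the list of destinations to either add to the allowlist with a documented owner or block at the firewall; a workload that repeatedly resolves a name nobody can account for (the TXT lookups to the random-looking host above) is exactly the command-and-control pattern Pironti says to monitor for.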