Accounting in the Cloud – the light and the shade (PART 2)

Cyber Essentials logo with laptop

This is the second in a two part blog about cyber security in the cloud. The first part explores the changing practises in utilising elements of cloud computing employed by many accounting firms. In this blog, we take a look at how to mitigate the inevitable risks.

Keeping your customer data secure in the cloud

Due diligence – do your homework

You do not have physical control over the servers owned by your cloud service provider, so how do you know if they are secure?

With 24/7 onsite security, advanced encryption, secure backups, and firewall protected servers, most cloud service providers have invested in security features that you could never match if you used your own servers. However, it is worth bearing in mind that not all cloud service providers understand or value security. It is essential that your organisation researches the security controls used by the cloud service provider before entrusting organisational data to that service. Have you checked the security features of the platform you’re using?

When talking about security, cloud service providers often reference a ‘shared responsibility model’. This means that for some security controls, it is the cloud service that is responsible for implementation whereas for other features, it is the user organisation. Who implements which controls will vary depending on the design of the cloud service being subscribed to.

Working with a cloud provider can be unfamiliar and new for some organisations and it is helpful to outline from the start where the line is between the cloud provider’s security responsibilities and those of the user organisation. Each provider and each service will have different security models, different tools for ensuring security, different configuration parameters, different dashboards and different contact points. The business owner or IT manager should reference their service-level agreements, and clear up any confusion with the provider when necessary to ensure a successful security strategy. Putting all these details together and creating a coherent multi-cloud security strategy is a vital process. It is a good idea to have security in mind when researching a cloud service product in the first place, and to document a named point of contact to help and support your organisation if there are difficulties.

Where the cloud provider implements a control, the user organisation must satisfy themselves that this has been done to the required standard. Details of implementation of these controls can usually be found in the terms and conditions of the service. Look within contractual clauses or in documents referenced by contract, such as security statements or privacy statements. Cloud providers will often explain how they implement security in documents published in their trust centres.

The security arrangements of a cloud provider are sometimes explicitly documented; for example, Microsoft Azure and AWS document shared responsibilities and whether the provider or the customer is responsible for aspects of security operations and management. With smaller providers or SaaS products, however, these details may be less explicit, but they will still need to be accounted for.

Understanding your security responsibility is essential to keeping your data safe in the cloud.
User access control

User access control covers the precaution of controlling who can access your devices, accounts and data and what they can do once they have access. This is essential for all cloud service accounts.

About 60% of all cyber attacks are orchestrated internally. A rogue employee can use their knowledge and access to company information to steal data or commit fraud, or an employee can threaten security with an unintentional mistake.

This can be prevented when you use the rule of ‘least privilege’ and configure accounts with in depth permission settings that only allow staff to access information that they need to perform their role but no more. Administrative accounts must be restricted, kept track of and not used to carry out everyday tasks. Admin accounts typically have the greatest level of access to information, applications and computers and if accessed by attackers, they can cause the most amount of damage because they can usually perform actions such as install malicious software and make changes. It’s a good idea to have a comprehensive policy that details the processes for creating, and controlling accounts with special access privileges including how and when to revoke access to information in a timely way when a member of staff changes role or leaves the organisation.

Secure configuration

Setting up your accounts to minimise the ways a criminal can get in is essential for all cloud services. Many software packages come with additional accounts or features that you do not use, these are simply unnecessary access points that could be used to break into your account and steal your data. Disable or remove any services or accounts that are not required for day to day use.

Passwords are still currently the main method securing access to almost all our different accounts and the data they are holding. Have a clear password policy that applies to everyone in your organisation including contractors.

This should include:

How to create good passwords using three random words or a random generated password created by a password manager. (Your password policy will specify which one and how to use it).

There needs to be an established process to change passwords promptly if a user knows or suspects the password or account has been compromised.

Enable multi-factor authentication (MFA) to all accounts on all of your cloud services.

Provide clear advice on good password hygiene such as not using guessable passwords (e.g. children or pet names), not re-using or sharing passwords and storing them securely on a password manager or locked out of sight.

People and processes – educate the users

When using cloud services, it is necessary to set up separate policies on each individual service and ensure that all access is controlled. It may be necessary to update staff about the functions and responsibilities in the cloud with training and information courses on each chosen cloud service. Google, AWS and Microsoft all offer a range of certifications and cloud computing training programs for their platforms. The goal is to get companies that aren’t as familiar with cloud to be comfortable with modern techniques and practices.

The shift in focus has to go from the technology to business processes where the cyber security controls that protect user accounts influence and inform the behaviour of the users. Password hygiene, the use of admin accounts and MFA, and being accountable for account security become part of a security culture in an organisation where cyber security is prioritised by senior management.

The wide adoption of cloud services is not the only growing security challenge facing modern organisations. Home working and the use of privately owned devices for work mean that more workers than ever are working outside the boundaries of the company’s secure network. Bring Your Own Device (BYOD) is a widespread term for when a company allows employees to use their own laptops, tablets or phones for work purposes. This can pose some serious risks to an organisation’s security and privacy. A Bring Your Own Device policy can help an organisation control and protect their company information.

Cyber expertise

In the last three years, the cyber security sector has grown exponentially and consequently, IT and cyber security staff are in short supply. In house or outsourced expertise applied to your specific business set up is a crucial security factor. Organisations can use internal experts, external consultants and third party providers. IT consultants are often accredited by different companies. Many are accredited by Microsoft, Cisco, Citrix, HP, and Dell but if your organisation, for example, wanted to use Citrix products, you would need a consultant that was accredited with Citrix and this can be very expensive. It is worth noting that accredited, listed companies that offer IT solutions may not always be well versed in cyber security practises. A cyber security consultant is often needed in addition to IT support.

Prove that you are secure

The Cyber Essentials scheme  offers businesses a simple and affordable way to tackle cyber security and covers the basic technical controls that will help protect organisations from a whole range of the most common cyber attacks.

If you need help preparing your organisation for Cyber Essentials, there is a free online tool that helps you gauge your current level of cyber security in relation to where you need to be to achieve Cyber Essentials. The Cyber Essentials Readiness Tool includes a series of guidance documents, written for non-technical people, to help you understand the five controls and how they apply to your business. Your answers to the readiness tool questionnaire will inform the tailored guidance and step by step action plan which will be presented to you when you reach the end of the readiness tool.

For in depth and bespoke support, contact one of the Cyber Essentials Certification Bodies located around the UK and Crown Dependencies. These specialists are trained and licensed to certify against Cyber Essentials and are available to offer consulting services to help you achieve your certification.

The requirements for infrastructure and question set can be found here.

Apply for Cyber Essentials here.