How Do I Urgently Harden Cloud Services?

This week the White House released a statement warning of potential cyber attacks. The statement was accompanied by a fact sheet outlining specific steps companies should take “with urgency” to “harden cyber defenses immediately.”

ScaleSec builds modern security programs with cloud customers. We offer this review of the White House Cybersecurity Statement to equip those who need answers and guidance immediately.

Many of our clients are already addressing the security steps outlined below. But many more start-ups and small-to-medium sized businesses are facing these challenges with staff stretched thin, in conditions where hiring is as difficult as it has ever been, and when technology is evolving faster and faster.

Major cloud providers include native security services and features that security administrators can use right away. Our team has pulled together a concise list of links to accelerate planning and implementation. We hope this encourages teams to further secure their cloud environments, and allows companies to stay as focused as possible on their businesses.

Part 1: For All Companies

We urge companies to execute the following steps with urgency:

Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;

Azure AD: Azure AD Multi-Factor Authentication overview | Microsoft Docs
O365: Set up multifactor authentication for users - Microsoft 365 admin
AWS IAM: IAM tutorial: Permit users to manage their credentials and MFA settings
AWS SSO: Multi-factor authentication - AWS Single Sign-On
Google Cloud Identity and Google Workspace (G Suite) Enforce uniform MFA to company-owned resources | Cloud Identity

For a multifactor authentication device, we recommend use of hardware keys which have been shown to greatly reduce phishing.

Google Titan Key

Yubico YubiKey

Deploy modern security tools on your computers and devices to continuously look for and mitigate threats


Security Command Center \| Google Cloud	Threat Detection with AWS Cloud	Microsoft Defender for Cloud

Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities

and change passwords across your networks so that previously stolen credentials are useless to malicious actors;

A password manager is useful here. Here are some:

Back up your data and ensure you have offline backups beyond the reach of malicious actors;

Google Backup And Disaster Recovery | Google Cloud
AWS AWS Backup | Centralized Cloud Backup | Amazon Web Services
Azure Cloud Backup Services | Microsoft Azure

Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;

Understand the role your provider plays:

Google Data incident response process | Documentation | Google Cloud
AWS AWS Security Incident Response Guide
Azure Incident response overview | Microsoft Docs

Note: The AWS Security Incident Response Guide includes notes about simulations Simulate - AWS Security Incident Response Guide

Note: CISA provides materials for tabletop exercises CTEP Package Documents | CISA

Review your support plans and make sure the support and SLAs meet your business needs.

Google Customer Care portfolio - Support
AWS Compare Support Plans | Developer, Business, Enterprise On-Ramp, Enterprise | AWS Support
Azure Azure Support Plans Comparison

Encrypt your data so it cannot be used if it is stolen;

Google Data encryption options | Cloud Storage
AWS How to choose an encryption tool or service
Azure Azure Data Encryption-at-Rest - Security

Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and

Training options https://www.google.com/search?q=employee+security+training

Anomaly detection in cloud:

Google Using Event Threat Detection | Security Command Center | Google Cloud
AWS Intelligent Threat Detection—Amazon GuardDuty–Amazon Web Services
Azure Azure threat protection | Microsoft Docs

Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.

Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.

Shields Up Technical Guidance | CISA

Part 2: For "Technology and Software Companies"

We encourage technology and software companies to:

Build security into your products from the ground up — "bake it in, don't bolt it on" — to protect both your intellectual property and your customers' privacy.

Start from the ground up by securing your cloud platform. Look for issues reported in the security dashboard for your cloud:

Google Security Command Center | Google Cloud
AWS Cloud Security Posture Management - AWS Security Hub - Amazon Web Services
Azure Microsoft Defender for Cloud

Develop software only on a system that is highly secure and accessible only to those actually working on a particular project. This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.

Manage access control and other policies centrally with these cloud services:

Google Resource hierarchy | Resource Manager Documentation | Google Cloud
AWS AWS Organizations - Amazon Web Services
Azure Overview of Azure Policy

Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them. There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them.

Code security scanning services:

Google Overview of Web Security Scanner | Security Command Center | Google Cloud
AWS Amazon CodeGuru | Find Your Most Expensive Lines Of Code | AWS
Microsoft About GitHub Advanced Security
OWASP maintains a list here: Vulnerability Scanning Tools | OWASP Foundation

In-line web security services:

Google Tuning Google Cloud Armor WAF rules
AWS AWS WAF - Web Application Firewall - Amazon Web Services (AWS)
Azure Azure Web Application Firewall (WAF)

Operating system vulnerability management:

Software developers are responsible for all code used in their products, including open source code. Most software is built using many different components and libraries, much of which is open source. Make sure developers know the provenance (i.e., origin) of components they are using and have a "software bill of materials" in case one of those components is later found to have a vulnerability so you can rapidly correct it.

Code provenance:

Google Viewing build provenance | Cloud Build Documentation | Google Cloud
Google Google Online Security Blog: Introducing SLSA, an End-to-End Framework for Supply Chain Integrity
Microsoft Features · Security · GitHub

Get started with SBOM:

https://github.com/awesomeSBOM/awesome-sbom

Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity.

We wrote about this EO here: Executive order | ScaleSec


Cybersecurity Executive Order: a tl;dr	Deep Dive on the Cybersecurity Executive Order

How Do I Urgently Harden Cloud Services?

How Do I Urgently Harden Cloud Services?

Part 1: For All Companies

Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;

Google Titan Key & Yubico YubiKey hardware keys

Deploy modern security tools on your computers and devices to continuously look for and mitigate threats

and change passwords across your networks so that previously stolen credentials are useless to malicious actors;

Back up your data and ensure you have offline backups beyond the reach of malicious actors;

Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;

Encrypt your data so it cannot be used if it is stolen;

Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and

Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.

Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.

Part 2: For "Technology and Software Companies"

Build security into your products from the ground up — "bake it in, don't bolt it on" — to protect both your intellectual property and your customers' privacy.

Develop software only on a system that is highly secure and accessible only to those actually working on a particular project. This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.

Use modern tools to check for known and potential vulnerabilities. Developers can fix most software vulnerabilities — if they know about them. There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them.

Cybersecurity Executive Order: a tl;dr

Deep Dive on the Cybersecurity Executive Order

RELATED ARTICLES