In the spirit of National Cybersecurity Awareness Month, we’re running a three-part series on how to shore up identity security and help prevent a data breach caused by a cyberattack. In our second post below, we’ll examine why cloud-based SaaS platforms tend to be more secure than on-prem resources. Stay tuned for guidelines on controlling broad permissions, or learn more about how credential theft really works and how to combat it.
Cloud-based apps and services are more than just convenient. Compared to on-prem resources, they can offer increased security, too. Even though conventional wisdom tells us that moving away from a traditional, hard-wired office domain means giving up a degree of control and security, the process of moving workloads to the cloud can be managed with care in such a way that the risk of a data breach due to a cyberattack is actually reduced.
Why Cloud Resources are More Secure
Cloud services’ comparatively low level of vulnerability can be attributed to two main factors. The first is that in a cloud-based Software-as-a-Service (SaaS) model, the onus to keep up with security updates and patches falls on the provider. One major SaaS selling point is that IT administrators no longer need to purchase, configure, and update on-prem hardware. With security built into the contract, a SaaS company must make constant investments in security and keep up with threats.
Cloud services also help to mitigate cyberattacks because, by nature, they create separate access points for different resources. An attack on your office infrastructure no longer leads to a one-stop treasure trove in your server room. And although your collection of third-party web apps may be configured to talk to each other, they’re still running on separate systems. Traversal from one to another would require crossing an extra access barrier rather than just following a local pathway inside a server room.
In this way, cloud-based services help to contain a successful cyberattack to a smaller surface area. They fit well into a zero-trust security approach, in which every IT resource is regarded as a potential attack vector. By forcing repeated authentication to each individually un-trusted resource, you can mitigate attack traversal. This constant authentication process does have the potential to hinder a user’s workflow, however — that’s one reason single-sign-on (SSO) solutions and the move toward cloud computing often go hand-in-hand.
Options for Migrating Workloads to the Cloud
Even Microsoft, which built its empire through on-prem system management, now recommends moving critical workloads to the cloud in the interest of maximizing cybersecurity.1 But are Microsoft’s IT infrastructure solutions really optimized to work with modern cloud-based resources? So far, Azure® Active Directory® is unable to fully replace the on-prem domain controller as the core source of truth against which user identities are verified. And, if you want to integrate non-Microsoft solutions (G Suite™ instead of Office 365, for example), it can be difficult or impossible to make their user identities sync bi-directionally with Azure. Because of these limitations, the transition point toward cloud-hosted workloads can present an opportunity to explore new cybersecurity solutions beyond Microsoft®.
Some small-to-medium-sized organizations today even operate without a centralized directory, using G Suite™ as a primary business hub. This can be a tricky approach, though, if you need to maintain a certain level of internal control over identity security and user access.
Many IT admins who find themselves wary of the all-cloud, no-directory approach aren’t willing to give up the security benefits built into AD. GPOs, for example, allow a high degree of centralized control over individual user permissions on physical systems. Rather than choosing to operate without a core directory, these admins are looking to cloud-based directory services to stand in for AD when it comes to maintaining a strong cybersecurity footing in the cloud. An ideal solution would be able to manage access to both on-prem and cloud-based resources as needed.
An independent, cloud-based directory service could also streamline SSO for non-Microsoft resources like G SuiteTM, Salesforce, and GitHub, minimizing the number of third-party vendors required to coordinate access management for your cloud resources. A directory from a new provider could also play nicer with non-Microsoft operating systems (Mac® and Linux®) for one-touch employee onboarding and offboarding. Learn more about how JumpCloud® Directory-as-a-Service® can help your organization adopt secure, cloud-based workflows and bolster cybersecurity.
- Simos, Mark. “How to Mitigate Rapid Cyberattacks such as Petya and WannaCrypt.” Microsoft. Accessed Oct. 18, 2019. https://www.microsoft.com/security/blog/2018/02/21/how-to-mitigate-rapid-cyberattacks-such-as-petya-and-wannacrypt/.