Although businesses have been adopting cloud computing for more than a decade, fewer than one-third of enterprises have a documented cloud strategy, according to Gartner's estimate. With migration to the cloud still increasing, we have previously discussed the top cloud security risks that worry security experts today.
The idea of frameworks in cybersecurity is not new. Frameworks provide a structure for the long term and also set out a methodology for implementing that structure. This is precisely why we are discussing the importance of the NIST Cybersecurity Framework for the cloud. The following article discusses the implications of the NIST CSF for public cloud services like Office 365, with examples. But before unfurling that, let us first strengthen our understanding of the NIST Cybersecurity Framework (CSF) and what implications it has for cloud security.
What is NIST?
The National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (CSF) in 2014. The framework combines the efforts of government and private-sector organisations to build globally recognised cybersecurity standards. NIST researches technologies such as identity management and verification, maintenance of system security configurations and automation of access authorisation, as well as different access policies.
NIST Cloud Security Guidelines
In the beginning, the NIST framework focused on security best practices for on-premise infrastructure. Today, however, its benefits extend to managing cloud security risks as well.
When we think of applying NIST in the cloud, we visualise the following aspects:
- Promoting the effective and secure use of the technology by providing technical standards and guidelines
- Ensuring the confidentiality, integrity, and availability of IT systems
- Providing a continuous security process to meet future regulatory and compliance requirements
NIST CSF Functions
To create a sound cloud security strategy for your organisation, follow the checklist of the five NIST CSF functions below.
Identify: Develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Identify the core elements of your cloud and strategise how to secure them.
- The cloud is virtual, and the relationships between its entities change continuously, so it can be challenging to visualise those elements and deploy a security process around them.
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Choose third-party security tools and services to protect your cloud infrastructure.
- Easy and instant access permissions increase the risk surface and open the cloud to security vulnerabilities, as the recent data breaches involving S3 buckets show.
Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Quickly eliminate false alerts and narrow down on the genuinely harmful incidents.
- The abundance of cloud operations data makes it challenging to detect relevant attacks on time.
Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Understand the context of incidents and design a mitigation strategy accordingly.
- Compare and infer trends from different types of data and assess their impacts.
Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
- Restore all the systems, your own and third-party ones alike, and feed the lessons learned back into the security framework.
- If the platform does not paint an accurate picture of the incidents, recovery results will also be inadequate.
How to Implement NIST Cybersecurity Framework for Cloud Security
NIST offers guidance for each of the four cloud deployment models, namely Private, Community, Public and Hybrid. Each model calls for its own set of cloud solutions; what fits one model does not necessarily fit another.
Technically, the five functions of the NIST Cybersecurity Framework can be grouped according to how they are implemented. Grouped that way, Prevent, Detect and Recover can be seen as the three core functions of the NIST Framework.
Now that we have understood this division of the core functions of the NIST CSF, let us visualise what it means for a cloud service like Office 365. In the following section, we will go through the main security challenges in Office 365 and how we can break each of them down into answering three questions:
- How do we prevent?
- How do we detect?
- How do we respond?
Phishing and Malware Threats
How do we Prevent
To prevent this threat, a mail endpoint protection solution is the answer. Go for the likes of Microsoft Defender for Office 365 (formerly ATP) or Mimecast. Also consider investing in device endpoint protection such as Defender for Endpoint.
How do we Detect
While using Microsoft ATP, include ATP events in your monitoring. Configure alerts on events such as TIMailData (a suspicious mail item) and TIUrlClickData (someone clicked a suspicious or unsafe link in an email).
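As an added example (not code from the original article or from Octiga), the Python routine below triages constructed unified audit log records, in the shape returned by Search-UnifiedAuditLog or the Management Activity API, by correlating TIMailData and TIUrlClickData events per user so that delivered-and-clicked phish is escalated above mail that was merely flagged. It assumes the UserId field identifies the affected user in both record types and that CreationTime is ISO 8601.

```python
import json
from datetime import datetime, timedelta

# Constructed records in the shape of unified audit log entries (only the
# fields this example needs); not real tenant data.
SAMPLE_LOG = json.dumps([
    {"CreationTime": "2023-03-01T09:00:00", "Operation": "TIMailData",
     "UserId": "alice@example.com"},
    {"CreationTime": "2023-03-01T09:07:00", "Operation": "TIUrlClickData",
     "UserId": "alice@example.com"},
    {"CreationTime": "2023-03-01T10:00:00", "Operation": "TIMailData",
     "UserId": "bob@example.com"},
    {"CreationTime": "2023-03-01T12:00:00", "Operation": "TIUrlClickData",
     "UserId": "dave@example.com"},
    {"CreationTime": "2023-03-01T11:30:00", "Operation": "UserLoggedIn",
     "UserId": "carol@example.com"},
])


def triage_threat_intel(log_json, click_window=timedelta(hours=1)):
    """Map each affected user to a severity:
       critical - TIUrlClickData within click_window after a TIMailData
                  for the same user (phish delivered and link clicked)
       high     - TIUrlClickData with no matching mail event
       medium   - TIMailData only (flagged mail, but no click seen)
    UserId is assumed to identify the affected user in both record types."""
    mails, clicks = {}, {}
    for rec in json.loads(log_json):
        op = rec.get("Operation")
        if op not in ("TIMailData", "TIUrlClickData"):
            continue  # not a threat-intel record; ignore it
        when = datetime.fromisoformat(rec["CreationTime"])
        bucket = mails if op == "TIMailData" else clicks
        bucket.setdefault(rec["UserId"], []).append(when)
    severity = {}
    for user in set(mails) | set(clicks):
        correlated = any(timedelta(0) <= c - m <= click_window
                         for c in clicks.get(user, [])
                         for m in mails.get(user, []))
        if correlated:
            severity[user] = "critical"
        elif user in clicks:
            severity[user] = "high"
        else:
            severity[user] = "medium"
    return severity


if __name__ == "__main__":
    for user, level in sorted(triage_threat_intel(SAMPLE_LOG).items()):
        print(f"{level:8} {user}")
```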
How do we Respond
If malware is suspected, respond by running a deep virus scan on the compromised devices. In the case of phishing, reset the password of the compromised account and look for unauthorised access. You can do this with the security audit logs in the Security and Compliance Center.
User Account Security
How do we Prevent
Safeguarding a user account requires steps such as keeping a strong and unique password for each account, saving all unique passwords in the company's password manager and turning on MFA for every user, or at least for your admins.
You should also consider the access methods each user needs. For example, they might need to run PowerShell commands or access Outlook on the web (OWA). Turn off the ones that are not required; this practice goes a long way towards reducing the risk in the event of a breach. Lastly, enforce a strong outbound spam filter policy to prevent malicious external forwarding from breached accounts.
How do we Detect
Here you can use the audit logs in the Security and Compliance Center, Cloud App Security, and the monitoring and alerting solutions in Octiga.
Watch for user login events from unsafe IP addresses or suspicious locations. For example, monitoring in Octiga lets you configure country "allow" lists and alerts you on activity from fraudulent IP addresses.
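An added example, not part of the original article or Octiga's product: Python that applies a country allow list to constructed Azure AD sign-in records from the unified audit log, alerting on successful logins from other countries and, at low severity, on failed ones. The GeoIP table, the {IE, GB} allow list and the sample addresses are assumptions for illustration.

```python
import ipaddress
import json

# Constructed IP-to-country table standing in for a GeoIP database; the
# ranges are documentation/test prefixes, not real geolocation data.
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), "IE"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("203.0.113.0/24"), "XX"),  # XX: not on the allow list
]
ALLOWED_COUNTRIES = {"IE", "GB"}  # assumed tenant country allow list

# Constructed sign-in records shaped like unified audit log entries.
SAMPLE_LOG = json.dumps([
    {"CreationTime": "2023-03-01T08:01:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "192.0.2.10"},
    {"CreationTime": "2023-03-01T08:05:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.77:51234"},
    {"CreationTime": "2023-03-01T08:06:00", "Workload": "AzureActiveDirectory",
     "Operation": "UserLoginFailed", "UserId": "bob@example.com",
     "ClientIP": "203.0.113.77"},
])


def country_for(client_ip):
    """Resolve a ClientIP value to a country code ('??' if unknown). IPv4
    values in audit records sometimes carry a ':port' suffix; strip it."""
    host = client_ip.rsplit(":", 1)[0] if client_ip.count(":") == 1 else client_ip
    addr = ipaddress.ip_address(host)
    return next((cc for net, cc in GEOIP if addr in net), "??")


def find_risky_signins(log_json, allowed=ALLOWED_COUNTRIES):
    """Alert on Azure AD sign-in events from countries not on the allow
    list: a successful login is high severity, a failed one is low."""
    alerts = []
    for rec in json.loads(log_json):
        if rec.get("Workload") != "AzureActiveDirectory" or rec.get("Operation") not in ("UserLoggedIn", "UserLoginFailed"):
            continue  # only sign-in records are in scope here
        country = country_for(rec["ClientIP"])
        if country in allowed:
            continue
        alerts.append({"user": rec["UserId"], "ip": rec["ClientIP"],
                       "country": country, "operation": rec["Operation"],
                       "severity": "high" if rec["Operation"] == "UserLoggedIn" else "low"})
    return alerts
```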
How do we Respond
On suspecting a breached account, immediately restrict the user by resetting their password and revoking logged-in sessions. Then check for risky mailbox rules and remove them.
User access, Sharing and Data Loss
How do we Prevent
SharePoint underpins Microsoft sharing and collaboration tools like Teams. Implement the concept of SharePoint sites and decide who should have access to each SharePoint site and folder.
To make sure that access is made available to the right people, use privileged access groups. Manage and prevent inadvertent sharing of SharePoint data over external sharing by creating "sharing" areas. A sharing area is a folder or even site within SharePoint or a Teams Channel in Teams marked explicitly for sharing.
Having employees share only within these areas limits the risk of inadvertently sharing sensitive data from other areas. While it limits flexibility, the security benefits are clear, and it is maintainable from a policy point of view.
How do we detect
Through an audit, find out who has access to shared locations using Microsoft access reviews. Examine the audit logs for SharePoint PageViewed and FileDownloaded events from unusual users or locations. Consider adding an effective alerting solution as well.
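As an added example that is not code from the original article or from Octiga, the check below runs over constructed SharePoint FileDownloaded records from the unified audit log and flags download volumes above a per-user baseline as well as downloads from IPs not previously seen for that user; the baselines, thresholds and sample records are assumed values.

```python
import json
from collections import Counter, defaultdict

def make_record(user, ip, obj):
    """Build a constructed FileDownloaded audit record (test data only)."""
    return {"Operation": "FileDownloaded", "Workload": "SharePoint",
            "UserId": user, "ClientIP": ip, "ObjectId": obj}

# Constructed SharePoint audit records for one export window; not real data.
SAMPLE_LOG = json.dumps(
    [make_record("alice@example.com", "192.0.2.10",
                 f"https://tenant.example/sites/hr/doc{i}.docx") for i in range(12)]
    + [make_record("bob@example.com", "203.0.113.5",
                   "https://tenant.example/sites/finance/q1.xlsx")]
    + [make_record("guest@partner.example", "198.51.100.9",
                   "https://tenant.example/sites/shared/brief.pdf")]
    + [{"Operation": "PageViewed", "Workload": "SharePoint", "UserId": "bob@example.com",
        "ClientIP": "192.0.2.20", "ObjectId": "https://tenant.example/sites/finance"}]
)

# Assumed per-user baselines (in practice built from historical exports):
# typical downloads per day and the source IPs already seen for that user.
BASELINE = {
    "alice@example.com": {"daily_downloads": 3, "known_ips": {"192.0.2.10"}},
    "bob@example.com": {"daily_downloads": 20, "known_ips": {"192.0.2.20", "198.51.100.5"}},
}

def find_unusual_downloads(log_json, baseline=BASELINE, multiplier=3, min_count=10):
    """Return sorted (user, kind, detail) alerts: 'download_volume' when a user's
    FileDownloaded count exceeds max(min_count, multiplier * daily baseline),
    'new_location' for downloads from an IP not in the user's known set.
    Users with no baseline (e.g. guests) count as baseline 0 with no known IPs."""
    counts, new_ips = Counter(), defaultdict(set)
    for rec in json.loads(log_json):
        if rec.get("Workload") != "SharePoint" or rec.get("Operation") != "FileDownloaded":
            continue  # page views and other workloads are out of scope here
        user, ip = rec["UserId"], rec["ClientIP"]
        counts[user] += 1
        if ip not in baseline.get(user, {}).get("known_ips", set()):
            new_ips[user].add(ip)
    alerts = []
    for user, n in counts.items():
        threshold = max(min_count, multiplier * baseline.get(user, {}).get("daily_downloads", 0))
        if n > threshold:
            alerts.append((user, "download_volume", f"{n} downloads > threshold {threshold}"))
    for user, ips in new_ips.items():
        reason = "IP not seen before" if user in baseline else "no baseline for user"
        alerts.append((user, "new_location", f"{sorted(ips)}: {reason}"))
    return sorted(alerts)
```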
How do we respond
Restrict SharePoint access for leaving employees. Monitor what they download and share, and remove their shared links after they go. In case of a data breach, check the affected SharePoint area for sensitive and personal data to avoid a GDPR breach.
Applying NIST's Cybersecurity Framework to improving your Office 365 security posture is a great way to organise and guide your cloud cybersecurity efforts. At Octiga, we align our solutions to the functions mentioned earlier.
Octiga's single dashboard gives you complete control of Office 365 security. Scan your entire Office 365 instance, highlight issues, implement safe user account access and management, enable safe sharing, restore safe and secure operations using security best practices, and apply easy security baselines within a few clicks!
Are you looking to disrupt your cloud security with an automated and simple solution? Book a demo with us to enquire about the Office 365 Security Suite today!