Ransomware continues to be a hot topic of public conversation. Cybercriminals use ransomware to hold a company’s data hostage and extort millions of dollars from them. As more businesses adopt a cloud strategy for infrastructure, applications and data, the potential for vulnerabilities to be exposed and exploited will grow. Proper planning is needed, which requires answering the following questions:
- Who is accountable and responsible for protecting the company from ransomware?
- What steps should you take to prevent a cloud ransomware attack from becoming a reality?
- Where is the company’s most sensitive data located?
- Why does a ransomware attack take place?
- How can a company protect itself from a cloud ransomware attack?
Let’s dive deeper into each of these questions and outline some effective strategies to better protect a company from ransomware.
Why do ransomware attacks take place?
First, it’s important to understand the “why” around ransomware. Understanding why will help you in planning and preparing for what may occur. After any attack or breach takes place, the first questions are always “Why did this happen?” and “Why is my company being targeted?”
These are basic human reactions, but to stay ahead of an attack, these questions should be asked proactively, not reactively.
Ransomware attacks happen primarily because of vulnerabilities with access to the environment, a lack of network segmentation between public and private resources, and a gap in preventative and resiliency efforts within the architecture. Attackers exploit these vulnerabilities to gain access to the network and steal sensitive data. When sensitive data is found, the attacker encrypts it, exits the environment with the encryption keys and contacts you with their ransom demands.
What steps should you take to prevent a cloud ransomware attack?
As stated above, access security, network segmentation and resilient architecture are all areas that help protect against ransomware. However, because everything in the cloud is accessed through the Internet, security in these areas becomes more complex. It is therefore critical to define proper permissions and limit access to sensitive information within your applications, virtual machines and storage accounts.
In contrast to a private data center that has physical controls at the perimeter, the cloud does not. This potentially creates multiple pathways for an attacker to gain access and move through your network resources. You must build segmentation between public-facing resources and data that is identified as sensitive and private. Blocking this public-to-private access helps prevent lateral network movement towards the company’s sensitive and critical data.
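The segmentation check described above can be run as a reachability audit over your allowed network flows. The following is an added example, not part of the original article; the resource names, tiers and flows are a constructed inventory, and the function `exposed_paths` is a hypothetical helper.

```python
from collections import deque

# Constructed inventory: names, tiers and flows are illustrative assumptions.
RESOURCES = {
    "web-frontend": {"tier": "public", "sensitive": False},
    "api-vm": {"tier": "private", "sensitive": False},
    "jump-vm": {"tier": "private", "sensitive": False},
    "orders-db": {"tier": "private", "sensitive": True},
    "hr-storage": {"tier": "private", "sensitive": True},
}
# Allowed network flows (source, destination), e.g. exported from firewall rules.
FLAT_FLOWS = [
    ("web-frontend", "api-vm"),
    ("api-vm", "orders-db"),
    ("api-vm", "jump-vm"),
    ("jump-vm", "hr-storage"),
]
# Same environment after segmentation: the app tier can no longer reach the jump host.
SEGMENTED_FLOWS = [f for f in FLAT_FLOWS if f != ("api-vm", "jump-vm")]


def exposed_paths(resources, flows):
    """Return {sensitive_resource: shortest hop path from a public resource}."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, []).append(dst)
    findings = {}
    for start, meta in resources.items():
        if meta["tier"] != "public":
            continue
        queue, seen = deque([[start]]), {start}
        while queue:  # breadth-first search: first hit is the shortest path
            path = queue.popleft()
            node = path[-1]
            if resources[node]["sensitive"]:
                best = findings.get(node)
                if best is None or len(path) < len(best):
                    findings[node] = path
            for nxt in adjacency.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return findings


if __name__ == "__main__":
    for label, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        for target, path in sorted(exposed_paths(RESOURCES, flows).items()):
            print(f"{label}: {target} reachable via {' -> '.join(path)}")
```

Any sensitive resource that still appears in the segmented result, such as the order database behind a public e-commerce site, is a path that has to exist and therefore needs its own access controls and backups.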
Because an attack is thought to be inevitable, having a mitigation and response strategy in place will allow you to recover if a ransomware attack occurs. Ransomware holds data hostage at a single point in time. Therefore, implementing backup strategies across your environment will provide a path to recover from a ransomware attack with minimal impact. The impact level will differ based on how often you back up your cloud storage, database and compute services.
Access to critical systems and data should be limited to those who require it for their daily work. People who do have access should have it only when they need it. All privileges should be requested and auditable to maintain a chain of custody and activity for access to all resources and data. This brings us to the next question.
Where is the company’s most mission-critical and sensitive data located?
Before you define the access permissions and network segmentation, you must know where your most sensitive data resides within your virtual network. When it comes to ransomware protection, this is priority number one.
The geographically dispersed nature of the cloud creates its own challenges. However, if you plan, identify and classify your data correctly, you will be able to define those locations.
It may not be possible to avoid storing certain types of sensitive information on a public infrastructure. For example, customer data will be accessed on a public website when that customer is ordering from your e-commerce site. The due diligence of understanding that it exists there will enable you to classify that data and protect its location. The blending of public and private data on the same applications and databases will require increased resiliency for the public infrastructure.
You may decide that having a public e-commerce website is mission critical. This website should be included in the same resilience and ransomware protection planning as other private applications and data.
Who is accountable and responsible for protecting the company against ransomware?
When it comes to protecting access to resources and preventing data loss, everyone in the company shares the responsibility. Cloud technologies provide users the ability to access information from virtually anywhere. This flexibility and freedom are what attackers leverage to gain access and take malicious actions, like installing ransomware. Everyone in the company should take active ownership for protecting their online identities, just as they do with their driver’s license and credit cards.
In addition, taking proper care when handling data is an important responsibility for everyone. Understanding the data they are accessing or creating, as well as protecting who they share that information with and where it is stored, will protect the company from data loss.
Cloud security and risk stakeholders will be responsible for defining the processes, procedures and infrastructures that will create the boundaries and virtual walls that protect against ransomware attacks. This includes data access and permissions through identity and access management, as well as data segmentation within the infrastructure of storage, compute and networking.
How can a company protect itself from a cloud ransomware attack?
Throughout this article, we have discussed different considerations and approaches to protect your company from a ransomware attack. You have probably noticed that there isn’t just one magical solution to protect your cloud environment against ransomware or other attacks. You should have a multi-faceted approach to protecting against these attacks.
One such approach employs defense-in-depth as a protection strategy, as illustrated below.
In cloud infrastructures, the provider handles all physical security for the data center campus, including access to the building, surveillance and auditing. Protecting the layers of identity and access — including perimeter security, network security, compute and applications on the way to your data — will be the primary responsibility of you and your company. You must define the security controls that will prevent, protect and preserve your data from attacks, while also maintaining infrastructure resiliency to prevent a ransomware attack from holding your data hostage and taking down critical systems.
These questions and answers should serve as a foundation for planning your cloud environment and protecting it from security threats like ransomware. However, these should not be considered the only questions to ask. There may be others based on regulatory and standards compliance, as well as company-specific requirements and policies. Hopefully, this list will get you thinking about ways to protect your company against ransomware and other threats.
About the author
Global Principal Cloud Security Lead
Dwayne is the Global Principal Cloud Security Lead at Atos/SpinCo. He supports the cloud security portfolio for the technical capabilities, solution business plans and strategy for Atos/SpinCo, and supports cloud education for Microsoft, AWS, and GCP.
He has served in many roles over a 34+ year career in IT, including as a solution engineer and product manager. Dwayne is a Microsoft Security MVP and Microsoft Certified Trainer Regional Lead, an AWS Security and Identity Community Builder, an (ISC)2 Authorized Instructor with CISSP, CCSP and CC certifications, and 18x certified in multiple Azure and M365 security, data engineering, architecture, and administrator roles. He is the author of multiple books on security and is a Security Professional Community Manager for Packt publishing.