CSA - 7 Steps to Securing Your Remote Work Lifecycle in the Cloud
Hello, this is Maruyama Mitsuhiko.
The CSA has published an article on remote work security, "7 Steps to Securing Your Remote Work Lifecycle in the Cloud"...
● Cloud Security Alliance
・2020.03.27 7 Steps to Securing Your Remote Work Lifecycle in the Cloud
The author is Martin Johnson, VP Marketing at Polyrize,
so please read it with that in mind as well...
-----
STEP 1: Segregate your cloud workflows by group, department or location to determine what apps and resources they and their associated employees and contractors need to do their jobs. If possible, roll out new cloud services incrementally for remote access, allowing only a manageable number of individuals from each group to try out the app and their associated access privileges before full deployment.
STEP 2: Adhere to the principle of least privilege access by ensuring employees have the minimum access privileges needed to do their job. For example, consultants shouldn’t have unfettered access to customer PII and interns shouldn’t have access to sensitive engineering documents and IP. It also means placing controls on privileged users of both SaaS and IaaS services to prevent them from abusing admin privileges for non-admin related activities that can place your organization at high risk. In addition, you should eliminate unused or stale permissions of employees and external contractors to effectively reduce your attack surface by minimizing the risk of account takeovers and data loss.
STEP 3: Ensure your business-critical resources are protected with MFA. This means identifying and consolidating your business-critical resources within IT-sanctioned cloud apps that have been fully vetted for MFA support, as well as PII security controls, SOC-2 compliance, encryption support, etc.
STEP 4: Make sure that file and folder sharing permissions within your sanctioned apps are restricted within specific groups, depending on usage. This will help prevent accidental oversharing of business-critical data. Realize that a sensitive file carelessly dropped into a folder with overly-broad sharing rights will inherit those same rights and be automatically exposed.
STEP 5: Implement cloud DLP policies to provide a last line of defense against the leakage of business-critical data. This includes placing strict controls on externally sharing sensitive files, especially those containing PII, PCI and PHI, with contractors and on copying files to personal accounts.
STEP 6: Set up processes for off-boarding remote employees and contractors. This process can be a challenge since many cloud services are managed outside of your SSO. Adopting a unified, cross-service access control solution that allows you to identify and revoke permissions when employees or contractors leave the company is recommended.
STEP 7: Reprioritize security team resources to cloud data protection, focused on preventing data leakage and account takeovers.
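As an added illustration of Steps 2 and 6 (not code from the CSA article or from Polyrize), the script below runs over a constructed, hypothetical inventory of access grants across several cloud services: it lists grants that have not been exercised within a chosen window (stale permissions to remove) and collects everything a departing contractor holds, service by service, so that nothing managed outside SSO is missed at off-boarding.

```python
"""Stale-permission review and cross-service off-boarding (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Grant:
    principal: str            # employee or contractor account
    service: str              # SaaS/IaaS service, e.g. "crm", "wiki" (hypothetical names)
    resource: str             # resource within that service
    privilege: str            # "read", "write" or "admin"
    last_used: Optional[date]  # None means the grant was never exercised


# Step 2: permissions unused for this long are treated as stale.
STALE_AFTER = timedelta(days=90)

# Constructed sample inventory; accounts, services and dates are invented.
TODAY = date(2020, 3, 27)
SAMPLE_GRANTS = [
    Grant("alice@example.com", "crm", "customers", "read", date(2020, 3, 20)),
    Grant("alice@example.com", "crm", "customers", "admin", date(2019, 11, 1)),
    Grant("bob-contractor@partner.example", "wiki", "eng-docs", "read", None),
    Grant("bob-contractor@partner.example", "storage", "reports-bucket", "write", date(2020, 3, 25)),
]


def stale_grants(grants: List[Grant], today: date) -> List[Grant]:
    """Grants never used, or not used within STALE_AFTER: candidates for removal."""
    return [g for g in grants
            if g.last_used is None or today - g.last_used > STALE_AFTER]


def offboarding_revocations(grants: List[Grant], principal: str) -> Dict[str, List[Grant]]:
    """Every grant a departing principal still holds, grouped per service (Step 6)."""
    by_service: Dict[str, List[Grant]] = {}
    for g in grants:
        if g.principal == principal:
            by_service.setdefault(g.service, []).append(g)
    return by_service


if __name__ == "__main__":
    for g in stale_grants(SAMPLE_GRANTS, TODAY):
        print(f"stale: {g.principal} {g.privilege} on {g.service}/{g.resource}")
    for service, grants in offboarding_revocations(SAMPLE_GRANTS, "bob-contractor@partner.example").items():
        print(f"revoke in {service}: {[g.resource for g in grants]}")
```

In practice the inventory would be pulled from each service's API or audit log rather than hand-written; the 90-day window is an assumption and should match your own review cadence.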