Oct 01 2021

What Cloud Security Posture Management Looks Like for Nonprofits

With tighter budgets and a growing reliance on cloud services, nonprofits must understand the relationship between configuration and security.

From supporting basic business functions to helping with fundraising strategies, nonprofits have found a lot to like about cloud computing. However, as cloud reliance grows, so does the risk involved. There are more opportunities to misstep during setup, and more systems and processes that need regular updating.

John Pescatore, director of emerging security trends for the SANS Institute, a cybersecurity training resource, says that cloud-based applications often proliferate in smaller organizations like nonprofits, particularly in the form of Software as a Service (SaaS) offerings, which can extend the capabilities of an organization.

“They might start out with Office 365, and then a year later, if they were to count, they'll find they’re using six or seven different ones,” he said.

The challenge is that these applications are often brought into the fold piecemeal, and the configuration settings are similarly siloed. While other issues may emerge in other settings — the phenomenon of “shadow IT,” for example, is common in larger organizations — the largest issue, according to Pescatore, is the problem of configuration.

Pescatore adds that nonprofit system administrators “need to be working with the security group to make sure all known configuration guidelines are being applied.”

For that reason, cloud security posture management tactics may be necessary to help protect your nonprofit from unexpected security risks.

Follow Cloud Security Guidelines

For smaller organizations and nonprofits, Pescatore recommends following standards for benchmark configurations put out by the Center for Internet Security, which are publicly accessible and free to download.

One challenge is that cloud security is a constant effort, as risks can emerge that require a timely response. In SANS’ case, Pescatore says the organization ran slightly behind on a single round of CIS guidelines and got hacked a few years ago.

“If we’d been using the latest CIS guidelines, we would have configured Office 365 in the right way, and the attacker would not have gotten through,” he says.

He also advises following the recommendations of the U.S. Cybersecurity and Infrastructure Security Agency.

Cloud Policy vs. Cloud Automation

Pescatore recommends getting standardized policies for configuration from the beginning so that IT teams are spinning up new instances with cloud security in mind.

“I hear this a lot when I'm talking to smaller organizations. ‘Yeah, we can’t do all those things well,’” he said. “If you work with IT so they’re doing most of this, when they spin up a new cloud service, if this is something that they’re calling in, you can get a lot of this done.”

Beyond that, Pescatore suggests that nonprofits use a tool like a web security gateway from a provider such as Palo Alto Networks or Barracuda Networks. He says that these tools often have cloud security add-ons that can help with automated monitoring, which may be necessary when using multicloud systems.

“Many organizations may already be using products that are doing this sort of cloud security posture management, or you could buy additional products that do that specifically,” he says. However, he warns that organizations need proper training to take advantage of these tools. “It’s not as simple as buying a product, turning it on, and everything’s OK.”

Consider Your Nonprofit’s Cloud Security Needs

Pescatore says that despite the range of solutions out there, nonprofits will need to do research to determine what makes the most sense for their infrastructure.

“There’s no one solution that’s right for everybody,” he says. “There could be 20 nonprofits, all about the same size and with the same budget, and there's not one solution that’s right for all of them. Everyone has different organizational governance there, they do IT slightly differently, and so on.”

With that in mind, it’s wise to collaborate with an external partner to help your organization properly assess its cloud security posture. CDW’s Cloud Security Posture Assessment can help determine your organization’s capability to manage cloud configuration at scale.

Given the often constrained resources of nonprofits, they may not be able to address all these recommendations. Pescatore says limiting access to external systems through multifactor authentication is a good place to start.

“To me, it’s a matter of being able to convince the organization that we need to do some things, and here’s the most important thing,” he says. “Start there, and it doesn’t mean you resolve every security problem, but you can make it that much harder for attackers.”