Follow Cloud Security Guidelines
For smaller organizations and nonprofits, Pescatore recommends following standards for benchmark configurations put out by the Center for Internet Security, which are publicly accessible and free to download.
One challenge is that cloud security is a constant effort, as risks can emerge that require a timely response. In SANS’ case, Pescatore says the organization ran slightly behind on a single round of CIS guidelines and got hacked a few years ago.
“If we’d been using the latest CIS guidelines, we would have configured Office 365 in the right way, and the attacker would not have gotten through,” he says.
He also recommends following recommendations from the U.S. Cybersecurity and Infrastructure Security Agency.
Cloud Policy vs. Cloud Automation
Pescatore recommends getting standardized policies for configuration from the beginning so that IT teams are spinning up new instances with cloud security in mind.
“I hear this a lot when I'm talking to smaller organizations. ‘Yeah, we can’t do all those things well,’” he said. “If you work with IT so they’re doing most of this, when they spin up a new cloud service, if this is something that they’re calling in, you can get a lot of this done.”
Beyond that, Pescatore suggests that nonprofits use a tool like a web security gateway from a provider such as Palo Alto Networks or Barracuda Networks. He says that these tools often have cloud security add-ons that can help with automated monitoring, which may be necessary when using multicloud systems.
“Many organizations may already be using products that are doing this sort of cloud security posture management, or you could buy additional products that do that specifically,” he says. However, he warns that organizations need proper training to take advantage of these tools. “It’s not as simple as buying a product, turning it on, and everything’s OK.”
Consider Your Nonprofit’s Cloud Security Needs
Pescatore says that despite the range of solutions out there, nonprofits will need to do research to determine what makes the most sense for their infrastructure.
“There’s no one solution that’s right for everybody,” he says. “There could be 20 nonprofits, all about the same size and with the same budget, and there's not one solution that’s right for all of them. Everyone has different organizational governance there, they do IT slightly differently, and so on.”
With that in mind, it’s wise to collaborate with an external partner to help your organization properly assess its cloud security posture. CDW’s Cloud Security Posture Assessment can help determine your organization’s capability to manage cloud configuration at scale.
Given the often constrained resources of nonprofits, they may not be able to address all these recommendations. Pescatore says limiting access to external systems through multifactor authentication is a good place to start.
“To me, it’s a matter of being able to convince the organization that we need to do some things, and here’s the most important thing,” he says. “Start there, and it doesn’t mean you resolve every security problem, but you can make it that much harder for attackers.”