Storing data in the cloud isn't a sure-fire ransomware defense method. Expert Rob Shapland examines how the cloud helps and hurts when it comes to ransomware attacks.
The latest wave of highly damaging ransomware attacks, such as WannaCry and NotPetya, has provided a stark reminder that organizations need to get the basics of ransomware defense right -- backups, patching and minimizing the exposed attack surface. However, we also need to consider how these more advanced ransomware attacks affect companies that are primarily cloud-based.
To date, ransomware has primarily targeted on-premises data, leaving companies to restore data from their own backup systems. Many discovered that their backups were not fit for this purpose or -- worse -- were non-existent.
Even if all your data is stored in the cloud, it is not entirely safe, and it still needs some sort of ransomware defense. Infrastructure-as-a-service platforms, such as Amazon Web Services (AWS) and Microsoft Azure, operate on a shared responsibility model.
For example, with AWS, Amazon is responsible for the physical security of the servers, the hardware, and the host operating system and virtualization. However, anything installed onto this hardware by the customer is the customer's responsibility.
This means all the software and data are managed by the customer and, therefore, if the data is encrypted by a ransomware attack, it is the customer's responsibility to restore it -- Amazon cannot help retrieve the data.
Why the cloud is still at risk
Due to this shared responsibility model, the same principles of ransomware defense you would use if the servers were on premises need to be applied in the cloud. A regular backup process is the most important of these, whether through snapshots or Amazon Machine Images in AWS, or by using Azure Backup in Microsoft Azure. These backups should be protected with multifactor authentication.
Patches should be applied to software using the same patch cycle your IT team uses for on-premises servers. Similarly, network security rules should be configured in the cloud to avoid exposing services that ransomware, such as WannaCry, can use to spread.
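The network-rule check described above, as an added example that is not part of the original article or any AWS tooling: a Python audit over security-group data in the shape returned by the AWS CLI's describe-security-groups call, flagging rules that expose TCP 445 (SMB, the service WannaCry spread over) to the whole internet. The group IDs and rules are constructed sample data, and the inclusion of TCP 139 is an assumption.

```python
import ipaddress

# Ports the audit treats as spread vectors. TCP 445 (SMB) is what WannaCry
# used to propagate; 139 (NetBIOS session) is included as an assumption.
RISKY_TCP_PORTS = {445: "SMB", 139: "NetBIOS"}

def is_world_open(cidr):
    """True for 0.0.0.0/0, ::/0 and any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_ports(permission):
    """Return the risky ports covered by one IpPermissions entry."""
    proto = permission.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return sorted(RISKY_TCP_PORTS)
    if proto != "tcp":
        return []
    lo, hi = permission.get("FromPort", 0), permission.get("ToPort", 65535)
    return sorted(p for p in RISKY_TCP_PORTS if lo <= p <= hi)

def audit(security_groups):
    """Return (group_id, port, service, cidr) for each internet-exposed risky port."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if is_world_open(c)]
            for port in exposed_ports(perm):
                for cidr in open_cidrs:
                    findings.append((group["GroupId"], port, RISKY_TCP_PORTS[port], cidr))
    return findings

# Constructed sample in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-files", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 100, "ToPort": 500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    print("\n".join("%s: TCP %d (%s) open to %s" % f for f in audit(SAMPLE_GROUPS)))
```

The wide 100-500 port range and the all-protocols rule are the cases a search for an explicit port 445 rule would miss; the SMB rule restricted to 10.0.0.0/16 is correctly left alone.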
Even using SaaS does not remove the need for ransomware defense. Organizations that are primarily cloud-based tend to have facilities that allow staff to access data stored in the cloud quickly, perhaps by mapping a shared drive to the cloud service.
If a staff member were to open an infected email, the ransomware would encrypt any shared drives, including those that are connected to cloud services.
The same applies when synchronization folders are used. In this case, a folder on the user's computer automatically syncs any files placed there to the cloud service. If ransomware encrypts the files in the folder, then the encrypted files are copied to the cloud.
However, most popular cloud services use version control that could enable users to roll back to an uninfected version.
Overall, ransomware defense for cloud services should be treated the same as on-premises defense. Using the same fundamental security processes as for on-premises data, and using a defense-in-depth approach with technical controls, combined with robust processes and regular staff training on cybersecurity, is the best approach to prevent your cloud data from being compromised.