In-Depth

Prepare for Ransomware in 2025: Baseline Practices for Cloud Security

• By David Ramel
• 12/20/2024

Ransomware is at an all-time high, and it will only get worse in 2025. To help organizations prepare for the new-year onslaught, experts are making the rounds providing guidance and advice.

Joey D'Antoni is one such expert, and he shared his hard-won knowledge this week in a live cybersecurity education event titled "Ransomware & Cloud Data Protection Summit: What's Ahead for 2025," now available for replay thanks to the sponsor, Rubrik.

D'Antoni, principal cloud architect at DesignMind, helmed a presentation titled "Ransomware: Threat Outlook for 2025" in which discussed the importance of cloud data protection, emphasizing the need for continuous monitoring, robust backup strategies, and adherence to best practices like zero trust and multi-factor authentication (MFA).

He highlighted that 94% of businesses use the cloud, with 70% of enterprise workloads having been deployed by 2023. He noted that misconfigurations are a leading cause of cloud breaches, advocating for infrastructure as code and regular audits. He shared case studies of companies successfully implementing data protection measures, including a healthcare provider that reduced misconfigurations by 90% and a financial services firm that improved encryption and monitoring.

Each session of these free half-day summits is chock full of expert advice and information, way too much to present here, but because cloud security is of most important to readers of Virtualization & Cloud Review, we've distilled baseline practices for cloud security to provide a good foundation for more specific techniques and strategies to fight ransomware.

Here are thoughts D'Antoni shared about some of those baseline practices, just a small part of his one-hour presentation.

Understand the Shared Responsibility Model
"So the cloud providers, AWS, Azure, Google, Oracle, Alibaba, will all say they operate under a shared responsibility model where they secure the cloud infrastructure, but organizations must secure their data within the cloud," he said.

"I think there's a lot of misunderstanding of this model, and it's been a significant contributor to security incidents. A really good example of this was the Snowflake breach. And I wrote about this in Redmond [see "The Snowflake Affair: What It Can Teach IT About SaaS Security"]."

"And the Snowflake breach was interesting, because Snowflake was like, 'We were never breached,' right? The hackers never accessed Snowflake computers or Snowflake's data. But what happened was, the way Snowflake rolled out multi-factor authentication was that there was no system-wide way for a Snowflake customer to opt in all of their users into MFA. So each user had to accept multi-factor authentication and turn it on, which, frankly, is as good as not having it at all. And obviously hackers know this, because they look for these kinds of vulnerabilities, and the hackers targeted Snowflake specifically, and I think they ultimately got access through a managed service provider somewhere in Eastern Europe that had access to a number of Snowflake customers at a high level. So my point being there is, yes, it's a shared model, but the cloud provider needs to give their clients all the tools that they need to manage their data and secure it in an encrypted fashion, or not encrypted fashion, but just doing secure things like MFA."

D'Antoni addressed the shared responsibility model throughout his presentation.

"It's important to understand that shared responsibility model not just from your cloud provider itself, but from the cloud services you're using, because they may all have different levels of security models in them, and especially those like second- and third-party solutions," was another nugget of advice.

Encrypt Everything (At Rest & In Transit)
"You want to encrypt everything at rest and in transit," D'Antoni said. "This is mostly going to be handled for you by your cloud provider, or you can bring your own certificates."

Elsewhere he discussed the differences in those approaches.

"If you bring your own certificates, the cloud providers have no access to your data, because that data those certificates are stored in a key vault that's only managed by you, and they cannot access those key vaults," he said, recounting an event concerning an Azure SQL Database in which the customers who lost data were those who supplied their own certificates because Microsoft couldn't access their data.

He discussed tools that can be used to encrypt data at rest and in transit to ensure that if data is intercepted or accessed, it remains unreadable without the decryption key.

He also noted encryption is used by the bad guys, too.

"Ransomware has evolved to target cloud workloads by encrypting data and holding it hostage until the ransom is paid," he said. "A common tactic by those attackers is to steal data before encrypting it, and kind of used to what's called a double extortion method ... a lot of the same things we talk about on-premises apply here in the cloud."

Implement Multi-Factor Authentication (MFA)
"You want to implement multi-factor authentication," he emphasized repeatedly. "I feel like I say this every time we talk. You also want to implement phish-resistant multi-factor authentication. If you use Azure or Microsoft authenticator, it pops up a number on your screen that you have to enter in your phone, text message. Multi-factor authentication is not secure, because there are phone hijackings that can take place. My wife's colleague had his phone number stolen, and they were able to breach a number of his accounts ... this applies in your personal life too.

"There's a [audience] question around what you're choosing for in MFA. Don't choose SMS, choose something else. You want to use that role-based access control. Use the principle of least privileges. Back up your data with your redundancy. Make sure you're automating everything."

Use Role-Based Access Control (RBAC)
Speaking of RBAC, that approach was brought up in a question from the audience: "How does your organization manage the balance between strict security measures and user accessibility, particularly with principles like zero trust and role-based access control?

"This is always a big challenge," D'Antoni replied. "I talked about how security controls are friction, right? You don't need to secure everything with the same level of security. So for things that can be publicly accessible -- aren't mission critical -- maybe you don't have that same level of security. So you're isolating your highest levels of security to your system admins and your executives. So that your regular business users have a lower-friction environment, and you just don't let have them have access to the more sensitive data.

"That's one common path in some organizations, but I've seen some really crazy controls with like, half of passwords being stored in two different vaults and in different locations, and the people have to get together to type in the password. So it's just a matter of balancing your priorities and really understanding what the risks are and how much that risk is worth to your organization, and if those level of controls are needed for the level of risk you have, it really comes down to pricing that risk."

And More
That response to an audience question highlights the advantage of attending such events live so users can get one-on-one advice from experts sharing their expertise from hard work on the front lines.

With that in mind, here are some upcoming events being put on by Virtualization & Cloud Review through next month.

• Multicloud Trend Watch: Top Challenges, Strategies & Solutions Summit - Jan 10
• Top 10 Technical Predictions for 2025 -- Jan. 14
• Balance Security and Developer Productivity in the software supply chain: Trusted strategies and best practices - Jan 15
• Made for Today, Ready for Tomorrow: Corporate Resiliency with Insight & ChromeOS - Jan 21
• Leaders in Tech Series | Build a Modern Disaster Recovery Approach - Jan 22