Securing internet-exposed services

Limiting and securing your internet-exposed services will help you prevent unauthorised access.

Summary

In today’s world, your organisation likely needs to support staff or vendors working remotely. This usually means allowing access to internal systems from external networks, via the internet. When correctly managed, this can be a great boost to productivity. Unfortunately, we often see organisations that have been affected by breaches or compromises of systems that were exposed to the internet without the right security controls. This includes services such as:

  • email
  • remote access to your organisation’s network or systems
  • cloud storage, such as Azure Blob or AWS S3
  • databases such as MSSQL, Elasticsearch, and MongoDB.

Purpose

The intent of this control is to ensure your organisation has a good understanding of what systems and services are remotely accessible, and has the appropriate controls and processes in place to keep them secure.

Measuring success

A successful implementation of this control will look different for each organisation, depending on which services you need to be exposed. In general, the goal of this control is to:

  • be able to identify all the internet-exposed services your organisation uses, and refresh this list on a regular basis
  • have an understanding of why each service is needed and where it needs to be accessed from
  • make sure services are only exposed to the internet when this is truly necessary for operation
  • configure all services to require multi-factor authentication
  • have centralised log analysis and alerting for all internet-exposed services
  • keep all services up-to-date, and disable or replace any services that can’t be patched.

Key internet-exposed services takeaways

  • This control takes your organisation a step further past just disabling unused ports and services. For the ports and services that remain open, you need to make sure they are secured using multi-factor authentication, have logging enabled, and are using the latest patches. This applies both to services in your network and hosted on cloud providers.
  • Cloud systems such as AWS and Azure have a huge range of services, many of which can be exposed to the internet in unsafe ways if not correctly configured. Adhering to secure reference architectures for your cloud services, along with regularly reviewing your cloud infrastructure, will help you avoid accidentally exposing systems and information to the internet.

Advice for implementation

Securing internet-exposed services