Cloud Security: How To Keep Your Cloud Environment Secure

Introduction

With more organisations adopting some elements of cloud services, and some migrating fully into the cloud to take advantage of the services offered at cost effective prices, cloud service providers have continued to grow and expand. The COVID-19 pandemic has highlighted how modern organisations need to be robust and distributed to offer redundancy in challenging situations, and the cloud is a fantastic platform for doing so.

However, there are several security challenges that come with using the cloud, some of which are existing cyber security challenges and others of which are specific to the cloud itself. This week’s blog focusses on these challenges, and how an organisation can address them, in order to keep their cloud operations secure.

Not sure where to start? Get in touch today at sales@digif9.co.uk to speak to one of our experienced industry professionals and let us know how we can help your organisation achieve its strategic goals.

TYPES OF CLOUD SERVICES

Time for some buzzwords…

The term ‘cloud’ is broad in nature, primarily because of the vast number of services and capabilities that cloud service providers offer, and the advantages that using the cloud brings over a traditional on-premises approach. But one of the first steps in the cloud security journey is honing in on the specifics and moving away from this broad approach.

In order to understand the main security and functionality objectives for your cloud environment, you first need to define both the cloud deployment model and the service model.

Deployment Models

There are four main deployment models within cloud environments which offer different capabilities and challenges. These include;

1. Public Cloud
   Most common type of cloud deployment, where cloud resources are owned and operated by a cloud service provider and delivered over the public internet. Examples include Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP).
2. Private Cloud
   A segregated cloud offering with a dedicated infrastructure for a single customer, meaning resources aren’t shared across multiple customers like they are in public cloud. Examples include a dedicated Microsoft SharePoint Server, Citrix and Rackspace offerings.
3. Hybrid Cloud
   Where a provider offers a blend of public and private cloud capability to an organisation, allowing them to take the best of both worlds. Typically involves using private cloud for sensitive resources and public cloud for non-sensitive resources, and backup capability. Examples include highly regulated industries, such as Financial and Health Care using a blend of the two capabilities.
4. Community Cloud
   A hybrid form of private clouds that are built and operated for the purposes of a group’s interests. They are often designed for collaborative projects, applications, or research, so multiple distributed outfits contribute in some way. Examples include the PlayStation cloud-based gaming service, as well as Research Universities.

Service Models

Similarly, within a cloud environment there are a number of service options, denoted by “as a Service (aaS)”. Whilst the list of service options in cloud environments continues to expand lets focus on the three primary services;

1. Infrastructure as a Service (IaaS)
   Where a cloud provider manages the physical infrastructure behind the scenes but provides the customer with full control over the operating system, and any applications that they wish to install. This offers the most control and selection options for the customer, so is typically used for specific application requirements for a customer.
2. Platform as a Service (PaaS)
   Where a cloud provider manages the physical infrastructure behind the scenes as well as the operating system environment. This allows the customer to focus on the applications within, so is typically used in application development processes, where customers can select from multiple programming languages and frameworks to build upon within a pre-built environment to speed up the process.
3. Software as a Service (SaaS)
   Where a cloud provider manages the physical infrastructure behind the scenes, the operating system and the application. The customer uses the defined application and manages only the data that they bring into it. It offers the lowest administrative overhead for the customer, but the least amount of flexibility, so is typically used for very specific application requirements where flexibility is not required, such as for Accounting, Payroll and HR software.

SHARED SECURITY MODEL

Wait so whose responsibility is it? 

So now we have defined the different types of cloud deployment and service models, it is time to highlight the shared security model within cloud environments. Whilst there are likely to be other stakeholders involved, the two primary stakeholders for an organisation using cloud services would be;

1. The cloud service customer (CSC)
2. The cloud service provider (CSP)

In a traditional on-premises environment, the business would have responsibility for almost all areas of security, however in a cloud environment a number of areas are outsourced and transferred to the CSP to manage.

However, a common mistake made by cloud consumers is in believing that all security responsibilities are transferred over to the CSP, when in reality they still maintain a level of responsibility, that varies depending on the service model chosen. The table below represents the shared services model for cloud services.

ON-PREMISES ENVIRONMENTS	IAAS ENVIRONMENTS	PAAS ENVIRONMENTS	SAAS ENVIRONMENTS
Data	Data	Data	Data
Applications	Applications	Applications	Applications
Runtime System	Runtime System	Runtime System	Runtime System
Middleware	Middleware	Middleware	Middleware
Operating System	Operating System	Operating System	Operating System
Virtualisation	Virtualisation	Virtualisation	Virtualisation
Servers	Servers	Servers	Servers
Storage	Storage	Storage	Storage
Networking	Networking	Networking	Networking

Key:

Cloud Service Customer Manages

Cloud Service Provider Manages

ENCRYPT SENSITIVE DATA

Sensitive data? Even data has feelings…

So far we have established that no matter what the cloud deployment or service model is, the customer is ultimately responsible for the security of the data, as the data controller. But with different service and deployment models, it can be difficult to grasp how to secure data in each scenario.

Encryption is a term that is often thrown out in relation to data security and for good reason – it provides a strong layer of protection over data. The problem that it brings however is that it adds extra weight to applications and systems, meaning that latency is increased, and users experience longer waiting times.

So why is encryption so relevant in the cloud? With the remote nature of access for customers, and the geographical replication of data across multiple data centres, data needs to be secured in transit. This is typically achieved through Transport Layer Security (TLS) to protect data in motion.

The other element to consider is data at rest. Cloud service providers offer a wide range of services at cost effective prices because services are virtualised – a physical instance hosts multiple virtual hosts within it, so many customers contribute to the cost of that physical host. Whilst security controls are in place at the cloud provider’s side, for sensitive data it is recommended to add an additional layer of security through encryption to protect against a rogue insider at the cloud provider’s side, another virtual user potentially laterally moving across into your virtual environment, or law enforcement potentially seizing a physical host for investigation, due to another virtual environment separate to yours.

AUTHORISATION CONTROLS

Excuse me, don’t you know who I am?

Authorisation within cloud environments represents the process of granting or denying access to a resource and is one of the most important areas to address from a security standpoint. In a cloud environment the physical infrastructure, i.e. the servers, storage units and other functionality that you access is all done remotely. This is one of the primary benefits for cloud consumers, as they can access cloud service capability from any location highlighting the flexibility that it provides.

But this also re-affirms the need to secure access to cloud environments, as greater flexibility means more potential surface area for attack. So how can you do this? Step forward IAM.

Identity & Access Management (IAM) represents the function that governs secure access to cloud services and resources. Each cloud provider has its own IAM service, but ultimately these all work in the same way.

So what can you enforce with IAM to secure access to accounts?

• Password controls to enforce strong password choices for users
• Enforcing users to regularly update their passwords
• Enforcing multi-factor authentication for users
• Integration with an existing Active Directory (AD) to synchronise users
• Add in fine grained controls around time of day, user location and IP address

ACCESS CONTROLS

Excuse me, this floor is not accessible to anyone without a swipe card.

Authorisation and Access controls are often areas that are confused with each other, but they represent two significant but different areas. Authorisation is all about permitting or denying a connection to a system, whereas Access focusses on what a user can actually do once they are connected.

Within the security domain, the principle of least privilege is often recommended. Essentially users are only given the amount of access rights required to do their job, which helps to reduce the likelihood of a user conducting activities that are not approved.

When you have small number of users in an environment, it can be a simple process to select appropriate permissions on a per user basis, however this becomes significantly more challenging as the number of users grows.

Step forward Role Based Access Control (RBAC) and Groups. It is recommended from a security and auditing perspective to manage permissions per user groups, with one method of grouping users by their role, for example administrators, HR, finance teams. This way you can standardise the level of access for each group, and as users join the organisation you add them into that user group and inherit the same defined permissions.

MONITORING & LOGGING

So what went wrong? Can’t tell you, don’t have any logs…

Monitoring and logging is a fundamental part of security – knowing what action has been taken on a system and who did it. It doesn’t just have to be from a security perspective, you will want health checks and other application-level monitoring in place to identify and troubleshoot issues that have occurred.

Each cloud vendor has its own inherent logging system that consumers can enable and fine tune to specific requirements. For example, in AWS through CloudWatch and CloudTrail a consumer can log all the activity within their cloud environment;

For start-up and smaller organisations this monitoring and logging can form the basis and main component of this domain. For larger organisations with multiple environments, it is likely a Security Information & Event Management (SIEM) system is being used to ingest logs from these sources. So the next step in the security strategy should be to incorporate your cloud environment logs into this SIEM solution, for full monitoring of the digital estate.

BACKUP & RECOVERY

Where’s your homework? The dog ate my computer that had it on. What about the backup?

One of the primary selling points to using cloud environments is the availability and reliability metrics that are advertised. So how exactly do cloud providers offer these strong levels of availability and reliability? Whilst each cloud provider may have a slightly different naming convention, the most common definitions are Availability Zones and Regions for Data Centre.

A Data Centre is the primary physical location for a cloud service provider, containing the physical equipment – servers, storage racks that are used to provide computing capability to the consumers to access remotely. An Availability Zone contains one or more Data Centres that are equipped with independent power, networking, and other capability. A Region contains a number of different Availability Zones, which are completely independent of each other.

This outlines the fundamental pathway to achieving these high levels of availability – one Data Centre may have an unexpected issue but it is highly unlikely that all Data Centres in an Availability Zone will suffer from the same unexpected issue, and even more unlikely that multiple Regions will be affected.

This highlights the importance of robust cloud security strategy planning – truly understanding what components, systems and applications are mission critical along with prioritising, in order to make cost effective decisions. In a perfect world all systems would be placed in multiple Availability Zones and Regions, and data replicated across these to ensure minimal chance of data loss. In reality, this would be too expensive and so the most appropriate method is to focus on the most important apps for this.

Whilst using a cloud provider reduces the chances of a significant issue affecting critical systems, it does not remove the risk. Data should be backed up periodically and securely stored.

SECURITY & COMPLIANCE

Everyone’s favourite topic…

From a security & compliance perspective cloud services provide a number of challenges but also opportunities if managed correctly. That is why it is imperative for organisations to be fully aware of relevant regulations and certifications to their industry as well as geographic location.

For industry specific regulations, examples include the PCI DSS for organisations processing payment card data directly and HIPAA for organisations processing health care information. From a geographic perspective there are a number of region specific data security standards, such as GDPR for the EU and DPA for the UK.

With the multi-region availability model of cloud services, regional data security standards are an essential component for a cloud security strategy program. There are restrictions under these standards as to where sensitive data can be stored physically, so the cloud customer must take care to ensure that they as the data controller are adhering to the standards. This could for example involve only using data centres hosted within the EU for an outfit operating in the European Market, or a location that adheres to GDPR.

For more mature organisations, there are also a number of International Accreditations that a company can certify against, to demonstrate their security controls to existing and potential customers. Whilst the common ‘triad’ involves ISO 27001 for Information Security, ISO 9001 for Quality Management and ISO 22301 for Business Continuity Management (Confidentiality, Integrity and Availability), there are also cloud specific certifications that help to provide customers with confidence in an organisation, such as ISO 27018 for Privacy Management in Cloud Environments.

PHYSICAL DEVICE SECURITY

For the amount of time people spend on digital devices you would think it would be the most secure possession.

Whilst cloud environments provide remote access to consumers and the physical infrastructure itself is managed by the cloud service provider, users must still be wary of the physical devices that they use to access the cloud environment. This could be a laptop, desktop, mobile device, or tablet, essentially any device with internet capability has the potential to access a cloud environment.

So, it is imperative to ensure that the devices used to access the cloud are secure, to prevent unauthorised access, or malicious software being deployed onto them. In order to secure a physical device, the following steps should be taken, regardless of what type of device it is;

• Automatic updates in place for the operating system and applications on the device
• Anti-virus solution in place
• Strong password or passcode in place to secure access
• Remote wipe capability in place for stolen devices
• Only installing applications and software from trusted and verified sources

TRAINING

I know everything about the cloud, except the things I don’t know.

When discussing security in the cyber domain, the focus is often on technical systems, and what controls and software can be used to help secure devices and systems. One of the most overlooked aspects is the people who access technical systems, and ensuring that they are regularly provided with security and functionality training.

Ultimately, no matter how sophisticated the technology, it will always be administered and used by human users, so it is imperative to ensure that users are kept up to date with new developments and security best practices. Each cloud service provider maintains a comprehensive list of educational resources, typically on their website and usually a large portion is freely available. These can be used to identify security best practices for the cloud environment as a whole, as well as particular applications and systems within it.

With security awareness for staff, the most effective method is to come from a positive perspective. Providing access to training material, allocating time to focus on education and development provides both a benefit to the organisation and the employee themselves, making it more likely to be taken on board.

CONCLUSION

From this article we hope it is clear that whilst there are a number of benefits to using cloud technologies, there are still a number of security elements that need to be addressed, including cloud specific challenges. This guide however is not to put users off from using the cloud! When used securely, the cloud offers a fantastic platform for organisations of all sizes to access computing capability without a significant up-front investment, and truly go global all from one location.

The most important lesson to take away from this blog is to be fully aware of the chosen deployment and service model in the cloud, as well as the specific restrictions and challenges that come with it. Security strategy, and cloud security strategy should be at the forefront of business strategy discussions, not an afterthought to frantically address down the line. Not sure where to start? Get in touch today at sales@digif9.co.uk to speak to one of our experienced industry professionals and let us know how we can help your organisation achieve its strategic goals.