With more organisations adopting some elements of cloud services, and some migrating fully into the cloud to take advantage of the services offered at cost effective prices, cloud service providers have continued to grow and expand. The COVID-19 pandemic has highlighted how modern organisations need to be robust and distributed to offer redundancy in challenging situations, and the cloud is a fantastic platform for doing so.
However, there are several security challenges that come with using the cloud, some of which are existing cyber security challenges and others of which are specific to the cloud itself. This week’s blog focusses on these challenges, and how an organisation can address them, in order to keep their cloud operations secure.
Not sure where to start? Get in touch today at email@example.com to speak to one of our experienced industry professionals and let us know how we can help your organisation achieve its strategic goals.
Time for some buzzwords…
The term ‘cloud’ is broad in nature, primarily because of the vast number of services and capabilities that cloud service providers offer, and the advantages that using the cloud brings over a traditional on-premises approach. But one of the first steps in the cloud security journey is honing in on the specifics and moving away from this broad approach.
In order to understand the main security and functionality objectives for your cloud environment, you first need to define both the cloud deployment model and the service model.
There are four main deployment models within cloud environments which offer different capabilities and challenges. These include;
Similarly, within a cloud environment there are a number of service options, denoted by “as a Service (aaS)”. Whilst the list of service options in cloud environments continues to expand lets focus on the three primary services;
Wait so whose responsibility is it?
So now we have defined the different types of cloud deployment and service models, it is time to highlight the shared security model within cloud environments. Whilst there are likely to be other stakeholders involved, the two primary stakeholders for an organisation using cloud services would be;
In a traditional on-premises environment, the business would have responsibility for almost all areas of security, however in a cloud environment a number of areas are outsourced and transferred to the CSP to manage.
However, a common mistake made by cloud consumers is in believing that all security responsibilities are transferred over to the CSP, when in reality they still maintain a level of responsibility, that varies depending on the service model chosen. The table below represents the shared services model for cloud services.
|ON-PREMISES ENVIRONMENTS||IAAS ENVIRONMENTS||PAAS ENVIRONMENTS||SAAS ENVIRONMENTS|
|Runtime System||Runtime System||Runtime System||Runtime System|
|Operating System||Operating System||Operating System||Operating System|
Cloud Service Customer Manages
Cloud Service Provider Manages
Sensitive data? Even data has feelings…
So far we have established that no matter what the cloud deployment or service model is, the customer is ultimately responsible for the security of the data, as the data controller. But with different service and deployment models, it can be difficult to grasp how to secure data in each scenario.
Encryption is a term that is often thrown out in relation to data security and for good reason – it provides a strong layer of protection over data. The problem that it brings however is that it adds extra weight to applications and systems, meaning that latency is increased, and users experience longer waiting times.
So why is encryption so relevant in the cloud? With the remote nature of access for customers, and the geographical replication of data across multiple data centres, data needs to be secured in transit. This is typically achieved through Transport Layer Security (TLS) to protect data in motion.
The other element to consider is data at rest. Cloud service providers offer a wide range of services at cost effective prices because services are virtualised – a physical instance hosts multiple virtual hosts within it, so many customers contribute to the cost of that physical host. Whilst security controls are in place at the cloud provider’s side, for sensitive data it is recommended to add an additional layer of security through encryption to protect against a rogue insider at the cloud provider’s side, another virtual user potentially laterally moving across into your virtual environment, or law enforcement potentially seizing a physical host for investigation, due to another virtual environment separate to yours.
Excuse me, don’t you know who I am?
Authorisation within cloud environments represents the process of granting or denying access to a resource and is one of the most important areas to address from a security standpoint. In a cloud environment the physical infrastructure, i.e. the servers, storage units and other functionality that you access is all done remotely. This is one of the primary benefits for cloud consumers, as they can access cloud service capability from any location highlighting the flexibility that it provides.
But this also re-affirms the need to secure access to cloud environments, as greater flexibility means more potential surface area for attack. So how can you do this? Step forward IAM.
Identity & Access Management (IAM) represents the function that governs secure access to cloud services and resources. Each cloud provider has its own IAM service, but ultimately these all work in the same way.
So what can you enforce with IAM to secure access to accounts?
Excuse me, this floor is not accessible to anyone without a swipe card.
Authorisation and Access controls are often areas that are confused with each other, but they represent two significant but different areas. Authorisation is all about permitting or denying a connection to a system, whereas Access focusses on what a user can actually do once they are connected.
Within the security domain, the principle of least privilege is often recommended. Essentially users are only given the amount of access rights required to do their job, which helps to reduce the likelihood of a user conducting activities that are not approved.
When you have small number of users in an environment, it can be a simple process to select appropriate permissions on a per user basis, however this becomes significantly more challenging as the number of users grows.
Step forward Role Based Access Control (RBAC) and Groups. It is recommended from a security and auditing perspective to manage permissions per user groups, with one method of grouping users by their role, for example administrators, HR, finance teams. This way you can standardise the level of access for each group, and as users join the organisation you add them into that user group and inherit the same defined permissions.
So what went wrong? Can’t tell you, don’t have any logs…
Monitoring and logging is a fundamental part of security – knowing what action has been taken on a system and who did it. It doesn’t just have to be from a security perspective, you will want health checks and other application-level monitoring in place to identify and troubleshoot issues that have occurred.
Each cloud vendor has its own inherent logging system that consumers can enable and fine tune to specific requirements. For example, in AWS through CloudWatch and CloudTrail a consumer can log all the activity within their cloud environment;
For start-up and smaller organisations this monitoring and logging can form the basis and main component of this domain. For larger organisations with multiple environments, it is likely a Security Information & Event Management (SIEM) system is being used to ingest logs from these sources. So the next step in the security strategy should be to incorporate your cloud environment logs into this SIEM solution, for full monitoring of the digital estate.
Where’s your homework? The dog ate my computer that had it on. What about the backup?
One of the primary selling points to using cloud environments is the availability and reliability metrics that are advertised. So how exactly do cloud providers offer these strong levels of availability and reliability? Whilst each cloud provider may have a slightly different naming convention, the most common definitions are Availability Zones and Regions for Data Centre.
A Data Centre is the primary physical location for a cloud service provider, containing the physical equipment – servers, storage racks that are used to provide computing capability to the consumers to access remotely. An Availability Zone contains one or more Data Centres that are equipped with independent power, networking, and other capability. A Region contains a number of different Availability Zones, which are completely independent of each other.
This outlines the fundamental pathway to achieving these high levels of availability – one Data Centre may have an unexpected issue but it is highly unlikely that all Data Centres in an Availability Zone will suffer from the same unexpected issue, and even more unlikely that multiple Regions will be affected.
This highlights the importance of robust cloud security strategy planning – truly understanding what components, systems and applications are mission critical along with prioritising, in order to make cost effective decisions. In a perfect world all systems would be placed in multiple Availability Zones and Regions, and data replicated across these to ensure minimal chance of data loss. In reality, this would be too expensive and so the most appropriate method is to focus on the most important apps for this.
Whilst using a cloud provider reduces the chances of a significant issue affecting critical systems, it does not remove the risk. Data should be backed up periodically and securely stored.
Everyone’s favourite topic…
From a security & compliance perspective cloud services provide a number of challenges but also opportunities if managed correctly. That is why it is imperative for organisations to be fully aware of relevant regulations and certifications to their industry as well as geographic location.
For industry specific regulations, examples include the PCI DSS for organisations processing payment card data directly and HIPAA for organisations processing health care information. From a geographic perspective there are a number of region specific data security standards, such as GDPR for the EU and DPA for the UK.
With the multi-region availability model of cloud services, regional data security standards are an essential component for a cloud security strategy program. There are restrictions under these standards as to where sensitive data can be stored physically, so the cloud customer must take care to ensure that they as the data controller are adhering to the standards. This could for example involve only using data centres hosted within the EU for an outfit operating in the European Market, or a location that adheres to GDPR.
For more mature organisations, there are also a number of International Accreditations that a company can certify against, to demonstrate their security controls to existing and potential customers. Whilst the common ‘triad’ involves ISO 27001 for Information Security, ISO 9001 for Quality Management and ISO 22301 for Business Continuity Management (Confidentiality, Integrity and Availability), there are also cloud specific certifications that help to provide customers with confidence in an organisation, such as ISO 27018 for Privacy Management in Cloud Environments.
For the amount of time people spend on digital devices you would think it would be the most secure possession.
Whilst cloud environments provide remote access to consumers and the physical infrastructure itself is managed by the cloud service provider, users must still be wary of the physical devices that they use to access the cloud environment. This could be a laptop, desktop, mobile device, or tablet, essentially any device with internet capability has the potential to access a cloud environment.
So, it is imperative to ensure that the devices used to access the cloud are secure, to prevent unauthorised access, or malicious software being deployed onto them. In order to secure a physical device, the following steps should be taken, regardless of what type of device it is;
I know everything about the cloud, except the things I don’t know.
When discussing security in the cyber domain, the focus is often on technical systems, and what controls and software can be used to help secure devices and systems. One of the most overlooked aspects is the people who access technical systems, and ensuring that they are regularly provided with security and functionality training.
Ultimately, no matter how sophisticated the technology, it will always be administered and used by human users, so it is imperative to ensure that users are kept up to date with new developments and security best practices. Each cloud service provider maintains a comprehensive list of educational resources, typically on their website and usually a large portion is freely available. These can be used to identify security best practices for the cloud environment as a whole, as well as particular applications and systems within it.
With security awareness for staff, the most effective method is to come from a positive perspective. Providing access to training material, allocating time to focus on education and development provides both a benefit to the organisation and the employee themselves, making it more likely to be taken on board.
From this article we hope it is clear that whilst there are a number of benefits to using cloud technologies, there are still a number of security elements that need to be addressed, including cloud specific challenges. This guide however is not to put users off from using the cloud! When used securely, the cloud offers a fantastic platform for organisations of all sizes to access computing capability without a significant up-front investment, and truly go global all from one location.
The most important lesson to take away from this blog is to be fully aware of the chosen deployment and service model in the cloud, as well as the specific restrictions and challenges that come with it. Security strategy, and cloud security strategy should be at the forefront of business strategy discussions, not an afterthought to frantically address down the line. Not sure where to start? Get in touch today at firstname.lastname@example.org to speak to one of our experienced industry professionals and let us know how we can help your organisation achieve its strategic goals.