Cloud service providers are becoming standard models of cloud computing for many types of businesses.
Cloud-based software models offer many benefits related mostly to devolving maintenance responsibility to service providers. Moreover, pricing models are often built in the pay-per-use approach, which allows small businesses to start small.
Shared responsibility model
One of the key aspects of software-related services is data security. When deliberating about cloud security, we should adopt a twofold approach which differentiates between the security of the cloud and the security in the cloud.
This is due to the shared responsibility model for cloud services. The cloud provider is responsible for the security part only to some extent and depending on the service model.
In the simplest model, Infrastructure as a Service (IaaS), the cloud provider is responsible only for the physical security of power supply, hardware, and host operating system with virtualization. In the Platform as a Service (PaaS) solution, the cloud service provider’s responsibility extends to all software needed to run customers applications.
The least effort related to the security relies on clients in the Software as a Service (SaaS) model. In this approach, the service provider is responsible for all security, except for the end user’s access management.
Security of the cloud
Security of the cloud involves all technical and organizational measurements implemented by cloud service providers to protect their systems and the client’s data. Those controls include:
- Assuring uninterruptible power source and environment controls
- Assuring physical security of hardware and networks: access control
- Assuring network connectivity with high availability
- Assuring storage with high availability
- Assuring and securely managing up-to-date system components
- Data backup, retention, and recovery procedures
- Software development life cycle and change management
- Usage of cryptography, encryption key management
- Security auditing, measuring, and testing
How to check the security of a cloud?
Al service providers claim that their services and environments are secure and best for your business. Your job is to perform fact checking.
The security of the cloud must be audited internally by both the cloud provider and an independent third party. Ask your provider for the latest certification results. Most recognizable security certifications include:
- SOC 2 Type II – confirms the compliance with US AICPA’s SOC 2 requirements in the following areas: network and physical security, data availability, data processing integrity, data confidentiality, privacy
- CSA STAR Level 2 – confirms the compliance with the Cloud Security Alliance STAR requirements for high-risk data processing
- ISO/IEC 27001 together with the declaration of compliance with ISO/IEC 27017 and ISO/IEC 27018 – confirms implementing standardized Information Security Management System along with security and privacy controls dedicated for public cloud providers
- PCI-DSS – confirms the compliance of all (or some) services with the Payment Card Industry Data Security Standard
Security in the cloud
For the security in the cloud, it is the client who assumes the responsibility for the security of anything stored in the cloud. Security controls which may be used for this purpose depend on the cloud computing model.
Identity and Access Management
Identity and Access Management is essential in every cloud computing model. It is up to the client: what accounts are created, what level of access to applications or infrastructure is granted to them, how they are protected, and – most importantly – if accesses are revoked when no longer needed for business purposes.
Access polices should be created and managed in line with the principle of the least privilege – permissions are granted only when they are needed to perform a task and only for the period required to perform that task.
Cloud IAM must offer strong authentication mechanisms which rely not only on passwords, but also on other factors, such as U2F hardware keys, one-time time based codes, push notifications, etc.
It’s also important to train all users of cloud applications how to recognize phishing. Account takeovers by phishing are one of the most commonly spotted issues, along with weak or leaked passwords. Even multifactor authentication (except U2F hardware keys) does not protect against phishing.
Cloud Identity and Access Management services are also connected with additional security tools which can increase the security of accounts. Examples of such tools include:
- Generating reports on effective permissions for a set of users and services
- Generating reports on the usage and age of credentials (passwords, API keys, etc.)
- Machine learning-supported reports on possible sensitive data storage
- Conditional access to applications based on user’s behavior or detected environment
Logging and monitoring
Another security control which can’t be underestimated is the visibility of security-related events in applications or cloud-based platforms. It can be achieved by enabling audit trails. At least the following events must trigger the audit trail entry:
- Signing-in with success
- Failed attempt of signing-in
- Creating an account, group, role
- Altering an account, group, role
- Deleting an account, group, role
- Changing passwords, pairing an account with devices and one-time password applications
- Granting and revoking permissions
- Changing configuration, especially enabling or disabling security controls
- Operations on any confidential data: creation, alteration, deletion
Each log entry must include the data that indicates:
- Who generated the event
- When the event happened (exact time, synchronized with the reputable time source)
- What the subject of the event was (which data was accessed or changed)
PaaS security services
In PaaS cloud models, clients are responsible for applications' maintenance and security. This includes:
- Security of the applications’ code
- Vulnerabilities in the used libraries and other components
- Securing high-level network connections
- Data encryption in transit and in storage
- Machine learning supported multi-sensor threat detection
- Cryptographic keys’ management
- Data backup and restore procedures
Almost all cloud service providers offer dedicated tools to solve the issues mentioned above. In case the provided functionality is not enough, clients may choose to implement third-party solutions from cloud applications’ store. Clients should check cloud providers’ white papers or involve commercial cloud consulting companies.
IaaS security tools and processes
The highest number of security-related topics that need to be addressed by the client materializes in the Infrastructure as a Service cloud model. In addition to all the aforementioned concerns, the following security controls must be applied and maintained by the client:
- Operating system’s vulnerabilities and patch management
- Network security
- High availability
- Operating system and configuration backup, along with restore procedures
- Data storage scalability
To achieve security in the above mentioned areas, additional security services and tools must be implemented. Some of them may be provided by cloud providers, especially if they are standardized. Examples of such services are:
- Additional Distributed Denial of Service network protection
- Agent-based operating system vulnerability monitors
- Network and application-level load balancers
- Backup and recovery wizards
- On-premise to cloud lift-and-shift tools
- Intrusion Prevention Systems
- System-scaling calculators and wizards
Such tools require to be handled by qualified staff with cloud operations skills. Having them on board requires having a set of security policies and organizational procedures so that their work can be performed securely. Additional investment might be necessary to perform security training and procedures’ review.
The right cloud computing model
Cloud security is a wide discipline built with the already explained “shared responsibility” idea in mind. The successful implementation of cloud security relies mostly on choosing the right cloud cooperation model. In Software as a Security cloud computing, the agility is the lowest – but so is the client’s responsibility for maintenance and security.
On the opposite side, we have the Infrastructure as a Service cloud model which expects the client to take the responsibility for everything except for hardware. Ensuring security in this case requires not only proper tools, but also skilled staff and regularly tested procedures.