Cloud Security – The Basics
Tom Pinou, Director- Data Center Operations
While Cloud services offer flexibility and scalability with increased economies of scale, there have been equal concerns about security as more data moves from centrally located server storage to Cloud Service Providers (CSPs).
The confidentiality, availability and integrity of data are at risk if appropriate measures are not put in place prior to selecting a Cloud Security vendor or implementing your own cloud mitigation strategy. The potential for corporate, personal and private data to be compromised continues to increase.
As one moves to the Cloud, total cost of ownership, proficiencies and savings should be quantified in multiple areas such as cyclical replacement of hardware, licensing and maintenance costs. Traditional server farms can now be replaced with centrally hosted virtual servers that can be managed by a fraction of the people.
According to Gartner, the typical IT organization invests two-thirds of its budget in daily operations. Moving to the cloud will free up 35 to 50 percent of operational and infrastructure resources. As savings mount and as efficiencies increase, Cloud computing will continue to grow.
Cloud services hold several distinct advantages over traditional infrastructure, such as allowing for rapid large-scale deployment of computing resources. Organizations have different requirements, which can be met by various types of cloud services that usually fit into three broad categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Management responsibilities (shown below) vary depending upon the type of service and whether the cloud environment is hosted privately.
Cloud deployments can be public or private. While Private clouds tend to be specific to a single organization, Public Cloud offerings tend to be multi-tenant. Security concerns depend upon the service type as well as where the cloud service is deployed. Security should be a primary consideration when choosing a CSP and deployment type. Private clouds shift more of the security responsibility to the organization. With public clouds, organizations share security responsibilities with the CSP.
Public Cloud service providers are responsible for the physical security of cloud infrastructure, as well as implementing logical controls to separate customer data. Organizational administrators are usually responsible for application level security configurations such as mandatory access controls for authorization to data. Many CSPs provide cloud security configuration tools and monitoring of systems.
Primary risks to cloud infrastructures are malicious adversary activity and unintentional configuration flaws. Public cloud services use shared infrastructure which can lead to unintentional vulnerabilities. Organizations must consider what their security requirements are before deciding on a cloud service that fits their specific threat model. Using a public cloud service extends the trust boundary beyond the organization.
Misconfigured access controls in major cloud storage providers have resulted in the exposure of sensitive data to unauthorized parties. Controlling access is a key requirement when storing sensitive data. Public cloud storage providers have default access control configurations are likely to differ from the security requirements of the information being stored. Administrators must configure permissions according to the people and systems that have a need to access the data. Logging and automated systems should be used to confirm correct access control configurations, as well as maintaining data for auditing compliance with security requirements. Many CSPs provide specific tools to manage access permissions and to log unusual or unauthorized activity.
Implementing software security updates is a significant requirement for running a secure cloud environment. The responsibility of applying software updates varies depending upon the type of cloud service used and who is responsible for its management. Updates to the underlying infrastructure will be handled by the cloud service provider. However, organizations are responsible for applying security patches to services they manage themselves in the cloud. Applying security patches as soon as they are released is critical to preventing data breaches.
Multi-tenancy allows sharing common cloud resources between multiple collocated cloud customers. Depending upon the type of cloud service (IaaS, PaaS, SaaS), cloud service providers will allocate resources differently. CSPs at a bare minimum will implement logical controls to separate user data and operations, however vulnerabilities or unintentional configuration flaws could be exploited by a collocated malicious actor. Private clouds or dedicated public clouds with physical separation should be used for sensitive operations as required.
Protecting PII and other sensitive data requires encrypting data in transit as well as when stored at rest. Organizations should define a policy that identifies the sensitive data that should be encrypted and the process for doing so. Cryptographic keys used for encryption operations should be stored securely and separately from the cloud instance of the data being stored. Keys should be directly managed by the owner or by a trusted third-party. Depending upon the type of data being stored, organizations can encrypt sensitive data before transmitting it to a cloud service. Stricter policies, for example in Federal and DoD agencies, require sensitive data to also be encrypted at rest.
CLOUD SECURITY SERVICES
Cloud service providers provide threat information as well as defensive countermeasures. Customers should fully take advantage of cloud security services and supplement them with their on-premises tools to address gaps. This decision must be weighed against the costs of managing security controls in-house.
DENIAL of SERVICE
Cloud denial of service (DoS) attacks prevent users from accessing cloud services by overwhelming the cloud service provider’s resources. Mature CSP’s will employ good defenses against known attacks and quickly respond to attacks with tools to mitigate. Whenever possible, organizations should distribute redundant systems across multiple geographic regions or diverse cloud providers for high availability.
The cloud debate will continue to swirl. Smaller customers have implemented some types of security and could also get better security in the cloud, while larger customers tend to have employed security measures which is similar many aspects of the cloud.
The size of a company isn’t always the criteria – it’s their security profile which differentiates them. Typically, SMBs fall into the “reluctant” or “cannot afford” category. Whereas the industry giants like Amazon, Microsoft, Google, Salesforce, have unlimited resources. The giants know a lot about information systems and Cloud Security.
Cloud services enable powerful capabilities and enterprise flexibility; however, they introduce new risks that must be understood and addressed before procuring a CSP.
Question remains: if the giants can build great security in the cloud, then why don’t all customers move into the cloud of the giants?
Answer: because companies are solving different problems with different business Strategies, Goals and Objectives in mind; as a result, things become increasingly challenging. Also, large companies find it more difficult to deliver custom details that make it harder to prove to auditors that specific regulations are being complied with. So, while we know giant companies have the resources to secure data, they don’t always make it easy to prove it to auditors.