How to think about Security in Cloud
How secure are IT assets in Cloud? In a hypothetical world, if I got one euro each time I answered this question, my Christmas holiday this year would be somewhere with a Caribbean view. Back at my everyday desk, let me begin my answer with a non-Cloud example.
Let us assume you have a million euros with you. Do you think your money is safer with you, or at the bank? If you are the pragmatic kind, the latter is the de facto choice. This scenario is not very different from keeping our IT assets in Cloud, because security in Cloud is inherent to the platform. What needs to be understood is the scope of responsibility, and what shared ownership implies. Back to our bank story: it is like explaining to your grandma that the bank cannot be blamed for fraudulent transactions if her choice of passcode was ‘1234’. Similar, just a tad more thought-through.
Physical Security
Cloud providers address Physical security on several levels.
Personnel access to data centers is highly restricted, with strict guidelines that apply even to the provider's own staff.
When a system reaches its end of life, industry-compliant wiping of data-bearing devices and stringent equipment disposal procedures are employed.
An array of national, regional and domain-wide compliance certifications is in place for most Cloud players, and the list grows every year as the Cloud customer base widens. As of 2019, both AWS and Azure have 50+ credentials to their name, with GCP quickly catching up on this count.
Infrastructure Security
Infrastructure security in Cloud covers:
- Hosts, the machines that run servers, store data or run cloud-native code
- Network, the layer that connects components within a Cloud and the Cloud to the rest of the world
- Applications, which may run in Cloud-hosted containers (Kubernetes, for example) or natively on Cloud services (serverless functions, orchestration services such as queues and events).
Hosts
Technical considerations such as High Availability, Disaster Recovery and Backup are handled within a geographic boundary through support for multiple data centers, and different levels of availability sets within each data center. This can be cascaded beyond a country or even a continent if your use case permits. For example, choosing a SaaS provider with a local data center for an HR application may help you meet the personal-data compliance requirements that a specific country mandates.
Network
For a Cloud player, Network security has three main aspects.
Protection of public-facing web servers deployed on Cloud against DDoS (distributed denial of service) attacks is supported by most players, e.g. Cloud Armor in GCP.
Encryption of data in transit is likewise a transport standard most services support.
Network on Cloud needs a high-level layout and decisions about the artifacts that enable it. This includes decisions about the overall network topology, e.g. choosing between a dedicated tunnel between the Cloud provider and on-premise systems and a gateway for on-premise-to-Cloud traffic. Private, enterprise-specific deployments of public cloud services are available too, e.g. Azure Stack.
Application
With stringent authentication methods and straightforward monitoring mechanisms to couple applications with, cyberthreat detection and notification of administrators can be made near real time in Cloud. Microsoft Cloud App Security is one such Cloud Access Security Broker, covering several Azure cloud services.
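The near-real-time detection and notification described above, as an added example that is not part of the original article and not any provider's own service: a small detector run over constructed audit log lines (the log format, user names, IP addresses and the `ops-admin` role are all assumptions for the example). It flags a burst of failed logins, a success that follows such a burst, and an IAM change made by a non-administrator, and hands the alerts to a notification hook.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not any cloud provider's real format).
SAMPLE_LOG = """\
2019-11-02T10:00:01Z user=alice action=login result=failure src=203.0.113.5
2019-11-02T10:00:03Z user=alice action=login result=failure src=203.0.113.5
2019-11-02T10:00:05Z user=alice action=login result=failure src=203.0.113.5
2019-11-02T10:00:07Z user=alice action=login result=failure src=203.0.113.5
2019-11-02T10:00:09Z user=alice action=login result=failure src=203.0.113.5
2019-11-02T10:00:12Z user=alice action=login result=success src=203.0.113.5
2019-11-02T10:05:00Z user=bob action=iam.role.assign result=success src=198.51.100.7
2019-11-02T10:06:00Z user=carol action=login result=failure src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped, not trusted."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect(events, admins=frozenset({"ops-admin"}), threshold=5,
           window=timedelta(minutes=1)):
    """Return alert strings for three simple rules evaluated in event order."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    for e in events:
        user, action, result = e["user"], e["action"], e["result"]
        if action == "login" and result == "failure":
            recent = failures[user]
            recent.append(e["ts"])
            # keep only failures inside the sliding window
            while recent and e["ts"] - recent[0] > window:
                recent.pop(0)
            if len(recent) == threshold:
                alerts.append(f"brute-force: {threshold} failed logins for {user} "
                              f"within {window}")
        elif action == "login" and result == "success":
            if len(failures.get(user, [])) >= threshold:
                alerts.append(f"success-after-failures: {user} from {e['src']}")
        # IAM changes by anyone outside the admin set are always reported
        if action.startswith("iam.") and user not in admins:
            alerts.append(f"privilege-change by non-admin: {user} {action}")
    return alerts


def notify(alerts):
    """Stand-in for the administrator notification channel (prints to stdout)."""
    for a in alerts:
        print("ALERT:", a)
    return len(alerts)


if __name__ == "__main__":
    notify(detect(parse(SAMPLE_LOG)))
```

The rules are deliberately order-dependent: a success is only suspicious if the failures preceded it, which is why the detector consumes events as a stream rather than counting totals afterwards.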
Client End point protection
Client end point protection is a weak link in Cloud security.
Be it a workstation, a hand-held, an IoT-enabled device or a browser interface, the list of components that the end user uses to interact with the application of choice is extensive. This makes management and monitoring of endpoint access and behavior crucial to ensure protection.
While Cloud providers have native services that put many of these in place (automatic patching of servers for a PaaS solution and virtualized browsers for SaaS products are some examples), uber-players in the Security world (Symantec, for example) provide custom services tailored to popular cloud providers, to ensure that the customer’s Cloud landscape is safe from the risks that open client endpoints bring along.
Identity and Access Management
Identity and Access Management is a mapping of ‘who’ can do ‘what’ on ‘which’ IT assets.
Resources, i.e. servers, network, databases, services and applications, and people, i.e. administrators, developers, support staff and end users, are created in Cloud independently of one another.
The key to successful Cloud usage is defining the degree of control that each authorized person has on each provisioned resource.
Almost all Cloud providers support role-based access control. Enterprises should map their existing roles to the future Cloud roles in order to cascade the existing model to Cloud. Once one such user is successfully established with a role (or privilege group) and sanity-checked, there are straightforward means to replicate it for other users of the group.
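The ‘who’, ‘what’, ‘which’ mapping and the role-cascading step above, as an added example that is not from the article and not any provider's IAM API: a deny-by-default evaluator with enterprise roles mapped onto constructed cloud roles, plus the replicate-from-a-checked-user step. Every role, user, action and resource name here is an assumption made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Permission:
    action: str    # e.g. "storage:read"; '*' wildcards allowed
    resource: str  # e.g. "storage/hr-payroll/*"


# Cloud-side roles (constructed names, not any provider's built-in roles).
CLOUD_ROLES = {
    "storage-viewer": frozenset({Permission("storage:read", "storage/*")}),
    "storage-admin":  frozenset({Permission("storage:*", "storage/*")}),
    "vm-operator":    frozenset({Permission("compute:start", "compute/*"),
                                 Permission("compute:stop", "compute/*")}),
}

# Enterprise role -> cloud roles: the mapping that cascades the existing model.
ENTERPRISE_TO_CLOUD = {
    "hr-analyst":   ("storage-viewer",),
    "platform-ops": ("vm-operator", "storage-admin"),
}


class AccessModel:
    """Who holds which cloud roles, and whether a (who, what, which) request is allowed."""

    def __init__(self):
        self.assignments = {}  # user -> set of cloud role names

    def assign_enterprise_role(self, user, enterprise_role):
        # An unmapped enterprise role raises KeyError: fail closed rather than guess.
        cloud_roles = ENTERPRISE_TO_CLOUD[enterprise_role]
        self.assignments.setdefault(user, set()).update(cloud_roles)

    def replicate_from(self, template_user, new_users):
        """Copy a sanity-checked user's role set to the other members of the group."""
        roles = set(self.assignments[template_user])
        for u in new_users:
            self.assignments[u] = set(roles)

    def effective_permissions(self, user):
        return {p for role in self.assignments.get(user, ()) for p in CLOUD_ROLES[role]}

    def is_allowed(self, user, action, resource):
        """Deny by default: only an explicit matching grant returns True."""
        for p in self.effective_permissions(user):
            if fnmatchcase(action, p.action) and fnmatchcase(resource, p.resource):
                return True
        return False


if __name__ == "__main__":
    model = AccessModel()
    model.assign_enterprise_role("alice", "hr-analyst")
    model.replicate_from("alice", ["bob", "carol"])
    for req in [("alice", "storage:read", "storage/hr-payroll/2019.csv"),
                ("bob", "storage:delete", "storage/hr-payroll/2019.csv")]:
        print(req, "->", "allow" if model.is_allowed(*req) else "deny")
```

Replicating from a template user keeps the group consistent, but `effective_permissions` is the thing to review before replicating: once copied, any excess grant on the template is multiplied across the group.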
Data - Classification and Accountability
This stack layer remains the customer’s responsibility in Cloud, and therefore needs focused effort when deciding on a Cloud provider and designing the Cloud architecture.
Data Classification
Depending on your level of service, the Cloud provider must be capable of accurately categorizing data into classes such as Confidential, Sensitive and Public. For IaaS, this means support for data classification through features like resource tagging, and compliance with respect to data center locations. For PaaS, data classification at the application level should be a realistic outcome, e.g. a microservices-driven approach where the data layer is siloed per microservice instead of being tightly tied to the whole middle layer. For SaaS, the application should be natively architected to enforce role-based access to data. Amazon Macie, for example, is a relatively fresh machine-learning-powered security service to discover, classify and protect sensitive data in your data assets on AWS.
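The IaaS case above, classification via resource tags plus a data-center-location rule, as an added example that is not from the article and not any provider's tagging scheme: an inventory audit that reads a `data-classification` tag, fails closed to Confidential when the tag is missing or unrecognised, and reports resources whose region or encryption setting violates the policy for their class. The tag keys, region names, policy and sample inventory are all constructed for the example.

```python
from dataclasses import dataclass

CLASSIFICATIONS = ("public", "sensitive", "confidential")

# Constructed policy: allowed regions (None = anywhere) and encryption per class.
POLICY = {
    "public":       {"regions": None, "encrypted": False},
    "sensitive":    {"regions": {"eu-west", "eu-central"}, "encrypted": True},
    "confidential": {"regions": {"eu-central"}, "encrypted": True},
}


@dataclass
class Resource:
    name: str
    region: str
    tags: dict


def classify(resource):
    """Classification from the tag; missing or unknown values are treated as confidential."""
    value = resource.tags.get("data-classification", "").lower()
    return value if value in CLASSIFICATIONS else "confidential"


def check_resource(resource):
    """Return the list of policy violations for one resource (empty when compliant)."""
    cls = classify(resource)
    rule = POLICY[cls]
    problems = []
    if "data-classification" not in resource.tags:
        problems.append("missing data-classification tag (treated as confidential)")
    if rule["regions"] is not None and resource.region not in rule["regions"]:
        problems.append(f"{cls} data in disallowed region {resource.region}")
    if rule["encrypted"] and resource.tags.get("encrypted") != "true":
        problems.append(f"{cls} data not encrypted at rest")
    return problems


def audit(resources):
    """Map resource name -> violations, listing only non-compliant resources."""
    report = {}
    for r in resources:
        problems = check_resource(r)
        if problems:
            report[r.name] = problems
    return report


# Constructed inventory, as a cloud asset listing might be exported.
SAMPLE_INVENTORY = [
    Resource("hr-payroll-bucket", "eu-central",
             {"data-classification": "confidential", "encrypted": "true"}),
    Resource("marketing-site", "us-east", {"data-classification": "public"}),
    Resource("customer-db-snapshot", "us-east",
             {"data-classification": "sensitive", "encrypted": "true"}),
    Resource("legacy-export", "eu-west", {}),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_INVENTORY).items():
        print(name)
        for p in problems:
            print("  -", p)
```

Treating an untagged resource as Confidential is the safe default: an inventory that classifies by tag alone will otherwise silently exempt exactly the assets nobody has looked at yet.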
Data Accountability
Depending on the scale of the product (global or country-siloed) and the domain (health data, for example), the ownership, sensitivity, retention and protection guidelines vary greatly and are important factors to consider early in the Cloud journey.
Final Words
Security in Cloud is a consequential consideration of your Cloud transformation, and it is imperative to put appropriate governance in place so that security is not compromised. Starting early can help align ways of working within an enterprise towards a secure Cloud landscape.
Data residency laws and geo-political issues are other impediments against cloud, I guess, e.g. imagine all of Huawei was on Google cloud and then the US govt banned them... :)