Thoughts on Cloud Security Standards

Before we attempt to define cloud security, I need to explain what virtual machines and distributed computing technologies accomplish. Simply put, cloud computing comprises a set of capabilities exhibited by networked computers. These uniquely configured architectures provide services through shared resources that are managed from a central governing point and accessed through networked systems and delivery platforms such as desktops, laptops, tablets and IoT devices. The advantage of cloud computing is that it can be configured rapidly and released for service.

To date there are 98 cloud-specific security controls which can be applied to implementation-independent security control frameworks. That is another way of saying the security frameworks are flexible in their application. The disadvantage of these generic cloud security controls is that they lack the power to block emerging threats and new developmental technologies. Each component of cloud computing has been addressed separately, as in networks, virtualization, autonomic systems, Web 2.0 and more. There are general-purpose security controls applicable to each of these components. However, from what has been observed, there are multiple standards, with each standard providing incomplete security coverage.

The cloud broker or provider must secure each customer's data sets. If more computer resources are required, then these need to be scaled and secured. When resources are shared, as in cloud computing, attacks against one customer might compromise another's data. This is an internal risk, much like how an apartment on fire can affect another apartment in the same building. One customer might gain access to the service and launch an attack against another customer. Authentication and access control can be used to protect infrastructure, while cloned VMs can be used as backups should a VM go down, to allow quick resumption of service. One of the tasks that must be performed is Windows updates, which are not applied to VMs automatically and must be done manually.

Azure has something called Security Center that can actively monitor for threats and store log information. It is definitely useful, but as we see it is simply a tool that needs an operator, and it works in conjunction with AzLog and LogRhythm. It is promising technology and growth in its adoption is evident.


To catch malicious activity, a LogRhythm AI Engine rule can be created to identify and alert the security team when PowerShell runs with encoded parameters.
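The detection logic described above, sketched in Python as an added example; it is not LogRhythm AI Engine rule syntax and not code from the original article. The event field names (`host`, `user`, `image`, `command_line`) and the sample events are assumptions constructed for illustration.

```python
import base64
import binascii

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def encoded_argument(command_line):
    """Return the value given to -EncodedCommand (any shortened form), else None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        name = tok[1:].lower()
        # PowerShell accepts shortened parameter names (-e, -enc, ...) and the -ec alias.
        if name and ("encodedcommand".startswith(name) or name == "ec"):
            return tokens[i + 1].strip("\"'")
    return None

def decode_payload(b64):
    """-EncodedCommand carries Base64 of UTF-16LE text; None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def detect(events):
    """Return one alert per PowerShell process started with an encoded command."""
    alerts = []
    for ev in events:
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in POWERSHELL_IMAGES:
            continue  # e.g. cmd.exe /E:ON must not match on the switch alone
        arg = encoded_argument(ev["command_line"])
        if arg is not None:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "decoded": decode_payload(arg)})
    return alerts

# Constructed sample events (not real logs); the encoded payload is a harmless Get-Date.
_B64 = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoProfile -enc {_B64}"},
    {"host": "ws02", "user": "bob", "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": rf'"C:\Program Files\PowerShell\7\pwsh.exe" -EncodedCommand {_B64}'},
    {"host": "ws03", "user": "carol", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"host": "ws04", "user": "dave", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /E:ON /c dir"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Including the decoded command in the alert lets the analyst triage without decoding the Base64 by hand.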


The added protection of encrypting the data in your VM should be a priority. When there is a large network to access, the built-in security of IoT devices can become important. Normally they don't have built-in safeguards where they should, especially since those devices access the network or cloud in a more continuous fashion without as much user intervention. Much of the discussion around cloud security addresses the types of controls that are applied to individual resources, and unfortunately this is inadequate: resources do not work in isolation, they work in tandem, which can present additional security challenges. The current approach is one of a checklist mentality where controls are matched to vulnerabilities. Much responsibility can be laid upon the employee when vulnerabilities are discovered but not acted upon and important updates are not applied. That explains the value of diligence.

With phishing being a relevant attack vector, current research is identifying a problem with insider threats. The standards, with their different missing controls, provide inconsistent and inadequate coverage to protect against all attacks.

Indeed, each of the security frameworks has different security holes that need to be addressed. The BCR-10 control omitted in the C5 framework can lead to the possibility of insider threats and misconfigurations going unchecked. FedRAMP has two important security controls missing that could prevent insider channel attacks. Side-channel attacks are when shared resources are used to leverage attacks against other tenants. The DSI-02 control can be used to ensure attackers are not farming out information that is being processed by other users. The possible reason this control might be relaxed is to create a flexible environment for programming and development. I only mention FedRAMP controls because this is based on the prevailing security environment that applies today. With proper application of FedRAMP control policies, this could in my opinion block many attempted breaches before they occur.

The will to implement the necessary controls needs to exist, along with the acknowledgement that the cost is worth the gain of maintaining a safe repository of tools, applications and data that the customer or client has ready access to. What we have to realize is that it isn't only the outside that is a risk, but the inside also.


Is it the latest one you did?


Wow! A computer wiz.. congrats, Rich!
