One of the most frequent topics our clients talk to us about is how to secure data in the cloud. As more organisations look to the cloud for their information and applications, we often see that business management and security professionals each hold different opinions about cloud security:
- Management often erroneously believes that cloud relieves them of risk and responsibilities.
- Security professionals realize that cloud actually makes their job more complex since they have to manage security across physical, geographical and organisational boundaries.
Let's be clear: you always retain the risk of your information being lost or stolen, whether it's in the cloud or on-premises. Using "The Cloud" just means you're choosing to host your data on someone else's system. If your customer information gets stolen, your customers are not going to find it acceptable if you just blame your provider's lack of security. They will want evidence that you performed appropriate due diligence. Cloud just changes who is responsible for the individual security controls – you still need to be accountable that the appropriate controls are in place and being operated correctly. In some cases, you will be responsible for the control; in some cases, the cloud provider will be responsible; in other cases, you will share the responsibility.
How do you decide who is responsible for what? There's no easy answer to that – every cloud situation is different, and part of the due diligence process is identifying the appropriate controls for your particular need and working with the cloud provider to ensure your needs are being met. Broadly, the split of security control responsibility will vary depending on the cloud model being used:
- Infrastructure-as-a-Service (IaaS): The provider is responsible for securing the data centre, physical infrastructure and network hosting the virtualised environment. You are responsible for the design and implementation of your virtual network, the servers hosted on it, plus any applications and data.
- Platform-as-a-Service (PaaS): Same as above, except the cloud service provider (CSP) also takes on responsibility for the security of the network and servers that provide the platform.
- Software-as-a-Service (SaaS): The CSP is responsible for the whole application stack, including the application, servers, network and physical infrastructure. You often retain responsibility for the security of the data (e.g. through encryption).
The CSP will always be responsible for the physical security of its infrastructure and the security of its staff, but generally things like Access Management, Incident Management, Disaster Recovery and Encryption will be shared responsibilities, so it's important to figure out in advance which parts of those aspects you will secure and which parts your CSP will secure. While a broad, holistic approach is required for cloud security, there are a number of common elements below that should be considered for most cloud deployments.
The first step in working with a CSP is making sure it is capable of protecting your data. You should ask your CSP for copies of its audit reports and consider auditing the CSP yourself to ensure that proper security measures are always in place. Ideally, the CSP should have some security certifications, follow security guidelines and inform you about the exact security measures that it takes. Reputable CSPs will have undergone external security assessments and will have one or more certifications, such as ISO 27001 or the Cloud Security Alliance Security, Trust & Assurance Registry (CSA STAR) Certification.
To ensure you and your CSPs are clear about which of you is going to handle which particular security duties, roles and responsibilities should be clearly documented in a RACI (Responsible, Accountable, Consulted, Informed) matrix. Make sure your CSP is willing and able to do the things you need it to do. Make sure your contract states the CSP's security duties and that you may audit the company to ensure it is honouring the agreement. Most CSPs are used to hosting customers who want to inspect the security of their facilities. The frequency of audits should be based on risk and resources. A small CSP providing bespoke services probably has not been rigorously vetted by multiple customers, so you should invest in auditing the company at least annually. A well-known large CSP probably undergoes regular external audits by one or more certification bodies, as well as audits by its own customers.
Communication between you and your CSP is vital to ensure effective ongoing security. Make sure that your CSP will provide timely information to you and that you have effective processes in place to collect this information and use it accordingly. Your CSP should notify you of security incidents that may affect your data and of planned changes that may affect the availability of your systems. All of this should be stated in your contract.
Visibility (or Lack Thereof)
When your data is held in the cloud, you often have very little visibility into what goes on in that environment. Logging and monitoring are restricted to the logs that the CSP makes available to you. SecureWorks has seen several examples of customers being faced with hefty invoices to get access to critical logs in the midst of a major security incident. It's important that your contract states which logs you require access to so that there are no issues when you really need them, such as when you are conducting a forensic investigation.
Geography should be a big consideration when analysing cloud security. Although it's nice to think of the cloud as an abstract entity, the reality is that your data is sitting on a server somewhere in the world. Make sure you know where your data is and the legal ramifications of that. Data protection authorities can impose financial penalties on organisations that violate their restrictions on where personal information can be stored. If your data is subject to any of these restrictions, make sure your CSP guarantees it will be held only in one or more locations that have been approved by you.
Encryption is a key security control in all cloud environments. All traffic to and from the cloud provider should be encrypted. Data at rest should be encrypted if possible – ideally with encryption keys that only your organisation has access to. That way, if a rogue CSP employee accesses your systems, or the CSP physically loses a server backup, whoever obtains the data cannot read it. For some CSPs it is not technically possible to encrypt the data while you keep the keys, because the CSP may need the keys to read and process the data, so always explore what is possible with the CSP. If you're using a SaaS provider's Web app to store sensitive data, such as an HR system with employee data, you probably have no control over whether it's encrypted on the backend or not. Even if the SaaS provider offers an option to encrypt the data at rest, you have no choice but to let the CSP keep the encryption key, since otherwise it cannot read or process the data.
An area often overlooked by confidentiality-focused security professionals, but one that is important for the availability of business services, is lock-in. If your CSP goes bankrupt, or changes the service in a way you're not comfortable with, do you have a plan and the technical means to extract your information from the service to use elsewhere? You should have some technical means to extract data somewhere else if required, such as to a spreadsheet or to an API you can call from another application. Or, perhaps you can export your virtual machines in a standard reusable format. Plan in advance how you will be able to recover your data.
In a public cloud environment, which is internet-accessible, access control is very important. How do you provision new users, and remove access when no longer required? Can you use identity federation to manage authentication and authorization centrally? Often customers forget to deprovision ex-employees from cloud services, which allows them to continue to access your company's sensitive information.
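The deprovisioning gap described above is easy to check for mechanically by reconciling the HR roster (the source of truth for who still works for you) against a user export from each cloud service. The following is an added illustration, not SecureWorks code or any provider's API; the roster, the user export and their field names (`status`, `left_on`, `enabled`, `last_login`) are constructed assumptions about what such exports contain.

```python
"""Access review for a SaaS tenant: find accounts that should have been
deprovisioned. Constructed sample data; field names are assumptions."""
from datetime import date, datetime, timedelta

# Constructed HR roster: the identity source of truth. Status "left" means
# the person no longer works for the organisation.
HR_ROSTER = {
    "alice@example.com": {"status": "active"},
    "bob@example.com": {"status": "left", "left_on": "2024-01-15"},
    "carol@example.com": {"status": "active"},
}

# Constructed export of accounts from a SaaS provider's admin console.
SAAS_USERS = [
    {"email": "alice@example.com", "enabled": True, "last_login": "2024-03-01"},
    {"email": "bob@example.com", "enabled": True, "last_login": "2024-02-20"},
    {"email": "carol@example.com", "enabled": True, "last_login": "2023-06-10"},
    {"email": "contractor@partner.example", "enabled": True, "last_login": "2024-02-28"},
    {"email": "dave@example.com", "enabled": False, "last_login": "2023-12-01"},
]


def _to_date(s):
    return datetime.strptime(s, "%Y-%m-%d").date()


def review_accounts(hr_roster, saas_users, today, stale_days=90):
    """Return (email, reason) findings for enabled SaaS accounts that belong
    to leavers, are unknown to HR, or have not been used for stale_days."""
    findings = []
    for user in saas_users:
        if not user["enabled"]:
            continue  # already disabled; nothing left to deprovision
        email, last = user["email"], _to_date(user["last_login"])
        person = hr_roster.get(email)
        if person is None:
            findings.append((email, "not in HR roster"))
        elif person["status"] != "active":
            reason = "employee left on %s" % person["left_on"]
            if last > _to_date(person["left_on"]):
                reason += " but logged in on %s" % user["last_login"]
            findings.append((email, reason))
        if today - last > timedelta(days=stale_days):
            findings.append((email, "no login for %d days" % (today - last).days))
    return findings


def run_review():
    """Run the review against the constructed data as of 2024-03-05."""
    return review_accounts(HR_ROSTER, SAAS_USERS, date(2024, 3, 5))


if __name__ == "__main__":
    for email, reason in run_review():
        print("DEPROVISION?", email, "-", reason)
```

The leaver who has kept logging in after their leaving date is exactly the case the paragraph warns about; the stale-account check catches accounts nobody has noticed are no longer needed.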
Security of Management Interfaces
CSP management interfaces/hypervisors can be extremely powerful and valuable to an attacker, particularly if they're Internet accessible. Ensure these interfaces are locked down. Enforce two-factor authentication and use IP whitelisting if possible to restrict access to users visiting from your corporate IP addresses.
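Whether the two controls named above (two-factor authentication and restriction to corporate IP addresses) are actually being enforced can be verified from the management console's sign-in log. The following is an added illustration, not SecureWorks code; the log line format and the corporate address ranges are constructed placeholders, not any real provider's audit-log schema or anyone's real ranges.

```python
"""Review console sign-in events for missing MFA and for source addresses
outside the corporate ranges. Constructed log format and sample data."""
import ipaddress

# Assumed corporate egress ranges (placeholders; substitute your own).
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")]

# Constructed sample events: time, user, source IP, MFA used, result.
SAMPLE_LOG = """\
2024-03-05T08:01:12Z alice@example.com 203.0.113.10 mfa=yes result=success
2024-03-05T08:05:44Z bob@example.com 198.51.100.200 mfa=yes result=success
2024-03-05T09:17:03Z admin@example.com 192.0.2.77 mfa=no result=success
2024-03-05T09:20:30Z carol@example.com 203.0.113.55 mfa=no result=success
2024-03-05T10:02:09Z mallory@example.com 192.0.2.78 mfa=no result=failure
"""


def parse_event(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, user, ip, mfa, result = line.split()
    return {"time": ts, "user": user, "ip": ipaddress.ip_address(ip),
            "mfa": mfa == "mfa=yes", "success": result == "result=success"}


def is_corporate(ip):
    """True if the address falls inside one of the corporate ranges."""
    return any(ip in net for net in CORPORATE_RANGES)


def review_signins(log_text):
    """Return (user, ip, reason) findings for successful sign-ins that
    violate either control. Failed attempts are skipped: only a successful
    sign-in shows whether the control was actually bypassed."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev["success"]:
            continue
        if not ev["mfa"]:
            findings.append((ev["user"], str(ev["ip"]), "no MFA"))
        if not is_corporate(ev["ip"]):
            findings.append((ev["user"], str(ev["ip"]), "outside corporate ranges"))
    return findings


if __name__ == "__main__":
    for user, ip, reason in review_signins(SAMPLE_LOG):
        print("CONTROL GAP:", user, ip, reason)
```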
Security in the cloud can be complex, but it's not too different from securing information on your own premises. However, there's added complexity since your organisation does not have total control or visibility of your data. Working with the right security partner can help you navigate through the cloud.