Cloud Security: Considerations, Challenges and Solutions

Ashish Bansal
Aug 19, 2020


Cloud computing has been around for almost three decades, and offers obvious advantages to its users, such as cost-effectiveness and resources on demand. Regardless, many businesses continue to operate without it, indeed without any real understanding of what it is.

In this article I’d like to talk a little about cloud security — the considerations, the challenges and the potential solutions. But before we do that, we must first understand a bit more about the cloud, and why organisations might be moving there in the first place.

Source: https://www.trendmicro.com

Why organisations are moving to the cloud

Maintaining on-premises IT infrastructure is complex and expensive. Cloud service providers (CSPs), on the other hand, offer low-cost storage services, 100% up-time and resources on demand, enabling businesses to concentrate on strengthening their domain expertise.

According to Salesforce, “94% of businesses saw an improvement in security after switching to the cloud and 91% said it is easy to follow the required compliances.”

Sounds like a simple decision, doesn’t it? But to hand over complete security responsibility to CSPs is to open yourself up to potential breaches. Even after a switch to the cloud, you must consistently monitor and enhance your security to avoid data loss, leaks, hacks or damages to reputation. Companies must focus on security to reap the full benefits of cloud services, and this means prioritising the security of the CSP.

It is critical to realign your security and compliance strategy with cloud infrastructure. It’s about sharing the responsibility for security with your CSP, an arrangement known as the “shared responsibility model.” The split of responsibility differs depending on the service model (SaaS, PaaS or IaaS) and the deployment model (private, public or hybrid). The CSP must ensure that its infrastructure is completely secured, and the user must keep their own security procedures in place.

1. Compliance and regulation challenges

CSPs are running multiple servers in different geographical locations with huge infrastructure, and it can be challenging to identify how the packet flows, how different networks function together, and, ultimately, on which disk the physical data live.

Today though, the major challenge for any cloud service provider or consumer is not just securing the cloud infrastructure, but also remaining compliant with data regulations.

Cloud computing is a global solution trying to fit into what is still a very localised world. It can be tricky for an organisation to document and track required compliance, as different countries and states have their own data protection, data localisation, data sovereignty and access to information laws. GDPR, HIPAA, PCI-DSS, NIST 800–53, ISO-27001, FISMA, CLOUD Act and POPI are just a handful of examples.

2. Security challenges

Most security issues stem from cloud environments that are not properly designed or configured; they can usually be traced to either misconfigured or unmanaged cloud components.

Cloud security is a huge domain and cannot be fully explained in just a few paragraphs; however, the concepts of confidentiality, integrity and availability can help us understand the core issues at play:

Confidentiality

Confidentiality refers to the prevention of unauthorised access to CSP user data by making sure that access is limited to authorised users. This is generally accomplished through encryption and AAA (authentication, authorisation and auditing).

Encryption means complete encryption of data both at rest and in transit. Most cloud components have an inbuilt encryption option, and key management and rotation options are usually available too. You can also use a cloud-based hardware security module (HSM), which enables you to generate and use your own encryption keys.

AAA is a framework for controlling the access of resources, enforcing the required policies, auditing resource usage, and providing the required information to the relevant users. It is made up of:

Authentication: This involves strong access policies at the GUI, CLI and API levels, for example AWS IAM custom policies written in JSON.

Authorisation: Multi-factor authentication (MFA) offers an extra layer of protection on top of your username and password. Restricting user access from unusual geographic locations is another element. You should be able to identify and label the cloud resources that hold data according to the access required to perform specific tasks, and to confirm that each access originated from a legitimate source.

Accounting/Auditing: Proper auditing of usage and access logs, such as those offered by AWS Config, CloudWatch, CloudTrail and GuardDuty, is recommended.
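As an added example (not code from the article), here is a custom IAM policy of the kind described above, written as a Python dict in the JSON structure AWS expects, beside a deliberately simplified evaluator that shows how the MFA and source-location conditions decide a request. The evaluator is this example's own assumption, not AWS's engine, and the 203.0.113.0/24 range is a constructed placeholder for an organisation's egress addresses.

```python
import ipaddress

# Added example (not from the article): a custom IAM policy of the kind the article mentions,
# held as a Python dict, beside a deliberately simplified evaluator. The evaluator is this
# example's assumption, not AWS's engine: it supports only the two condition operators used
# here and the "explicit deny wins" rule. 203.0.113.0/24 is a constructed egress range.
MFA_AND_LOCATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3Read", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"},
        # Deny everything unless MFA was used; BoolIfExists also catches long-term access
        # keys, for which the aws:MultiFactorAuthPresent key is absent from the request.
        {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        # Deny everything arriving from outside the expected location (source address range)
        {"Sid": "DenyUnexpectedLocation", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
    ],
}

def _condition_holds(condition, ctx):
    """Return True when every condition in the statement matches the request context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if operator == "BoolIfExists":
                # an absent key satisfies "IfExists"; a present key must equal the wanted value
                if key in ctx and str(ctx[key]).lower() != wanted.lower():
                    return False
            elif operator == "NotIpAddress":
                addr = ipaddress.ip_address(ctx[key])
                if any(addr in ipaddress.ip_network(cidr) for cidr in wanted):
                    return False
            else:
                raise NotImplementedError(operator)
    return True

def evaluate(policy, action, ctx):
    """Simplified IAM decision: any matching Deny wins, else Allow if some Allow matches."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("*", action) for a in actions):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

With MFA present and a source address inside the range, `s3:GetObject` is allowed; a request made with plain access keys (no MFA key in the context) or from outside the range is explicitly denied, and an action no statement allows falls through to an implicit deny.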

Integrity

Integrity means maintaining the data accuracy. Integrity breaches can be avoided by using the following practices:

File permissions: Only allow authorised users to access certain files. Proper API configuration and permissions should be established for CRUD operations on storage/compute services. Role-based access control (RBAC) can also be used to limit the service capabilities based on the assigned roles.

Access control list (ACL): Further to the file permissions, ACLs can be used to define the level of required access. You should use ACLs to customise the access of particular objects, while identity and access management (IAM) can be used for setting up common access to all objects.

Data validation: CSPs use a combination of MD5 checksums and cyclic redundancy checks (CRC) to verify the accuracy and quality of data and to detect alteration or corruption. Multiple validations ensure point-to-point data integrity in transit, but an explicit end-to-end data integrity confirmation adds protection against issues that would otherwise go unnoticed.
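The following added example (not code from the article) computes the checksums named above, MD5 and a CRC, on the client before an object is sent and checks them again after it is read back, and contrasts that end-to-end check with simulated hop-by-hop validation: a single bit flipped while the data sits at an intermediate hop passes every link check and is caught only by the end-to-end comparison. Upload, storage and download are simulated in memory; no real CSP is involved.

```python
import base64
import hashlib
import zlib

# Added example, not code from the article: compute the checksums the article names (an MD5
# and a CRC) when an object leaves the client and verify them again after it is read back.
# Upload, storage and download are simulated in memory; there is no real CSP call here.

def fingerprint(data: bytes) -> dict:
    """MD5 (hex and the base64 form used by S3's Content-MD5 header) plus CRC32 of data.
    MD5 is used here purely as an integrity check, not as a security hash."""
    digest = hashlib.md5(data).digest()
    return {"md5": digest.hex(),
            "content_md5": base64.b64encode(digest).decode(),
            "crc32": zlib.crc32(data) & 0xFFFFFFFF}

def verify(data: bytes, expected: dict) -> bool:
    """End-to-end check: every value must match what the sender computed originally."""
    return fingerprint(data) == expected

def transfer_with_hop_checks(data: bytes, hops: int, corrupt_at_rest_after_hop=None) -> bytes:
    """Simulate point-to-point validation. Each hop verifies the bytes it received against
    the checksum computed by the previous hop, then recomputes a fresh checksum for the next
    link. Corruption that occurs while the data sits at a hop (simulated here as one flipped
    bit, e.g. a bad disk write) happens after that hop's check and before the next checksum
    is taken, so every link check still passes and the damage travels on unnoticed."""
    current = data
    for hop in range(hops):
        link_fp = fingerprint(current)          # checksum computed by the sending side
        assert verify(current, link_fp)         # receiving side: the link delivered it intact
        if hop == corrupt_at_rest_after_hop:
            current = current[:1] + bytes([current[1] ^ 0x01]) + current[2:]
    return current

if __name__ == "__main__":
    original = b"constructed sample object: quarterly-report.csv"
    expected = fingerprint(original)            # computed by the client before upload
    received = transfer_with_hop_checks(original, hops=3, corrupt_at_rest_after_hop=1)
    print("link checks passed, end-to-end check:", verify(received, expected))  # prints False
```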

Availability

This element is all about ensuring that cloud systems are available to the user whenever they’re required — something that CSPs, with their multiple servers spread across the globe, are good at. If site A goes down, they still have site B. This is referred to as ‘high availability and disaster recovery’ (HA and DR).

Even though HA and DR are in place, we still need to safeguard against risks like distributed denial of service (DDoS) attacks that can make resources unavailable by temporarily disrupting services. The likelihood of service disruptions can be minimised by using:

Multiple regions and availability zones: This is the process of setting up scalable cloud services and running them across different geographies or regions.

Automation and codification: Not only can automation and codification minimise downtime; when a service is disrupted, they also enable faster redeployment.

Backups: There’s always a risk of data loss, leakage or ransomware attack. Keeping multiple copies of data and backing up daily to the cloud can help you with data recovery, no matter the cause.

Non-repudiation

Non-repudiation can be confused with ‘authentication’, as both concern identifying the responsible user. However, non-repudiation relates to the legal side of the business, serving auditing purposes and establishing liability. Read more in FedRAMP NIST 800-53 Rev 4, control AU-10.

You may want to look at MITRE’s ATT&CK matrix and framework to help you map your cloud-related risk:

Source: https://attack.mitre.org/versions/v6/matrices/enterprise/cloud/

Readymade cloud security solutions

As most users will be unfamiliar with the intricacies of cloud security, the job of ensuring your systems and data stay safe can feel like an overwhelming one. Fortunately, there are readymade cloud security tools that can take the weight off your shoulders. Two of the most common are CASB and CSPM.

Let’s take a look at what they do, and how they differ.

CASB: Cloud Access Security Broker

CASB is a type of software that sits between on-premises and CSP infrastructure. It acts as both a gatekeeper and a facilitator, allowing the organisation to enforce its security policies beyond its own infrastructure.

CASB can be deployed in three ways: as a reverse proxy, as a forward proxy or in API mode. It ensures that the network traffic between the on-premises infrastructure and the CSP complies with company policy.

Some of the core features of a cloud access security broker include:

Visibility: Cloud service usage tracking, alerting, reporting and logging.

Compliance: User authentication and authorisation, enforcing regulatory requirements.

Threat protection: User behaviour analysis and malware detection.

Data security: Encryption, tokenisation and DLP policies.

CSPM: Cloud Security Posture Management

CSPM is a group of reporting tools that aims to continually adapt and improve cloud security. It is a largely automated process that helps to administer the following key security processes:

● Access identification

● Compliance policy assessment and monitoring

● Operational monitoring

● Incident response

● Risk identification and visualisation

● Asset inventory and classification

Cloud security is all about shared responsibility — both the CSP and the user have roles to play. If both are committed to doing their part, the cloud can be an exceptionally useful, and safe, business tool.

In my role as Senior Security Automation Engineer, I enjoy a spot on the frontline of cloud security and its automations, ensuring that organisations can access all the benefits of the cloud without any of the potential pitfalls.

Originally published at https://www.linkedin.com.
