Demystifying Cloud Security
By Aneesh A S
Cloud security refers to the technologies, policies, applications and controls that secure cloud computing environments against insider and external cybersecurity threats.
Cloud computing can be defined as the delivery of different services through the Internet. These services include applications and tools like data storage, databases, software and networking. Cloud computing has become essential for businesses and governments for increased productivity, cost savings, performance, speed, efficiency and security.
Categories of Cloud Computing:
There are four main categories of cloud computing:
1. Public cloud services [operated by public cloud provider]
These include services such as Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS).
2. Private cloud services [operated by public cloud provider]
These services grant a computing environment which is dedicated to one customer, operated by a third party.
3. Private cloud services [operated by the internal staff]
These services are an evolution of the traditional data center, where internal staff operate a virtual environment that they control.
4. Hybrid cloud services
Private and public cloud computing configurations can be combined, hosting workloads and data based on optimizing factors such as security, cost, access and operations.
Types of Cloud Computing:
Cloud computing is a system primarily comprised of three services:
- Software-as-a-service (SaaS) involves the licensing of a software application to customers. Licenses are usually provided through a pay-as-you-go model or on-demand.
- Infrastructure-as-a-service (IaaS) involves a method for delivering services from operating systems to servers and storage through IP-based connectivity as part of an on-demand service. Clients can avoid the necessity to purchase servers or software, and instead get these resources in an outsourced, on-demand service.
- Platform-as-a-service (PaaS) is considered to be the most complex of the three layers. PaaS shares some similarities with SaaS, the main difference being that instead of delivering software online, it is a platform for creating software that is delivered through the Internet.
In all types of public cloud services, customers are responsible for securing their data and controlling who can access that data. Data security in cloud computing is crucial to successfully adopt and gain the benefits of the cloud.
Organizations considering SaaS offerings like Salesforce or Microsoft Office 365 need to plan on how they will fulfill their shared responsibility to protect data in the cloud.
Those who are considering IaaS offerings like Microsoft Azure or Amazon Web Services (AWS) need a broader plan that starts with data, but also covers cloud app security, operating systems, and virtual network traffic.
Cloud security challenges:
- Visibility into cloud data — Cloud services are accessed outside of the corporate network and from other devices that are not managed by the IT team. The IT team needs the ability to see into the cloud service itself to have full visibility over data, as opposed to the traditional means of monitoring network traffic.
- Control over cloud data — In a third-party cloud service provider’s environment, IT teams usually have less access to data than when they controlled servers and applications on their own premises. Cloud customers are given limited control by default, and access to underlying physical infrastructure is not available.
- Access to cloud data and applications — Users may access data and cloud applications over the internet, making access controls based on the traditional data center network perimeter no longer effective. User access can be from any device or location, including BYOD [Bring-Your-Own-Device] technology. In addition to this, privileged access by cloud provider personnel could bypass your own security controls.
- Compliance — Use of cloud computing services adds another dimension to regulatory and internal compliance. Your cloud environment may need to adhere to regulatory requirements such as HIPAA, PCI and Sarbanes-Oxley, as well as requirements from internal teams, partners and customers. Cloud provider infrastructure, as well as interfaces between in-house systems and the cloud, are also included in the compliance and risk management processes.
- Cloud-native breaches – Data breaches in the cloud are unlike on-premises breaches, in that data theft often occurs using native functions of the cloud. A cloud-native breach is a series of actions by an adversarial actor in which they land their attack by exploiting vulnerabilities or errors in a cloud deployment without using malware, then expand their access through weakly configured interfaces to locate valuable data, and exfiltrate that data to their own storage location.
- Misconfiguration – Cloud-native breaches often fall to a cloud customer’s responsibility for security, which includes configuration of the cloud service. Research shows that just 26% of companies can currently audit their IaaS environments to check for configuration errors. Misconfiguration of IaaS often acts as the front door to a Cloud-native breach, allowing the attacker to successfully land and then move on to expand and exfiltrate data. Research also shows almost 99% of misconfigurations go unnoticed in IaaS by the cloud customers.
- Disaster recovery – Cybersecurity planning is needed to protect against the effects of significant negative breaches. A disaster recovery plan includes policies, procedures, and tools designed to enable the recovery of data and allow an organization to continue operations and business.
- Insider threats – A rogue employee is capable of using cloud services to expose an organization to a cybersecurity breach. A recent McAfee Cloud Adoption and Risk Report revealed irregular activity indicative of insider threat in 85% of organizations.
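The configuration audit mentioned under "Misconfiguration" can be sketched as a rule check over a resource inventory. This is an added example, not code from the original article; the inventory records, their field names and the rule names are constructed for illustration, and the RFC 1918 ranges stand in for an organization's internal networks.

```python
import ipaddress

# Assumption: RFC 1918 ranges count as internal; adjust to your address plan.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE_PORTS = {22, 3389, 3306, 5432}  # SSH, RDP, MySQL, PostgreSQL

# Constructed inventory, shaped like the output of a provider's
# configuration API; every field name here is hypothetical.
INVENTORY = [
    {"id": "bucket-logs", "type": "storage_bucket", "public_read": False, "encrypted": True},
    {"id": "bucket-exports", "type": "storage_bucket", "public_read": True, "encrypted": False},
    {"id": "sg-web", "type": "firewall_rule", "port": 443, "source": "0.0.0.0/0"},
    {"id": "sg-admin", "type": "firewall_rule", "port": 22, "source": "0.0.0.0/0"},
    {"id": "sg-db", "type": "firewall_rule", "port": 5432, "source": "10.0.0.0/8"},
]

def is_internal(cidr):
    """True only if the whole source range sits inside an internal network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)

def audit(inventory):
    """Return (resource id, rule name) pairs for each configuration error."""
    findings = []
    for res in inventory:
        if res["type"] == "storage_bucket":
            if res.get("public_read"):
                findings.append((res["id"], "public-read"))
            # A missing 'encrypted' field is treated as unencrypted (fail closed).
            if not res.get("encrypted", False):
                findings.append((res["id"], "unencrypted"))
        elif res["type"] == "firewall_rule":
            # Port 443 open to the internet is expected; admin and database
            # ports reachable from outside the internal ranges are not.
            if res["port"] in SENSITIVE_PORTS and not is_internal(res["source"]):
                findings.append((res["id"], "sensitive-port-open"))
    return findings

if __name__ == "__main__":
    for rid, rule in audit(INVENTORY):
        print(f"{rid}: {rule}")
```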
Cloud security solutions
Organizations seeking cloud security solutions should consider the following in order to solve the primary cloud security challenges of control and visibility over cloud data.
1. Visibility into cloud data: A complete view of cloud data usually requires direct access to the cloud service. Cloud security solutions accomplish this through an application programming interface (API) connection through which we can view:
- What data is stored in the cloud.
- Who is using cloud data.
- Roles of users with access to cloud data.
- Who cloud users are sharing data with.
- Where cloud data is located.
- Where cloud data is being accessed and downloaded from, including from which specific device.
2. Control over cloud data — Apply the controls that best suit your organization. They include:
(a) Data classification — Classify data on multiple levels, such as public, regulated, or sensitive, as it is being created in the cloud. Once classified, data can be blocked from entering or leaving the cloud service.
(b) Data Loss Prevention (DLP) — Implement a cloud DLP solution in order to protect data from unauthorized access and automatically disable access and transport of the data when suspicious activity is detected.
(c) Collaboration controls — Manage controls within the cloud service, such as downgrading file and folder permissions for specific users to edit or view, removing permissions, and revoking shared links.
(d) Encryption — Cloud data encryption can be used to restrain unauthorized access to data.
3. Access to cloud data and applications — As with in-house security, access control is an important component of cloud security. Common controls include:
(a) User access control — Implement system and application access controls that ensure only authorized users can access cloud data and applications.
(b) Device access control — Block access when a personal, unauthorized device tries to access the cloud data.
(c) Malicious behavior identification — Detect compromised accounts and insider threats with user behavior analytics (UBA) so that malicious data exfiltration does not occur.
(d) Malware prevention — Malware can be prevented from entering cloud services using techniques such as application whitelisting, file-scanning, machine learning-based malware detection, and network traffic analysis.
(e) Privileged access — Identify all the possible forms of access that privileged accounts may have to your applications and data, and put in place controls to mitigate exposure.
4. Compliance — Existing compliance requirements and practices should be improved to include data and applications residing in the cloud.
(a) Risk assessment — Update and review risk assessments to include cloud services. Identify and address risk factors introduced by the cloud environments and providers. Risk databases for cloud providers are available to assist the assessment process.
(b) Compliance assessments — Update and review compliance assessments for PCI, HIPAA, Sarbanes-Oxley and other applicable regulatory requirements.
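The visibility question "who cloud users are sharing data with" combines with data classification (2a) and collaboration controls (2c) into a simple policy check. The following is an added example, not part of the original article; the sharing records, field names, the example.com corporate domain and the action names are all constructed for illustration.

```python
CORP_DOMAIN = "example.com"  # hypothetical corporate e-mail domain

# Constructed sharing records, shaped like what an API connection to a
# cloud storage service might report; field names are hypothetical.
FILES = [
    {"name": "press-kit.pdf", "label": "public", "link": "anyone",
     "shares": {"pr@agency.test": "view"}},
    {"name": "payroll.xlsx", "label": "regulated", "link": "anyone",
     "shares": {"hr@example.com": "edit", "cfo@example.com": "view"}},
    {"name": "roadmap.docx", "label": "sensitive", "link": "none",
     "shares": {"pm@example.com": "edit", "vendor@partner.test": "edit"}},
    {"name": "design.png", "label": "sensitive", "link": "domain",
     "shares": {"dev@example.com": "edit"}},
]

# Per classification level: may a public link exist, and what is the
# highest permission an external user may hold (None = no access)?
POLICY = {
    "public":    {"public_link": True,  "external_max": "edit"},
    "sensitive": {"public_link": False, "external_max": "view"},
    "regulated": {"public_link": False, "external_max": None},
}
RANK = {None: 0, "view": 1, "edit": 2}

def plan_actions(files, policy=POLICY):
    """Return (action, file, user) tuples that bring sharing back in policy."""
    actions = []
    for f in files:
        # Unlabelled or unknown classifications get the strictest policy.
        rule = policy.get(f.get("label"), policy["regulated"])
        if f["link"] == "anyone" and not rule["public_link"]:
            actions.append(("revoke_link", f["name"], None))
        for user, perm in sorted(f["shares"].items()):
            if user.lower().endswith("@" + CORP_DOMAIN):
                continue  # internal users are outside this check
            allowed = rule["external_max"]
            if allowed is None:
                actions.append(("remove_permission", f["name"], user))
            elif RANK[perm] > RANK[allowed]:
                actions.append(("downgrade_to_" + allowed, f["name"], user))
    return actions

if __name__ == "__main__":
    for action in plan_actions(FILES):
        print(action)
```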