A Guide To Securing Data In The Cloud For PaaS, SaaS & IaaS
The InfoSec Consulting Series #28
By Jay Pope
As more and more Organisations migrate their systems and sensitive data to the cloud, securing data in the cloud is becoming an ever-increasing challenge for everyone in the Organisation’s IT change function and its CISO department. This article discusses some of the problems that should be considered, along with some tips for improvement plans.
In some organisations there’s a perception that Cloud Transformation Programs can do away with security and be led by business stakeholders with a cursory security light touch that ticks their box. This attitude creates an imbalance between the business and security. It is often characterised by: a ‘box ticking culture’, no coherent risk management, late security engagement, improper (or completely absent) enterprise architecture planning, random product procurement, zero accountability of business stakeholders, and delivery-focused project managers. Apart from driving a significant technical debt problem that increases suppliers’ costs, these issues will also help set the perfect conditions for a headlining security breach.
Consult with Security at the ‘Concept Phase’
Another issue is that cloud systems are not all the same, and a lack of security engagement at the ‘Concept’ phase usually results in Businesses being committed to a problematic technical direction or product from the outset. The general models are software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). The requirements and responsibility models for securing data in the cloud differ distinctly depending on the cloud usage model. Consultation with a Security Architect at the Concept Phase will help identify the appropriate model for the business and security requirement. Just a half hour consultation could avoid being committed to a SaaS solution for 5 years when what was needed was PaaS.
The Cloud Responsibility Models
SaaS is all about access to applications from the cloud. Securing data in the cloud here involves ensuring that the right people have access to applications and perhaps that they are restricted to access from certain locations at certain times.
PaaS offers more flexibility and control when it comes to securing data in the cloud, such as shared storage and the restrictions and access control that can be applied. Security here should focus on keeping data safe using techniques including encryption and segregation, on guarding against system outages, and on regulatory and compliance requirements.
IaaS is about managing virtual machines and having a framework in place to govern them effectively. Security needs to cover how they can be created and removed and how access to them can be controlled.
Before procuring any of these services, it’s important to ensure that the security responsibility models are well understood by the delivery team and that proposed SaaS solutions are subjected to a comprehensive security and data privacy evaluation to ensure that regulatory and other compliance requirements can be satisfied.
As mentioned earlier, public cloud environments such as Amazon Web Services (AWS) are sometimes seen as removing responsibility for security from the business. But maintaining AWS Security brings its own challenges. This generally requires a cloud responsibility model to define security responsibilities, and once this is understood, a comprehensive set of security configuration guides, auditing and monitoring integration, architectural patterns and good practices needs to be approved and supervised by an appropriately scaled security team, preferably within the Product Team. The security team should also improve the current security standards, as well as maintain them, and should be looking to resolve any esoteric security flaws that may be concealing potentially critical vulnerabilities in the information systems.
While the cloud provider may take responsibility for securing the software and hardware of the cloud system, the cloud responsibility model dictates that the customer is still responsible for securing data in the cloud. Of course, some organisations will be using a hybrid approach, mixing public and private clouds or using a mix of different public cloud providers. This requires a multi-cloud security approach to ensure that whatever the platform, it is properly secured and remains compliant.
Increasingly, cloud usage involves containerisation using Kubernetes or similar. Containers allow the separation of applications from the platforms on which they run. This means that they can be deployed easily and moved between machines or cloud providers with minimal disruption. This is in many ways an extension of the virtual machines principle, but containers go further by allowing an application and all its dependencies and libraries to be packaged together. There are significant benefits of cloud containers in DevOps environments too. They are lightweight, allow applications to boot faster and give a consistency that is ideal for development use. It also becomes easy to move from development to test to production.
Preparing For Security
The key to securing data in the cloud is that it should be considered from the outset, rather than bolted on later. The first thing is to understand who owns the security – who is accountable? What is the provider’s responsibility and what is yours? Never assume that the other party is doing something only to find out that you should have been; this can leave you seriously exposed when problems arise. The second is to ensure that you have visibility across all cloud workloads. Without this, security becomes far more difficult to enforce. You should work with your chosen cloud provider to build in security at every stage to ensure that your data is safe if an attack should occur at any level.
If you are dealing with sensitive information such as personal details, it is vital to check the ‘privacy by design’ aspects and protect it in line with any laws that govern its use. Sending personal sensitive and special category data to the cloud may constitute transferring to a third party, for example. It is increasingly common to use encryption for this type of data and any system you put in place should ensure that the data gets encrypted automatically before it gets sent to the cloud. It’s also essential to document data mapping and maintain an audit trail so that you can track what data is where.
Where employees are using SaaS applications, it is vital that they can access them securely. Many businesses are now choosing to move away from passwords as these create their own problems and may be compromised due to poor practices. Use of single sign-on (SSO) technology can allow people to access all the systems they need, whether locally or in the cloud, using a single password or biometric security solution.
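As an added illustration (not part of the original article), the Go sketch below encrypts a record on the client before upload and produces a data-map entry for the audit trail. It goes one step beyond the text by binding the destination path into the ciphertext, so a blob copied to another location fails to decrypt. The names SealForUpload, OpenFromCloud and AuditEntry, the object paths and the all-zero demo key are assumptions; a real key would come from a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AuditEntry is one row of the data map: what went where, never plaintext.
type AuditEntry struct{ Destination, Category, BlobSHA256 string }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForUpload encrypts client-side and binds dest in as associated data.
func SealForUpload(key, plaintext []byte, dest, category string) ([]byte, AuditEntry, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, AuditEntry{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, AuditEntry{}, err
	}
	blob := gcm.Seal(nonce, nonce, plaintext, []byte(dest)) // nonce||ciphertext||tag
	return blob, AuditEntry{dest, category, fmt.Sprintf("%x", sha256.Sum256(blob))}, nil
}

// OpenFromCloud decrypts only if dest matches the location used at upload.
func OpenFromCloud(key, blob []byte, dest string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(dest))
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key, never use in practice
	blob, entry, _ := SealForUpload(key, []byte("name=Jane Doe"), "hr/records/0001", "personal")
	_, err := OpenFromCloud(key, blob, "public/0001") // blob moved elsewhere
	fmt.Println(entry.Destination, entry.BlobSHA256[:8], "moved blob rejected:", err != nil)
}
```

The audit entry holds only the destination, the classification label and a hash of the sealed blob, so the data map itself can be stored without exposing the record.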
Although cloud service providers offer their own levels of service monitoring, businesses should always consider implementing their own governance regime. This is particularly important if you are using multiple providers. Some Organisations use a cloud broker service that allows all of the systems to be accessed via a single portal. It’s also vital to ensure your APIs that enable access between systems are robust and regularly tested. If these fall into the wrong hands, they can lead to a serious breach.
Securing cloud systems is a major challenge. IT departments must decide whether to use an off-the-peg brokerage solution, or put together a bespoke alternative. Ultimately, the needs of the business will dictate the solution – whether it’s appropriate or not depends on the personalities and competencies in your Organisation.