Stay Tuned and Subscribe For Updates
The objectives of cyber security for using cloud services are the same as those for other ways that IT services are delivered:
The approaches to cyber security around cloud services are set out in various standards.
However, the responsibilities for the different aspects and the processes involved are shared between the cloud tenant and the CSP (Cloud service provider).
In today’s hybrid IT where some services are delivered through the cloud and some are delivered in other ways – on premises, at the edge and via hosting – this shared responsibility can cause confusion.
This confusion can lead to security weaknesses and provide opportunities for the cyber adversaries as well as leading to failure to comply with regulatory compliance obligations.
When using cloud services there are two major security considerations:
There are three different models for the kind of cloud services provided and these can be thought of as layers, each providing more business-oriented functionality.
The lowest layer IaaS (Infrastructure as a Service) provides basic computing capabilities.
PaaS (Platform as a Service) provides the tools and middleware needed to build and deploy business application as managed services.
SaaS (Software as a Service) delivers applications ready for the business to use without the need to install, run and manage them.
One important point to note from the diagram is that the tenant is always responsible for access to their data and the services that they use.
There are 4 ways in which these services can be deployed.
Organizations typically, use multiple cloud services from different CSPs including office productivity tools, a CRM system as well as IaaS for test and development.
At the same time legacy applications and business critical data remain on premises or in managed hosting.
This hybrid multi-cloud environment creates significant challenges relating to the governance, management, security, and compliance of the whole system.
What is needed is a consistent approach with common processes supported by a single platform that provides all the necessary functions across all the various components involved in delivering all the services.
A blueprint for a hybrid IT security architecture provides this.
As previously described, there are six distinct planes in the IT service delivery stack.
For cloud services some of these planes correspond with the service model (IaaS, PaaS, and SaaS). These all need to be managed and secured for all services.
However, the responsibility for managing each plane is split between the tenant and the CSP in a way that depends upon how the service is delivered.
This division of responsibility is illustrated in the figure above. It is important to note that the tenant is always responsible for managing access to the service and the data it contains.
The app on the end user’s mobile device is the visible tip of the digital iceberg.
This app has to be supported by data and systems that to allow it to offer a useful service.
To offer an item for sale needs a database of what items are available, their prices and where they are located.
When an item is put in the bag and purchased the systems need to create workflows for it to be picked, packed, and dispatched.
For the purchase to be completed a financial transaction must take place involving payment card processing as well as tax and accounting processes.
All of this takes place in the datacentres providing the IT services behind the app.
These datacentres need power and cooling together with network access and strong physical security.
The applications need servers and storage devices to be acquired, installed, and set up.
The software and middleware required by the application must be installed and configured.
All of this needs to be secured, updated, and maintained.
At the end of life, these assets need to be decommissioned and disposed of.
These are significant tasks needing a high level of skill, and the benefits of using a cloud service are that many of these tasks are outsourced to the CSP.
While many applications are now essential to the organization the costs of running them in house are too high and the skills needed are too rare especially for smaller organizations.
On the other hand, CSPs have the benefits of scale that allow them to reduce costs and keep the skilled personnel needed.
During the 1990s many organizations acquired software that became shelf-ware that was never put into production because its deployment was too complex.
SaaS offers an attractive solution to this where the tenant buys a working application that is ready to go from day one.
The tenant does not need to acquire, deploy, or maintain the software or the infrastructure and costs move from capital expenditure to operational costs in terms of a subscription based on what is used.
The start up with an idea for a new service or product can obtain the infrastructure needed to develop this idea without the need to obtain large amounts of venture capital to fund the infrastructure needed.
It can use a credit card to buy what is needed to develop and try out the idea in the knowledge that if it takes off, capacity can easily be added as needed and paid for by success.
Organizations can use cloud services to accelerate their digital transformation in a way that is similar to the start up.
They can experiment with new business ideas and new approaches to software development without the need for procurement delays and capital expenditure.
However, the challenge often remains of integrating the new with the old.
Many organizations have legacy applications often decades old but upon which the business still depends.
Keeping these running means that the organization needs a data centre with all the fixed costs that this implies.
These organizations are faced with the challenge of how to integrate legacy and cloud.
One approach favoured by some is application modernization – where the legacy applications are rebuilt using a modern software architecture based on containers.
This may provide future benefits but involves costs and risks and is best based on a clearly articulated business benefit.
Another approach is described as lift and shift – where the legacy applications are moved unchanged to a cloud service.
This is not as easy as it sounds since the applications often has dependencies on obscure features that are not discovered until after the move.
All approaches lead to questions around security and compliance.
The risks and controls in the in-house deployment are known whereas those in the cloud are less certain and this has become a limiting factor for many organizations.
The detailed controls depend upon the kind of service being used.
Since the responsibility for security and compliance is shared you need to ensure that you meet your obligations and assure that the CSP meets theirs.
These risks arise for several reasons. The cloud attracts new threats – as cyber adversaries exploit the opportunities provided through the growing use of these services.
Confusion by tenants over how responsibilities for security and compliance are shared together with poorly managed control over their use of these services.
In addition, many tenants fail to adapt or apply their normal internal controls, such as identity and access governance and vulnerability management within the services.
Many organizations have invested heavily to ensure compliance with the laws and regulations that are relevant to their business.
However, the cloud service itself may not be compliant with the necessary regulations or the tenant may not implement the necessary controls.
Employees and associates can use personal cloud services to perform their jobs without reference to their employer.
The increasing number of laws and regulations relating to the processing of personal data such as GDPR and CCPA add to these challenges.
There are several ways in which the use of cloud services could impact on business continuity.
Data held in cloud services may be subject to ransomware attacks and the tenant’s use of the service may be subject to denial-of-service attacks like DDoS.
Natural disasters may also impact datacentres, communications, or power.
In addition, there is a risk of lock in - cloud services are often based on a proprietary technical architecture which can make it very difficult to migrate to another provider.
The use of a cloud service depends upon the end-to-end availability of resources and organizations must take this into account in their business continuity plans.
Learn how to ensure business continuity for the cloud in the Analyst Chat Podcast. In episode 67 Mike Small joins Matthias Reinwarth to explain why business continuity is essential for cloud services, especially in light of current events.
See all episodes of the Analyst Chat here.
Using cloud services can make it more difficult to control legitimate access to data and increases the risks of data leakage.
The data is potentially at risk while in transit, during storage and while being processed.
To perform maintenance the CSP needs access to the service infrastructure, and this may provide access to the tenants’ data.
In addition, the CSP may be subject to legally binding requests from the government to disclose data held in the tenants’ accounts.
The tenant’s data within the service is held on physical storage devices which may be reused later by other tenants or discarded at end of life with a risk that the data may leak.
End users may store regulated data within the service in a way that breaches compliance obligations.
The organization itself needs to be ready to use cloud services; success starts with mature internal IT governance processes.
There must be a robust process for procuring cloud services that should be easy to use so that it is not bypassed by line of business managers.
Not all risks are equal – this procurement process must prioritize which risks are important and specify the controls needed to manage these.
The cloud service tenant must ensure that the controls for which it is responsible are properly implemented.
Since the delivery of the cloud service is outside the direct control of the tenant, it must assure that the service is delivered securely to the agreed specification.
Tenants should take a risk-based approach to the use of cloud service.
It is only by understanding the precise risks that are relevant to your use can you specify the appropriate controls that are needed.
there are several existing frameworks for the best practices around IT Management including: ISO/IEC 20000, ITIL and COBIT5.
Organizations should adopt one of these.
You should assure that the CSP implements the controls that are relevant through independent certification that they are designed, built, and operated according to security best practices.
Although cloud services claim to be more resilient than in-house systems most do not claim 100% availability.
Therefore, it is essential to include cloud use in business continuity plans.
Furthermore, the use of the services necessarily involves multiple pieces of infrastructure such as networks and in-house equipment as well as end user devices.
This makes it essential that the end-to-end components are included as well.
CASBs (Cloud Access Security Brokers) address many of these challenges by providing visibility of use and control over access to cloud services by organizational users.
However, while this is important more is needed to cover all the risks.
CASB solutions have evolved to become an essential component of an integrated approach to cloud security.
These are expected to include CASB, Cloud Security Posture Management (CSPM), Data and User Protection, SWG (Secure Web Gateways), and Zero Trust Network Controls to provide a complete cloud security solution.
Cloud services themselves now feature extensive capabilities for the tenant to use them securely. However, these capabilities are often not used or are not used correctly.
The risks associated with organizational use of cloud services often stem from misconfigurations that leave vulnerabilities which can be exploited by cyber adversaries.
To counter these risks, CSPM (Cloud Security Posture Management) functionality to detect, report and remediate these is now expected.
CASBs have traditionally focussed on controlling user access to SaaS services and the protection of unstructured data.
However, IaaS is increasingly being used to deliver business transformation through new and modernised business applications, CSPM is important to manage the risks from this.
Cloud services must as a minimum provide assurances over how they secure the infrastructure as well as capabilities to authenticate the tenants’ users, and control access to the tenants’ resources held in the service.
Identity as a Service (IDaaS) is fast becoming the new face of Identity and Access Management (IAM) with several vendors now delivering cloud based IAM services to support the growth in cloud-based applications in the enterprise.
Here is an example of the identity and access governance capabilities provided by SAP.
To manage and control access to SaaS clouds CASBs are an important tool.
These provide visibility over which clouds are being used and what data is being held.
A comparison of CASB’s from a range of vendors can be found here.
Most of these vendors also provide CSPM solutions either integrated into or as standalone options.
In episode 36 of the Analyst Chat Podcast: Questions to Ask Your Cloud Provider About Security Alexei Balaganski and Matthias Reinwarth discuss the security challenges for enterprises moving to the cloud and explain why security in the cloud is still your responsibility.
There is also a growing market for the so-called SASE (Secure Access Service Edge) tools.
SASE is the convergence of wide area networking, or WAN, and network security services like CASB, FWaaS and Zero Trust, into a single, cloud-delivered service model.
The objective of this being to secure access to the services.
One area often forgotten is back up and recovery of tenants’ data.
It is often assumed that this is included in the service.
This is a false assumption, for example most cloud storage systems provide limited recovery of data legitimately deleted by the tenant.
So, cloud data protection solutions are usually needed to provide data backup and recovery capabilities.
Organizations now commonly use multiple cloud services as well as on premises IT.
It will provide you with questions to ask vendors, criteria to select your vendor, and the requirements for successful deployments.
This report will prepare your organization to conduct RFIs and RFPs for IaaS as part of a Hybrid IT service delivery model.
The core features and functionalities for that need to be evaluated for IaaS include:
The factors limiting this are management, security, and compliance.
Therefore, to realise this potential it is essential that these factors are addressed.
In response to these challenges, software solutions such as CSPM, and managed services have emerged.
In addition, CSPs are including capabilities within their platforms.
To enable this growth CSPs will need to provide greater transparency of the existence and effectiveness of their controls to support the take up by the highly regulated industries such as finance.
Organizations need an integrated view of their security and compliance posture.
To achieve this much greater integration is needed between the controls provided by and within the cloud service and the organizational GRC tools.
Another challenge is overcoming concerns related to legal requests from governments to turn over or intercept tenant data.
Contractual solutions to this are not sufficient and services will need to offer technical controls for confidential computing.
As well as providing tools for the tenant to use and develop applications using Artificial Intelligence / Machine Learning cloud service vendors will increasingly offer capabilities that exploit these capabilities to improve the tenant’s security and compliance posture.
Some CSPs are already including these capabilities within their services a notable example being Oracle Autonomous Database.
This claims to automatically patch, tune and secure systems.
Machine Learning systems are ideally suited to the tasks of systems management where there are clear rules and well-defined environments.
Looking for Decision-Support in the Field of Cloud Security?