Securing your IaaS Cloud
While the major CSPs (Cloud Service Providers) go to great lengths to secure the services that they provide it is up to the client of the Cloud service provider to secure their use of these services. The responsibility for security and compliance is shared. This report describes the approach that clients (or in other words tenants) of Cloud infrastructure need to take to ensure that they use IaaS services in a way that is secure and compliant, including examples of how to realize this with Amazon Web Services. In our recent independent 2021 "Kuppinger Cole Market Compass report on Global IaaS Providers Tenant Security Controls", AWS was evaluated as an outstanding provider. This report also contains an extract of our evaluation of AWS from the Market Compass report.
1 Introduction / Executive Summary
The cloud has established itself as an important enabler of digital transformation. It has changed the way organizations do business and the events of 2020 have dramatically accelerated this digital transformation. Retailers had to increase their online presence, manufacturers had to reorganize their shop floors and employees worked remotely for large stretches of time to name just a few examples. This was only made possible by the way in which cloud services provide the ability to respond rapidly to changing business needs. The cloud has now become an integral part of business-critical operations where security and compliance are essential considerations.
The major CSPs (Cloud Service Providers) go to great lengths to secure the cloud infrastructure underneath the services that they provide but it is up to the cloud clients (or Cloud Infrastructure tenants) to secure the way they use them. When companies use the cloud, they must ensure that they meet their responsibilities and verify that the CSP meets theirs. Many of the security related incidents around the use of cloud services that have been reported result from failures by the cloud client to meet these responsibilities.
This report describes common security related business risks that can arise from the use of cloud services and covers the approach that cloud clients should take to mitigate these risks. Some of the risks that can be mitigated with the right strategy include using backups to protect data, preventing public access to sensitive data, and removing well-known technical vulnerabilities that can be exploited in cyber-attacks. It also provides examples of the support and building blocks that Amazon Web Services offers to help their clients to achieve this. In our 2021 independent "Market Compass report for Global IaaS Providers Tenant Security Controls", Kuppinger Cole ranked AWS as an outstanding vendor for the range of the security capabilities it provides to help its clients run their cloud workloads. An excerpt of the AWS profile from the Market Compass report can be found at the end of the document.
Most organizations now have a hybrid IT environment. The best approach to meeting the security and compliance challenges of this is good governance with a consistent approach to the security of IT services regardless of how they are delivered. When using the Public Cloud, the responsibilities for security and compliance are shared between the cloud client and the CSP. The client does not manage or control the underlying cloud infrastructure but is responsible for managing everything above the service provided. The client is also responsible for compliance with laws and regulations governing the processing of data.
Governance sets measurable business-related objectives for IT services and monitors how well these objectives are being met. This approach allows the organization using the IT service to focus on their business and the service providers to focus on delivering the required service.
This governance-based approach to the use of a cloud service means that clients of the cloud must clearly set out their business, security, and compliance objectives for the service. This provides benefits that stretch beyond governance and compliance.