In its broadest term, Cloud Computing can be defined as the practice of using a network of remote servers hosted by a provider on the Internet (“the Cloud”) to store, manage and process data. In the current enterprise landscape, organizations (called tenants) are steadily migrating technologies to and services into the Cloud looking for a competitive advantage that will enable the business to set themselves apart from the rest of the pack. These advantages of Cloud computing include a reduction in start-up costs, lower capital expenditures, utilization of on-demand IT services, and the dynamic allocation of computing resources and capacities. Along with these and other benefits comes the ubiquitous security effort of protecting the data that is stored and processed in the Cloud.
Even though companies are moving these technologies and services to a third-party entity (the provider) the responsibility for ensuring the integrity and confidentiality of the data still resides with the tenant. It does not change the fact that preventative and detective controls must be in place and corrective activities defined. The move only changes how information security is governed. In this article, we will look at some of the challenges surrounding Cloud Security.
Types and Uses of Cloud Computing
Before we jump into the myriad of topics that make up Cloud computing security let’s look at the types of Cloud computing and their uses. Most Cloud computing services fall into three categories: infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS).
The most basic category of Cloud computing services is Infrastructure-as-a-Service, termed as IaaS. With IaaS, an organization is renting IT infrastructure; servers, virtual machines, storage, and networks.
This category of Cloud computing provides a platform and environment for developers to develop, test and deliver software applications.
This category provides applications and software solutions on demand over the internet, accessible to the user, usually via a web browser.
When moving services and data to the Cloud, an organization needs to understand that security and compliance are a shared responsibility between the tenant and the provider. This is referred to as a shared responsibility model. Depending on the Cloud service that is being utilized, the security responsibility of the tenant includes patching operating systems as well as the applications (IaaS). But as the Cloud service changes, so does the responsibility. Example: when a tenant subscribes to an IaaS offering they are responsible for the OS, application and data security. If the tenant moves to a PaaS offering they are no longer responsible for the OS maintenance and the patching of that OS. Figure 1-1 graphically depicts the boundaries and ownership of security responsibilities. Regardless of the services utilized, the tenant is always responsible for their data security.
An oft-used phrase when discussing cloud security is “the tenant is responsible for security IN the cloud and the provider is responsible for security OF the cloud.” As you can see in Figure 1-1 the security of the data is ultimately the responsibility of the tenant.
Moving to the Cloud?
Is your organization looking to moving to the Cloud? Are you evaluating providers to find out what service will work best for your requirements? If so, there are a few questions/issues that should be clarified to make an informed decision before committing to a move.
· What controls does the Cloud provider already have in place and can attest to?
· Will the provider be willing to submit to external audits and security certifications?
· Where will your data be located? Regulatory requirements might dictate where the provider must process and store data.
· What oversight does the provider have over the hiring of administrators who will be operating in their Cloud environment? You may require the provider to follow your hiring criteria.
· What is done to ensure the segregation of your data if the provider is servicing your data in a multi-tenant environment? Find out what controls or protocols are used to segregate your data and verify that these controls are being enforced. “Trust but verify”
· What is the process for reclaiming your data in the event of a separation or acquisition? What happens if the provider gets acquired by a different third party? Make sure that your data will be in a format that can be exported and usable.
· Will the provider be able to completely restore your data or service in the event of a disaster? How long will it take to restore your data?
· Will they support eDiscovery and the investigative process?
Your Data/Your Responsibility
Don’t fall into an “out of sight, out of mind” mode about your data when you move to Cloud services. It’s your data and the security of that data is, and always will be your responsibility regardless of where it is stored or processed.
Breaches can cause serious damage to your reputation and significant expense for your company. Cyber Liability insurance is not enough. In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.
SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.
ENISA – Cloud Computing Risk Assessment
Cloud Security Alliance – Security Guidance for cloud computing