The National Institute of Standards and Technology (NIST) describes cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Cloud Service Providers (CSPs) offer three types of services:
- Software-as-a-Service (SaaS)
  - This category provides applications and software solutions on demand over the internet, accessible to the user, usually via a web browser. The cloud provider is responsible for nearly all security, since the cloud user can only access and manage their use of the application and can’t alter how the application works.
- Platform-as-a-Service (PaaS)
  - This category of cloud computing provides a platform and environment for developers to develop, test, and deliver software applications. The cloud provider is responsible for the security of the platform, while the user is responsible for everything they implement on the platform, including how they configure any offered security features.
- Infrastructure-as-a-Service (IaaS)
  - The most basic category of cloud computing services is Infrastructure-as-a-Service. With IaaS, an organization is renting IT infrastructure: servers, virtual machines, storage, and networks. The provider is responsible for foundational security, while the cloud user is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the user.
Organizations have taken advantage of the benefits of cloud computing which include reduced capital expenses, high availability, agility, resiliency, and redundancy.
When moving services and data to the Cloud, an organization must understand its security and compliance requirements, because security responsibility is shared between the organization and the Cloud Service Provider as described above. The user is responsible for security IN the cloud and the provider is responsible for security OF the cloud. Depending on the cloud service in use, the user's security responsibility may include patching the operating system as well as the applications; this is the case with the Infrastructure-as-a-Service offering. If the user moves to a Platform-as-a-Service offering, they are no longer responsible for operating system maintenance and patching.
Figure 1 graphically depicts the boundaries and ownership of security responsibilities. Regardless of the services utilized, the user is always responsible for their data security.
Moving to the Cloud?
Is your organization looking to move to the Cloud? Are you evaluating providers to find out what service will work best for your requirements? If so, there are a few questions that should be clarified to make an informed decision before committing to a move.
- What does the Cloud Service Provider offer for Identity and Access Management?
  - This includes identification, authentication, and authorization (including access management).
  - This is how you determine who can do what within your cloud platform or provider.
- What security standards are supported by the Cloud Service Provider?
  - Payment Card Industry Data Security Standard (PCI DSS)
  - General Data Protection Regulation (GDPR)
  - Health Insurance Portability and Accountability Act (HIPAA/HITECH)
  - National Institute of Standards and Technology (NIST) SP 800-171
- Where will your data be located?
  - Some regulatory requirements may dictate where the data is stored and processed.
- What type of automation is offered by the Cloud Service Provider?
  - Automation aids in reducing human configuration errors.
- Do you always “own” your data?
  - Can you encrypt, move, or destroy data at your discretion?
- How does the Cloud Service Provider handle these five parts of the cybersecurity lifecycle?
Your Data/Your Responsibility
Don’t fall into an “out of sight, out of mind” mode about your data when you move to Cloud services. It’s your data, and the security of that data is, and always will be, your responsibility regardless of where it is stored or processed.
Cyber Liability insurance is on the rise and there is an expectation that there are measurable efforts devoted to keeping information secure. Breaches can cause serious damage to your organization not only financially but from a reputation standpoint as well.
SecurIT360 is an independent, vendor-agnostic Cybersecurity consulting firm.
If you are interested in a complimentary strategy session, contact us here.