The Cloud Security Landscape
At this point, you’ve definitely heard of the cloud. Everyone, especially businesses, is talking about moving to the cloud, and their concerns about the cloud security landscape. You already use cloud-based services such as Netflix, Spotify, and Amazon. However, like with most technologies, innovation precedes security, and this causes unease in the minds of those who feel pressured to make the move without having a deep understanding of the risks. Well, that’s what I hope to clear up for you today.
In this post, I’ll be breaking down the landscape of cloud security and most of the possible risks in the cloud, in simple terms. Before we dig in, let’s look at some context.
What is the Cloud, and how does it work?
What is cloud computing? Per Tech Crunch, “Cloud computing is a general term for the delivery of hosted services over the internet. Cloud computing enables companies to consume a compute resource, such as a virtual machine (VMs), storage or an application, as a utility — just like electricity — rather than having to build and maintain computing infrastructures in-house.”
When a business (or individual) decides to use cloud services (whether hybrid, multi, or full-cloud), they are, to a large extent, trusting their chosen cloud service provider (CSP) with their data. It’s important that the customer has a transparent talk with the CSPs they’re considering to ensure their data is being protected in a way they are comfortable with.
We’re going to go through many key points one may want to bring up with a possible CSP, but it’s also important that the customer recognizes their own responsibility for security and doesn’t rely solely on the CSP to protect their data. As the Cloud Standards Customer Council so eloquently puts it, “Cloud service customers need to take responsibility for situational awareness, weigh alternatives, set priorities and effect changes in security and privacy.” With that in mind, and with further guidance from the Cloud Standards Customer Council, let’s look at the risks that lie in the cloud for businesses.
Risks in the Cloud
In a paper entitled Security for Cloud Computing: Ten Steps to Ensure Success, Version 2.0, the Cloud Standards Customer Council (CSCC) outlines 15 risks in the cloud. Let’s look at what those risks are, and talk about them in some detail.
Loss of Governance
CSCC points out that, while many CSPs do, some might not commit to resolving loss-of-governance issues. So, it’s up to the customer to be sure that the provider is trustworthy and will follow industry standards. Don Sheppard with IT World Canada suggests “Appropriate legal and contractual controls must be in place, security and performance must be monitored, and service providers must be auditable.”
Authentication and Authorization
Most CSPs offer two-factor authentication and other strong authentication methods. However, enabling them is up to the customer. With so many people (employees, vendors, contractors, etc.) accessing a company’s cloud infrastructure, it is critical that each user’s identity is verified with certainty.
Cloud infrastructure, especially public cloud, utilizes shared resources, making it crucial that each tenant’s usage of storage, memory, and routing is kept separated.
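The post leaves it to the customer to turn on two-factor authentication and keep track of who can reach the tenant. As an added example (not code from the post or from the CSCC paper), here is the kind of identity-hygiene review a customer can run over an exported inventory of their cloud identities: it flags human accounts without MFA (with higher severity for privileged roles), identities that have not signed in recently, and long-lived access keys. The inventory, its field names, and the role names are constructed assumptions for this example, not any provider’s export format.

```python
"""Identity-hygiene check over a cloud tenant's identity inventory.

Added example. The inventory below is constructed sample data and the
field names ("kind", "roles", "mfa", "last_login", "keys") are assumptions
for this example, not a specific CSP's IAM export format.
"""
from datetime import date

# Constructed sample inventory (not real accounts).
INVENTORY = [
    {"name": "alice", "kind": "human", "roles": ["admin"], "mfa": True,
     "last_login": "2024-05-01", "keys": []},
    {"name": "bob", "kind": "human", "roles": ["billing"], "mfa": False,
     "last_login": "2024-04-20", "keys": []},
    {"name": "vendor-ci", "kind": "service", "roles": ["deploy"], "mfa": False,
     "last_login": "2023-09-01", "keys": [{"id": "k1", "created": "2023-01-15"}]},
    {"name": "carol", "kind": "human", "roles": ["reader"], "mfa": False,
     "last_login": "2023-06-01", "keys": []},
    {"name": "dave", "kind": "human", "roles": ["admin"], "mfa": False,
     "last_login": "2024-05-03", "keys": []},
]

# Roles treated as privileged for severity purposes (assumed role names).
PRIVILEGED_ROLES = {"admin", "deploy", "billing"}


def _days_between(iso_day: str, today: date) -> int:
    """Whole days from an ISO date string (YYYY-MM-DD) to `today`."""
    return (today - date.fromisoformat(iso_day)).days


def find_issues(inventory, today=date(2024, 5, 10), stale_days=90, key_max_age_days=90):
    """Return a list of findings; each is {"identity", "issue", "severity"}.

    - NO_MFA / NO_MFA_PRIVILEGED: human identity signing in without MFA.
      Service identities are skipped here; they are governed by key rotation.
    - STALE_IDENTITY: no sign-in for more than `stale_days`.
    - OLD_ACCESS_KEY: a long-lived key older than `key_max_age_days`.
    """
    findings = []
    for ident in inventory:
        name = ident["name"]
        privileged = bool(set(ident["roles"]) & PRIVILEGED_ROLES)

        if ident["kind"] == "human" and not ident["mfa"]:
            findings.append({
                "identity": name,
                "issue": "NO_MFA_PRIVILEGED" if privileged else "NO_MFA",
                "severity": "high" if privileged else "medium",
            })

        if _days_between(ident["last_login"], today) > stale_days:
            findings.append({"identity": name, "issue": "STALE_IDENTITY",
                             "severity": "medium"})

        for key in ident["keys"]:
            if _days_between(key["created"], today) > key_max_age_days:
                findings.append({"identity": name, "issue": "OLD_ACCESS_KEY",
                                 "severity": "high" if privileged else "medium"})
    return findings


def summarize(findings):
    """Group identities by issue code, preserving inventory order."""
    by_issue = {}
    for f in findings:
        by_issue.setdefault(f["issue"], []).append(f["identity"])
    return by_issue


if __name__ == "__main__":
    for f in find_issues(INVENTORY):
        print(f"{f['severity']:6} {f['issue']:20} {f['identity']}")
```

Running it against the constructed inventory lists the two privileged humans without MFA first in priority, and separately shows that the vendor’s service account has both gone quiet and kept a key for well over the rotation window, which is the information a customer needs before the conversation with the CSP about enforcing MFA and key rotation tenant-wide.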
Compliance and Legal Risks
One point that must be discussed with your potential CSP(s) is transparency about the provider’s compliance with industry standards and regulatory requirements. Many of the major players offer compliance reporting. It’s important that the customer asks for evidence of this compliance reporting and ensures the appropriate certifications are in place.
Handling Security Incidents
Security breaches are often understood as being the responsibility of the CSP. However, these breaches affect the customer most. So, as CSCC puts it, “Notification rules need to be negotiated in the cloud service agreement so that customers are not caught unaware or informed with an unacceptable delay.”
Management Interface Vulnerability
Customers often have access to management interfaces such as self-provisioning: a system that allows end users to set up and launch apps and services in their cloud environment without CSP or IT intervention. This poses an increased risk when resources are heavily shared.
Workload-centric policies are critical when moving to the cloud. Some CSPs (Microsoft, for instance) offer defense-in-depth security, but others do not. Controls must be put into place at the user, application and data level.
When responsibility is shared between the CSP and the customer, exposure, loss or unavailability of data becomes an increased risk, especially in the case of multiple transfers of data. Taking inventory of all workloads and backing up data onto hard drives, or elsewhere, are only a few of the steps a cloud services customer can take to ensure the protection of their data. To get an in-depth look at the steps to protecting data in the cloud, check out this article from NetworkComputing.com.
Malicious Behavior of Insiders
The risk of malicious insider behavior is increased in the cloud because it exists on both the cloud services customer’s side and the CSP’s side. It’s critical that your organization takes measures to prevent malicious behavior from within the company to cover your side of the risk. Technical training, follow-up training, and awareness campaigns are critical to ensuring your employees don’t unwittingly pose a risk.
Business Failure of the Provider
It’s important that the customer chooses a provider they can trust. If the CSP’s business fails, it will leave their customers’ data in limbo, unavailable, until ownership is resolved. In other words, you may lose access to your data until a resolution occurs.
Service unavailability could render a customer unable to access their data and services. It could be caused by network, hardware or software failures, as well as DDoS and ransomware attacks, or other issues that make the services unreachable.
Once a customer chooses a provider and begins relying on its services, it can pose a challenge to switch providers and access the necessary data and services from the new provider. This is why your initial contract with a CSP is critical to your company’s safety moving forward. Since you own only a seat in the provider’s infrastructure, not the infrastructure itself, lock-in can constrain business decisions down the road.
Insecure or Incomplete Data Deletion
CSCC describes this item really well, so I’ll share it here: “The termination of a contract with a provider may not result in deletion of the customer’s data. Backup copies of data usually exist and may be mixed on the same media with other customers’ data, making it impossible to selectively erase. The very advantage of multi-tenancy (the sharing of hardware resources) thus represents a higher risk to the customer than dedicated hardware.”
Visibility and Audit
This came up a bit earlier, under compliance, but visibility is a crucial part of the CSP-customer relationship. You need visibility from the CSP as well as from your IT team to ensure that the utilization of cloud services is compliant with company policies and practices. Some users may build IT solutions using cloud services without approval from the company’s security team. This could be detrimental to a customer’s information privacy and security.
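The visibility the post asks for is only useful if someone actually looks at the provider’s audit trail. As an added example (not from the post or the CSCC paper), here is a small detection that scans audit events for provisioning actions and raises an alert when the actor is not an approved provisioner, the resource landed in a region the company has not sanctioned, or the required ownership tag is missing, which is how unapproved “solutions built on cloud services” tend to surface. The event lines, their JSON field names, the action names and the approved lists are all constructed assumptions for this example, not any provider’s real log format or API names.

```python
"""Detect unsanctioned provisioning in a cloud audit trail.

Added example. EVENTS_RAW is constructed sample data in a generic JSON
shape; the field names ("principal", "action", "region", "tags") and the
dotted action names are assumptions for this example, not a specific
provider's audit-log schema.
"""
import json

# Constructed audit events (one JSON object per line). Not real log data.
EVENTS_RAW = """
{"time":"2024-05-10T09:01:00Z","principal":"alice@example.test","action":"compute.instance.create","region":"eu-west-1","resource":"vm-101","tags":{"owner":"platform"}}
{"time":"2024-05-10T09:05:00Z","principal":"bob@example.test","action":"storage.bucket.create","region":"us-east-1","resource":"bucket-marketing-share","tags":{}}
{"time":"2024-05-10T09:07:00Z","principal":"alice@example.test","action":"compute.instance.list","region":"eu-west-1","resource":"","tags":{}}
{"time":"2024-05-10T09:12:00Z","principal":"ci-deployer","action":"compute.instance.create","region":"eu-west-1","resource":"vm-102","tags":{"owner":"platform"}}
{"time":"2024-05-10T09:20:00Z","principal":"carol@example.test","action":"iam.role.create","region":"global","resource":"role-adhoc-admin","tags":{}}
{"time":"2024-05-10T09:30:00Z","principal":"alice@example.test","action":"compute.instance.create","region":"ap-southeast-2","resource":"vm-103","tags":{"owner":"platform"}}
"""

# Policy inputs (assumed values a security team would maintain).
APPROVED_PROVISIONERS = {"alice@example.test", "ci-deployer"}
APPROVED_REGIONS = {"eu-west-1", "global"}
REQUIRED_TAGS = {"owner"}
# Action-name suffixes that create or expand footprint; reads are ignored.
PROVISIONING_SUFFIXES = (".create", ".attach", ".grant")


def parse_events(raw: str):
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def is_provisioning(action: str) -> bool:
    """True for actions that create resources or grant access."""
    return action.endswith(PROVISIONING_SUFFIXES)


def detect_unsanctioned(events):
    """Return alerts for provisioning events that violate the policy inputs.

    Each alert carries the event's time, principal, resource and the list of
    reasons it fired, so a reviewer can see every violated rule at once.
    """
    alerts = []
    for ev in events:
        if not is_provisioning(ev["action"]):
            continue
        reasons = []
        if ev["principal"] not in APPROVED_PROVISIONERS:
            reasons.append("unapproved-principal")
        if ev["region"] not in APPROVED_REGIONS:
            reasons.append("unapproved-region")
        missing = REQUIRED_TAGS - set(ev.get("tags", {}))
        if missing:
            reasons.append("missing-tags:" + ",".join(sorted(missing)))
        if reasons:
            alerts.append({"time": ev["time"], "principal": ev["principal"],
                           "action": ev["action"], "resource": ev["resource"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_unsanctioned(parse_events(EVENTS_RAW)):
        print(a["time"], a["principal"], a["action"], a["resource"], ", ".join(a["reasons"]))
```

On the constructed events this fires three times: the marketing bucket created by an unapproved user in an unapproved region with no owner tag, an ad-hoc admin role created outside the approved provisioners, and an otherwise-approved engineer creating a VM in a region the company has not sanctioned. The list-only event and the two tagged, in-region creations by approved principals stay quiet, which is the balance a visibility control needs: enough signal to catch shadow IT without paging on every normal deployment.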
Cloud Security Landscape Wrap Up
I hope this has cleared up some of the risks you face when moving to the cloud. Cloud services are almost inevitable today, and knowing the risks should help bring you ease in your migrations. Awareness of what the risks are, how your company can prevent them and what sort of commitments you expect from a cloud service provider will greatly help you choose which CSP(s) is best for you. With new knowledge of the cloud security landscape, you can go forward in your digital transformation with confidence.
Looking to expand your information security and privacy knowledge? Wanting to better understand how to defend yourself against malicious attacks? Considering starting a career in cyber security? Look no further! Start your education and training today!
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cyber security training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.