The adoption rates of the cloud are steadily increasing. Organisations that swore never to touch public infrastructure and platform cloud are fast becoming converts. As the industry continues to recognise the benefits of cloud maturity, many more organisations are looking to engage with the cloud in a bid to outperform the competition.
However, cloud security threats continue to be on the rise. According to the latest Cloud Threat Report from KPMG, around 20% of cloud users suffer security attacks daily – with 51% of those having financial implications and 66% resulting in interruptions to business operations.
That being said, users are recognising the importance of security with cloud confidence leading to the meaningful migration of sensitive data from private data centres. What is being misunderstood (and overlooked) is the shared responsibility model of cloud security.
A New Dilemma
Typically, cloud service providers deliver what is referred to as security of the cloud. This is underpinned by an alphabet soup of standards, ranging from SOC-based certifications to FedRAMP in the US and IRAP in Australia.
Allied to the need for security of the cloud is the need for security in the cloud. This relates to the need to secure the software components, processes, identities and data that reside in the cloud. Rather than being the responsibility of the service provider, these elements sit ‘above’ the service boundary and remain the responsibility of the customer.
The challenge is that this implies both a clear understanding of where this service boundary sits and an appreciation of what, precisely, the cloud consumer is responsible for.
Security in the cloud
To help customers deploy and manage cloud services, cloud service providers typically provide a service “control plane” that includes APIs and exposes certain functions. Additionally, in some cases the cloud applications or services deployed in the cloud may come with a set of accompanying security-related services.
This seems straightforward. However, a major security issue lies with the individual end user engaging with the cloud service as if it were a traditional on-premise environment. Until recently they have known no other paradigm, and the control plane is not something the end user should be interacting with.
Within a cloud environment, virtualisation of networking and infrastructure is implicit in the architecture itself. This provides a level of dynamism that can be difficult to replicate with on-premise environments. However, one consequence of this architecture is that the cloud administrator may be just three or four clicks away from exposing data within a given cloud service to the public internet – whether through accident, malice or via the compromise of a cloud administrator’s credentials by some adversary.
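To make the “three or four clicks from the public internet” risk concrete, here is an added check (not from the original article) that scans a constructed AWS-style bucket policy for statements granting access to any principal; the account id, role and bucket names are placeholders, and a Condition block is treated as narrowing the grant rather than as proof it is safe.

```python
import json

# Constructed AWS-style bucket policy (placeholder account id, role and bucket;
# this is illustrative data, not a policy from any real environment).
SAMPLE_POLICY = json.loads("""
{
  "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "OopsPublic", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]},
    {"Sid": "IpRestricted", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-data/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principal_is_anyone(principal):
    """True when a statement's Principal matches any identity: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def find_public_statements(policy):
    """Map Sid -> "public" or "conditional" for Allow statements open to anyone.
    A Condition block narrows the grant (here to one IP range), so such statements
    are reported as "conditional" for review rather than as outright public."""
    findings = {}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anyone(stmt.get("Principal")):
            continue  # Deny statements and scoped principals are not exposures
        sid = stmt.get("Sid", f"statement-{i}")
        findings[sid] = "conditional" if stmt.get("Condition") else "public"
    return findings

if __name__ == "__main__":
    for sid, severity in find_public_statements(SAMPLE_POLICY).items():
        print(f"{severity:12s} {sid}")
```

Running the same check across every bucket policy in an account, on a schedule, is the kind of detection the article asks cloud providers and customers to prioritise.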
What is to be done?
Although not directly responsible for customers’ security in the cloud, cloud providers can help their users navigate security in this complex domain. Broadly speaking, there are three things customers should look for from their cloud providers:
- Security services externalised as cloud services in their own right - One example is IDaaS (Identity-as-a-Service). The fundamental goal here is to remove the need for developers to bake their own security controls into their code.
- Embedded security technologies – to allow such technologies to be configured and operated by a customer in the cloud. Examples would be provision of controls that enforce the segregation-of-duties at the database layer, on-disk encryption, etc.
- Tools to monitor all access to enterprise resources – whether cloud or on-premise based. In short, whilst preventive controls are necessary, they are not sufficient. Increasingly, given the “low and slow” nature of modern threats, the game is one of detection rather than mere prevention. Specifically, the question is who is accessing (or has proximity to) the information of value to the organisation.
The last requirement is key in today’s hybrid cloud environment, given that each individual cloud service may touch other cloud services as well as other on-premises systems. This amplifies the downsides of any mistakes and reinforces the need for end-to-end visibility wherever identities and assets reside.
Transparency is key
The basic principles underlying this three-pronged approach to a cloud security control framework are clear: clarity on the division of security responsibilities between cloud consumer and provider, augmented with a robust approach to dealing with the risk that resides in the cloud.
What is clear is that companies with security strategies that permit an acceleration of the organisation’s cloud initiatives, aided by an approach to risk and compliance both of and in the cloud, are benefiting and steaming ahead. On the other hand, traditional organisations that lack a deeper understanding of the key security aspects of the new paradigm will find that the full benefits of the cloud are not realised, or that the gap drives cloud usage underground, opening the organisation up to new risks. Neither of these outcomes is likely to be profitable.