The accessibility and scalability of the cloud make it an invaluable resource for businesses in storing data, building applications, consuming infrastructure and working collaboratively. However, with a complex platform comes complex security requirements.
In this guide, Softcat covers the key challenges in cloud security and outlines a back-to-basics model for developing and maintaining secure cloud platforms.
Cloud security vs traditional cybersecurity
Managing cloud security and traditional cybersecurity typically involves the same best practice strategies.
Whether a business operates on-premises or cloud, the principles remain the same – applying access control, managing credentials & permissions, identifying and protecting against relevant threats and above all, maximising existing investments, not just being convinced you need the latest cyber technologies.
The differences come in how these strategies are applied and ensuring everyone is responsible for security.
How does cloud security work?
The basic premise of cloud security involves protecting both the data and applications within it while, in most cases, relying on the provider's certifications to guarantee the security of the elements within their remit.
The demarcation between the provider and customer is governed by a shared responsibility model to ensure transparency. But note; the demarcation of responsibility between the provider and customer varies based on the type of Cloud; IaaS, PaaS and SaaS.
Infrastructure-as-a-Service (IaaS); in its simplest form, the provider takes care of the security of all the physical infrastructure (datacentre, hardware etc.), the virtualisation and the segregation of customers.
The customer is responsible for perimeter access control, network separation (of their systems), application / middleware, data and operating system security.
Platform-as-a-Service (PaaS); very similar to IaaS, except application/middleware and operating system (these don’t really exist in PaaS solutions) security shifts to the provider’s responsibility.
Software-as-a-Service (SaaS); very similar to PaaS, except perimeter access control, network separation and end-to-end software security shifts to the provider’s responsibility. However, the security is fundamentally very different to IaaS and PaaS, where the customer responsibility is typically much more straightforward and limited to identity management and data protection.
However, here in lies a key difference between cloud vs on-premises security – the consumption and procurement layer, aka the control plane:
In an on-premises world, procurement and physical hardware installation is typically a closed process or one that cannot be easily compromised.
However, cloud is publicly accessible, with most duties performed over the Internet, meaning the procurement and infrastructure installation can be, and in some cases, easily compromised if the control plane is not properly secured with means such as; multi-factor authentication (MFA), role-based access control, privileged identity management and budget management (thresholds, alerts).
If such controls are not implemented, the consequence could be intruders weakening your infrastructure, application and data controls and/or spinning up additional infrastructure for criminal activity, which could result in double, triple or worse cloud bills.
Cloud security – advantages and disadvantages
The growth of the cloud marks a move away from traditional on-premises models of network hosting and data storage and comes with its benefits and pitfalls regarding security.
The proliferation of modern security threats brings about some different techniques to ensure overall security;
Zero Trust; a popular security approach that assumes anyone requesting access is untrustworthy by default and therefore requires additional security measures to be completed for authentication.
An example of this in practice is how the conventional on-premises networking concept of VLANs is not applicable in the Public Cloud. For instance, in AWS, a common mistake is creating subnets (AWS term) for each VLAN as organisations perceive subnets as the boundary. However, in AWS, security access control is enforced on each virtual machine/instance, which means that multiple instances often share subnets, unlike on-premises. In this context, zero trust is implemented on each virtual machine/instance.
Another example is securing the cloud provider control plane. This is paramount, as any breaches may lead to criminal activity using your cloud provider environment, weakening of the security controls you've established for your infrastructure, applications or data, or the creation of unnecessary and expensive extra infrastructure.
Cloud Security Skills; in modern and mature organisations, each employee is expected to consider and manage security as their responsibility. Specifically, for those working in the Cloud, it's crucial to comprehend the differences between on-premises and Cloud security controls (as illustrated in the previous point). There are several excellent learning and development opportunities available to gain a thorough understanding, such as:
- AWS Certified Security – this cloud security certification is designed to support students in becoming proficient in AWS cloud security, including implementing secure protocols, understanding the network’s specific security operations and encrypting data within the network.
- Microsoft Certified Azure Security Engineer Associate – businesses using Microsoft’s Azure cloud computing services may consider this certification, which tests skills including configuring secure access in Azure Active Directory, implementing platform protection and securing data and apps within the environment.
- Certified Cloud Security Professional (CCSP) – this advanced certification validates credentials in cloud architecture and design and related security, risk and compliance skills.
Privacy Concerns; the shared responsibility model of cloud security leaves many businesses with privacy concerns when it comes to the integrity of their data stored in platforms managed by a third-party provider. Even at the time of writing this blog, we often receive common questions such as “will the cloud provider replicate my data to other regions without my consent or how do I stop them doing this”. The answer is no, but nonetheless, gaining a baseline understand of cloud data security, as part of a robust learning & development plan is the key to ensure you make informed decisions.
Cloud security with Softcat
Softcat’s expert team and industry-leading cloud and security specialists support businesses in keeping their data safe as they reap the rewards of the cloud. To find out more, contact our team.