Making sure that cloud services are secure is more complicated than you might think. Shifting applications and infrastructure over to cloud computing services can make life easier in some ways, but it doesn’t automatically mean you can give up all responsibility for keeping your organisation’s data secure.
Cloud computing continues to grow at a fantastic rate: the most recent data from tech analyst Gartner shows that the infrastructure-as-a-service market grew more than 40% just last year, and Gartner noted that ‘cloud-native becomes the primary architecture for modern workloads’.
Cloud security is the fastest growing segment of the security market, with spending jumping from $595 million in the US in 2020 to $841 million in 2021, largely because companies are discovering that it’s a more complicated topic than they realised.
There are 4 main types of cloud computing: private clouds, public clouds, hybrid clouds, and multiclouds. There are also 3 main types of cloud computing services: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
Choosing a cloud type or cloud service is a unique decision. No two clouds are the same and no two cloud services are used to solve the same problem. Here at bva, we assist our clients in understanding the pros and cons of cloud computing types and cloud services to figure out the right solution for their business needs.
Most businesses use multiple cloud services and providers. A hybrid approach can support security options where vital data is kept close (perhaps in a private cloud) while less sensitive applications run in a public cloud to take advantage of big tech’s economies of scale.
The hybrid model introduces new complications, as every provider will have a slightly different set of security models that cloud customers will need to understand and manage. It’s also a dynamic environment; applications and data are often switched between on- and off-premise and between cloud services, all of which are opportunities for errors and data leaks.
All of this can extend the enterprise threat surface, while making it harder for organisations to ensure their assets are secured. As a result, misconfigured services are high on the list of root causes for security incidents, along with even more basic failures like poor passwords and identity controls.
According to one recent piece of research, half of companies had experienced some kind of cloud security breach in the last 12 months, while almost one in three had been forced to issue a breach notification to a government agency, customer, partner or employees.
Many companies are evaluating tools to automate much of this, leading to interest in new technologies such as Cloud Security Posture Management (CSPM) tools, which can help security teams spot and fix potential security issues around misconfiguration and compliance in the cloud, so they know the same rules are being enforced across their cloud services.
Another area of growth has been Cloud Access Security Brokers (CASBs), which aim to guarantee that an enterprise’s security policies are being enforced across its portfolio of services. Other security technologies that cloud users are interested in include zero trust, artificial intelligence and machine learning. However, many technologies that hold out the promise of improving cloud security are still at an early stage.
Since cloud vendors have the scale to invest in skills and capabilities that are beyond the reach of most customers, cloud services and applications are likely to become more secure. The following are a good set of general principles for cloud computing security that are worth considering to help you judge the security posture of a supplier.
The 14 Principles Include:
- Data in Transit Protection: Your data should be protected against tampering and eavesdropping as it transits networks inside and external to the cloud. This should be achieved using a combination of encryption, service authentication and network-level protections.
- Asset Protection and Resilience: Your data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure. Protections should include cover for the legislation that your data is subject to, as well as mitigations such as encryption, data centre security, secure erasure and service resilience.
- Separation Between Customers: A malicious or compromised customer of the service should not be able to access or affect the service or data of another. The service provider will need to implement effective security boundaries in the way it runs code, stores data, and manages the network.
- Governance Framework: The service provider should have a security governance framework which coordinates and directs its management of the service and information within it.
- Operational Security: The service needs to be operated and managed securely in order to impede, detect or prevent attacks, using vulnerability management, protective monitoring, configuration and change management.
- Personnel Security: If service provider personnel have access to your data and systems, you need a high degree of confidence in their trustworthiness and the technical measures in place that audit and constrain the actions of those personnel.
- Secure Development: Cloud services should be designed, developed and deployed in a way that minimises and mitigates threats to their security, including a robust software development lifecycle.
- Supply Chain Security: The service provider should ensure that its supply chain meets the same security standards that the organisation sets for itself.
- Secure User Management: Your provider should make the tools available for you to securely manage your use of their service, preventing unauthorised access and alteration of your resources, applications and data.
- Identity and Authentication: All access to service interfaces should be constrained to a securely authenticated and authorised identity, which may belong to either a human user or a machine.
- External Interface Protection: All external or less-trusted interfaces of the service should be identified and defended appropriately, including external APIs, web consoles and command line interfaces.
- Secure Service Administration: The design, implementation, and management of the cloud service provider’s administration systems should follow enterprise good practice, recognising their high value to attackers.
- Audit Information and Alerting for Customers: You should be able to identify security incidents and should have the information necessary to find out how and when they occurred. The service will need to provide you with audit information, and issue security alerts when attempted attacks are detected.
- Secure Use Of The Service: Your cloud provider should make it easy for you to meet your data protection responsibilities. Services should be secure by design and by default.
Developing the right security posture is hard: some companies worry about sophisticated hacking groups, others struggle to stop staff using ‘1234’ as a password. Covering the fundamentals of security, understanding where the market is going, and asking cloud providers tough questions about their own security is a good path to follow.
Here at bva we can deliver an exceptional suite of cloud computing solutions that can simplify IT processes. As our clients’ cloud service provider, we establish and manage clouds, and offer on-demand cloud computing services.
We perform an assessment to determine the best cloud solution customized to fit our client’s specific business needs. Cloud computing can be very confusing, and having guidance is key in architecting the correct solution for your business.