Outsourcing is becoming an increasingly popular business strategy. By carving off business processes and giving them to outside vendors, companies save money and resources. Outsourcing enterprise computing processes using cloud services, for example, allows you to hand off the cost and responsibility of maintaining on-premises hardware and software. However, just because you outsource your enterprise infrastructure, does that mean your cloud service provider assumes total responsibility for your network? What about issues such as cloud security, which is a major concern for every IT manager and CIO? Can you hold your cloud service provider accountable for providing watertight data security?
As the use of cloud continues to grow, concern for data security grows with it. When data is an important business asset, management is hesitant to surrender control. However, it has been demonstrated over and over that cloud-based services tend to be more secure than on-premises systems. Most cloud services providers maintain rigorous security protocols for disaster recovery and protection from cyber-attack. Since providing secure and stable computing services is their primary business, cloud service companies use sophisticated tools to continuously monitor systems, identify vulnerabilities, and plug holes in cloud security. They also have service-level agreements (SLAs) to assure customers that security problems are remediated quickly.
So when you engage a cloud services provider you no longer have to worry about data security, right? Wrong!
Enterprise computing is more than just hosted enterprise hardware and services. Your cloud service provider is responsible for securing the foundation of your enterprise infrastructure: the computing systems, power, data storage, database, and networking. As the customer, you are still responsible for securing applications and related services.
Your cloud provider is generally responsible for cloud security at the network layer, including network segmentation, perimeter services, DDoS spoofing, and so forth. As the cloud customer, you are responsible for threat detection, security monitoring, and incident reporting. In other words, your provider offers cloud security for hosted switches and networks, but your responsibility is to secure the network applications and data traffic. Most SLAs are structured to make it clear that the customer is responsible for host layer data traffic, such as access management, patch management, security monitoring, and log analysis, i.e., any application security elements.
Finger Pointing Doesn’t Stop Attacks
Assuming that your cloud service provider will include comprehensive cybersecurity as part of their contract is a mistake. There are areas where they have control over the infrastructure and therefore can take responsibility for data security, but there are other areas that have to be the enterprise customer’s responsibility. Developing a collaborative cloud security strategy is the best approach to address risk management and deal with security threats.
Let’s consider some of the most prevalent security threats and where they tend to compromise enterprise networks. According to the 2018 Verizon Data Breach Report, security issues affect both enterprise network owners and cloud service providers:
- 73 percent of attacks were perpetrated by outsiders but 28 percent were by insiders, usually employees. Maintaining internal security is largely the responsibility of the cloud customer, since attacks tend to be mounted against corporate targets and not cloud providers.
- 17 percent or one in five data breaches were from phishing attacks, which includes employees being spoofed into surrendering sensitive information such as passwords – again, the responsibility of the network owners, not the cloud service provider.
- Malware, especially ransomware, is one of the most insidious types of cyberattack. Ransomware attacks have grown 56 percent in one year, and many of these attacks are targeting file servers and databases, locking them until a ransom is paid. These types of attacks tend to target end users, but MIT experts predict that more ransomware is targeting the cloud.
- Inadequate identity and credential management is a universal threat. Stealing the right credentials is like having the keys to the kingdom for both corporate computers and hosted resources.
- Account service hijacking has become commonplace and affects cloud services and in-house systems. With the right account credentials, cybercriminals can eavesdrop on activities and transactions, return falsified data, and send users to bogus web sites.
- Infiltrating cloud services directly is also becoming more common. Bad actors are increasingly leveraging cloud resources to target end users or other cloud providers.
No matter what the nature of the threat, everyone has a role in protecting data assets. A data breach can originate from anywhere, and once the infrastructure is compromised the damage can spread to infect applications, hosts, and network systems. That’s why it’s vital that corporate customers and cloud service providers understand their areas of responsibility when it comes to cyber security.
Develop Collaborative Cloud Security Strategies
To appreciate the respective responsibilities for cloud security, it’s best to start by understanding the cloud service model. Cyber-attacks will happen, so you need to know where your cloud service provider has responsibility and where you need to take charge of enterprise security.
For example, applications are completely your responsibility so it’s vital to secure your code. Whether you are supporting a DevOps coding environment or simply maintaining a basic website, you need to have security in place for the entire development lifecycle. Code that has not been thoroughly tested before it’s deployed could contain vulnerabilities. Use code encryption, testing libraries, and software to scan for bugs to make sure your code is secure.
Patch management is important, both for enterprise customers and cloud service providers. It’s the best way to address known vulnerabilities in software and production systems. Cloud service providers will maintain patches for their systems, but you also need to have your own patch management protocols. Automated patch management and security scanning will help, but you need to have an established protocol to update systems software regularly.
Access management is another essential part of systems security. In addition to managing passwords and data access, you need to define roles and responsibilities to control sensitive data and systems. Defining roles and limiting access reduces the risk if someone’s credentials are stolen. Integrating your Active Directory (AD) and your Lightweight Directory Access Protocol (LDAP) authentication model into your cloud infrastructure will help contain data access. Also consider using two-factor authentication.
Ongoing monitoring and log management are important for regulatory compliance as well as for security. Reviewing logs provides an overview of data access and traffic patterns that could highlight suspicious activities. Logs also are useful for conducting forensic investigations.
Matching Security to Different Cloud Services
When working with cloud service providers, you need to match your security protocols to the types of cloud services provided. Public cloud services, for example, are offered over the Internet and tend to be less secure, since resources such as computing time and data storage are shared. A private cloud offers dedicated connectivity and resources and is completely customizable, making it easier to manage systems security. Private clouds tend to be more secure but they also require the corporate IT department to manage more aspects of cloud services, which means more staff, more management, more maintenance, and more accountability for data security.
Depending on your cloud service needs, consider developing a cloud vendor checklist.
For Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service, cloud vendors are responsible for securing the infrastructure and customers secure the applications. With Software-as-a-Service (SaaS) and Applications-as-a-Service (AaaS) the cloud provider is responsible for securing the applications as well as the infrastructure. However, SaaS and AaaS vendors often use third-party IaaS cloud services, which makes security more complicated. Be sure that your security policies and procedures (e.g. authentication, inspection, and monitoring) can be integrated with SaaS and AaaS services.
Hybrid cloud strategies that combine on-premises, private, and public cloud services are becoming more popular, which means standardizing security across environments can be an issue. Security protocols will have to vary to accommodate each environment. Ideally, end users should be able to view and manage security across the entire infrastructure using a common set of tools, i.e., a single pane of glass. Unfortunately, that kind of security transparency isn’t always available.
When considering cloud service providers, be sure you are working with vendors that understand cloud security. That means they have cloud-based versions of security solutions, centralized security management, centralized event management, etc. Also look for vendors who work with leading cloud service vendors such as Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, Oracle Cloud, and others. Cloud service contracts change and you want to make sure your security procedures follow you wherever your data resides.
Achieving security in the cloud is possible, but it isn’t guaranteed. Organizations need to implement their security policies and procedures in conjunction with their cloud provider to provide the highest levels of protection against cloud security risks.
Not sure where to start? Contact OneNeck IT Solutions to speak with our cloud security experts.