While cloud computing is far from a magic bullet for all your data storage and security woes, organizations are enjoying meaningful benefits in the form of cost-efficiency, on-demand scalability, heavy upfront capital shifted to recurring operational expenses, augmented resources and skills now at their fingertips, and more.
The predecessor to cloud, shared/multitenant computing, goes all the way back to our early history of using mainframes, including time-sharing, virtual machines and remote access. Cryptography and encryption techniques are nothing new to us; they’ve been used repeatedly throughout history. Some of us may even be old enough to remember the now-retired subscription-based hosted frameworks, such as Compuserve and Prodigy, and email and portal frameworks such as [email protected] Today, these all could be referred to as cloud-based software-as-a-service (SaaS) offerings. So what makes today’s shared computing frameworks different?
First of all, it’s plainly too expensive to maintain brick-and-mortar frameworks today compared to eliminating all such costs through shared hosted environments. We’re seeing this not only in enterprises, but also in consumer-oriented areas such as retail. By moving to the public cloud, organizations can focus on the core competencies supporting their specific business model. The interesting twist is that many non-IT businesses today, with their considerable investments and IT overhead, now appear as though IT is their core business.
We can agree that shared computing models are now widely accepted culturally, and it has become difficult to justify holding onto costlier on-premises models. This is especially true when you consider the indirect cost of maintaining data centers and consistent challenges in scaling and aligning resources and finances to demand, which increases and decreases periodically.
To facilitate wider acceptance, the remote access barriers of yesteryear have been removed. We’re all happy to have evolved from slow, dial-up remote access to our high-speed internet access from myriad devices. In fact, there’s likely no recognizable difference in performance from a consumer’s point of view between on-premises access and remote access. This will keep us all in multitenant computing models for many years to come. So where’s the rub?
Remote Users, Fast Access and Shared Frameworks Increase the Risk
With high-speed remote access to shared multitenant computing environments comes increased risk. I’ve heard several chief information security officers (CISOs) indicate that cloud computing has widened their attack surface to all in the public testing their fences. Leaning on a false sense of — as I like to call it — “security by obscurity” is no longer an effective strategy.
While cloud customers are entrusted with and liable for the protection of confidential customer information, the cloud provider controls much of the security. In fact, providers often do not disclose their security controls or open them to audit. Doing so is considered an unnecessary risk; for example, openly sharing details about their architecture and security products could expose known vulnerabilities and attack surfaces to threat actors (there’s that outmoded idea of security by obscurity once again). While the cloud provider is responsible for physical security, business continuity, disaster recovery and network security, additional security controls and responsibilities shift depending on the type of cloud service model chosen.
Before diving into who owns what and when, let’s think about the fundamental security responsibilities you are entrusting to the cloud provider. Remember that you as a cloud customer carry the ultimate liability for securely maintaining your customer’s confidential information, and you make the final call on whether it should be maintained securely on your premises or placed elsewhere. Moving your entrusted data or services to the cloud equates to moving to a shared/multitenant environment in the sense that you are blindly trusting your cloud provider to adequately isolate and secure your data — not only your data at rest while in storage, but also in transit and in memory.
Of course, you’d hope the cloud provider’s employees and third parties, whether in physical proximity to your environment or able to access it remotely, are properly vetted, trained and trustworthy. Throughout the history of IT, we’ve relied upon cryptography to keep prying eyes from our confidential information. The cloud is no exception.
You Can’t Eliminate Cloud Security Risk
There are three ways to deal with risk: accept it, avoid it or share/transfer it. Unfortunately, none of those options involve eliminating the risk altogether. An example of accepting risk is deciding to live with it because the cost of protection outweighs the potential cost associated with the threat. You may decide to avoid the risk entirely by scrapping the initiative, or otherwise transfer the risk to an insurance agency or other firm so that liability is shared.
When deciding whether to place your trust in a cloud provider, consider the service-level agreement and/or any regulatory assertions on the part of the vendor. There could be third-party audits that you have access to, for example, or you may be able to collect analytics from your own isolated environment within the public cloud. These are just a few of the many things to consider during negotiations.
Understanding the 3 Most Common Cloud Offerings
While there are many cloud models and offshoots of models to choose from, let’s look at the three most common: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS). The customer is still liable for protecting confidential customer data, but how do other cloud security responsibilities differ between them?
The cloud customer is typically responsible for installing, securing, patching and upgrading the operating systems. Cloud providers typically only provide a bare-bones virtual computing environment of central processing units (CPUs), memory and storage within a shared computing environment.
The benefit is basically a scalable computing environment maintained on your behalf at lower cost than if you architected it yourself. The cloud provider is commonly responsible for physical access, networking to and from your environment, and remote access. You are responsible for the rest of the security controls, including installing and hardening the operating systems, patching vulnerabilities, granting individuals appropriate permissions in the environment, and, of course, any errors or omissions your team may have introduced.
The cloud vendors for this model provide a hosted infrastructure within a shared computing environment (including CPUs, memory and storage) and typically secure, patch and upgrade the operating systems. Based on the contract, the provider may also oversee databases and other data modeling capabilities. The customer may give IT professionals appropriate access to the platforms, including privileged access. Again, any errors or omissions are on you.
This is by far the most hands-off environment for cloud customers when it comes to securing the hosted environment. Think about your free cloud-provided email; it’s safe to assume we’re all using them. You just provide an email account and access it by submitting a user ID and password. Enterprises using similar SaaS models commonly give authorized users access to the services within the environment, and you as customers grant your users/constituents appropriate permissions to specific services.
We sometimes refer to the adding and deleting of user accounts as provisioning and deprovisioning, or onboarding and offboarding. While it may be clear that you are responsible for adding and authorizing your new users to the service, remember that you’re equally responsible for removing them when they should no longer require access to your services and the environment. Potential errors and omissions associated with this model include who you let in, what you authorize those users to do, and whether you remove them when they move on from the company or no longer require access.
What Can We Control When We’re Not in Control?
When it comes to responsibility for security, the lines may blur among different cloud offering models, but cloud customers are ultimately liable for the confidentiality, integrity and accessibility of sensitive data. There will always be blind spots in public cloud environments — areas cloud customers are simply not permitted to control. Instead, they must simply trust that the provider and any third parties are doing their due diligence.
The most effective cloud security measure — if not the single most paramount security measure cloud customers can take — is to encrypt confidential data in the public cloud. This includes data at rest inside the cloud and archived and backed-up data, regardless of whether it stays in the cloud storage area or is ported elsewhere.
Encryption is necessary to protect data in transit as well. This way, should your data be exposed due to blind spots, it remains unreadable and confidential based on your encryption decisions.
Considerations for Selecting a Cloud Provider
When choosing a cloud provider, look for a vendor that’s recognized for its experience in securing, separating and isolating multitenant data from exposure. Sophisticated data encryption and protection offerings are always valuable features. Consider uncovering public cloud blind spots wherever you can using advanced tools such as artificial intelligence (AI)-powered analytics and monitoring.
Since most cloud customers will use more than one solution, align yourself with providers that do not lock you or your data in. Providers that support sharing of information in and out of their cloud without breaking your bank are good candidates. Otherwise, moving from one provider to another could be costly — and the worst time to become aware of this surprise expense is during a crisis situation.
Cyber Security Advisor, IBM
IBM Cyber Security Advisor and recognized subject matter expert in Identity Access Governance, Access and Authorization architectures, and Security Intellige...