Organisations are swiftly moving their business-critical applications and data to cloud (Microsoft Azure, AWS and Google Cloud) and by the end of 2019, 451 Group predicted that 60% of all workloads is residing in the public cloud. Cloud allows outsourcing of traditional on-premises IT services and in a way, you can look at it as a transformational system as the technology has ability to resolve complex issues like compliance.
With Gartner predicting that by 2020 the cloud market being worth close to $400bn it’s only fair to see cloud spending is rapidly increasing. More and more organisations are adapting cloud services to increase operation efficiency whilst reducing cost. Organisations need to understand with whom compliance responsibility lies when using Cloud services and it differs depending on the service and the Cloud Service Provider (CSP).
For Example, Amazon maintains a responsibility matrix which identifies that they’re responsible for the ‘security of the cloud’ which includes protecting the infrastructure that runs all of the services offered in the AWS Cloud and customer is responsible for ‘Security in the Cloud‘ which includes the amount of configuration work they must perform as part of their security responsibilities.
With all this, what is clear is that the more we adopt cloud the less control we have so the main challenge in my opinion is understanding the risks and implementing the controls needed to manage them.
Regardless of the cloud provider, we need to make sure the security controls are in place addressing governance, access control, asset management, business continuity, incident response and system maintenance. Each of these topics can be addressed to ensure controls and a measurable level of compliance. With a relatively simple approach to each, you can work with cloud providers and maintain a level of compliant and auditable control over your network.
Cloud Security Controls Framework is built on Cloud Security controls and are classified in different categories, each category focusing on a different cloud security area. A detailed assessment across these categories – access control, network security, data encryption, logging and monitoring, inventory and configuration management and compliance would provide an organisation with their current state of compliance level. Below is a high-level diagram we currently use at RiverSafe.
Once the assessment phase is completed it’s essential to have a gap report that will include the findings of the assessment as well as the recommended actions to take to remediate any issues discovered.
Cloud Security controls categories
Access control determines snot only who or what can have access to a specific system resource, but also the type of actions that can be performed on a resource. As part of controlling access to cloud resources, users and processes must present credentials to confirm that they are authorised to perform specific functions or have access to specific resources. The credentials required by the cloud service vary depending on the type of service and the access method, and include passwords, cryptographic keys, and certificates.
Network security in the cloud is very similar to network security on-premises, except that network components are virtual. Cloud customers must ensure network architecture follows the security requirements of their organisation, including the use of DMZ to separate public and private resources, the segregation of resources using subnets and routing tables, the secure configuration of DNS, whether additional transmission protection is needed in for of a VPN, and whether to limit inbound and outbound traffic.
Data stored in the cloud is secure by default; only cloud owners have access to the cloud resources they create. However, cloud customers who have sensitive data may require additional protection by encrypting the data when it is stored on the cloud. For some cloud data storage options, cloud providers provide an automated, server-side encryption function in addition to allowing cloud customers to encrypt on the customer side before data is stored. For other cloud data storage options, the cloud customer must perform encryption of the data.
Logging and Monitoring
Audit logs record a variety of events occurring within an organisation information systems and networks. Audit logs are used to identify activity that may impact the security of those systems, whether in real-time or after the fact, so the proper configuration and protection of the logs is important.
Asset and Configuration Management
Cloud customers are responsible for maintaining the security of anything installed on cloud resources or connect to cloud resources. Secure management of the cloud resources means knowing what resources the cloud customer is using, securely configuring the guest OS and applications on the cloud customer resources, such as secure configuration settings, patching and anti-malware, and controlling changes to the resources.
Cloud customers are required to continue to meet statutory, regulatory, contractual and legal compliance obligations such as data privacy and protection requirements. To help cloud customers to meet these obligations, cloud providers must be able to prove their alignment with the latest standards and regulations. However, cloud customers are the ones who must ensure that their security controls align with industry frameworks.
Identify and prevent vulnerabilities across the entire application lifecycle while prioritising risk for your cloud native environments. Integrate vulnerability management into any CI process, while continuously monitoring, identifying, and preventing risks to all the hosts, images, and functions in your environment. Prisma Cloud combines vulnerability detection with an always up-to-date threat feed and knowledge about your runtime deployments to prioritise risks specifically for your environment
Regardless whether your organisation is using a private or public cloud, there are numerous standards that must be met in order to ensure cloud compliance. Most of the cloud service providers have identified the importance of offering services to their customers in order to achieve compliance and have stepped up in their offering but the fact remains customers are responsible for the ‘security in the cloud’ and this is where companies like RiverSafe can help you achieve the compliance you need to satisfy all your above requirements.