Cloud Security Assessment
What is cloud computing in terms of Information Technology?
Cloud computing can be simply defined as a service for hosting data on the internet rather than the traditional data centers in an organization. There are different types of services offered in the cloud these days, namely:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
All these different types of data hosting services on the internet provides with different capabilities to the organizations ranging from a ready to use software with minimal responsibilities of maintenance to just the computing resources heavily relying on the organization’s capability and expertise to maintain the infrastructure. While going from SaaS to PaaS to IaaS, the responsibilities of organization increases compared to the services provided by the vendor providing cloud infrastructure. It would certainly be necessary to look at what the business and security needs of an organization are before making a decision to choose the type of hosting service from the cloud vendors.
You know now how the infrastructure can be built into the cloud, but it would also be helpful to get some information around what different types of cloud deployment models exist. Provided below is a list of models generally used in this era of cloud computing:
- Private Cloud
- Public Cloud
- Hybrid Cloud
Again, as mentioned earlier each model has its own pros and cons and depending on the needs of an organization, it would be beneficial to choose the right strategy of hosting data on the cloud. As the name itself suggests, Private cloud offers the convenience, flexibility, and scalability of the cloud while still preserving the traditional security and management of an on premise data center. The public cloud will host the data of multiple organizations in a third party data center virtually segregated from each other. Hybrid cloud is a combination of public and private data hosting service, in a case where you would like to protect your mission critical data on the private cloud and the rest on the public cloud.
There are definitely advantages of storing the data on cloud that provides a lot of elasticity, low cost, and high availability. But as we all know every coin has two sides and so has the usage of cloud. All these benefits on the cloud comes with its own risks. Let’s talk a bit around how to do deal with this buzz word – ‘Cloud’ in terms of security. What areas do you think we need to look at while hosting the data on the cloud regardless of the type of hosting services an organization decides to go with? The same application security architecture design controls that we looked at in the previous blog Application Security Architecture Assessment, right? – Well, you are partially correct because there is much more to it. Let us discuss each of those areas briefly to give you a very high level understanding around performing the security assessment of data hosted on the cloud:
1.Appropriate segregation of data, if hosted outside the firm’s infrastructure – in a multi tenancy environment.
2. Authentication and Authorization of users maintaining the cloud environment. It could include the administration users and the support staff of an organization, and service providers.
3. Access controls for users accessing the cloud environment from internal and external to the firm’s infrastructure to minimize the risk of unauthorized data leakage.
4. Definition of roles and responsibilities for the users managing the cloud environment – so called appropriate segregation of duties and GRC (Governance Risk and Compliance) to provide access to the data based on the principle of least privilege.
5. Enabling Multi-factor Authentication (MFA) for any administrative actions being carried out in the cloud environment by support / admin staff.
6. Reviewing the processes used by third parties while developing / managing the platform for an organization – this includes a wide range of controls from security background checks of their employees before hire, to their change management procedures.
7. Encryption of data at rest and in transit. To see if any outdated technologies or algorithms are used to encrypt or hash the data.
8. Ownership / Management of encryption keys and Digital Certificates.
9. Reviewing the high level Data Flow and Architecture Diagrams of the cloud environment hosting firm’s data.
10. The Service Level Agreements for Availability and Disaster Recovery of the cloud environment. Ensure it meets / exceeds the expectations of the business. Perform Business Impact Assessments to identify the Recovery Point Objectives (RPO), Recovery Time Objectives (RTO), and the Maximum Tolerable Downtime (MTD) for the solution.
11. Organization should also review the controls and processes followed to perform testing of Disaster Recovery Data Centers.
12. Review controls provided to production data in the test environment, if any, and the segregation of those environments. Also ensure to identify the process used to promote the code from Dev / Test / Non-prod to Prod environments.
13. Review capabilities provided by service providers and the existing capabilities internal to the firm to identify if enough controls are in place to perform forensics investigation using logs captured by the application on the cloud. Ensure all the logs from the cloud are moved to an appropriate security and event monitoring tool (SIEM) for further analysis, and last but not the least,
14. Review controls around data life cycle management, data retention, migration, etc. to fit your business needs while still complying with regulatory obligations. The examples could be complying with GDPR, PCI, PIPEDA, etc.
Let me stop here for now and provide you guys an opportunity to reflect upon. Have you ever had thought of using cloud to store and manage your data? – I am sure, you did. Well then, any thoughts about securing it? If not, you’ve got it now. Get back till we come back with a new blog post, and rethink about your approach to ensure you have right controls in place while still being on the cloud irrespective of the service provider you are with.
Keywords: Information Security, Cloud Security, Securing the Cloud , Cloud Computing, Application Security, Risk Assessment
Thank you so much guys for taking the time to read this post. Please let us know how we did and make sure you: LIKE, SHARE, SUBSCRIBE, and COMMENT.
Your feedback will be highly appreciated and feel free to let us know about any requests you have regarding the topics we should include in our upcoming posts. We will be more than happy to prioritize and accommodate your requests!