Protecting The Cloud: Industry Perspectives on Cloud Security
By Byron Aris, Vice President, Cloud Security Advisor, SunTrust
The cloud is one of the most revolutionary technologies of our times. Today, at least 81% of enterprises cutting across all industries have implemented cloud strategies, while 67% will have based all their infrastructure in cloud platforms. This is a huge number by any measure, and it has led to an increase in cybercrime targeting cloud users. Enterprises therefore need to understand cloud security concerns, how those concerns affect their security practices, and their own responsibilities in securing their cloud environments.
Cloud security is a shared responsibility
Cloud consumers and providers share the responsibilities of securing the cloud. Users access cloud services through shared infrastructure and software. The providers have the responsibility of securing all shared infrastructure. This includes firewalls, hypervisors, load balancers, cloud APIs, storage networks, etc. Implemented security measures ensure multitenancy does not allow malicious users to access the data and infrastructure used by others.
For their part, cloud consumers manage all security aspects related to the cloud platforms. Enterprises must ensure that employees observe sufficient security practices to prevent security incidents caused by ignorance and simple mistakes. As such, an organization must ensure that employees use secure devices to connect to their cloud accounts and that they maintain efficient password management practices. In addition, enterprises should adopt acceptable controls for authorizing and authenticating users. They are also responsible for encryption techniques to secure data at rest and in transit.
All said and done, cloud providers and consumers play a collective role to realize maximum protection of cloud activities. The image below depicts the security responsibilities of both cloud users and providers.
Cloud security architectures
Enterprises access cloud resources and services at three levels. These are infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). The shared security responsibilities must cut across all three models for efficient security. The following figure is a representation of a typical cloud security architecture.
In IaaS security, cloud providers secure infrastructure and abstraction layers. SaaS security is a collaboration between service providers and cloud users. Whereas the provider provides security for most of the PaaS model, the enterprise has to ensure security for applications accessed through the cloud platforms.
Enterprise’s response to security challenges
Cloud security presents many challenges that an enterprise must navigate to conduct business functions. Here are some of the challenges and the ways organizations respond to them to sustain global business functions.
1. Audit and compliance: Enterprises must maintain compliance with regulations when using cloud services. This introduces challenges in evaluating cloud security compliance against the enterprise's internal security needs and policies. It is challenging to deliver, measure, or communicate compliance due to the numerous compliance requirements spread across different jurisdictions. Besides, whenever audited, an enterprise must be able to prove full compliance at any given time. Since non-compliance attracts hefty fines, not to mention the lack of proper security controls, organizations conduct assurance campaigns aimed at creating awareness for observing compliance regulations. They also use compliance management tools, which are offered through software applications.
2. Governance and risk management: Key security challenges include identifying and implementing suitable enterprise structures, controls, and processes. These are required to maintain adequate governance with regard to information security, compliance, and risk management. Information security must include the entire information supply chain: customers, providers, and third-party vendors. Enterprises deal with the challenges through well-developed processes for governing information security. The processes must scale with business operations, be replicable across the enterprise, improve continuously, be sustainable, and be measurable.
3. Data security and information management: Transitioning from on-site premises to cloud environments introduces new challenges in securing information. Traditional techniques for protecting information on-site are incapable of addressing challenges brought by cloud architectures, including multi-tenancy, elasticity, and abstracted controls requiring specific data security strategies. A data security life-cycle provides most of the solutions for securing data and maintaining its integrity, confidentiality, and availability. An example of a common data security lifecycle program consists of secure guidelines for creating, storing, using, sharing, archiving, and deleting data.
4. Interoperability and portability: These are not new concepts in cloud computing. They allow information to be exchanged across platforms and to be processed from any device, thus increasing productivity and efficiency. However, information flow through shared cloud resources in multitenant platforms causes security challenges in preserving data integrity, confidentiality, and availability. Applications with insecure APIs may be used to process data, thus increasing security risks. As a security measure, organizations rely on data encryption and a thorough investigation of the APIs used to handle data. An enterprise must also fully understand the Service Level Agreements to better comprehend its role and that of the provider in securing information.
Sophisticated cyber threats influencing security practices
Cybercriminals are relentless in creating new attack tools and techniques. This has caused cybercrime to be more sophisticated, forcing enterprises to re-think their security practices.
1. Increased account compromise: As the cloud positions itself as an integral technology today, cybercriminals are more determined to compromise organizational cloud accounts. Enterprises are forced to implement powerful cybersecurity policies for identifying malicious activities within their cloud environments.
2. Cryptojacking: This is an attack where attackers are only interested in compromising the cloud resources' processing power to mine for virtual currencies. It causes slow system response, thus lowering productivity. Since the malware is often delivered through phishing, organizations must raise awareness among users regularly and conduct frequent training.
To address the above threats and other sophisticated attacks, organizations are incorporating artificial intelligence in their security practices to track the threats better and respond to them in real time.
Cloud security principles requiring evaluation
1. Personnel security: Requires cloud provider staff to be screened and educated regarding their roles. Should be evaluated to include enterprise cloud security staff.
2. Supply chain security: The provider must vet supply chain providers to ensure they satisfy security requirements. This should extend to the entire product development lifecycle as cybercriminals have taken to planting malware during the software development process.