Is Cloud Security Possible?

Gwen Bettwy, Mon, 02/19/2018 - 08:39

Is cloud security possible? In a word, yes, although it takes a little longer to explain, and possibly a lot longer for everyone involved in acquiring and configuring cloud services to get it right.

The Problem

When we move to cloud services it is possible to secure that environment as well as we secure our own offices and data centers; seriously, it is.  It requires a well fleshed out contract with the proper service level agreements (SLA) and privacy level agreements (PLA) from the start, and for that to happen care must go into planning the move to the cloud.  I believe that it is very important for everyone involved in establishing a cloud service to become as knowledgeable as possible about how today’s cloud functions.  This includes security professionals, application developers, IT professionals and server administrators, to name a few.  We are already behind the curve on learning how the cloud works before putting any of our valuable data into it.  A good (bad) example is the Emory Healthcare data breach reported on www.PrivacyRights.org.  Emory Healthcare stored patient information in a MongoDB database hosted on Google Cloud; it was compromised by an attacker who removed the patient information and then held it for ransom.  The total number of records breached is thought to be 80,000. http://www.databreachtoday.com/emory-healthcare-database-breach-what-happened-a-9745

It is becoming increasingly important for organizations to maintain positive control over their data and to safeguard it in a way that protects not just the company but, more importantly, the customers the data is about.  New laws and regulations requiring this are being created at an increasing rate, and they come with hefty fines and penalties for organizations that fail to protect data properly.  Consider the General Data Protection Regulation (GDPR) from the European Parliament.  This new and updated regulation becomes enforceable in May of 2018.  Had Emory Healthcare been subject to GDPR, the fine could have been up to €20 million or 4% of global annual turnover, whichever is greater.  With fines like that, all of us need to pay attention.

It is a big challenge for organizations to properly protect data even when it is in their own possession.  The challenge grows considerably when the cloud is used to store and process that data.  To help you address it, I offer these key points to consider.

Education and Understanding

The cloud is a nebulous concept that everybody wants to use (for its considerable cost savings and ease) yet few understand.  Before one can begin to safeguard data in the cloud, there needs to be a basic level of knowledge, such as knowing the deployment models (public, private, community and hybrid) and the service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). You can find more about that here: http://tacticalsecurityinc.com/what-is-the-cloud-anyway/.  Understanding the language of cloud, and then interpreting what cloud providers are actually offering, is a critical start.

Contracts

Even with a very basic level of cloud knowledge, it becomes clear that the cloud is just somebody else’s computer (I love that T-shirt).  We’ve asked somebody to allow us (the cloud customer) to store and process our data using their (the cloud provider’s) computing hardware and software.  When selecting a cloud provider, it is very important to understand where our data lives, where it is being processed, who has access to it, what security controls are present, how to configure those controls and so on.  The parameters of this relationship are too complex to be agreed upon over a simple handshake.  All of these details must be worked out in contracts such as Privacy Level Agreements (PLA) and Service Level Agreements (SLA).  Even a “simple” activity such as using Office 365 as a SaaS solution requires careful consideration of the terms of use contract.  One of the most difficult things to do is to protect your data when you do not know where it is and it is not under your direct control.

Fundamentally, security does not change when the cloud is involved.  At the same time, it is very different with regard to where the controls are and who configures them.  In all service models, the cloud provider is responsible for the security of the physical environment, including the real network infrastructure and security devices.

In IaaS the cloud customer is responsible for configuring their own virtual network and security appliances (virtual firewalls, security groups and the like).  This is in addition to whatever virtual device configuration the cloud provider performs to create the customer’s virtual environment.

In PaaS, the cloud customer is responsible for the security of the applications they deploy onto the provider-supplied platform (a runtime, database or server of some kind).  The cloud provider is responsible for the virtual network and security devices beneath it.

In SaaS, the cloud customer is responsible for the security configuration and user accounts within the provided application.  Everything else is the responsibility of the cloud provider.
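The IaaS split above is where most of the self-inflicted cloud breaches happen: the provider builds the virtual network, but the customer writes the rules that decide who can reach which port. The script below is an added example (not from the original article and not any provider's tooling) of the kind of check a customer should run against their own firewall or security-group rules before a database ever goes live. The rule format, the port list and the sample rules are constructed for illustration and do not correspond to any particular provider's API or to the Emory configuration.

```python
"""Audit cloud firewall (security-group style) ingress rules.

Added example, not the article's own code. In IaaS the customer owns the
virtual network configuration; this script flags the classic mistake of
exposing administrative or database ports to the whole internet.
The rule format and sample rules are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports that should never be reachable from the public internet
# (assumed policy for this example; extend to match your own standard).
SENSITIVE_PORTS = {
    22: "SSH",
    3306: "MySQL",
    3389: "RDP",
    5432: "PostgreSQL",
    6379: "Redis",
    27017: "MongoDB",
}


@dataclass(frozen=True)
class IngressRule:
    name: str
    protocol: str      # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source_cidr: str   # e.g. "10.0.0.0/8" or "0.0.0.0/0"


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the entire IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(rule: IngressRule) -> list[int]:
    """Sensitive TCP ports this single rule lets the whole internet reach."""
    if rule.protocol not in ("tcp", "any"):
        return []
    if not is_world_open(rule.source_cidr):
        return []
    return sorted(p for p in SENSITIVE_PORTS if rule.port_from <= p <= rule.port_to)


def audit(rules: list[IngressRule]) -> list[str]:
    """Return one human-readable finding per (rule, exposed port) pair."""
    findings = []
    for rule in rules:
        for port in exposed_ports(rule):
            findings.append(
                f"{rule.name}: {SENSITIVE_PORTS[port]} (tcp/{port}) "
                f"open to {rule.source_cidr}"
            )
    return findings


# Constructed sample rule set: two are fine, three are not.
SAMPLE_RULES = [
    IngressRule("web-https", "tcp", 443, 443, "0.0.0.0/0"),          # public web, fine
    IngressRule("bastion-ssh-corp", "tcp", 22, 22, "203.0.113.0/24"),  # SSH from office only
    IngressRule("mongo-open", "tcp", 27017, 27017, "0.0.0.0/0"),      # database to the world
    IngressRule("allow-all-debug", "any", 0, 65535, "0.0.0.0/0"),     # "temporary" allow-all
    IngressRule("ipv6-rdp", "tcp", 3389, 3389, "::/0"),               # IPv6 is the internet too
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Running it prints eight findings: one for the MongoDB rule, six for the allow-all range (every sensitive port falls inside 0-65535) and one for the IPv6 RDP rule. The point of the range and IPv6 cases is that a check which only string-matches "0.0.0.0/0" against a single port misses exactly the rules that cause trouble.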

Cloud Access Security Broker

When a customer needs assistance negotiating their contract, or help configuring their portion of the virtual security environment, there is a solution that is growing in popularity and capability: the Cloud Access Security Broker (CASB).  The CASB, as described in Gartner’s Magic Quadrant report number G00318532 from November 2017, has “become an essential element of any cloud security strategy, helping organizations govern the use of cloud and protect sensitive data in the cloud”. https://info.skyhighnetworks.com/WP-Gartner-CASB-Magic-Quadrant-2017_BannerCloud.html?Source=Website&LSource=Website

Gartner predicts “By 2020, 60% of large enterprises will use a CASB to govern cloud services, up from less than 10% today. Through 2020, at least 99% of cloud security failures will be the customer's fault.”

The CASB can assist with data security, threat protection and compliance with policy or law.  Check out my next blog for more details on CASBs.