Maksim Kabakou - Fotolia

Security Think Tank: Cloud security is a shared responsibility

Misconfigured cloud environments are increasingly identified as the source of damaging data breaches and leaks, raising serious questions for enterprises. Where does responsibility for data security in the cloud lie, and how can security professionals best work with their teams and cloud providers to resolve the problem?

Many organisations, large and small, are moving their data and processing to the cloud to take advantage of the flexibility, efficiency and cost savings it can bring. 

However, there is sometimes a misconception that the move to cloud also relieves the organisation from responsibility for security. Also, the security management of cloud instances is different from fixed infrastructure and can be complex and unfamiliar.

As a result, there have been many examples of security breaches caused by misconfiguration of cloud services, and these are rising year on year.

Responsibility for cloud security varies depending on the type of cloud service, and each provider has a different model. However, at a high level, the following can be applied:

  • For infrastructure as a service (IaaS), the physical infrastructure, network interfaces, processing and hypervisors are managed by the provider, with the customer being responsible for securing and managing the virtual network, virtual machines, operating systems, middleware, applications, interfaces and data.
  • For platform as a service (PaaS), the provider takes on more responsibilities, but the customer is still responsible for applications, interfaces and data.
  • For software as a service (SaaS), the customer’s responsibility is reduced to the security of interfaces and data.

In all cases, the customer is responsible for access control, which is where most of the misconfigurations materialise. Also, most enterprises will operate more than one of these models, depending on their business.

Take care in choosing a cloud provider

There will, of course, remain some on-premise infrastructure that needs to be protected, as well as remote users. 

Small to medium-sized enterprises (SMEs) will typically allow remote users to connect direct to the cloud so they have virtually no infrastructure of their own. In fact, very small organisations may, in effect, only have remote users, with everybody connecting directly to the cloud via 4G or Wi-Fi. 

However, for larger enterprises, particularly those retaining on-site infrastructure, many prefer to have remote users connect back into their home site so that they can be fully authenticated using multifactor authentication before going on to access cloud or other resources using a single sign-on system. The same would apply to any external suppliers, or partners that are allowed access. Here, a cloud access security broker which sits between the cloud service provider and the service consumer can also help extend the controls of the on-premise infrastructure into the cloud.

As the shared security responsibilities will be different for different providers, it is important to identify your security needs before approaching cloud providers so that you can make a proper assessment of what your share of the responsibilities will be for each provider. 

Once you have chosen a provider, the key message to get across is that cloud configuration is security critical and must be controlled. At the same time, it is important not to kill the benefits of cloud with overzealous controls. The best approach is to bring together information security, infrastructure management organisations, the security operations team and representatives of any DevOps teams. They can then be briefed, and an agreement can be reached on how the problem will be managed, and identify contributions from each team.

Prepare a comprehensive cloud configuration plan

Cloud configuration can be complex, so it is essential to prepare a comprehensive plan and ensure that those responsible for configuration are fully trained and that appropriate support is available.

Before going live, the configuration should also be verified to ensure it is in line with the planning and that it is effective and achieving your security aims. This could be done using third-party tools or by external security testers. The latter often add value by finding things that were missed in the original security plan.

Due to the cloud being standardised, there are several third-party tools that will allow monitoring of the configurations constantly. This will help early identification of any misconfigurations. Network traffic monitoring and user behaviour analytics (UBA) can also be used to identify anomalies and misconfigurations, as well as issues that arise due to misconfigurations.

In summary, as with any infrastructure, security must be planned in from the start. This starts before the selection of a provider. You can only secure something you understand, so training and support are essential to enable the system to be configured securely. Finally, verify, test and monitor to ensure the security controls are achieving their objectives.

Read more on Cloud security