With Cloud vulnerabilities again in the news this week, we present our best-practice guidance to help ensure your environment is appropriately secured.
As a business, you must know precisely where your data is stored and ensure that you comply with all legislation that governs that data storage and transfer in the countries in which you operate. When it comes to Cloud data, you also need to make sure that your cloud provider offers tight security and has protocols to follow in case of a data breach, or in case you need to destroy any data. This is where your choice of cloud technology and cloud service provider can make a huge difference in the life of your business—and your data.
Cloud computing is seeing an ongoing explosion in growth, with Cisco claiming that as much as 94% of all workloads are now being processed via cloud data centres. According to Gartner, "Global end-user spending on public Cloud services is expected to exceed $480 Billion next year". The COVID-19 pandemic has pushed the hybrid working model to the point where remote work and collaboration are the norm rather than the exception, with cloud services at their core. Gartner also predicts that public cloud spending will exceed 45% of all enterprise IT spending by 2026. To put that into perspective, the current level is 17% for 2021.
Whilst the move to the Cloud is rapid, security concerns are growing just as quickly. Check Point reports that 94% of organisations surveyed say that they are "moderately to extremely concerned" about cloud security. Cloud cybersecurity incidents now surpass on-premises ones for the first time, and by a wide margin, according to the annual Verizon Data Breach Investigations Report (DBIR): incidents involving cloud assets accounted for 73% of the total, compared to just 27% in the prior year. IBM's 2021 annual report puts the cost of a typical data breach incident at as much as $4.24 million.
The challenge for CISOs is to understand how cloud providers differ in their approach and practice to securing and ensuring resilience on their respective platforms, particularly the three best-known (Microsoft Azure, AWS and Google). There's no argument that these big players do a decent job of securing and protecting the cloud itself, with the occasional issue such as a database vulnerability promptly dealt with by their extensive security teams, but they also form a rather large target.
Whilst physical security and technical or infrastructure security are the cloud vendor's responsibility, under the shared responsibility model the encryption of data, access to it and control of that access are primarily the responsibility of the data owner or customer. Gartner predicts that through 2025, 95% of cloud security failures will be due to a fault attributable to the customer. As we author this piece, millions of Android users' personal data remain exposed due to various misconfigurations of third-party cloud services, even after Google was alerted by researchers, according to Check Point Research.
The recent DoControl report, "Quantifying the Immense Risk of Unmanaged SaaS Data Access", highlights how "vast amounts" of sensitive enterprise data are at risk, with 40% of data in Cloud (SaaS) platforms unmanaged. Along with the rising adoption of SaaS applications, the threat of related data leaks is "growing exponentially", and "To date, security practitioners have focused on enabling SaaS access in a secure manner, but now is the time to prioritise the relevancy of this data access internally and externally."
Whilst every cloud provider has a slightly different approach, the core principles, security control objectives and best-practice advice remain the same. Each provider has amalgamated service-specific guides that cover the exact settings to be managed to achieve a secure cloud within its particular platform:
Microsoft offer an in-depth introduction to securing their Azure cloud platform.
Microsoft have also teamed up with the Center for Internet Security (CIS) to provide a number of preconfigured secure operating systems as ready-to-go packages.
Google's contribution to the security of their cloud services comes in the form of a document catering towards enterprise organisations.
Amazon Web Services
Amazon offer a number of comprehensive guides for securing Amazon Web Services (AWS) distributions. They also provide the ability for users to purchase and share additional security modules through the AWS Marketplace.
Another great resource is A Cloud Guru, who provide training and resources to develop cloud skills, including security; for example, "How to audit and secure an AWS account".
The National Institute of Standards and Technology (NIST) Cloud Computing Standards Roadmap (NIST SP 500-291), along with the technology- and implementation-agnostic Cloud Computing Reference Architecture (NIST SP 500-292), identify the main cloud actors, their roles, and the main architectural components necessary for managing and providing cloud services.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) joint committee on Cloud Computing and Distributed Platforms also developed a reference architecture standard, derived from NIST SP 500-292: International Standard ISO/IEC 17789 | Recommendation ITU-T Y.3502 “Information technology - Cloud computing - Reference Architecture”, which outlines security components as part of multi-layer functions.
These reference architecture standards provide a common language and model with which to design, manage and communicate cloud solutions, including high-level recommendations on how security should be dealt with. Specific configuration details for different platforms require the translation of these standards into guidelines and procedures.
Cloud Security Hardening - Configuration Guidelines
The Center for Internet Security maintains carefully curated, up-to-date guides for a large number of operating systems and services. These security guides cover the big cloud players and go into detail on how to secure each instance to an acceptable level.
Despite the different platforms they cover, the CIS hardening benchmarks share a number of key areas and points:
Identity and Access Management:
Logging and Monitoring:
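To make the two shared benchmark areas concrete, here is an added example (not code from the original page, from CIS, or from any cloud provider) that evaluates a constructed account snapshot against a handful of CIS-style checks: root MFA, root access keys, password policy length, stale user access keys and users with console access but no MFA on the identity side, and a multi-region audit trail with log file validation and a non-public log bucket on the logging side. The snapshot structure, the check identifiers and the 14-character and 90-day thresholds are assumptions for illustration; a real assessment would feed the checks from the provider's own API exports.

```python
"""Evaluate a constructed cloud-account snapshot against CIS-style checks
in the two areas the benchmarks share: identity and access management,
and logging and monitoring.

Added example, not from the original page or from CIS. The snapshot
layout is a hypothetical export format; field names, check identifiers
and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date

MIN_PASSWORD_LENGTH = 14   # assumed threshold, in the spirit of the CIS IAM section
MAX_KEY_AGE_DAYS = 90      # assumed threshold for access key rotation


@dataclass(frozen=True)
class Finding:
    area: str    # "IAM" or "Logging"
    check: str   # short identifier (hypothetical naming)
    detail: str


def check_iam(snapshot, today):
    """Identity and access management checks over the snapshot."""
    findings = []
    root = snapshot["root"]
    if not root["mfa_enabled"]:
        findings.append(Finding("IAM", "root-mfa", "root account has no MFA"))
    if root["access_keys"]:
        findings.append(Finding("IAM", "root-keys", "root account has active access keys"))
    min_len = snapshot["password_policy"]["min_length"]
    if min_len < MIN_PASSWORD_LENGTH:
        findings.append(Finding("IAM", "password-length",
                                f"minimum length {min_len} < {MIN_PASSWORD_LENGTH}"))
    for user in snapshot["users"]:
        for key in user["access_keys"]:
            age = (today - date.fromisoformat(key["created"])).days
            if key["active"] and age > MAX_KEY_AGE_DAYS:
                findings.append(Finding("IAM", "stale-key",
                                        f"{user['name']} key {key['id']} is {age} days old"))
        if user["console_login"] and not user["mfa_enabled"]:
            findings.append(Finding("IAM", "user-mfa",
                                    f"{user['name']} has console access without MFA"))
    return findings


def check_logging(snapshot):
    """Logging and monitoring checks over the audit trails in the snapshot."""
    findings = []
    trails = snapshot["trails"]
    if not any(t["multi_region"] and t["logging"] for t in trails):
        findings.append(Finding("Logging", "trail-all-regions",
                                "no multi-region trail is actively logging"))
    for t in trails:
        if not t["log_file_validation"]:
            findings.append(Finding("Logging", "trail-validation",
                                    f"trail {t['name']} lacks log file validation"))
        if t["bucket_public"]:
            findings.append(Finding("Logging", "trail-bucket-public",
                                    f"trail {t['name']} writes to a publicly readable bucket"))
    return findings


def evaluate(snapshot, today):
    """Run both areas and return the combined list of findings."""
    return check_iam(snapshot, today) + check_logging(snapshot)


# Constructed sample snapshot (not real data): a mostly sensible account
# with a few deliberate gaps so each check area produces output.
SAMPLE_DATE = date(2021, 12, 1)
SAMPLE = {
    "root": {"mfa_enabled": False, "access_keys": []},
    "password_policy": {"min_length": 8},
    "users": [
        {"name": "alice", "console_login": True, "mfa_enabled": True,
         "access_keys": [{"id": "KEY-ALICE-1", "created": "2021-06-01", "active": True}]},
        {"name": "bob", "console_login": True, "mfa_enabled": False, "access_keys": []},
    ],
    "trails": [
        {"name": "main", "multi_region": True, "logging": True,
         "log_file_validation": False, "bucket_public": False},
    ],
}


def evaluate_sample():
    """Convenience entry point: findings for the constructed sample."""
    return evaluate(SAMPLE, SAMPLE_DATE)


if __name__ == "__main__":
    for f in evaluate_sample():
        print(f"[{f.area}] {f.check}: {f.detail}")
```

The point of structuring the checks as pure functions over an exported snapshot is that the same assessment can be re-run on every change and its output diffed, which is how a visibility gap in a growing estate is usually first noticed.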
Establishing appropriate security controls as cloud solutions are designed and implemented is vital, but how can we assess existing solutions and configurations? The Cloud Security Alliance provides a set of sector-specific controls for cloud service providers in its Cloud Controls Matrix (CCM). There is also a set of questions a cloud consumer or auditor may wish to ask a cloud provider to ascertain its compliance with the CCM, called the Consensus Assessment Initiative Questionnaire (CAIQ).
The CAIQ offers an industry-accepted way to document what security controls exist in cloud services, providing security control transparency and to some extent assurance.
No matter what cloud platform is being used, visibility is key, and it should form the foundation of any cloud security strategy. Whether security revolves around compliance, policy governance or risk remediation, visibility into infrastructure security is one of the most pressing challenges within cloud security. As businesses grow, merge and acquire, visibility gaps widen because of the variety of deployment processes and technologies that accumulate. Being able to accurately see and comprehend your organisation's cloud footprint is the first crucial step in defending it.
In Assess we review your existing cloud and its alignment with your business risk. We also consider:
Based on the results of the Assess phase, Tannhauser will build and Enhance your cloud security operations:
To understand what cloud security means for you and your business, we are on hand to help address any questions and assist in the implementation of improved controls.