Security Think Tank: Adapt security posture to your cloud model

Using public cloud is now “normal” for many organisations and today, running both test and enterprise workloads in the cloud is commonly accepted practice. Ovum’s ICT Enterprise Insights 2019/20 – Global: IoT, Cloud, AI and 5G survey reveals that the cloud currently supports about 20% of workloads.

However, the shift in the type of workload moving to the cloud is creating different expectations of what cloud service providers (CSPs) must deliver. The move is now clearly toward core business systems and mission-critical workloads, and these workloads are more demanding in terms of reliability, service quality, security and data protection.

Using a CSP for workloads isn’t a shift in responsibility for an organisation. Data protection remains the responsibility of the enterprise. Boards are concerned about security incidents and breaches, the potential for reputational damage, not to mention fines and lost revenue. For example, compliance with the EU’s General Data Protection Regulation (GDPR) means that knowing what data the organisation is responsible for, where it is, and how it is maintained, is a priority for enterprises.

Irrespective of location – on-premise, public cloud, private cloud, via a managed service – data that the enterprise has is data that it must look after. Yes, CSPs provide a highly secure environment, but how an enterprise’s use of the cloud is configured is all-important.

The challenges that enterprises face, particularly with public cloud, was more than amply highlighted in July 2019 by the well-publicised Capital One data breach. Capital One had used the AWS (Amazon Web Services) public cloud and misconfigured the web application firewall (WAF), leaving an entry point for an attacker to exfiltrate data. According to reports, more than 100 million records of personally identifiable information (PII) were exposed.

AWS had provided the promised security of its public cloud, but Capital One did not configure its use appropriately, and a data breach ensued.

This is not an isolated incident – too many configuration errors are being made when cloud services are set up, and data is being put at risk.

The shared responsibility model was originally developed by Microsoft back in 2016 and has now become broadly accepted to identify, at a high level, where security responsibility lies in public cloud. For software-as-a-service (SaaS), most responsibility lies with the CSP, through platform-as-a-service (PaaS) where around 60% of security responsibility is the cloud provider’s, to infrastructure-as-a-service (IaaS), where that figure is around 30%. Without fail, however, data classification and accountability lie with the enterprise, not the CSP.

Although the shared responsibility model is gaining broad acceptance, there are still many organisations unaware of where their security and data protection responsibilities lie when it comes to cloud environments. Security and the protection of data in the cloud can only be achieved through the shared responsibilities of customers and cloud services providers. Gaining this understanding must be the first port of call for an enterprise.

Within the enterprise, individuals and groups responsible for the use of cloud services will need to provide regular assurance that these environments consistently adhere to the organisation’s security policy. For SaaS, this is where cloud access security broker (CASB) technology can help. CASB aims to give the enterprise control over its use of cloud services, sitting between the organisation’s IT infrastructure and utilised cloud infrastructure.

Cloud security posture management (CSPM) is a relatively recent software group designed to continuously assess cloud platform configurations for the enterprise. This is suitable for IaaS, where CASB doesn’t yet really play, and definitely worthy of investigation alongside CASB.

Enterprises should also engage closely with their chosen IaaS and PaaS providers on the security capabilities of today and what is on the roadmap for the near future. Gaps can then be identified, and remedies put in place.

Ultimately, an organisation should take the same care and effort with security and data protection when using cloud as it would with its on-premise infrastructure, platforms and software. Understand your responsibilities, look at supporting technologies, and work with the CSPs.