Maksim Kabakou - Fotolia
Security Think Tank: The cloud needs security by design
Misconfigured cloud environments are increasingly identified as the source of damaging data breaches and leaks, raising serious questions for enterprises. Where does responsibility for data security in the cloud lie, and how can security professionals best work with their teams and cloud providers to resolve the problem?
Cloud environments and the storage of business-critical data within them carry inherent risk. These risks have been exacerbated by the rise of shadow IT, which makes it easy and inexpensive for anyone in the organisation with discretionary spend to purchase cloud-based applications to support their business operations, without necessarily subjecting them to the same level of rigour that is applied before enterprise-level cloud services are selected and implemented.
Defining data responsibilities
As with all data security risks, the responsibility lies with the organisation that has collected the data (the data controller in a General Data Protection Regulation [GDPR] world) to ensure it is processed, stored and transmitted securely. Outsourcing IT work and functions does not mean the risk is automatically outsourced.
However, there is some variation on responsibilities, based on the nature of the cloud service provided by a third party. There is little onus on data security for the supplier of cloud-based IT infrastructure (IaaS), for example, because it offers only the basic system structure on which the customer builds its own IT environment. While the provider might be responsible for general maintenance and the overall security of the IT system, it is not in charge of the data itself. The story is similar for cloud platforms (PaaS), which supply tools to further facilitate the customer’s needs.
Where the situation becomes more fluid is at the application level, as the cloud provider has a more active role in the operation of the service and may therefore have access to the data contained within it.
And while many of the cloud provisioning services take great pains to secure the information they are processing, storing and transmitting, an organisation cannot be complacent when it comes to protecting the data it has in the cloud.
Doing the groundwork
The first step is to undertake the appropriate level of due diligence on the cloud service supplier to ensure that data will be managed securely so that the interests of both the customer and its clients will be protected. Front of mind from the outset should also be having the right controls – both process and technical – in place to manage any risks that do exist, particularly where data held may be of a sensitive nature, such as personal information.
Privacy regulations must also be taken into account. For example, the personal data of EU citizens comes under the jurisdiction of the GDPR (currently the most prevalent legislation). Responsibility for this personal information is placed on the data controller (the customer) to ensure that processing of data is compliant, while the data processor (the cloud provider) must take accountability for some of the information being handled – because data stored in the cloud is shared more widely than that in traditional on-premise environments – and the ultimate liability remains with the controller.
The focus should be on appropriate data classification up front, defining the correct level of responsibility and ensuring that those requirements are communicated clearly as contractual responsibilities. Once everyone is aware of the need to protect the information, appropriate measures to do so can be identified, documented and tested to protect the information stored. This includes processes for notification in cases of breaches and response plans in case the worst case happens.
Public cloud and shared responsibility
Many organisations opt to use a public cloud provider, rather than a private one, for some or all of their requirements, and this can change the responsibility dynamic.
Amazon Web Services (AWS), for example, is transparent that responsibility for data security and compliance is shared between it and the customer. AWS operates, manages and controls the components from the host operating system, while the customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall. Further responsibility divides are determined by the services used.
AWS also provides a number of in-built tools that the customer can use to remediate and mitigate any potential risks. There is also a level of support provided, which can remediate most security risks and provide feedback as to how the customer can improve their security and compliance, if required.
Building security by design into the supplier lifecycle
Security by design ensures that IT security is inherent in an organisation’s operations and is an approach that can be adopted when outsourcing services to the cloud. The following checklist covers the key points to address:
- Internal understanding: The customer needs to be aware of the types of information it is storing in the cloud environment and its sensitivity.
- Pre-contract checks: Confirmation that the cloud provider has the basic security elements in place that enable it to meet required standards, such as handling the data being stored/processed/transmitted, and so on, in a way that is appropriate to its sensitivity.
- Contractual clauses: Predefined clauses covering issues such as breach notification, breach of contract in the event of incidents, metrics that the cloud provider must report, and possibly right to audit, can be inserted.
- Ongoing contract: Key performance indicators (KPIs) on which the cloud provider needs to report (number of people/locations with access, risks the third party manages behalf of the customer, confirmation of vulnerability scans/patches, for example) and that the actions (especially closing leavers accounts) are performed quickly.
- Business dialogue: Internal customer discussions to understand whether business users have adopted applications or services outside IT’s remit (shadow IT) that require additional steps to be taken to secure organisational data.
- Audit reports: SoC 2 audit reports should be received and reviewed where relevant.
- Contract changes: Controls and the contract need to change as the cloud provider adapts the service over time to meet the customer’s needs.
- Offboarding contract: Confirmation of data disposal and the return of intellectual property (IP) to the customer.
Everyone is responsible for data security
IT security professionals have a significant role to play in ensuring that the right standards are met in all aspects of cloud service provision so that it benefits the organisation without introducing risk that is, at best, unnecessary and, at worst, counterproductive.
From a technical perspective, this includes undertaking thorough testing of cloud services and putting the right controls in place to mitigate the risks that do exist. But it is also about fostering understanding throughout the business so that people see how their individual actions, such as using unauthorised applications, can have a direct impact on the overall enterprise.
Regardless of where data is stored, information security is everyone’s responsibility.