Why security in the cloud is a shared responsibility relationship between the infrastructure provider and the customer
By Paul Farrall, CISO at Skytap
Organizations moving workloads to the cloud must make sure that those workloads remain secure, especially organizations that handle sensitive customer data (such as financial or health records) and must comply with regulatory requirements as well as security frameworks like the Payment Card Industry Data Security Standard (PCI DSS). Security in the cloud is a shared responsibility relationship between the cloud infrastructure provider and the customer purchasing computing resources; however, many organizations get confused about who is responsible for what. These misunderstandings can lead to insecure systems, data breaches and the loss of sensitive data, with all the negative consequences that go along with them.
To help simplify, here are five steps organizations should take before and during a cloud migration to make sure their data remains secure.
- Conduct a risk assessment of existing systems
The first step is determining which of your organization’s systems need the most protection. For example, HR data on employees and financial information is very sensitive and needs to be well-protected. Marketing documents that are publicly available don’t need as much protection, so your time is probably better spent focused on other systems. Conducting a risk assessment will help you understand your current security posture and vulnerabilities. With this information, you can prioritize which systems and data need the most protection. This will be helpful when you start evaluating cloud providers. Are you looking for a cloud provider to host your marketing brochures? Security assessment of the cloud provider can be relatively lightweight. Are you migrating HR data to the cloud? Then you need to do a more careful evaluation of the provider’s security to ensure they meet your security control requirements.
- Interview cloud infrastructure providers and ask about their certifications and infosec program
Certifications like PCI DSS and ISO 27001 indicate that a cloud infrastructure vendor offers a safe, secure and standards-compliant foundation for business-critical applications. At a minimum, any cloud provider should allow customers to view their annual SOC 2 Type 2 audit report (which should be prepared by an independent third-party audit firm). Beyond SOC 2, ask the vendor if they are compliant with other security standards that are applicable to your business. This will depend on the high-priority systems that you identified in Step 1 along with any regulatory and contractual requirements you are subject to (for example, if you are an ecommerce company, you may need to be compliant with PCI DSS and should look for a cloud provider that possesses PCI certification; if you are a U.S. government agency, you may be restricted to only cloud providers who possess FedRAMP certification). Remember that vendors may be working towards compliance with a standard and meet most requirements even if they’re not fully compliant. Depending on your needs, this may be good enough for your purposes.
Also, ensure that the cloud vendor has a documented information security program led by an experienced security professional (the most common title for this is Chief Information Security Officer). These are indicators that the vendor takes security seriously. Again, remember to prioritize and scrutinize vendors that will be storing sensitive information more closely than ones that will be storing non-critical information.
- Understand the Shared Responsibility Model
This step is critical. Cloud infrastructure providers will specify which aspects of the overall security framework they are responsible for and the aspects that the customer must manage on their own. Generally speaking, infrastructure providers are responsible for protecting the infrastructure itself, including the people, hardware, software, networking and physical facilities that comprise the hosting platform. Customers are typically responsible for securing their own environments, including the guest OS, applications and data. The vendors should provide you with a copy of their shared responsibility matrix if you ask. Make sure you understand this thoroughly so you don’t assume the vendor will secure something that is actually your responsibility.
For example, cloud infrastructure providers do not typically patch servers running in customer VMs or prevent weak passwords from being used on those servers – these are customer responsibilities. Similarly, don’t assume data backups are a service that cloud infrastructure providers include by default. Depending on the type of cloud service offered, backup of customer data might be included as a standard service or it might require custom contract terms. Make sure you understand these nuances and don’t just assume that the vendor will secure everything for you in the cloud.
- Secure Your Own Virtual Machines
Now that you understand what the vendor will secure, you need to step in and secure the rest. As stated above, cloud infrastructure providers protect their platform and protect customers from each other. You, the customer, are responsible for application security and for configuring your cloud environment correctly. IaaS providers won’t fix your coding mistakes for you! If you introduce a security flaw into a virtual machine that leads to a breach, there may be nothing that the infrastructure provider can do about it.
- Find Out What’s Exposed to the Internet
If you do not implement strong configuration management and server hardening procedures, you may find that you have accidentally exposed your virtual machines and cloud services to the internet. This is the root cause behind most of the Amazon S3 bucket breaches you may have read about over the past few years. There are even search engines to find exposed S3 buckets. The risk from configuration errors is magnified in the cloud because the pool of attackers on the public internet is larger by orders of magnitude than what a server in a data center behind a firewall would normally face. An unpatched server with a weak password exposed to the public internet will be hacked in minutes.
To make sure this doesn’t happen to you, spend the time and effort needed to determine exactly which services are exposed to the public internet, cut off any that do not need to be exposed, and harden those that do.
Moving workloads to the cloud can produce solid benefits like reductions in cost and potential for application modernization. But misunderstandings around cloud security can leave your data exposed and open your organization up to serious consequences. Make sure to follow these steps to reduce your risk, and don’t be afraid to use a consultant if your team doesn’t have the necessary expertise.
About the Author
Paul Farrall is the CISO at Skytap. He has spent the past fifteen years in executive cybersecurity roles at Skytap, Big Fish Games and Intelius and serves on the IT Advisory Board at the University of Washington. He holds CISSP and CISA certifications. Paul can be reached online at @paulfarrall and our company website https://www.skytap.com/.