If you are looking to host your IT systems in the cloud, security will be high on the list of concerns. It can be a daunting prospect to hand over your data to a cloud supplier, losing a level of control that has become comfortable over many years.
Every cloud supplier will talk a good game about security, but how can you be sure that it is taken seriously and your data will be protected?
Conversations about security can feel like going down a rabbit hole, from high-level down to minutiae, there are a myriad of considerations, mitigations, tools, and buzz words. It can be a big job just to identify what security controls are relevant and important to your business before you even get to the detail of how security is managed.
This blog attempts to demystify cloud security and help you make an informed decision.
What Are The Threats
Threats to data can take multiple forms. Typically, we talk about Information Security threats in three main areas:
- Confidentiality – ensuring that only those who should have access to the data have that access.
- Integrity – the data itself is unsullied and “correct” so decisions made upon it are reliable.
- Availability – the data is protected from loss and is sufficiently available for access when required.
We can ignore Integrity when selecting a cloud for our data. The integrity of the data is largely at risk if the application is poorly written or because of unauthorized access/manipulation of the data. The application itself is not in scope of this discussion and unauthorized access is covered under the banner of “confidentiality”. So, we just need to consider confidentiality and availability.
“How will you protect my data from unauthorized access?”
This is probably the area where there is the most confusion. Technology has come a long way from basic firewalling to, for example, Web Application Firewalls (WAF), DDoS protection, Open Web Application Security Project (OWASP) and Intrusion Detection/Prevention (IDS/IPS).
So, what should we chose for our solution in the cloud? Unfortunately, there is no one right answer here. The best approach is to identify the likely threats and risks they pose. The Open Web Application Security Project (OWASP) top 10 is a good place to start. We can then formulate a risk assessment looking at the likelihood and impact associated with these risks and identify what security is required.
However, technology alone is not sufficient. For example, a WAF may be required to protect against code injection. But simply having a WAF is not enough. The WAF must be configured for the specific application and possible injection attacks. It is extremely beneficial if the cloud supplier understands the solution so they can configure the WAF (and other security measures) appropriately.
Cloud suppliers have a multitude of security options at their disposal. Economies of scale enable them to invest in the latest technologies . But, it’s critical to focus on how the supplier manages Information Security rather than what technologies are available. Accreditations the supplier holds, such as ISO 27001, should be taken into consideration, but the scope of such certifications must be understood as well as how the services that underpin those accreditations. This is not just a box-ticking exercise and customers should ask questions like:
“How will you configure security systems to protect my specific application?”
“How will you prevent unauthorized access from other customers you host?”
“Can you guarantee my data will be UK based?”
“What is your Information Security Breach response plan?”
The aim is to bring to life what the supplier DOES with regards security, not just what is in their kit bag.
“How will you maintain system availability/uptime?”
This area is well understood by IT managers. However, there are some specifics to draw out in relation to cloud.
The big difference is with networking. An on-premise solution will be reliant on the local networking, whereas a solution in the cloud requires additional connectivity.
Key considerations here are locale, latency and reliability of cross-country/cross-continent connectivity. For many customers an IPSec VPN is fine. However, this relies on the internet availability and can leave the solution vulnerable to periods of unavailability outside the control of either the supplier or the customer. A more robust solution such as an MPLS can be used, but will cost more, so this should be factored in as part of the requirements capture.
We also need to consider the services provided around the solution. For example, what SLAs/KPIs are provided and what service credits are available in the event of un-planned downtime? While service credits are financially beneficial, a supplier willing to offer service credits is clearly confident about their ability to preserve system availability.
“How will you protect against data loss?”
Backups and disaster recovery are generally well understood, but there are specific considerations regarding the cloud.
If the cloud supplier provides a backup service, we need to ensure we understand how this backup is managed. For example, is backup success monitored? Are backups tested regularly? Where is the backed-up data stored? Is there a “two-step” RTO/RPO in the event of restoring backup rather than invoking DR?
If the cloud supplier provides a DR solution, how is this managed? How will the DR solution be tested? How will DR integrity be monitored? Is the DR solution, upon being invoked, as secure as the live solution? Is the DR solution sufficiently distant (geographically) from production?
Once again, the key thing here is service. What will the supplier do to manage business continuity? Having a business continuity solution is one thing, managing it is quite another.
Security in the cloud is a big subject. However, with some thought and consideration we can break this down into simple bite-sized chunks to help take an informed view as to how security is managed in the chosen cloud.
Security in the cloud is typically very good. Cloud providers put in place modern technologies such as WAFs, IDS/IPS and DDoS protection to mitigate against many threats.
But it is more important to consider the credentials and services provided by the cloud supplier. It’s one thing to have an arsenal of tools available to deploy, but unless they are configured correctly and appropriately, they will have little value.