Cloud security – who is responsible?
No matter which type of cloud service you choose, you remain the owner of the data and are therefore responsible for controlling and monitoring access to it. Further, in the IaaS and PaaS models you are responsible for the application layer: access control, hardening, configuration, encryption, etc.
Security is a primary concern for most organizations migrating to cloud services, but who is actually responsible for ensuring that these solutions meet security requirements?
It is one of many questions, but a very important one, because security in the cloud is still a mystery to many companies.
Research shows that most companies migrate to the cloud to reduce costs, and only a negligible percentage believe it will enhance security. After a certain period of using cloud services, many of these companies have realized that cloud providers offer better security than their internal IT security departments.
A lot has been said about the security risks of migrating data or systems into cloud platforms, so I will not dwell on that subject in this post. Lists of tested and certified cloud providers have become necessary; however, many organizations seem to forget their own security practices and responsibilities when migrating to cloud solutions.
This brings us to the key question: who is responsible for data security in the cloud?
The answer, as the world's leading cloud providers approach this challenge, is that responsibility is shared between them and the users of their services (Shared Responsibility). The division of responsibilities depends on the type of cloud service you choose: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS). If, for example, you choose IaaS, the cloud service provider is responsible for physical protection, the data center location and the security of the basic infrastructure, with the exception of the operating system. As you move from the IaaS model to PaaS or SaaS, the provider's accountability grows and your own responsibility shrinks.
It is disturbing that many IT professionals at companies using cloud services still consider that they are not responsible for the security of their data. This completely contradicts the rules prescribed by the providers and exposes their organizations to unnecessary risk.
When using cloud services, you should apply the same security measures you would apply to classic IT infrastructure. Since IT resources are also used in the cloud, security objectives must be defined in relation to people, information, applications and infrastructure.
It is equally crucial to determine who controls the various components of the cloud infrastructure. This defines where and how to implement security measures, with special focus on data. At the end of the day, both providers and users need to ensure data security. Security in the cloud has to be teamwork!
The key items you, as a user of cloud services, need to fulfil in order to raise security to the highest level are:
– Define your security architecture in the cloud
– Define a baseline security architecture for the different scenarios in which cloud services are used.
A predefined minimal baseline security architecture for the main cloud usage scenarios in your organization will help address some of the key security problems from the start. It will provide a minimum level of control, taking into account aspects such as identity and access management, integration of security alerts into the existing Security Operations Center (SOC), secure connections between cloud services and internal networks, backup and recovery, and so on.
The security architecture will also help identify where additional security tools are needed to protect against security risks in the cloud.
– Set limits. Understand where the service provider's responsibilities end and where your own start. It is not enough to understand how data will move between your network and the cloud; you also need to understand how it will move across the various cloud services. You need to clearly determine where the risks are and who provides what, where and how.
– Follow the service provider's security instructions
– Engage an IT security expert
– Although you are not designing or building the system yourself but buying a ready-made cloud solution, you still need a certain level of security design. Involving an IT security expert in the security design will help you identify how the cloud solution integrates with your existing (security) architecture.
– Discover shadow IT
Cloud services in this category are those in whose selection and implementation the IT department had no role, and whose use it may not even be aware of.
Some employees, teams and even entire organizational units use a variety of cloud services to become more productive, bypassing the IT department's approval and thereby introducing security risks and other problems.
Analyzing your proxy logs, or using dedicated cloud security solutions, will help you find out which cloud services are in use on your network. Comparing the results with the cloud services authorized within the organization should give you full insight into the current situation.
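As an added illustration of the proxy-log comparison described above (example code, not part of the original post), the script below maps proxy log entries to known cloud services and reports those that are not on the organization's sanctioned list, together with the users seen using them. The log format, the cloud service catalogue and the sanctioned list are all constructed assumptions; in practice the catalogue would come from your proxy or CASB vendor's service database.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed catalogue (assumption): domain suffix -> cloud service name
CLOUD_CATALOGUE = {
    "sharepoint.com": "Office 365",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
    "drive.google.com": "Google Drive",
}
# Constructed list (assumption) of services approved by the IT department
SANCTIONED = {"Office 365"}

# Constructed sample proxy log lines: timestamp user method url status
SAMPLE_LOG = """\
2018-03-01T09:12:01Z alice GET https://corp.sharepoint.com/sites/hr 200
2018-03-01T09:13:44Z bob POST https://www.dropbox.com/upload 200
2018-03-01T09:15:09Z alice GET https://wetransfer.com/ 200
2018-03-01T09:16:30Z carol POST https://www.dropbox.com/upload 200
2018-03-01T09:17:02Z dave GET https://intranet.example.local/ 200
2018-03-01T09:18:55Z bob GET https://drive.google.com/drive/my-drive 200
"""

def classify_host(host):
    """Return the cloud service a host belongs to, or None if it is unknown."""
    for suffix, service in CLOUD_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return None

def find_shadow_it(log_text):
    """Map each unsanctioned cloud service to the set of users seen using it."""
    usage = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of failing the whole run
        _ts, user, _method, url, _status = fields
        host = urlparse(url).hostname or ""
        service = classify_host(host.lower())
        if service and service not in SANCTIONED:
            usage[service].add(user)
    return dict(usage)

if __name__ == "__main__":
    for service, users in sorted(find_shadow_it(SAMPLE_LOG).items()):
        print(f"{service}: {len(users)} user(s) -> {', '.join(sorted(users))}")
```

Traffic to hosts that match no catalogue entry (like the internal intranet line) is ignored, so unknown destinations still need a separate review.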
In dealing with this issue, I cannot ignore the coming GDPR (General Data Protection Regulation), which comes into force this year and has specific requirements on this issue. The regulation lays down items for which the cloud service provider is not responsible, and every organization that stores or handles personal data must be aware of them and prepare accordingly to comply with GDPR. These items in the regulation additionally reinforce the thesis of shared responsibility.
The main GDPR requirements for cloud services are:
– Know the locations where cloud providers process or store your data.
– Protect personal data
– Use strong authentication (multi-factor authentication)
– Encrypt data
– Data Processing Agreement (DPA):
Sign a data processing agreement with your cloud service providers to make sure that personal data is properly protected and that they undertake not to move data outside the EU.
Cloud services are becoming more common in enterprise systems, and from a security perspective practice has shown that if your IT security department is doing a good job securing your current on-premise systems, it will do even better at securing cloud services, because thanks to the shared responsibility model it can fully focus on a narrower set of items.
Tomas Edison