Top of Page

March 2017

7 Ways to Build Cloud Resilience within Your Organization

By Duncan Greaves

Cloud computing is here to stay. The amount of infrastructure, applications and storage being used continues to grow rapidly. The provision of infrastructure, platform and software services has not only revolutionized where computing is being carried out, but it is also changing the face of systems management and security.

The very size of cloud data storage makes it a potential target for a really large breach. A great deal of investment has been made to protect cloud systems against attack. It is essential for cloud security suppliers to provide customers confidence in uploading their information.

When compared to in-house hosted systems, many cloud providers have strict security. However, it is unlikely that the provider will indemnify you against the costs of a breach and the subsequent negative publicity.

Protecting Your Data is Your Business, Not Just Theirs

In many ways, the cloud is an extension of using a trusted third party as a systems host, but threats appear to be more difficult to deal with and guard against. The Cloud Security Alliance (CSA), as reported in the March 14, 2016 (ISC)2 blog, reveals that only 16 percent of organizations have fully implemented policies and controls around using the cloud.

In this ocean of information, the data you store on the cloud is your own and, regardless of the responsibilities of your cloud-hosting provider, your organization is responsible for the active management and protection of your data and availability of your core applications.

Every public cloud supplier will have hundreds or thousands of company tenants. Private cloud suppliers may have fewer, usually as part of an industry vertical or cluster of related organizations. Your company will usually only deal with a single main cloud provider. This is the relationship you must work on to make your security goals a success.

The role of cloud provider is likely to be a privileged one, in the way that a normal third party is not. It may be the public face of your systems and provider of infrastructure and platforms. You should aim to build shared on-premises and cloud resilience strategies against attack through a coordinated response and seek to build into agreements a shared approach to security with responsibilities on each side of the cloud "fence."

Prepare to be Resilient

The Torrens Resilience Institute (TRI) of Australia characterizes resilience as the ability to rebound or recoil and defines resilience as having the ability to counteract negative effects with positive countermeasures. Consider the following:

Negative Countermeasure
Threats Being prepared
Sudden shock Desire/commitment to survive
Stress Adaptability
Overwhelming events Collective and coordinated response and interdependency

Resilient business systems should be able to withstand significant shocks or stresses while being able to maintain all essential functions. A resilient enterprise should have the "ability to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper," as defined by BSI Group, the UK standards body. Resilience can appear to conflict with competitive pressures, but is critical to the survivability, recovery, adaptability and sustainability of the organization under exceptional circumstances.

Get your cloud strategy prepared in advance of any implementations.

  • Assess and audit your cloud footprint across the organization, including prototypes and trials underway by various departments and users. The IT department should be fully aware of any off-premises data storage and systems. The CSA states that 80 percent of companies with more than 5,000 employees fail to know how many cloud applications are used within their organizations.
  • If your industry is regulated, ensure that your provider is accredited to comply with legislation such as HIPAA, PCI DSS, etc.
  • Cloud providers should be accredited or working toward emerging standards for cloud providers, including ISO 27018.
  • Ask a lot of questions about compliance, certification and the processes employed by the cloud provider.
  • Know the precautions taken by your cloud provider to secure their systems, and ensure you have full visibility and monitoring tools available to check the health of your investment.
  • Develop pattern recognition awareness. Check that you can review intrusion attempts and behaviors that may go under the radar before they have the potential to go large.

Data loss threats from a hybrid (on-premises and cloud-based) architecture can fall into two main categories: the threat posed from a data breach due to the actions of the cloud supplier, or the threat of a data breach from the customer side.

The cloud provider generally will have responsibilities to ensure the security of the infrastructure and availability of service, but the customer should pay special attention to the storage and protection of data because, ultimately, loss of your company data and information is what will get you into trouble.

On-premises security should be reviewed where the internal systems and cloud systems are to be used alongside each other. On-premises systems contain the systems of record and the company's most sensitive intellectual property (IP), which need protection from both external and internal threat vectors as well as from the cloud gateway.

As companies move toward the cloud, the impact and two-way dependencies between on-premises and cloud systems need to be mapped and understood.

Seven Crucial Principles of Resilient Systems

The seven principles of resilient systems ensure that a strategy for cloud brings together the best features of people and technology to maintain service levels in the event of attack.

  1. Maintain diversity and redundancy. You might begin by considering whether the sensitive data that you hold is necessary at all. For data that passes that test, ensure that you have storage segregation on- and off-premises to provide redundancy in the event of attack. Ensure that sensitive data and backups held off-premises are encrypted and that you have an effective encryption key rotation and handling process. Cloud systems can assist in these tasks by providing inexpensive, encrypted, geo-located and redundant storage and key vaults to help you adopt an assertive security stance.
  2. Maintain connectivity. Ensure that you, your regional teams and your customers are able to maintain communication by considering the scalability of systems (for example, in a denial-of-service communication attack). Talk to your ISP to see if there are mitigation measures you can take (e.g., DNS, load balancing and bandwidth problems) and prioritize action to protect your business- critical systems. Consider prioritizing connectivity to your biggest customers and educate them on your cyber-resilience processes.
  3. Manage slow variables and feedbacks. Shocks are rarely a complete bolt out of the blue. Identify emerging risks that could present problems in the future. At one organization where I worked a data center was flooded because a nearby drain became blocked in a storm. Take action early on to treat "benign" risks to ensure they do not cause problems.
  4. Create adaptive systems.
    • Use role-based access-control methods and ensure that the principle of least privilege is used; however, make certain that, in the event of a sustained attack, there are sufficient personnel available to step in and cover the critical roles
    • Determine whether you can offer reduced service in times of stress (by selectively disabling non-critical functions on websites, for example)
    • Use data loss prevention tools to see who is downloading data.
    • Produce a device security policy and dynamically prevent unauthorized access to the cloud. Flexible organizational structures and supply chains help organizations adapt to changed or restricted circumstances.
  5. Encourage learning and collaboration. Ensure that your personnel are familiar and engaged with the most common security incident responses and foster trust between those who will be at the forefront of response. Ensure that you have contacts with others who may be called into these "business not as usual" scenarios such as law enforcement, legal teams, regulators or investors.
  6. Participation. Active participation in your community will pay dividends in times of crisis. Consider the support given by common industry groups, chambers of trade and local business networks. Resilience is built through your interactions and the help of others.
  7. Multicentric governance. Consider the physical locations of your people, assets and storage capabilities and the data protections this affords. Build teams that are able to self-organize when resources are unreachable or not available. Ensure that there is out-of-hours decision empowered management available (few attackers work 9 to 5).

A business response to a cloud data breach should be structured in the same way as on-premises:

  • Put safety first.
  • Assemble a cybersecurity response team.
  • Devise and work through the consequences of a breach.
  • Dovetail your business continuity with that of the supplier, as per electricity outage planning.
  • Secure the data.
  • Communication is key when handling an incident. Establish communication channels with regulators, customers, shareholders and the board.
  • Logs, alerts and audit trails should be secured in event of attack (both in the cloud and on-premises) and to reconstruct events afterward.
  • Ensure that systems of record are protected.
  • Proactively strengthen security assurances on your websites and in your communication channels. Let customers know that you value their security.
  • Give customers a second channel to communicate about sensitive matters, e.g., via a help line.

Short List to Resilience

  • Do not cede any security ground to the fact that you are choosing to go to cloud to make the most of the opportunities and cost savings this offers.
  • Ensure that your own on-premises installation does not become the back door that is used by intruders. Cloud implementations can be compromised through on-premises gateways. Consider the implications of a hacked internal account accessing the data on your cloud installation, and guard against this threat by strengthening your access controls.
  • Apply data loss protection (DLP) software and controls to information to ensure that remote access users and devices do not lead to sensitive information leakage.
  • Know where your processes are becoming tied to the cloud and always take steps to rigorously protect your sensitive data and business IP.

Finally, do not become complacent. Just because there are not yet any examples of major business disruption and data loss purely because of cloud does not mean this will never happen. Remember that the confidence of companies in their abilities is highest just before a crisis.

Duncan Greaves, CISSP, is based in the United Kingdom. This is his first article for Cloud Security Insights.