Cloud Security INSIGHTS Archive: September 2021
What Your CISO and/or SOC Shouldn’t Miss in Evaluating a Cloud Service Provider
By Vincent Mutongi, CISSP
Since the advent of cloud computing, enterprises have struggled with choosing the best cloud service provider for their unique needs. Common selection criteria include low cost, security, interoperability, big data analytics, storage, VDI, etc. Meanwhile, the major cloud service providers (Amazon Web Services, Microsoft Azure, Google Cloud, Alibaba Cloud, IBM Cloud and Oracle Cloud) have been working tirelessly to entice customers into consuming their services.
Then there are decisions around the type of clouds to adopt. Some organizations have tended to play it safe by signing up for “hybrid cloud” architecture where critical workloads hosting sensitive and critical data (e.g., databases, etc.) are left on-premises while less critical applications are migrated to the cloud. Others have gone all-in on either private or public clouds.
IT managers must take time to understand the key differentiators between all the as-a-service models available in the market today—with everything from infrastructure to platforms and software, among others, being offered as a virtual service.
Gartner’s Strategic Planning Assumption predicts that by 2025, more than 80% of public cloud managed and professional services deals will require both hybrid cloud and multi-cloud capabilities from the provider, up from less than 50% in 2020.
With so many options and providers, how can CISOs, CTOs and other IT managers choose the best cloud service provider for their needs?
Shared Security Responsibility Models
Before engaging a cloud service provider, IT managers need to determine who will be responsible for their workloads once they migrate to the cloud. This is where the Shared Security Responsibility Model comes in. Such an arrangement means the cloud provider has certain responsibilities for maintaining a secure and continuously available service, while the organization has its own assigned specific responsibilities to secure its applications.
AWS breaks down this differentiation of responsibility into two parts:
- Security of the cloud – AWS is responsible for protecting its infrastructure, e.g., hardware, software, networking, etc.
- Security in the cloud – The AWS customer assumes responsibility for managing operating systems, EC2 instances, S3 buckets, security groups, networking components, encryption, etc.
It is prudent for organizations to read and understand this model, how it applies to their environments and how it meets their specific use cases before signing on with a cloud service provider.
Cloud Service Level Agreements (SLAs)
A service level agreement (SLA) is a contract that guides cloud performance and is negotiated by both the cloud services provider and the customer. The scope for SLAs includes availability of service (e.g., 99.9% uptime), governance, responsiveness, efficiency, etc. David Bartoletti, an analyst with Forrester Research, told TechTarget that cloud providers promote SLAs they are willing to meet, and craft those SLAs to limit their exposure. “The secret to cloud success is to match workload requirements and expectations to what the cloud provider offers,” he says.
That’s why it’s imperative that any SLA be clearly understood and legally reviewed before such an agreement is signed.
Security and Regulatory Compliance
This is the most critical factor to account for before an organization engages a cloud service provider. How does the provider secure the company’s “crown jewels”? Does the cloud service provider comply with appropriate regulations, such as the Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX) and the EU’s General Data Protection Regulation (GDPR)?
It is a no-brainer that enterprises need assurances that a cloud service provider complies with mandated security and regulatory compliance policies before signing up and moving workloads into the cloud. The onus is on IT managers to make sure that they understand the security best practices offered by the myriad cloud service providers. Countries have enacted stringent regulatory compliance laws to curb data loss from compromised cloud deployments.
According to IBM’s Security Programmatic Approach of 2019, security should be embedded at each layer of the cloud stack, with an integrated threat management program and, above all, a holistic cloud security and compliance strategy.
IT managers should choose a cloud service provider with a robust security structure that includes defense-in-depth, better access controls, authentication, auditing and monitoring, encryption, disaster recovery, etc.
Cost Savings
A major driver of cloud adoption is cost savings. Everyone on the security team must clearly understand the cost implications of cloud migration—both benefits and potential pitfalls. Stakeholders should realize that the end state is to get a better return on investment (ROI) and a reduced total cost of ownership than if assets remained on-premises.
As an example, Amazon offers the following cost options:
- Pay as you go: Customers are only charged for services they consume, e.g., if a customer provisions an EC2 instance virtual machine, they only get billed when the machine is up and running, not when it’s shut down.
- Reserved capacity: This option is more applicable to Amazon Relational Database Service (RDS) and EC2 instances than other services. Customers can choose the Partial Upfront option and make low upfront payments with discounted hourly rates.
- Volume-based discounts: AWS offers discounted upfront fees when you buy their services in larger amounts going forward.
Cost saving should not be limited to only dollar amounts spent on services; it should extend to technical support, training, infrastructure upgrades, etc., offered by the vendor.
IT managers should meticulously take time to evaluate each vendor’s value proposition and avoid “vendor lock-in,” in which it is difficult to switch vendors without paying penalties and operational costs. The goal here is for organizations to avoid sunk costs, maximize capacity and limit wastage of unused resources.
Cloud Provider’s Track Record
A cloud service provider’s background and track record should be a major consideration. Enterprises should take time to research and understand vendor profiles, core capabilities, strengths and weaknesses before deciding. Customers are likely to be more comfortable hosting their workloads with a provider that has a proven record of protecting its customers’ data than with a vendor with a history of data breaches, legal issues and financial instability.
Here again, analysts like those that comprise the Gartner Magic Quadrant for Cloud Infrastructure and Platform Services can help by doing a lot of homework for decision makers when it comes to evaluating market leaders.
Cloud Security Strategy
In the past 12 months, the United States has experienced a tsunami of cyber and ransomware attacks, including the SolarWinds supply chain attack, the Colonial Pipeline ransomware attack and the JBS meatpacking ransomware attack. These attacks had national security implications and served as a warning that a company is only as secure as its partners.
To achieve a successful cloud security strategy that is in line with the tactical, strategic, operational goals and objectives of an organization, IT managers need to:
- Identify and assess the types of data being hosted and processed in their cloud instances and where this data is stored, e.g., EC2 EBS volumes, S3 buckets, Azure blobs, Google Cloud Storage, etc. They should also categorize data according to the confidentiality, integrity and availability (CIA) triad, assigning each data set an impact level of high, medium or low, and build guardrails to protect this data accordingly.
- Fully understand the shared responsibility models between their organizations and cloud service providers. Who does what, where and when?
- Invest in people with security mindsets and provide required tools for teams to succeed
- Practice and evangelize Agile processes and workflows
- Integrate threat modeling, cyber kill chain, chaos engineering and other relevant models into security practices
- Enforce continuous control monitoring and compliance, which increases transparency and visibility into the network and exposes anomalies before adversaries can exploit them
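The two list items above on data categorization and continuous control monitoring can be made concrete with a small check that runs over a resource inventory. The following is an added example, not code from the article or from any provider: it classifies each data store by the CIA ratings, then applies a few of the customer-side "security in the cloud" controls the article names (bucket exposure, encryption at rest, security-group ingress). The inventory format, the control rules, and the rule that a store's overall impact level is the highest of its three CIA ratings are all assumptions; the sample resources are constructed.

```python
from dataclasses import dataclass

# Impact levels named in the article; the numeric rank lets us take a maximum.
LEVELS = {"low": 1, "medium": 2, "high": 3}
# Remote-administration ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    impact: str


def classify_impact(confidentiality, integrity, availability):
    """Overall impact level of a data store.

    Assumed rule (not from the article): the overall level is the highest of
    the three CIA ratings, so a store rated 'high' on any axis is high-impact.
    """
    ratings = (confidentiality, integrity, availability)
    for r in ratings:
        if r not in LEVELS:
            raise ValueError(f"unknown rating: {r!r}")
    return max(ratings, key=lambda r: LEVELS[r])


def check_bucket(bucket):
    """Controls for an object-storage bucket (S3-style, customer responsibility)."""
    findings = []
    confidentiality = bucket["cia"][0]
    impact = classify_impact(*bucket["cia"])
    # Public read is acceptable only for data rated low on confidentiality.
    if bucket["public_access"] and LEVELS[confidentiality] > LEVELS["low"]:
        findings.append(Finding(bucket["name"], "public access on non-public data", impact))
    # Encryption at rest is required once the data is medium- or high-impact.
    if not bucket["encrypted"] and LEVELS[impact] > LEVELS["low"]:
        findings.append(Finding(bucket["name"], "missing encryption at rest", impact))
    return findings


def check_volume(volume):
    """Controls for a block-storage volume (EBS-style)."""
    impact = classify_impact(*volume["cia"])
    if not volume["encrypted"] and LEVELS[impact] > LEVELS["low"]:
        return [Finding(volume["name"], "missing encryption at rest", impact)]
    return []


def check_security_group(group):
    """Controls for ingress rules; an admin port open to 0.0.0.0/0 is always high-impact."""
    findings = []
    for rule in group["ingress"]:
        if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
            findings.append(Finding(group["name"], f"port {rule['port']} open to the internet", "high"))
    return findings


def evaluate(inventory):
    """Run every control over one inventory snapshot; schedule this to run continuously."""
    findings = []
    for bucket in inventory["buckets"]:
        findings.extend(check_bucket(bucket))
    for volume in inventory["volumes"]:
        findings.extend(check_volume(volume))
    for group in inventory["security_groups"]:
        findings.extend(check_security_group(group))
    return findings


def summarize(findings):
    """Count findings per impact level so the highest-impact gaps are triaged first."""
    counts = {}
    for f in findings:
        counts[f.impact] = counts.get(f.impact, 0) + 1
    return counts


# Constructed sample inventory (not real resources). In practice this snapshot
# would be pulled from the provider's inventory or configuration APIs.
SAMPLE_INVENTORY = {
    "buckets": [
        {"name": "public-website-assets", "cia": ("low", "low", "medium"),
         "public_access": True, "encrypted": True},
        {"name": "payroll-archive", "cia": ("medium", "medium", "low"),
         "public_access": False, "encrypted": False},
        {"name": "customer-exports", "cia": ("high", "high", "medium"),
         "public_access": True, "encrypted": True},
    ],
    "volumes": [
        {"name": "vol-db-primary", "cia": ("high", "high", "high"), "encrypted": False},
        {"name": "vol-build-cache", "cia": ("low", "low", "low"), "encrypted": False},
    ],
    "security_groups": [
        {"name": "sg-bastion", "ingress": [{"port": 22, "cidr": "203.0.113.0/24"}]},
        {"name": "sg-legacy-app", "ingress": [{"port": 3389, "cidr": "0.0.0.0/0"},
                                               {"port": 443, "cidr": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.impact:6}] {f.resource}: {f.control}")
    print(summarize(results))
```

Note that the classification drives the controls: the public website bucket is not flagged because its confidentiality rating is low, while the same public setting on the customer-exports bucket is a high-impact finding. The "highest rating wins" rule is an assumption here; it mirrors the high water mark approach of FIPS 199, which the article does not mention.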
With a good cloud security strategy, enterprises can stay ahead of the game by thwarting emerging threats and substantially improving the cyber hygiene of their cloud deployments while maintaining compliance with data protection and privacy legislation.
Hiring a cloud service provider that meets your organization’s requirements while investing in a holistic cloud security strategy could be a panacea for most cloud migration woes. IT managers should restructure data and analytics to make better decisions that will drive overall enterprise resilience and sustainability and achieve competitive advantage.
Vincent Mutongi, CISSP, AWS Certified Security Specialist, is a senior enterprise cloud security engineer for Leidos Inc., an American defense, aviation, information technology and biomedical research company headquartered in Reston, Virginia. He has more than 20 years of cybersecurity experience supporting federal agencies in the Washington, D.C., area. He is currently working on cyber engineering and architectural projects with specific focus on cloud security strategies.