Securing the cloud can feel a bit like eating an elephant. How do you eat an elephant? One bite at a time. The same is true for cloud security – the challenges become a lot more manageable if you break the process down into four clear and practical steps: Assess, Analyse, Act and Assure.
Cloud services adoption is being driven by digital transformation and the promise of greater agility, flexibility, scalability and cost efficiency. But cloud-related breaches are rising in parallel. The Department for Digital, Culture, Media and Sport reported in its Cyber Security Breaches Survey 2018 that businesses using cloud computing were more likely to have faced breaches than those that do not (52% vs. 43%).
About the author
Nathan Britton, Cloud Security Practice Lead at NTT.
The Uber breach came as a result of the company storing AWS credentials in a GitHub repository, which were subsequently retrieved by hackers and used to access Uber’s AWS account. Another high-profile breach occurred at Verizon, where a misconfigured S3 bucket owned and operated by supplier NICE Systems exposed the names, addresses, account details and PINs of as many as 14 million US customers.
The cloud is not inherently more insecure than on-premise IT infrastructure. Most breaches are down to misconfiguration, or a misunderstanding of expected cloud security. So why is data more likely to be exposed in the cloud?
Many security teams find it difficult to keep up with the fast pace of cloud deployments. The ‘lift and shift’ of security controls can also leave gaps. Cloud applications do not always mirror their on-premise version, so controls may need to be revisited to support business apps that have been rehosted, re-platformed or refactored.
Another potential issue is a lack of cloud-specific security policies or guidelines to drive ‘secure by design’ cloud adoption. Shared security models can also leave data vulnerable, if it is unclear whether the responsibility for protecting data lies with the business, cloud provider, consumer, or combination of the three. The cloud model – whether it is IaaS, PaaS or SaaS – may affect the lines of responsibility.
The 4 As to cloud security
This four-stage process will help organisations to understand how to secure cloud deployments, gain visibility of their cloud footprint, understand pain points and risks and – most importantly – use that knowledge to drive a roadmap for improving cloud security.
Assess
You cannot secure what you do not see. Assessing and auditing cloud solutions will provide visibility over the assets and workloads deployed there. It will also highlight potential threats, gaps in security and the overall security posture. This is the right time to look at where security is ‘built in’ by the Cloud Solutions Provider (CSP) itself, and where it needs to be added or augmented. It is a good idea to seek out tools and processes that will help you to assess where there may be gaps. The findings of the assessment can then be used as a benchmark to capture where you are today, and build a cloud security roadmap for the future.
Analyse
This begins with identifying how a cloud deployment measures up against good security practices or frameworks – including requirements for regulatory compliance. Next, examine the security gaps this analysis highlights, and quantify the potential risks and threats that result from them. From there, you can map threats to the right security controls to remediate the gaps, and prioritize the order in which you implement them.
The knowledge you gain in this Analyse stage will help you make informed decisions on your cloud security design and controls implementation in a way that ensures consistency across the deployment.
Act
Once you have a clearer picture of the security posture of a cloud deployment and visibility of the assets, you will be in a position to address security issues by designing and implementing the required security controls. This will ensure a consistent approach to deployment to the cloud, and that security is ‘by design’.
It is a good idea to start with the CSP’s native security controls and configurations, using these as a foundation to create a minimum viable security template that can be applied to build future cloud resources securely and consistently. These can then be complemented with embedded cloud native security controls.
Assure
When it comes to securing cloud deployments, the work is never done. Your cloud security will need to grow as deployments increase and more workloads are migrated to the cloud, or built in the cloud. To maintain regulatory compliance and address evolving threats, cloud deployments need to be continually monitored, with an alert raised on any deviation from agreed security standards. Automation is vital here to guarantee fast remediation of issues.
To get the most from this stage of the process, you will require the support of security monitoring and compliance tools and platforms, which are aligned with your security operational requirements.
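The minimum viable security template and the deviation alerting described above can be sketched as a small drift check. This is an added example, not code from the author or from any vendor; the resource types, setting names and inventory are constructed for illustration and do not follow a cloud provider's API schema.

```python
# Added example: drift check against a "minimum viable security template".
# Types, setting names and the inventory are constructed for illustration.
# setting -> (required value, severity if the deployed value differs)
BASELINE = {
    "storage_bucket": {
        "public_access_blocked": (True, "high"),
        "encryption_at_rest": (True, "high"),
        "access_logging": (True, "medium"),
    },
    "vm_instance": {
        "disk_encrypted": (True, "high"),
        "ssh_open_to_internet": (False, "high"),
        "owner_tag_present": (True, "low"),
    },
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def find_deviations(inventory, baseline=BASELINE):
    """Return one finding per setting that differs from the baseline."""
    findings = []
    for res in inventory:
        rules = baseline.get(res["type"])
        if rules is None:
            # No template for this type: flag it rather than pass it silently.
            findings.append({"resource": res["id"], "setting": "<no template>",
                             "expected": None, "actual": res["type"], "severity": "medium"})
            continue
        for setting, (expected, severity) in rules.items():
            # A setting absent from the inventory counts as a deviation (fail closed).
            actual = res.get("settings", {}).get(setting)
            if actual != expected:
                findings.append({"resource": res["id"], "setting": setting,
                                 "expected": expected, "actual": actual, "severity": severity})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["resource"], f["setting"]))
    return findings

# Constructed inventory snapshot, standing in for the output of an assessment run.
SAMPLE_INVENTORY = [
    {"id": "customer-exports", "type": "storage_bucket", "settings": {
        "public_access_blocked": False, "encryption_at_rest": True, "access_logging": True}},
    {"id": "app-logs", "type": "storage_bucket", "settings": {
        "public_access_blocked": True, "encryption_at_rest": True}},
    {"id": "web-01", "type": "vm_instance", "settings": {
        "disk_encrypted": True, "ssh_open_to_internet": False, "owner_tag_present": False}},
    {"id": "queue-legacy", "type": "message_queue", "settings": {}},
]

if __name__ == "__main__":
    for f in find_deviations(SAMPLE_INVENTORY):
        print(f"[{f['severity']}] {f['resource']}: {f['setting']} actual={f['actual']}")
```

Findings come back ordered by severity, so the same output can feed both an alert queue and the prioritized remediation roadmap.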
By breaking down cloud security using this proactive ‘four As’ approach, organisations can benefit from increased visibility of cloud workloads and assets, and the risks and threats that need to be addressed. This will provide the insights they need to build a prioritized roadmap of remediation and improvement, and ensure that security is consistent across and ‘baked in’ to all current and future deployments.