Cloud security, to those who are new to this type of technology, can seem a bit like a black box. How can you secure something that is virtual? And how exactly do these security measures actually work? There are multiple security measures that cloud providers and clients can take. Each primarily secures one part of the infrastructure, and together they create something robust, giving clients peace of mind.
But why does cloud technology appear to pose a security risk? Cloud technology involves some of a client’s data and applications being externally hosted. This is done by a cloud provider, who is a third party vendor. This may set off alarm bells. External hosting means that sensitive information is not stored solely with the client.
A vendors' cloud resources may also be shared between multiple clients. This includes storage, computing power, networking, and so on. This can pose a risk if a cloud vendor does not have secure separation techniques, which are important in separating different clients’ data and applications. This means that they can’t be accessed, or have an effect, on other users. After all, you don’t want an attack on another customer affecting your operations.
In Oracle and KPMG’s 2020 Cloud Threat Report, cloud users were asked what they felt would improve the security of their organization’s use of public cloud. Of the respondents, 29% said identifying and remediating software vulnerabilities, 28% said bringing workload configurations up to compliance standards, and 27% said audit trails of system activity. So, with security risks and a lack of visibility, why would you want to migrate to the cloud?
The answer is because there are sound security benefits that come from moving to the cloud. Cloud providers prioritize keeping their systems safe. They provide a service, and as such, it’s vital that they keep their infrastructure up-to-date and secure. This business need for cloud providers can result in some of the most secure infrastructures available. Cloud security does involve trusting your vendor. However, the long term benefits that cloud technology can offer are worth it.
There’s not one, single ‘thing’ that secures cloud operations and infrastructure. Rather, it’s a range of different security measures and strategies that work together in tandem. Some of these security measures are offered by the cloud vendor, some are services from third parties and some are the responsibility of the client.
It’s also important to note that not all cloud providers offer all of the security measures that we’ll be discussing. There are some standard protocols that are common. However, some solutions are out-of-the-box services. We recommend investigating the security services your cloud provider offers. They may, or may not, offer the security solution you are looking for. There’s also the option to bring in security services from third party providers.
The security approach you need depends on the cloud service and environment you have. For instance, a SaaS product in a hybrid cloud will require different security measures than an IaaS product in a private cloud. If you're not sure what you need for your solution – chat to your provider, your developers, and if you're a client – chat with us! You can discuss infrastructure requirements, the risks you're concerned about, and potential suitable solutions.
In this article, we’ll be introducing cloud security and explaining how different cloud security measures work. Here’s what we’ll be covering:
What does cloud security work to protect?
What are the implications of a security breach?
What are the responsibilities of a cloud vendor?
How does cloud security work?
What are different types of cloud security technologies?
What are the client’s responsibilities?
A final note before we get started: different cloud providers use different terminology for the same security measures. It’s worth getting up to speed on the specific terms they use, as they might be different from those used in this article. Let’s begin.
Cloud security measures protect the following:
Confidentiality – ensuring the organisation’s sensitive data and applications remain private.
Integrity – ensuring data and applications are not altered without authorisation, so that the organisation can maintain its reputation.
Accessibility – ensuring the organisation’s applications remain online and accessible to users.
So how can these factors be compromised? Attackers – also known as malicious agents, malicious actors, or cyberattackers – may intercept communications or breach systems. Compromised security may also be the result of accidental negligence by employees. All of the following may be the subject of security breaches.
Networks – these carry data between clients and the cloud, as well as between cloud machines. In the cloud, these are often virtual rather than physical.
Data storage – these are services or hardware where the client’s data is stored.
Servers – these are the cloud machines that host a client’s application.
Virtual machines – these provide the functionality to run a client’s application. They’re digital, rather than physical.
Operating systems – these manage all the functions and programmes that run on a cloud server.
APIs – interfaces that allow programmes to communicate with each other.
Applications – the software that runs in the cloud.
Hardware – these are physical components, like computers, data centres, and physical servers.
A cloud security breach, depending on what has happened, can have a wide range of consequences. On the severe end of the spectrum, it can lead to:
Exposed and leaked data, including that which is private and sensitive.
Unauthorised access being granted to external or internal users.
Malicious attacks that can result in the above, as well as downtime.
As part of the Service Level Agreement, cloud vendors have the responsibility to provide the following security services:
Protecting the cloud infrastructure from threats.
Patching and configuring networking, storage, and computing power.
Keeping all resources updated and accessible.
Undergoing continual risk assessment.
What these measures entail depends on what type of service a client is using, whether it is SaaS, PaaS, or IaaS. The more responsibility the client has over their service, the more responsibility they have over their security. We’ll discuss this further later in the article.
It’s in a cloud vendor’s best interests to keep their product secure. After all, their business model relies on a robust product. This in turn results in the following benefits:
Cloud vendors have more security resources, especially when compared to an on-prem data center for a single business.
Cloud vendors can identify vulnerabilities and create patches far more quickly. They have teams who solely focus on this.
Cloud vendors are dedicated to keeping the infrastructure secure.
Cloud vendors’ serverless patching (fixing or improving the service) is routine and effective.
According to PwC’s 2019 cloud security report, of the cloud users interviewed:
58% said cloud security measures result in higher availability.
45% said cloud security measures result in more effective patches and updates.
Depending on what service you use, these are all things you don’t need to personally keep on top of. The result? Best in class security measures and more of your time freed up. However, it is recommended that you maintain visibility on your cloud infrastructure’s security systems.
So how exactly does cloud security work? It focuses on the following:
Keeping safe what is inside the trust barrier. This is a conceptual space that contains private data and applications. Only certain people in your organisation should be able to access this. Think of this as an invisible outline around highly sensitive information. You don’t want many people to be able to access this!
Minimising the attack surface. This is the set of points where malicious attackers will try to compromise your systems. Think of this as a wall around your infrastructure: you want it reinforced and robust, with as few doors and windows in it as possible.
Keeping on top of new attack vectors. These are what malicious attackers do to try and compromise your systems. This can involve DDoS attacks, phishing scams, social engineering, and so on.
If there has been an attempt – successful or not – to compromise your infrastructure, these security measures can help. They work to reduce the severity and impact of the effects. This can include:
The recovery of data if there has been data loss.
The protection of storage and network functionality.
The mitigation of potential human error or negligence.
We’ve discussed how cloud security measures can benefit your cloud infrastructure. But what actually are these measures? And how do they work? Here, we’ll go through a selection of common cloud security technologies, tools, and frameworks. We'll discuss what they are and how they protect your systems.
Identity and access management, shortened to IAM, is a framework of security protocols. Simply put, it looks at how to verify a user’s identity, and in turn what that identity should give them access to. This approach is all about granting permissions based on identity, not on devices or location.
This can involve:
User tracking programmes.
Authorisation protocols on what specific users can and can’t access. This can be based on their roles, the teams they work on, and any specific factors that impact what data they need to access to complete their work. This aspect requires client input.
Preventing sensitive data from being accessed is a pillar of cloud security. This can be achieved through data loss prevention (DLP). This is a selection of processes, policies, and technologies that track data. It involves monitoring, inspection, encryption and sharing settings. DLP can help you implement barriers that’ll mean you know where your data is, who can access it and how visible it is. These processes will involve a level of client input.
A critical element of DLP is evaluating the location of data. It’s worth investigating where it is stored. How is it organized in this storage? How is sensitive data defined and classified? How is this reviewed? Who can access it? Is the storage process automated? If so, how is it monitored? Does the data flow system have potential for data leakage?
Once you have established this, there are other measures you can undertake when implementing DLP. These can include securing:
Data-in-motion – this is when data is on the move.
Endpoints – the devices and systems where data is received or used.
Data-at-rest – this is where data is stored.
The above can be achieved by monitoring inbound and outbound data transfers, access controls, encryption, data retention policies and network traffic analysis.
Let’s investigate some more data and network security measures.
You may have already heard of ‘zero trust’. This is an important approach when it comes to controlling access to sensitive data. Employing a zero trust approach means trusting no one and verifying everything. Essentially, access credentials should be granted on a least privilege basis. Employees – no matter their role or status – should only be given access to the resources (and data) needed to complete their tasks. Even systems administrators shouldn’t be given free rein over everything!
Cloud provider’s responsibility
Encryption is a technology that scrambles data. If a malicious attacker were to come across encrypted data, they would not be able to read it. Ideally, data should be encrypted at rest (when it is stored), as well as in transit. Encrypted data needs a decryption key to unscramble it, and that key should only be given to authorised users. This may involve the implementation of key management services, which generate, store, use, and destroy keys and their material.
Data in transit can also be encrypted, and decrypted, using the transport layer security (TLS) protocol. You might recognise this through the HTTPS in URLs.
Cloud provider’s responsibility
Following on from encryption, virtual private networks (VPNs) can support encryption processes. They protect data in transit by encrypting it between clients and cloud vendors. They work by setting up dynamic data flow rules on your service’s underlying network, so that confidential packet data – we’ll discuss packets in a bit – only travels between your resources. There’s also the option to set up a protocol called an Application Layer Network, which again allows you to establish specific data flow rules.
Network protections are a key security tool. This is because data moves between so many spaces on the cloud. Think of all the different services, as well as virtual and physical databases it can move between! The impact would be huge if any of this sensitive and critical data was intercepted, or breached.
Another measure that focuses on network security is network segmentation. Here, a network is divided into different parts, or segments, such as data centres or workloads, and each segment is secured by policies that control what type of traffic can reach it. These spaces can be known as trust barriers, and they fit well with the zero trust approach: only employees who need to be inside a trust barrier have access to it. Segments can be nested, establishing multiple trust barriers within other trust barriers, which strictly controls the traffic that can enter.
This can be particularly valuable for cloud infrastructures that either need to have specific data isolated, or any that handle particularly sensitive data. It’s worth noting that administrative workloads need to be secure. Network segmentation could be an effective protocol here.
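As an added example (not code from the original article or from Divio), the following Python models the nested trust barriers just described: a flow has to be explicitly allowed into every barrier it crosses, and anything without a rule is denied. The topology, segment names and rules are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # segment the traffic originates in
    dst: str   # segment it wants to reach
    port: int


# Constructed topology of nested trust barriers: child -> enclosing segment (None = top level).
# "db" sits inside "app", which sits inside "corp".
SEGMENTS = {
    "internet": None,
    "corp": None,
    "web": "corp",
    "app": "corp",
    "db": "app",
    "admin": "corp",
}

# Explicit allow rules as (source segment, barrier being entered, port).
# Zero trust default: any flow not listed here is denied.
ALLOW_RULES = {
    ("internet", "corp", 443), ("internet", "web", 443),   # public HTTPS reaches the web tier only
    ("web", "app", 8080),                                   # web tier talks to the app tier
    ("app", "db", 5432),                                    # only the app tier reaches the database
    ("admin", "app", 22), ("admin", "db", 22),              # administrative access is its own path
}


def enclosing(segment: str) -> list[str]:
    """The segment followed by every barrier that encloses it, innermost first."""
    chain = []
    while segment is not None:
        chain.append(segment)
        segment = SEGMENTS[segment]
    return chain


def barriers_crossed(src: str, dst: str) -> list[str]:
    """Barriers the flow must enter: dst's enclosing segments that do not already contain src,
    outermost first, so each is checked in the order the traffic would meet it."""
    already_inside = set(enclosing(src))
    return [seg for seg in reversed(enclosing(dst)) if seg not in already_inside]


def evaluate(flow: Flow, rules=ALLOW_RULES) -> tuple[bool, str]:
    """Allow the flow only if every barrier it crosses has an explicit rule for it.
    A flow that crosses no barrier (traffic going outward to a segment that already
    encloses it) is not the job of segmentation; other controls cover that."""
    for barrier in barriers_crossed(flow.src, flow.dst):
        if (flow.src, barrier, flow.port) not in rules:
            return False, f"denied: no rule lets {flow.src} into {barrier} on port {flow.port}"
    return True, "allowed"
```

Note that `web` cannot reach `db` directly even though both are inside `corp`: it would have to enter the `app` barrier first, and no rule permits that on port 5432.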
Cloud provider’s responsibility
Along with network segmentation, data segmentation uses isolation as a security technique. We referenced this back in the introduction to this article. Different data sets need to be separated between compute, storage, and data flow/networking services. Specifically, data sets between different clients using the same cloud vendor must absolutely be separated. This is the cloud provider’s responsibility to establish given that multiple clients use their resources. Their data should be segmented, so that clients can only access their own particular services and no one else’s.
When discussing this with a cloud provider, ask how your data will be separated and how it will be protected.
Cloud provider’s responsibility
Packet data protocols are another network security tool. In this instance, we’ll be discussing the protocols around internet protocol (IP) packets, also called network packets. Packets are small units of data that travel across networks and are reassembled into a larger message when received. Packets mean that large amounts of data can be moved across networks in smaller chunks and via multiple computers.
Network packet protocols ensure that packets end up in the right destination. These contain details on the structure of the packets, including the header. The header features specific information to do with where the packet originated, where it’s going, how many packets are being sent, and other relevant information. You may see terms like source and recipient IP address, protocol number, packet number, MAC address, and port number. The second part of the packet structure is the payload. This is the content, or the data, of whatever is being sent.
Routers along a network check the packet header and forward each packet towards the IP address it is addressed to. Routing guarantees delivery to the right destination, not confidentiality: any device on the path can read an unencrypted payload, which is why encryption in transit matters.
Packet data capture is a security monitoring technique. It reviews and analyses packets from a network’s traffic, and looks for security threats. This can include intercepted packets, accessible sensitive data (such as passwords and usernames), and incomplete metadata.
Enforcing packet data controls is another security technique. It looks at what is being sent in packets along a network, and then identifies attack surfaces and/or vulnerabilities. Code can then be written to disable risky functionality, or to reinforce the controls that restrict points of entry for attackers.
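As an added example (not from the original article), the Python below parses a constructed IPv4/TCP packet into the header fields named above (source and destination IP, protocol number, ports) and then does the kind of review packet data capture performs: flagging a credential sent in cleartext and a capture whose length does not match its header. The packet, addresses and credential are all constructed here; the list of "encrypted" ports is a heuristic assumption for the illustration.

```python
import re
import struct


# Constructed sample packet (built here for the example, not captured traffic):
# an IPv4 header, a TCP header and a plaintext HTTP login as the payload.
def build_sample_packet() -> bytes:
    payload = (b"POST /login HTTP/1.1\r\nHost: app.example\r\n\r\n"
               b"username=alice&password=hunter2")
    tcp_header = struct.pack("!HHIIBBHHH",
                             51234, 80,      # source port, destination port (80 = plain HTTP)
                             0, 0,           # sequence and acknowledgement numbers
                             5 << 4, 0x18,   # data offset 5 words (no options), flags PSH|ACK
                             65535, 0, 0)    # window, checksum (left zero here), urgent pointer
    total_length = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0,                       # version 4, header length 5 words; DSCP/ECN
                            total_length, 0x1234, 0, 64,   # total length, identification, flags/frag, TTL
                            6, 0,                          # protocol number 6 = TCP; checksum left zero here
                            bytes([10, 0, 1, 5]),          # source IP (constructed, private range)
                            bytes([10, 0, 2, 9]))          # destination IP (constructed, private range)
    return ip_header + tcp_header + payload


def parse_packet(raw: bytes) -> dict:
    """Split a raw IPv4 packet into the header fields the article names, plus its payload."""
    (ver_ihl, _, total_length, _, _, ttl, protocol, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ip_header_len = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4, "total_length": total_length, "ttl": ttl,
        "protocol": protocol,
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
    }
    body = raw[ip_header_len:total_length]
    if protocol == 6:  # TCP: pull out the ports and skip the TCP header to reach the payload
        src_port, dst_port, _, _, offset = struct.unpack("!HHIIB", body[:13])
        tcp_header_len = (offset >> 4) * 4
        info.update(src_port=src_port, dst_port=dst_port, payload=body[tcp_header_len:])
    else:
        info["payload"] = body
    return info


# Ports that normally carry an encrypted protocol, where a captured payload is unreadable anyway.
# Everything else is treated as cleartext. This is a heuristic, not a guarantee.
ENCRYPTED_PORTS = {22, 443, 993, 995}
CREDENTIAL_PATTERN = re.compile(rb"(?:password|passwd|pwd)=[^&\s]+", re.IGNORECASE)


def inspect_packet(raw: bytes) -> list[str]:
    """Packet-capture style review: return the findings a monitor would alert on."""
    info = parse_packet(raw)
    findings = []
    if len(raw) < info["total_length"]:   # header promises more bytes than were captured
        findings.append(f"truncated packet: header declares {info['total_length']} bytes, "
                        f"captured {len(raw)}")
    if info.get("dst_port") not in ENCRYPTED_PORTS and CREDENTIAL_PATTERN.search(info["payload"]):
        findings.append(f"plaintext credential {info['src_ip']}:{info.get('src_port', '?')} -> "
                        f"{info['dst_ip']}:{info.get('dst_port', '?')}")
    return findings
```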
Cloud provider responsibility
Firewalls are a form of network security. They monitor inbound and outbound traffic against a set of security rules, and any traffic or data packets that look suspicious are blocked from entering the network and its trust barrier. Cloud firewalls are themselves hosted in the cloud, so they create a virtual barrier around an infrastructure.
Cloud provider and client’s joint responsibility
CSPM stands for cloud security posture management. These are automated tools that identify and resolve security risks. This can include policy violations, human/manual errors, security misconfigurations, incomplete/incorrect metadata, open ports, and unauthorised changes.
These tools aren’t for catching malicious attacks. Rather, they catch accidents made internally that create vulnerabilities or breaches. They offer an overview on what cloud services you are using, along with security configurations. They work by comparing your configurations to established benchmarks. They then apply automatic fixes based on guardrails.
These tools may be provided by cloud vendors, but need to be managed by clients. They may also be available as a third party integration.
Cloud provider and client’s joint responsibility
Guardrails are a security tool that automates security and/or policy protocols. This can increase the speed and effectiveness of a solution. This is because it does not depend on human intervention. For instance, the authorisation of a new resource can be done automatically through a guardrail system. Through this process, this resource can have the correct security configurations applied. However, not everything has to go through automatically. Certain changes can be blocked.
Guardrails can be used for a wide range of purposes, not just authorisation. They can automate data protocols, packet controls, and more. Cloud providers can offer this technology. However, it needs to be configured and monitored by clients.
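As an added example (not code from the original article or from any vendor's product), the Python below shows the CSPM and guardrail behaviour just described: a constructed inventory is compared against a small benchmark, violations a guardrail is allowed to remediate are fixed automatically, everything else only raises an alert, and a requested change is blocked before it is applied if it would break the benchmark. The inventory, rules and resource names are all constructed for the illustration.

```python
import copy
from dataclasses import dataclass

# Constructed inventory, standing in for what a posture tool pulls from a cloud account.
SAMPLE_RESOURCES = [
    {"id": "web-vm", "type": "vm", "open_ports": [22, 80, 443, 3389], "default_password": False},
    {"id": "reports-bucket", "type": "bucket", "public": True, "in_use": True},
    {"id": "tmp-bucket", "type": "bucket", "public": False, "in_use": False},
    {"id": "db-vm", "type": "vm", "open_ports": [5432], "default_password": True},
]


@dataclass
class Finding:
    resource: str
    problem: str
    action: str   # "fixed" (a guardrail remediated it) or "alert" (needs a human)


# Benchmark rules: each returns a description of the violation, or None when compliant.
def no_exposed_admin_ports(r):
    exposed = sorted(set(r.get("open_ports", [])) & {22, 3389})
    return f"management ports open: {exposed}" if exposed else None

def no_public_bucket(r):
    return "storage bucket is publicly readable" if r.get("type") == "bucket" and r.get("public") else None

def no_default_password(r):
    return "default password still set" if r.get("default_password") else None

def no_unused_bucket(r):
    return "bucket no longer in use" if r.get("type") == "bucket" and not r.get("in_use", True) else None

BENCHMARK = [no_exposed_admin_ports, no_public_bucket, no_default_password, no_unused_bucket]

# Guardrails: the subset of violations the tool may fix on its own. Rotating a credential or
# closing a port on a running VM could break something, so those only raise an alert.
AUTO_FIX = {
    no_public_bucket: lambda r: r.update(public=False),
    no_unused_bucket: lambda r: r.update(decommissioned=True),
}


def assess(resources, auto_fix=AUTO_FIX):
    """Compare every resource against the benchmark; remediate where a guardrail allows."""
    findings = []
    for r in resources:
        for rule in BENCHMARK:
            problem = rule(r)
            if problem is None:
                continue
            if rule in auto_fix:
                auto_fix[rule](r)
                findings.append(Finding(r["id"], problem, "fixed"))
            else:
                findings.append(Finding(r["id"], problem, "alert"))
    return findings


def assess_sample():
    """Assess a copy of the sample inventory; returns (findings, resources after remediation)."""
    resources = copy.deepcopy(SAMPLE_RESOURCES)
    return assess(resources), resources


def apply_change(resource, change):
    """Preventive guardrail: a requested change is applied only if the result stays compliant."""
    trial = {**resource, **change}
    violations = [msg for rule in BENCHMARK if (msg := rule(trial)) is not None]
    if violations:
        return False, violations
    resource.update(change)
    return True, []
```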
Cloud provider and client’s joint responsibility
Monitoring, logging, and alerting is also known as SIEM – security information and event management. This involves collecting and analysing security logs in real time, and sending out alerts for any risks, which helps you respond to attacks quickly.
They can also be used to establish protocols – including automated guardrails – that log and alert against security threats and monitor vulnerabilities. They also can be used to set up audit trails, which can help with future security analysis.
Monitoring, logging, and alerting helps you maintain visibility on all your applications and services. These can be particularly difficult to lose track of if you use multiple services. For this to be successful, it’s essential that you have transparency from cloud vendors. You need to be able to access your security logs for internal analysis.
SIEM tools are provided by some cloud providers, and third party providers. Depending on the service, they may need to be configured and monitored by the client.
The SLA typically offered by cloud vendors follows a shared responsibility model. As such, the client will have certain security responsibilities that they’ll need to act upon. It’s a proactive approach on both sides. What the client is responsible for comes down to the type of service they use. For instance:
SaaS – The client is responsible for securing data and user access.
PaaS – The client is responsible for securing data, applications and user access.
IaaS – The client is responsible for securing data, applications, operating systems, virtual network traffic, and user access.
Whatever service is in use, the client should establish security policies, protocols, and frameworks. Here are some measures to consider:
Security breaches can be accidental and a result of human error. As such, it’s important to keep on top of educating employees about security best practices. This includes password protection, phishing scams, malware scams, and so on.
Ensuring that your systems are correctly set up and frequently updated is critical for cloud security. These measures can include:
Switching on security controls supplied by the vendor.
Changing default settings.
Closing cloud storage buckets when finished with them.
Installing the latest updates.
Ensuring any legacy IT systems that are used remain secure.
Some of these may seem simple, but can make a big difference.
According to the PwC’s 2019 cloud security report, 50% of the cloud users they interviewed considered compliance as a relevant security threat. Compliances are not just a legal or standardised requirement. Implementing them can improve the security of your cloud infrastructure too. These include:
Data masking policies – This is a process that can be used to protect your organisation’s data, and can be used to adhere to compliances. Data masking makes fake but realistic versions of data that can be used in place of sensitive information, for example if your organisation needs data for sales demos or training exercises. This set of ‘fake’ data is robust, and cannot be used to decipher the original data. There are different techniques that can be used for data masking, including scrambling, substitution, nulling, and shuffling.
Data retention policies – This covers how your organisation stores data, for how long, and how it disposes of it.
GDPR – The General Data Protection Regulation is part of EU privacy law. It affects the European Union, as well as the European Economic Area.
HIPAA – The Health Insurance Portability and Accountability Act is part of USA Federal law. It covers privacy rules for healthcare providers.
For more information on this topic, read our beginner’s guide to compliance here.
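As an added example (not from the original article), the Python below applies the four masking techniques named above to a constructed customer table: scrambling for names, substitution for e-mail addresses and card numbers, nulling for free-text notes, and shuffling for a low-risk column whose distribution is worth keeping. The records, the HMAC key and the `masked.example` domain are all constructed for the illustration.

```python
import hashlib
import hmac
import random

# Constructed sample records, standing in for a sales database that a demo or training
# environment needs a safe copy of.
SAMPLE_ROWS = [
    {"name": "Alice Martin", "email": "alice@example.com", "card": "4111111111111111",
     "notes": "VIP, knows the CEO", "city": "Bristol"},
    {"name": "Bob Owusu", "email": "bob@example.org", "card": "5500000000000004",
     "notes": "", "city": "Leeds"},
    {"name": "Chen Wei", "email": "chen@example.net", "card": "340000000000009",
     "notes": "renewal due", "city": "Cardiff"},
]


def scramble(value: str, key: bytes) -> str:
    """Scrambling: replace the value with a keyed one-way digest. The original cannot be
    recovered from the masked set, but equal inputs still map to equal outputs, so records
    can still be joined or counted."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def substitute_card(value: str) -> str:
    """Substitution: keep the shape of the value (length, last four digits) but replace
    everything that identifies the card."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return "X" * (len(digits) - 4) + digits[-4:]


def substitute_email(value: str, key: bytes) -> str:
    """Substitution for e-mail: a realistic-looking but fake address on a reserved domain."""
    local, _, _domain = value.partition("@")
    return f"user-{scramble(local, key)[:8]}@masked.example"


def nullify(_value: str) -> str:
    """Nulling: free text can hide anything, so the field is dropped entirely."""
    return ""


def shuffle_column(rows: list[dict], column: str, rng: random.Random) -> None:
    """Shuffling: keep the real values of a low-risk column but reassign them between
    records, so the distribution survives while the link to each person is broken."""
    values = [row[column] for row in rows]
    rng.shuffle(values)
    for row, value in zip(rows, values):
        row[column] = value


def mask_dataset(rows: list[dict], key: bytes, seed: int = 0) -> list[dict]:
    """Apply one masking technique per column and return a new, demo-safe dataset."""
    masked = [{
        "name": scramble(row["name"], key),
        "email": substitute_email(row["email"], key),
        "card": substitute_card(row["card"]),
        "notes": nullify(row["notes"]),
        "city": row["city"],
    } for row in rows]
    shuffle_column(masked, "city", random.Random(seed))
    return masked
```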
Disaster recovery plans are the backup plans if anything goes wrong.
Security policies essentially cover all of the above, but in policy form. These are the protocols and procedures required for maintaining a secure cloud system. They can include:
Regular employee training.
System integration protocols.
Scheduling security audits and action plans.
Disaster recovery plans.
Ensuring legacy IT systems being used are secure.
Ensuring the interconnectedness and communication between teams is effective.
Maintaining visibility across all operating systems.
The question shouldn’t be ‘is cloud secure?’ but rather ‘how do we use it securely?’ It’s a complex system with layers, and it’s easy to lose track of if security best practices aren’t put in place. Due diligence by users is key. Cloud vendors do have security measures in place, but the responsibility is shared with the client. It’s important for clients to maintain visibility of their cloud security systems, even if this requires additional steps. It's all about continuous risk management monitoring and analysis.
Are you looking for a secure cloud solution for your web application? The Divio Platform is an ISO compliant PaaS that meets GDPR standards. We take security very seriously. Find out more about how we fortify our customers’ web apps by chatting to us about all things cloud security.