Cloud Security — Understand, Mitigate and Manage Risk Types

Cloud use does not result in higher security or continuity failure. It appears to be the opposite. Customer error accounts for most breaches. Properly used, cloud computing is safe and secure.

The strong security delivered by cloud service providers (CSPs) is due to:

• Scale — Delivering service to multiple organizations enables cloud providers to invest in resilience and security.

• The ability to dynamically allocate resources — Cloud providers can deliver encryption, authentication and filtering across their services.

• Competition between vendors — Strong security is a differentiator for providers within a competitive market.

• Standardization of security processes — As providers mature and obtain certifications such as ISO27001, client organizations can potentially replace legacy security technologies without incurring capital expense.

Fewer than 20 globally active CSPs provide the majority of worldwide cloud processing. “Tier 1” CSPs are characterized by over a decade of reliable service and market dominance. When it comes to security, they provide world-class levels.

Second- and third-tier CSPs are somewhat riskier, as evidenced by several data leaks and ransomware incidents that have affected customer organizations in recent years.

That is not to say that there are no risks to using the cloud. Rather, these risks are not limited to cloud security. Many are connected with relinquishing control over governance and compliance. In order of impact, the top risks include:

• Wasted employee time

• Overspend

• Agility risk/technology debt

• Slow time and downtime

The biggest security risks in the cloud include those that are unique to cloud computing — involving resource sharing and remote access to data — and third-party risks.

Shared resource and remote access risks

The shared resource model increases exposure to three key risks:

1. Malicious co-tenants sharing the same computing resources could potentially affect a customer’s access to the resources, leading to data and reputation loss.

2. Isolation failure occurs when the provider fails to separate memory, routing and storage among the tenants of a shared resource model. This can make organizations vulnerable to attacks targeted at other tenants.

3. Ineffective deletion of data can occur when the service provider fails to properly remove data that adds no business value or has outlived its usefulness (separate from the business units being unwilling to part with data, a common problem that is not unique to the cloud).

Third-party risks

Some third-party risks are cloud specific. They include: 

• Conflicting security procedures — When the provider and the customer have conflicting security controls, it can create problems with daily operations.

• Service portability — Technical feasibility and cost concerns regarding portability are a source of risk in part due to the absence of regulatory standards for cloud computing. 

There are three types of cloud delivery models, each with slight differences in the main risks that affect them.

• Software as a service (SaaS) involves an external entity owning, hosting and managing a software application and delivering it as a service to the end customer. Salesforce and Google Docs are SaaS examples. The SaaS customer is a specific end user using it to fulfill business functionality requirements. 

• Platform as a service (PaaS) is a software development platform available as a service that supports the end-to-end software development life cycle, including design, testing and deployment. Examples include Microsoft Azure and Google App Engine. The target market for PaaS is software developers and independent software vendors. 

• Infrastructure as a service IaaS is a service-based model for provisioning core computing power servers, storage and network resources for deployment and execution of externally hosted applications. Examples of IaaS include Amazon EC2 and Oracle Coherence. The target market for IaaS is architects, infrastructure groups and network or system administrators. 

Many sources of cloud security risk are equally high (or low) across SaaS, PaaS and IaaS cloud types. Nonetheless, IaaS has the highest level of risk associated with it, specifically for the following sources: service portability, resource limitations, lack of compliance assurance, IP protection and business continuity planning and disaster recovery security.

Whether these models are deployed on a public, private or a hybrid cloud also affects its cloud security.

Reduce cloud security risk by defining the provider’s security responsibilities and then monitoring the service performance:

• Involve security throughout the deal’s life cycle. This helps clarify the division of responsibilities and ensures security requirements become a contractual obligation.

• Use encryption to protect data in the cloud. Encrypting data during transmission and at rest can help prevent accidental disclosure and incomplete deletion of data.

• Develop a strong auditing approach:

  • Continually assess security capabilities through regular audits to ensure consistent maintenance of security controls.

  • Audit logs, activity reports, system configuration and change management reports to monitor service performance.

  • Select auditors who are familiar with cloud technologies to make the auditing process more efficient.