If your organization is migrating resources to the public cloud, you are probably looking to benefit from the cloud’s flexibility, scalability and high-speed performance, all while reducing expenses.
However, when it comes to security in the cloud, keep in mind that you are not off the hook. All public Cloud Service Providers (CSPs) employ the Shared Responsibility Model, with the provider generally responsible for securing access to the physical servers and the virtualization layer, while your organization is left in charge of security for the hosted operating systems, the applications, and the data itself. Here are seven security issues to clarify to enable you to safely migrate resources to the public cloud.
1. Who manages the encryption keys?
Encryption is key to security, both for data at rest and for data in motion. While most cloud providers ensure encryption of data at rest, the picture for data in motion is less defined and most often requires a third-party solution. Therefore, maintaining ownership over the encryption, end-to-end is only possible if you control all the keys – at all points.
Controlling the keys also limits exposure to malicious insider attacks that come from the CSP’s employees or partners. As additional levels of “as a Service” live in the cloud, insider attacks are potentially more lethal. Since not all CSPs concur about who should control the keys, it is essential to clarify this issue before signing on the dotted line.
Related issues include determining whether the CSP provides the framework to leverage existing credentials and password policies. This may boil down to ensuring that you can import Active Directory or a similar system, instead of recreating all users from scratch which can greatly simplify any migration.
Also, check out whether Security Assertion Markup Language (SAML) SSO capabilities are available for authentication. Speaking of authentication, since single factor authentication is definitely not sufficient to protect your resources, ensure that multifactor authentication is supported, and if so, which flavor.
2. Does the CSP implement controls to segregate your data from other customers?
The multi-tenant paradigm of cloud computing introduces a significant avenue of attack. For instance, if a multi-tenant cloud service database is not properly secured, a flaw in one client application could allow an attacker access to other tenant’s data.
Additionally, check that the vendor is not using system-wide administrator accounts with “super admin” access to their entire cloud environment. Usage of such accounts should be minimal and must be monitored.
3. What level of Network Security does the CSP offer?
Network security includes a number of components, such as data encryption, firewalls and identity-based firewall rules, anti-virus detection and more. In the public cloud, isolation of the cloud servers can be obtained using private IP addressing and firewall rules. Data in motion between a private subnet in the cloud and a private subnet in another cloud or another location requires a secure connection. IPSec can be utilized to route and transport the IP packets with private IP addresses.
The network must be monitored constantly and the monitoring system must generate alerts when suspicious events take place. When migrating to the cloud, ensure that you understand the level of visibility you can expect, and the type of event monitoring, routine security audits and alerts provided.
Furthermore, if you are currently utilizing a Security Information and Event Management (SIEM) system, or you would like to incorporate a SIEM down the road, ensure that you will be able to integrate this into your cloud deployment.
4. Where will my data be stored?
It’s in the cloud, so who cares where the data is living? Actually, in many cases the location of the data and backups may not only affect performance, but more importantly have legal implications. For compliance, you may be required to keep certain types of data within your native country, and other locations may be off limits. Ensure that you know where your data should be stored and where it is replicated, and are the data protection options affected by the permitted locations for your data. In addition, you also should look into the physical security of the CPS’s facilities, and how the structure is protected from natural disasters, including fires, floods, earthquakes and storms.
5. Does the CSP encrypt and regularly test its backups?
Although it seems obvious that information must be protected across its entire lifecycle, unless the backups are also tested and secured to the same level as the production environment, your data is not sufficiently protected. The CSP should also test its disaster recovery plans that minimize the length and impact of the disaster.
6. What is the SLA for availability? What safeguards are present for disaster recovery?
Availability to your data is critical, and ideally the cloud, with its geographically distributed separate and redundant computing resources can provide higher availability. Check to see that the CSPs locations fit with your business’s requirements.
Four nines (99.99%) uptime means that your data could be unavailable for about 50 minutes per year. Investigate the compensation that is offered if the CSP does not meet its availability targets as defined in the SLA.
Another benefit of the cloud is how efficiently it can be used to deploy a disaster recovery solution. SANless clustering is a new option, providing a relatively simple, highly cost-efficient disaster recovery solution. However, failures in cloud instances and outages in public cloud provider service do occur, therefore a careful examination of the SLA is critical.
7. Does the CSP provide APIs to automate tasks?
One of the advantages in moving to the cloud is its scalability – expanding or reducing usage dynamically, which often results in lower costs as you only pay for what you use. An additional benefit of cloud scalability is reducing IT Admin tasks. However, only with sufficient automation will this be truly realized. APIs are commonly used for cloud provisioning, management, orchestration, and monitoring. You’ll want to ensure that your CSP has APIs to launch and stop services, launch VMs (instances), configure security parameters and related settings, and so on.
During the migration, any tasks that can be automated will simplify the transfer of information. For example, if you are using RADIUS or Active Directory, a smooth import of these systems will quicken the uptake of identity-based authentication and authorization procedures.
Shared Responsibility Model
With the Shared Responsibility Model a significant portion of cloud security concerns lie with the customer. Look carefully at what the CSP is offering; you may have to supplement with third-party solutions if the native offering does meet all your requirements.