Do you find Cloud Security daunting? Do you understand the different cloud relationships? Do you know standards that you can use as references? Do you understand Governance of Cloud Security? If you answered no to even one of these questions, this article will help you gain a better understanding of each of these areas and give you a great overview.
Cloud Security is often not treated as a priority by organizations using the cloud because of the erroneous assumption that cloud providers know how to secure data in the cloud, and that using cloud services therefore makes security one less thing to worry about. Organizations that were not prepared for the pandemic and remote work rushed to cloud computing. Many of these organizations failed to consider risks or compliance with standards.
In traditional IT, the organization manages all of the levels of integration on its own. There are three main customer cloud relationships: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). These can be offered by public or private cloud providers.
The National Security Agency (NSA) classified cloud vulnerabilities into four main categories: misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities.
The risks in cloud security must be managed by both the customer and the provider. Organizations that are customers can implement governance, technological, and strategic controls to mitigate risks.
Management should ensure that policies for cloud computing include guidance for implementation. Before developing and implementing the policies, risks should be considered and discussed. Examples of concerns include access to data in the cloud by cloud providers, which assets are going to be managed by the cloud provider, which processes are going to be multi-tenant, where the cloud provider's servers reside geographically, and many more. These concerns should also be managed with the cloud provider and included within contracts, depending on the cloud implementation strategy that is chosen (IaaS, PaaS, or SaaS).
Organizational responsibility for data does not end when using the cloud. Some controls that should be considered and implemented include but are not limited to:
In addition, governance, risk, and compliance (GRC) is a must. Compliance with legal and contractual requirements is essential. These are some International Standards Organization (ISO) standards and National Institute of Standards and Technology (NIST) standards that should be considered.
Bad actors find new and better ways of gaining access to data and attacking clouds each year, such as abuse of cloud services, account or service hijacking, cloud malware injection attacks, denial of service attacks, insider attacks, man-in-the-cloud attacks, side channel attacks, and wrapping attacks. Organizations must be prepared, through better implementation and management of cloud security, to deal with bad actors.
There are three relationships you can have with a Cloud Provider: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). Which one to choose depends on how much you want to manage yourself versus having it done for you.
Even when the Cloud Provider is managing all levels of integration, there are still many controls that you should consider implementing.
Before developing your policies, a Risk Assessment should be done, and controlling these risks should be managed together with the Cloud Provider.