What is Cloud Security?

Image credit: theconsultingreport

When some enterprises migrate to the cloud, they wrongly assume that workload security is now in the hands of their cloud provider.

In reality, most cloud vendors enforce what's called a shared responsibility model. This model varies depending on the cloud computing service category -- SaaS, PaaS or IaaS -- but, in all cases, security responsibilities are split to some degree between the cloud provider and its users.



Cloud computing is the delivery of hosted services, including software, hardware, and storage, over the Internet. The benefits of rapid deployment, flexibility, low up-front costs, and scalability, have made cloud computing virtually universal among organizations of all sizes, often as part of a hybrid/multi-cloud infrastructure architecture.

Cloud security refers to the technologies, policies, controls, and services that protect cloud data, applications, and infrastructure from threats.

When applications and servers are hosted in-house, IT operations admins' security responsibilities are clearly defined; teams can physically see, or at least have direct control over, the IT resources that run in their data center. With cloud computing, however -- where users essentially "rent" compute resources from a provider -- admins must drastically change how they manage workloads. And, in some cases, this creates gaps in security coverage.

While IaaS, PaaS and SaaS each present unique cloud security considerations, admins can also apply some key best practices from their days of securing on-premises resources.

IaaS. 

The cloud provider is responsible for services and storage -- the basic cloud infrastructure components such as virtualization layer, disks and networks. The provider is also responsible for the physical security of the data centers that house its infrastructure. IaaS users, on the other hand, are generally responsible for the security of the OS and software stack required to run their applications, as well as their data.


PaaS. 

When the provider supplies a more comprehensive platform, the provider assumes greater responsibility that extends to the platform applications and OSes. For example, the provider ensures that user subscriptions and login credentials are secure, but the user is still responsible for the security of any code or data -- or other content -- produced on the platform.


SaaS. 

The provider is responsible for almost every aspect of security, from the underlying infrastructure to the service application, such as an HR or finance tool, to the data the application produces. Users still bear some security responsibilities such as protecting login credentials from phishing or social engineering attacks.


What is the Cloud?

The cloud is commonly used to refer to several servers connected to the internet that can be leased as part of a software or application service. Cloud-based services can include web hosting, data hosting and sharing, and software or application use.

‘The cloud’ can also refer to cloud computing, where several servers are linked together to share the load. This means that instead of using one single powerful machine, complex processes can be distributed across multiple smaller computers.


One of the advantages of cloud storage is that there are many distributed resources acting as one – often called federated storage clouds. This makes the cloud very tolerant of faults, due to the distribution of data. Use of the cloud tends to reduce the creation of different versions of files, due to shared access to documents, files and data.

What is a Cloud Server?

A cloud server is a pooled, centralized server resource that is hosted and delivered over a network – typically the Internet – and accessed on demand by multiple users. Cloud servers can perform all the same functions of a traditional physical server, delivering processing power, storage and applications.

Cloud servers can be located anywhere in the world and deliver services remotely through a cloud computing environment. In contrast, traditional dedicated server hardware is typically set up on premises for exclusive use by one organization.

What are the benefits of Cloud Server?

You get scalability with cloud servers. It is very easy and quick to upgrade by adding memory and disk space, as well as being more affordable.

A cloud server gives the business user stability and security because any software problems are isolated from your environment. Other cloud servers won’t impact your cloud server and vice versa. If another user overloads their cloud server, this will have no impact on your cloud server, unlike with physical servers.

Cloud servers are stable, fast and secure. They avoid the hardware issues seen with physical servers, and they are likely to be the most stable option for businesses wanting to keep their IT budget down.

Cloud servers provide a faster service for your money. You’ll get more resources and a faster service than you would for a similar price of a physical server. A cloud-hosted website will run faster.

Cloud Security is a Shared Responsibility

Cloud security is a responsibility that is shared between the cloud provider and the customer. There are basically three categories of responsibilities in the Shared Responsibility Model: responsibilities that are always the provider’s, responsibilities that are always the customer’s, and responsibilities that vary depending on the service model: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS), such as cloud email.

The security responsibilities that are always the provider’s are related to the safeguarding of the infrastructure itself, as well as access to, patching, and configuration of the physical hosts and the physical network on which the compute instances run and the storage and other resources reside.

The security responsibilities that are always the customer’s include managing users and their access privileges (identity and access management), the safeguarding of cloud accounts from unauthorized access, the encryption and protection of cloud-based data assets, and managing its security posture (compliance).

The customer's typical cloud security responsibilities

In general terms, a cloud customer is always responsible for configurations and settings that are under their direct control, including the following:

  • Data. A user must ensure that any data created on or uploaded to the cloud is properly secured. This can include the user's creation of authorizations to access the data, as well as the use of encryption to protect the data from unauthorized access.
  • Applications. If a user placed a workload into a cloud VM, the user is still fully responsible for securing that workload. This can include creating secure (hardened) code through proper design, testing and patching; configuring and maintaining proper identity and access management (IAM); and securing any integrations -- the security of connected systems such as local databases or other workloads.
  • Credentials. Users control the IAM environment such as login mechanisms, single sign-on, certificates, encryption keys, passwords and any multifactor authentication items.
  • Configurations. The process of provisioning a cloud environment includes a significant amount of user control through configuration settings. Any cloud instances must be configured in a secure manner using the provider's tools and options.
  • Outside connections. Beyond the cloud, the user is still responsible for anything in the business that connects to the cloud such as traditional local data center infrastructure and applications.


The provider's typical cloud security responsibilities

Public clouds present a vast and complex infrastructure, and cloud providers will always be completely responsible for that infrastructure, including the following components:

  • Physical layer. The provider manages and protects the elements of its physical infrastructure. This includes servers, storage, network gear and other hardware as well as facilities. An infrastructure typically includes various resilient architectures such as redundancy and failover, as well as redundant power and network carrier connectivity. Infrastructure management also frequently includes backup, restoration and disaster recovery implementations.
  • Virtualization layer. Public clouds are fundamentally do-it-yourself environments where users can provision and use as many resources and services as they wish. But such flexibility demands a high level of virtualization, automation and orchestration within the provider's infrastructure. The provider is responsible for implementing and maintaining this virtualization/abstraction layer as well as its various APIs, which serve as the means of user access and interaction with the infrastructure.
  • Provider services. Cloud providers typically offer a range of dedicated or pre-built services such as databases, caches, firewalls, serverless computing, machine learning and big data processing. These pre-built services can be provisioned and used by customers but are completely implemented and managed by the cloud providers -- including any OSes and applications needed to run those services.

Divided cloud security responsibilities

Although many security responsibilities have clear delineations, there are some responsibilities that might be unclear or changeable depending on the service or provider. Users must pay particular attention to provider SLAs and understand the lines of responsibility precisely in the following areas:

  • Native vs. third party. The one who builds a service is responsible for it. For example, if a cloud customer uses a database offered by a cloud provider, the provider is responsible for deploying, managing, maintaining and updating that service -- though the customer is still responsible for managing and securing any data generated or accessed by that service. However, if a cloud user deploys a database as a workload in a cloud instance, the user is responsible for managing and running that application and its data -- the provider is just responsible for the infrastructure and virtualization layer.
  • Server-based vs. serverless computing. If a cloud user selects a traditional server-based VM, the user is responsible for OS selection, workload deployment and any associated security/configuration settings. If a cloud user selects a serverless (event-based) computing option, the user is responsible for the code uploaded to the service, as well as any user security/configuration options provided through the control plane.
  • Network controls. Consider a network service such as a firewall. Regardless of whether the user deploys the firewall or uses a provider's firewall service, the user is responsible for setting the firewall rules and ensuring that the firewall is configured properly to guard the user's associated applications or other network elements.
  • OSes. Whether a user brings their own OS or deploys an OS supplied by a provider, the user generally gets to decide which OS to use, and this decision brings a host of other security issues. The user is responsible for ensuring that the OS is properly configured with appropriate security settings and adequately patched for security requirements.

Notable shared responsibility model examples

The rule of thumb for shared responsibility is that "if it belongs to you or you can touch it, you're responsible for it." This generally means that a cloud provider is responsible for securing the parts of the cloud that it directly controls, such as hardware, networks, services and facilities that run cloud resources. At the same time, a user is generally responsible for securing anything that they create within the cloud, such as the configuration of a cloud workload, selected services and infrastructure involved in the desired cloud environment. But the actual line isn't always clear and varies depending on the cloud model and provider, as in the examples below:

  • AWS, a major IaaS provider, explains its shared responsibility model as users being responsible for security in the cloud -- including their data -- while AWS is responsible for the security of the cloud, meaning the compute, storage and networks that support the AWS public cloud.
  • Microsoft Azure is similar, noting that users own their data and identities. Users are responsible for protecting their data and identities, on-premises resources and any cloud components that users control -- which can vary by service. But users are essentially responsible for data, endpoints, accounts and access management.
  • Google adopts a similar posture, and generally divides responsibility categories into content, access policies, usage, deployment, web app security, identity, operations, access and authentication, network security, guest OS data, networking, storage and encryption, and audit logging.

Although the wording might be similar, users must understand the details of the shared responsibility model that apply to each specific cloud provider. This ensures that no aspect of security is accidentally overlooked, leaving vital business workloads and data exposed.

Best practices for shared responsibility cloud security

Cloud security typically involves an array of resources and services that might require some level of security intervention from both cloud providers and users. Although it's impossible to describe proper security measures for every possible circumstance, there are several best practices that can help to foster better security, such as the following:

  • Understand SLAs. Because user responsibilities differ depending on cloud service model and provider, there is no standard shared responsibility model. To understand their cloud security responsibilities, users should reference the SLAs they have with their providers. Every cloud provider uses a master SLA, and many services and resources will likely include a separate SLA. Users must understand the security responsibilities for every resource and service included in their architected infrastructure. This can help avoid assumptions and misunderstandings that might leave security gaps or vulnerabilities.
  • Focus on data. Cloud users are universally responsible for their data in the cloud, so they must ensure proper policies for data security. Many organizations classify and categorize data, and then implement security measures that are appropriate for each respective category -- using stricter security measures for more sensitive data.
  • Focus on credentials. Cloud users are universally responsible for credentials in the cloud -- that is, defining who has access to what cloud resources, services and data. Combined with the sheer number of resources and services available in a public cloud, IAM complexity can become overwhelming. Use the tools offered by providers to help manage IAM and develop policies and processes to use those tools properly and consistently.
  • Watch communication. Pay particular attention to communication and update notes from the cloud provider. Even seemingly mundane communication can include vital notifications of service updates and changes that can affect security responsibilities, such as API updates or patches to existing services.
  • Consider tools. Some cloud users can benefit from cloud management tools designed to distill complex cloud environments into easier-to-digest dashboards and alert for cloud security issues. Tools can provide automated correction for undesired security changes. For example, if a user makes a storage instance public, a tool can potentially detect the change, send alerts and automatically make corrections according to established policy without human intervention.
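The "storage instance made public" scenario above is the kind of check such a tool runs. The following is an added illustration, not code from the original post or from any provider's tooling: it inspects a constructed, AWS-style bucket policy, flags Allow statements open to any principal, and produces a remediated copy. It assumes the simplified rule that an unconditional grant to `Principal "*"` is public and that a grant carrying a `Condition` is left for human review rather than auto-removed; a real public-access evaluation also has to account for ACLs and account-level settings.

```python
import copy
import json

# Constructed sample policy. The account id, role and bucket name are placeholders.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OopsPublic", "Effect": "Allow",
     "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}
""")


def _is_public_principal(principal):
    """True if the Principal element grants access to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def is_public_statement(stmt):
    """An Allow statement with a public principal and no Condition is treated as public.
    Conditional grants (e.g. restricted by source IP) are deliberately not auto-flagged."""
    return (stmt.get("Effect") == "Allow"
            and _is_public_principal(stmt.get("Principal"))
            and not stmt.get("Condition"))


def find_public_statements(policy):
    """Return the Sids of statements that would make the bucket publicly accessible."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", []) if is_public_statement(s)]


def remediate(policy):
    """Return a copy of the policy with the public statements removed; the original is untouched,
    so the caller can alert on the diff before (or instead of) applying the corrected policy."""
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [s for s in fixed.get("Statement", []) if not is_public_statement(s)]
    return fixed
```

Used as a guardrail, `find_public_statements` is the alert and `remediate` is the automated correction the text describes; which of the two is applied is a matter of the organization's established policy.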


