The appeal of cloud computing is undeniable. The cloud has eliminated traditional IT barriers to market entry, inspired innovative business models, and improved business efficiency.
It allows for cost savings by reducing the investment required to build, operate and maintain a data center, coupled with the flexibility to scale operations up or down as needed. According to a report by Global Industry Analysts, the global cloud computing services market will reach $127 billion by 2017.
However, despite the substantial benefits, some executives remain reluctant to deploy a cloud strategy. A recent ISACA/CSA cloud market maturity study revealed that 54% of respondents cited security as the top fear factor for cloud adoption. High-profile vulnerabilities like the "Venom" bug discovered in 2015, a hypervisor flaw that let a guest break out of its virtual machine, do nothing to quell these fears.
When considering cloud security risks and controls, remember that your security requirements vary with your deployment model (Private, Hybrid or Public) and your service model (IaaS, PaaS or SaaS). In a Private or Hybrid cloud deployment you are responsible for the physical and environmental security of the data center; in a Public cloud deployment this is usually the cloud service provider's responsibility. Under a Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) model your responsibilities include encrypting your data and licensing the software you bring, whereas under a Software as a Service (SaaS) model these most likely fall to the provider. Some responsibilities are shared: in an IaaS model, for example, the provider hardens and monitors the hypervisor and the infrastructure beneath it, while you harden and monitor the guest operating systems you run on it. Whatever the model, get the split of responsibilities in writing from your provider before you deploy.
Here are some of the security risks and controls to keep top of mind when considering a cloud deployment strategy:
- Application Programming Interfaces (APIs) – In cloud computing, the software interfaces (APIs) that providers expose to customers are used to create, configure and control computing resources. If they are not secured properly, attackers can use the same APIs to do the same. API security breaches have troubled social media companies such as Facebook, Twitter, Buffer and Snapchat, and even the Internal Revenue Service (IRS) suffered a breach last year through an insecure API.
- Web Browsers – The browser is usually the main point of contact between you and your cloud service, and a compromised browser exposes the session cookies and credentials used to reach the cloud console. Browsers are a frequent target and attackers focus on exploiting them.
- Account Hijacking – This occurs when an attacker steals account credentials and impersonates the account owner. In the cloud the hijacked account may be the one that administers your infrastructure, so the attacker gains access to your company data and systems, which can have a devastating impact on your organization.
- Shared Environments – In the cloud it may appear that you have dedicated resources, but you are most likely sharing physical hosts, storage and networks with other customers. This multi-tenancy is what lets cloud service providers offer scalable services, but you have no visibility into other customers' security measures, or lack thereof. A vulnerability or misconfiguration in the shared layer (a hypervisor flaw such as Venom, for instance) could expose every environment hosted on it.
- Legal and Regulatory – Legal and regulatory responsibilities apply to your organization whether you use service providers or not. A common concern with cloud service providers is data location: many providers store data in multiple physical locations, sometimes across international borders, which can place that data under another jurisdiction's laws.
- Governance, Risk and Compliance – Build a robust governance, risk and compliance program and establish policies and procedures that cover cloud services. Consider the following:
  - Data storage and disposal – Storage and disposal policies should be enforced, and if the cloud service provider handles your data destruction you should confirm that its process meets your organization's standards. Consider the applicable legal and regulatory requirements when defining these policies.
  - Access management – Formalized access management policies and procedures should be integrated with your cloud services. Access controls such as multi-factor authentication, strong passwords, periodic access reviews, account activity logging, prohibition of account sharing and limited administrator access should be enforced. Even apart from a cloud deployment, an effective access management policy helps prevent attackers from gaining access to your data and prevents unauthorized access from within your organization.
  - API Security – Ensure that your cloud provider documents the security of its APIs, including authentication, access control, monitoring and logging, and that your own use of those APIs follows the same rules: every call authenticated, every resource checked against the caller's authorization, and every call logged. Make sure that the API has been adequately tested for bugs and vulnerabilities.
  - Up to date software – Keep software up to date and patch it regularly: hypervisor software, operating systems, web browsers and antivirus definitions. This limits attackers' ability to exploit known software vulnerabilities. Limiting browser plug-ins also reduces the browser's attack surface.
  - Awareness and Training – It is important to ensure that users understand basic security concerns. Frequent user awareness and training can help reduce the risk of account hijacking.
  - Encryption – Ensure that you encrypt data using industry best practices for both data at rest and in transit to reduce the risk of unintentional data disclosure. For data in transit this means TLS with certificate and hostname verification enabled, not merely "encrypted"; for data at rest it means authenticated encryption with keys managed separately from the data they protect.
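The API risk and the API Security control above come down to three checks on every call: who is calling, whether they are allowed to touch this particular resource, and a log entry either way. The following is an added example, not code from the original article or from any provider; the tenants, API keys and instance ids are constructed and the request format (HMAC-SHA256 over method, path, timestamp and body) is an assumption chosen for illustration. The "before" handler is the kind of endpoint that lets one tenant stop another tenant's instance; the "after" handler authenticates the key, verifies the signature, bounds the timestamp, and treats a foreign instance exactly like a missing one.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("cloud-api")

# Constructed sample data (hypothetical tenants and keys, not real identifiers).
API_KEYS = {"key-tenant-a": b"secret-a", "key-tenant-b": b"secret-b"}
KEY_OWNER = {"key-tenant-a": "tenant-a", "key-tenant-b": "tenant-b"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def sample_instances():
    """Fresh copy of the constructed resource table, keyed by instance id."""
    return {
        "i-001": {"owner": "tenant-a", "state": "running"},
        "i-002": {"owner": "tenant-b", "state": "running"},
    }


def sign(secret, method, path, timestamp, body):
    """HMAC-SHA256 over the request parts that client and server both know."""
    msg = "\n".join([method, path, str(timestamp), body]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_request(key_id, secret, method, path, body="", timestamp=0):
    """Client side: build a signed request (headers as a plain dict)."""
    return {
        "method": method, "path": path, "body": body,
        "headers": {
            "X-Api-Key": key_id,
            "X-Timestamp": str(timestamp),
            "X-Signature": sign(secret, method, path, timestamp, body),
        },
    }


def instance_id_from(path):
    # "/v1/instances/i-001/stop" -> "i-001"
    return path.rsplit("/", 2)[-2]


def stop_instance_insecure(request, instances):
    """Before: no authentication and no ownership check, so any caller who can
    reach the endpoint can stop any tenant's instance."""
    inst = instances.get(instance_id_from(request["path"]))
    if inst is None:
        return 404, {"error": "not found"}
    inst["state"] = "stopped"
    return 200, {"state": "stopped"}


def stop_instance_secure(request, instances, now):
    """After: authenticate the key, verify the signature, bound the timestamp,
    then authorise against the instance owner. Every outcome is logged."""
    headers = request["headers"]
    key_id = headers.get("X-Api-Key")
    secret = API_KEYS.get(key_id)
    if secret is None:
        log.warning("auth failed: unknown key %r path=%s", key_id, request["path"])
        return 401, {"error": "unauthenticated"}
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        log.warning("auth failed: bad timestamp key=%s", key_id)
        return 401, {"error": "unauthenticated"}
    if abs(now - ts) > MAX_SKEW_SECONDS:  # limits replay of a captured request
        log.warning("auth failed: stale timestamp key=%s", key_id)
        return 401, {"error": "unauthenticated"}
    expected = sign(secret, request["method"], request["path"], ts, request["body"])
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        log.warning("auth failed: bad signature key=%s path=%s", key_id, request["path"])
        return 401, {"error": "unauthenticated"}
    instance_id = instance_id_from(request["path"])
    inst = instances.get(instance_id)
    # Object-level authorisation: a foreign instance is answered exactly like a
    # missing one, so the API never confirms which ids exist in other tenants.
    if inst is None or inst["owner"] != KEY_OWNER[key_id]:
        log.warning("authz denied: key=%s instance=%s", key_id, instance_id)
        return 404, {"error": "not found"}
    inst["state"] = "stopped"
    log.info("instance stopped: key=%s instance=%s", key_id, instance_id)
    return 200, {"state": "stopped"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    table = sample_instances()
    cross_tenant = make_request("key-tenant-a", b"secret-a", "POST",
                                "/v1/instances/i-002/stop", timestamp=1700000000)
    print("insecure:", stop_instance_insecure(cross_tenant, sample_instances()))
    print("secure:  ", stop_instance_secure(cross_tenant, table, now=1700000000))
```

The constant-time comparison and the 404-for-foreign-resources response are the two details most often missing from home-grown API handlers; the logging is what lets the provider-side "monitoring and logging" requirement be met on your side of the shared responsibility line as well.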
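Multi-factor authentication is the control named against account hijacking above, and the most common second factor is a time-based one-time password. The following is an added example, not code from the original article: a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238) plus the server-side verifier that a cloud console would run, with two details that matter in practice: a tolerance window for clock drift, and rejection of any code from a time step already used, so a code captured by a phishing page cannot be replayed within its 30-second validity. The secret shown is the RFC test secret, not one to reuse.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Server-side check for one user's authenticator.

    Accepts the current time step and +/- `window` neighbouring steps (clock
    drift), and refuses any code from a step at or below the last one that
    succeeded, so a captured code cannot be replayed. In a real deployment the
    secret is generated per user with secrets.token_bytes(20), stored encrypted,
    and last_counter is persisted with the user record.
    """

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = None

    def verify(self, code, at=None):
        if not isinstance(code, str) or not code.isdigit():
            return False
        if at is None:
            at = time.time()
        now = int(at) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                if self.last_counter is not None and counter <= self.last_counter:
                    return False  # replayed or out-of-order code
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret (constructed demo only)
    print("code at T=59:", totp(secret, at=59))
    v = TotpVerifier(secret)
    print("first use:", v.verify(totp(secret, at=59), at=59))
    print("replay:   ", v.verify(totp(secret, at=59), at=59))
```

The window and the replay check pull in opposite directions: a wider window helps users whose phones drift, but every extra step is another code an attacker could guess or replay, so keep it at one step and fix the clocks instead.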
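"Encrypted in transit" is only as good as the certificate check behind it. As an added example (not code from the original article), the two client TLS configurations below show the weak setting beside the corrected one using only Python's standard ssl module, plus a small audit function a deployment script can run before any connection is opened. The weak context is the one that appears whenever someone silences a certificate error: the traffic is still encrypted, but any on-path attacker who presents their own certificate can terminate the session and read the data.

```python
import ssl


def weak_client_context():
    """Before: accepts any certificate for any hostname. This 'makes the error
    go away' and also makes interception invisible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """After: verify the server certificate and hostname against the system
    trust store and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx):
    """Audit check: returns a list of problems, empty when the context is acceptable."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 allowed")
    return problems


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, "->", context_is_safe(ctx) or "ok")
```

Use the hardened context everywhere a client opens a socket, for example `urllib.request.urlopen(url, context=hardened_client_context())`; the audit function is cheap enough to run at service start-up against every context the service builds.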
While most security risks are not unique to the cloud environment, it is important to remember that using a cloud service does not absolve you from all the associated risk and responsibilities. Your security responsibilities may vary depending on the deployment or service model your organization has chosen. Be sure to create a comprehensive security framework combined with regular vulnerability testing and security reviews to ensure that your organization is secure.