Created on 2019-11-01 12:27
Published on 2019-11-01 12:56
In 2015 I wrote that potential cloud security threats were numerous and similar to what we faced in traditional network environments. Since then, the technology has matured significantly and, judging by the low occurrence of cloud-related breaches, has proven to be very secure and worthy of inclusion in all IT strategies. The top cloud providers (Amazon, Microsoft, Google) have incredibly secure architectures, significantly minimizing the risk of a direct attack. I applaud the early pioneers: the companies that took the risk and moved their existing infrastructures to the cloud, and the startups that implemented a cloud-first strategy. For those of you who have stayed away for reasons of fear, uncertainty or doubt (FUD), it is time to reconsider. Not only will you save money and resources, but you will also find an increase in security.
Since 2015, cloud-based security issues have been primarily availability-related (e.g., DDoS, internal equipment failures). This has mostly held true. There have been several instances where subscribers did not properly secure their environments and related storage containers; however, barring a few DDoS attacks and attacks on specific SaaS solutions, overall, the environments have proven to be fairly resilient. I think this is because of the investments of providers in their infrastructure; holistic and plentiful built-in security services; marketing and awareness of threats, risks and solutions; inexpensive (and frequently no-cost) professional education and training; and the overall security-mindedness and competence of cloud service providers. Let’s face it… cloud providers knew that it would take more than a “build it and they will come” attitude to gain customers; they had to be very serious about security, and I believe they absolutely are.
The top cloud providers have a plethora of security controls generally “baked in” (including those to prevent and deter, detect and respond to attacks) to lower the overall risk. Providers are implementing strong physical/personnel security processes and procedures; significant up-time through distributed locations; integrated identity and access management (IAM) tools; enhanced authentication; distributed denial of service (DDoS) attack mitigation; advanced firewalls (network and web-based); network segmentation with access control; transaction-level logging, auditing and SIEM tools; object, file and block-level backup/recovery; automated compliance solutions; and encryption to ensure privacy of data at rest and in motion. Note that some controls, such as patch and configuration management, are optional, so be sure to understand all options while you are shopping around. Truly, cloud providers are becoming more of a one-stop shop than ever for your secure and resilient application delivery needs.
With the help of NIST, the Cloud Security Alliance (CSA) and regulated clients, cloud providers have significantly matured their security controls and, as a result, steadily increased their client base. In April, Gartner said the worldwide public cloud services market is projected to grow 17.5% this year to total $214.3 BN, up from $182.4 BN in 2018. In 2016, Gartner said the spend for 2015 was $175 BN, up 13.7% from 2014. The greatest area of growth has been Infrastructure-as-a-Service (IaaS), which has been in the 30 percent range since 2015 and is expected to move into the 40s, 60s and 70s within the next three years. This will be a significant and unprecedented increase, proving the continued maturity and security of cloud computing and a shift to a “cloud only” attitude for most organizations.
In 2015 I suggested using the NIST Cybersecurity Framework (CSF) and Special Publication 800-144 (Guidelines on Security and Privacy in Public Cloud Computing) for securing cloud environments but failed to mention the Cloud Security Alliance (CSA). CSA has been around for over ten years now, and its security controls, the Cloud Controls Matrix (CCM), and the Certificate of Cloud Security Knowledge (CCSK) for around nine. Of course, NIST (especially SP 800-53) and other frameworks are referenced and mapped by the CSA CCM; however, in my opinion these do not address all the controls required for cloud environments, especially those related to virtualization, mobile and supply chain. At the end of the day, NIST CSF will be helpful for performing a more general security assessment; however, as it does not yet include the CSA controls as a reference, you should use the CCM as well, and seek input from a professional cloud security architect, when developing and selecting controls to secure your cloud environment and applications.
Clearly, cloud is not right for all. Some larger banks, healthcare organizations and others dealing with a high degree of personal private information may decide against it. Others will continue to host their more sensitive data on-prem and outsource the rest: the “hybrid approach”. This is a great strategy in my opinion, and one which I have seen increasingly used over the past few years. It provides a great balance of risk vs. reward and continued expense reduction. Whatever your strategy, if you are not utilizing the cloud in some way, shape or form, I think it is time to reconsider. The risk should be clearly understood before moving anything to the cloud; you must perform in-depth risk assessments, design effective controls, and clearly understand and manage the risk that remains.
At the end of the day, there is a likelihood of breach regardless of where your data resides (on-prem or in the cloud). Depending on how you architect your solution, when a breach does happen, your reputation will be impacted differently. To help you decide, you should prepare for the most appropriate breach response: either “We had a breach against our network and your data was accessed”, or “We gave your data to a third-party provider who had a breach and your data was accessed”. Clearly, as time goes on and more and more move to the cloud (when the solution is the standard), the second response will be the norm and more accepted than I think it is today. Whichever route you decide to take, do your homework, assess your risk and ensure your security controls are designed appropriately and are operating effectively. Enhance where necessary, accept the residual risk, invest in cyber insurance, rinse and repeat.