Who Is Responsible for Cloud Security?

Uploaded on 2017-08-10 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Resilience

When implementing cloud projects, security is one of the most important issues. It requires companies to identify and understand the risks inherent to digitisation, public networks and outsourcing of infrastructure components. Companies still fear that their data is insecure with cloud systems.

IT professionals want to apply the same level of security to their cloud deployments as they do to internal resources. Many business leaders view this as the provider’s responsibility, but true cloud security requires a collaborative effort.

Understanding Cloud Security Objectives

The security objectives of confidentiality, integrity, availability, authenticity, accountability, liability and privacy form the basis for IT security in general. These objectives also apply to cloud systems. However, they cannot be applied to cloud systems 1:1, since various concepts and application architectures have different requirements.

According to the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework, essential IT resources are divided into four control levels:

1.    People;
2.    Information;
3.    Applications; and
4.    Infrastructure.

Both general and cloud-specific security measures are defined by these control levels.

Cloud application architectures are made up of elements of the three cloud reference models: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS).

With IaaS, the cloud vendor provides only the physical or virtual infrastructure. From this level, the user is the administrator of the network and system infrastructure, applications and data.

With PaaS, the cloud provider manages the entire infrastructure, including middleware components such as databases. The application and data content comes from the cloud consumer.

SaaS means that a cloud provider provides everything from the infrastructure to the application — the cloud consumer only adds the data and accesses it.

Access Management and Data Protection

Responsibility for the aforementioned cloud models is roughly divided between users and providers. In principle, cloud providers are more accountable for securing the transition between IaaS to SaaS, while the user assumes more responsibility in the IaaS model.

The basic security measures for the control level user are:

•    Access management;
•    Identity management; and
•    Privileged identity management.

Identity and access management is essentially the responsibility of the cloud consumer in the IaaS model, since the provider only operates the physical or virtual infrastructure.

There is more of a shared responsibility with PaaS and SaaS: While access management is the domain of the user, the provider is responsible for application program interface (API) security and auditing.

Identity management, including privileged user management, is also a shared responsibility between cloud provider and consumer.

Basic security measures for the controlled data include:

•    Data collection and classification;
•    Data encryption and masking;
•    Monitoring of data and file activities;
•    Data access control; and
•    Secure data erasure.

In the IaaS model, the responsibility for these data protection measures can clearly be assigned to the cloud consumer.
With PaaS, the cloud provider must secure the provided database using sophisticated tools to monitor and protect access. The user is responsible for the content and data itself.

Application and Infrastructure Security

In a SaaS environment, we see a shared responsibility again: Although the user controls the data, the cloud service provides the application and, therefore, must apply the necessary application security measures.

These include:

•    Security by design and source code analysis;
•    Security and vulnerability testing;
•    Secure deployment; and
•    Protection against manipulation and threats during runtime.

For applications in the SaaS model, the cloud provider is tasked with developing and operating the application and delivering it to consumers.

By delivering secure application development and operation with features such as application code scanning, application security management and vulnerability detection, vendors can provide a high level of security for cloud services.

In IaaS and PaaS models, the application belongs to the cloud consumer. As a general guideline, companies should consider the possible use of cloud services during the design and development of new company-specific applications and apply appropriate security measures.

The security-layer infrastructure includes basic measures for:

•    Endpoint security;
•    Network security;
•    Communication encryption; and
•    Physical security.

Cloud consumers must always ensure the security of the endpoints that are used to access cloud services. In the SaaS model, this is the only responsibility of the cloud consumer regarding infrastructure security.

With IaaS, the cloud user is responsible for network security and, if necessary, communication encryption. In PaaS and SaaS, this accountability is transferred from the cloud consumer to the provider, since the provider has the appropriate security technologies in place. Meanwhile, the provider must ensure the physical security of the cloud system.

Security technologies do not necessarily have to take the form of tools, or be developed and operated in a customer-oriented infrastructure. Cloud providers also offer services for various IT security levels, such as identity and access management.

Cloud providers can help organizations comply with security guidelines and regulations through appropriate certifications such as SOC-2, COBIT and more. These standards require security controls to be built in during the development of cloud applications, effective access management, regular vulnerability and security checks, compliance verification and penetration testing.

Cloud Security Is a Team Effort

When using cloud services, you should implement all the same security measures you would apply to classic IT infrastructures. Since IT resources are also used in cloud systems, the previously described security objectives have to be addressed with regard to people, information, applications and infrastructure.

It is equally crucial to determine who controls the various components of the cloud infrastructure. This defines where and how security measures should be applied, with a special focus on the data. At the end of the day, both providers and users need to keep cloud data safe. Cloud security must be a team effort.

Security Intelligence

You Might Also Read:

Cyber Attacks Demonstrate  Why The Cloud Is Safer:

Cloud Security Analysed For Management (£):

 

« Dangers Of Betting On Hybrid Cloud
North Korean Cyber 'tunneling' In New Zealand »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Panda Security

Panda Security

Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions.

CERT-In

CERT-In

CERT-In is a functional organisation of the Ministry of Information & Electronics Technology, Government of India, with the objective of securing Indian cyber space.

Chubb

Chubb

Chubb is the world’s largest publicly traded property and casualty insurer. Commercial services include Cyber Risk insurance.

KFSensor

KFSensor

KFSensor is an advanced 'honeypot' intrusion and insider threat detection system for Windows networks.

Guidewire

Guidewire

Guidewire Cyence™ Risk Analytics is a cloud-native economic cyber risk modeling solution built to help the insurance industry quantify cyber risk exposures.

RedSeal

RedSeal

RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events.

California Cybersecurity Institute (CCI) - Cal poly

California Cybersecurity Institute (CCI) - Cal poly

The CCI provides a hands-on research and learning environment to explore new cyber technologies and train and test tactics alongside law enforcement and cyberforensics experts.

6point6

6point6

6point6 is a technology consultancy with strong expertise in digital transformation, emerging technology and cyber security.

International Cybersecurity Institute (ICSI)

International Cybersecurity Institute (ICSI)

ICSI is a UK company offering specialized and accredited professional qualifications in cybersecurity for young IT graduates as well as mature professionals.

SHIELD

SHIELD

SHIELD are the world’s leading cybersecurity company specializing in cyber fraud and identity solutions.

Porto Research, Technology & Innovation Center (PORTIC)

Porto Research, Technology & Innovation Center (PORTIC)

PORTIC brings together several research centers and groups from P.PORTO in a single space, forming a superstructure dedicated to research, technology transfer, innovation and entrepreneurship.

Ostrich Cyber-Risk

Ostrich Cyber-Risk

Ostrich Cyber-Risk is a risk management company that helps organizations reduce the complexity of identifying financial and operational risks related to your cybersecurity posture.

Parablu

Parablu

Parablu is a leading provider of data security and resiliency solutions for the digital enterprise.

Astran

Astran

At Astran, we revolutionize data security by introducing a groundbreaking solution for data confidentiality headaches.

Cyabra

Cyabra

Cyabra is leading the fight against disinformation. Our AI shields companies and the public sector by uncovering malicious actors, bot networks, and GenAI content.

RedLattice

RedLattice

RedLattice are at the cutting edge of tool development and AI-assisted vulnerability research in cybersecurity.