Who Is Responsible for Cloud Security?

Uploaded on 2017-08-10 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, TECHNOLOGY--Resilience

When implementing cloud projects, security is one of the most important issues. It requires companies to identify and understand the risks inherent to digitisation, public networks and outsourcing of infrastructure components. Companies still fear that their data is insecure with cloud systems.

IT professionals want to apply the same level of security to their cloud deployments as they do to internal resources. Many business leaders view this as the provider’s responsibility, but true cloud security requires a collaborative effort.

Understanding Cloud Security Objectives

The security objectives of confidentiality, integrity, availability, authenticity, accountability, liability and privacy form the basis for IT security in general. These objectives also apply to cloud systems. However, they cannot be applied to cloud systems 1:1, since various concepts and application architectures have different requirements.

According to the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework, essential IT resources are divided into four control levels:

1.    People;
2.    Information;
3.    Applications; and
4.    Infrastructure.

Both general and cloud-specific security measures are defined by these control levels.

Cloud application architectures are made up of elements of the three cloud reference models: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS).

With IaaS, the cloud vendor provides only the physical or virtual infrastructure. From this level, the user is the administrator of the network and system infrastructure, applications and data.

With PaaS, the cloud provider manages the entire infrastructure, including middleware components such as databases. The application and data content comes from the cloud consumer.

SaaS means that a cloud provider provides everything from the infrastructure to the application — the cloud consumer only adds the data and accesses it.

Access Management and Data Protection

Responsibility for the aforementioned cloud models is roughly divided between users and providers. In principle, cloud providers are more accountable for securing the transition between IaaS to SaaS, while the user assumes more responsibility in the IaaS model.

The basic security measures for the control level user are:

•    Access management;
•    Identity management; and
•    Privileged identity management.

Identity and access management is essentially the responsibility of the cloud consumer in the IaaS model, since the provider only operates the physical or virtual infrastructure.

There is more of a shared responsibility with PaaS and SaaS: While access management is the domain of the user, the provider is responsible for application program interface (API) security and auditing.

Identity management, including privileged user management, is also a shared responsibility between cloud provider and consumer.

Basic security measures for the controlled data include:

•    Data collection and classification;
•    Data encryption and masking;
•    Monitoring of data and file activities;
•    Data access control; and
•    Secure data erasure.

In the IaaS model, the responsibility for these data protection measures can clearly be assigned to the cloud consumer.
With PaaS, the cloud provider must secure the provided database using sophisticated tools to monitor and protect access. The user is responsible for the content and data itself.

Application and Infrastructure Security

In a SaaS environment, we see a shared responsibility again: Although the user controls the data, the cloud service provides the application and, therefore, must apply the necessary application security measures.

These include:

•    Security by design and source code analysis;
•    Security and vulnerability testing;
•    Secure deployment; and
•    Protection against manipulation and threats during runtime.

For applications in the SaaS model, the cloud provider is tasked with developing and operating the application and delivering it to consumers.

By delivering secure application development and operation with features such as application code scanning, application security management and vulnerability detection, vendors can provide a high level of security for cloud services.

In IaaS and PaaS models, the application belongs to the cloud consumer. As a general guideline, companies should consider the possible use of cloud services during the design and development of new company-specific applications and apply appropriate security measures.

The security-layer infrastructure includes basic measures for:

•    Endpoint security;
•    Network security;
•    Communication encryption; and
•    Physical security.

Cloud consumers must always ensure the security of the endpoints that are used to access cloud services. In the SaaS model, this is the only responsibility of the cloud consumer regarding infrastructure security.

With IaaS, the cloud user is responsible for network security and, if necessary, communication encryption. In PaaS and SaaS, this accountability is transferred from the cloud consumer to the provider, since the provider has the appropriate security technologies in place. Meanwhile, the provider must ensure the physical security of the cloud system.

Security technologies do not necessarily have to take the form of tools, or be developed and operated in a customer-oriented infrastructure. Cloud providers also offer services for various IT security levels, such as identity and access management.

Cloud providers can help organizations comply with security guidelines and regulations through appropriate certifications such as SOC-2, COBIT and more. These standards require security controls to be built in during the development of cloud applications, effective access management, regular vulnerability and security checks, compliance verification and penetration testing.

Cloud Security Is a Team Effort

When using cloud services, you should implement all the same security measures you would apply to classic IT infrastructures. Since IT resources are also used in cloud systems, the previously described security objectives have to be addressed with regard to people, information, applications and infrastructure.

It is equally crucial to determine who controls the various components of the cloud infrastructure. This defines where and how security measures should be applied, with a special focus on the data. At the end of the day, both providers and users need to keep cloud data safe. Cloud security must be a team effort.

Security Intelligence

You Might Also Read:

Cyber Attacks Demonstrate  Why The Cloud Is Safer:

Cloud Security Analysed For Management (£):

 

« Dangers Of Betting On Hybrid Cloud
North Korean Cyber 'tunneling' In New Zealand »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Acumin Recruitment

Acumin Recruitment

Acumin is an internationally established Cyber Security recruitment specialist.

RSA Insurance Group

RSA Insurance Group

RSA is one of the world’s leading multinational quoted insurance groups. Commercial services include cyber risk insurance.

Government Communications Headquarters (GCHQ)

Government Communications Headquarters (GCHQ)

GCHQ defends Government systems from cyber threat, provide support to the Armed Forces and strive to keep the public safe, in real life and online.

Digital Defense Inc (DDI)

Digital Defense Inc (DDI)

DDI offers vulnerability scanning, penetration testing, web application testing, social engineering and additional security assessments.

PureCyber

PureCyber

PureCyber (formerly Wolfberry Cyber) is an award-winning cyber security consultancy whose goal it is to make cyber security accessible, understandable, and affordable for any organisation.

Assertion

Assertion

Assertion secures your collaboration (UC/CC) systems from cyber risks. Enforcing the right set of controls and monitoring them continually brings down risk to acceptable levels.

Lifespan Technology

Lifespan Technology

Lifespan Technology provides the full range of IT Asset Disposition services. This includes hardware recycling and disposal, data destruction, and hardware resale.

Prolimax

Prolimax

Prolimax deliver innovative solutions to IT Manufacturers, Distributors, Resellers and End-users including Data Erasure and secure IT Asset Disposition (ITAD)

Korn Ferry

Korn Ferry

Korn Ferry is a global organizational consulting firm, synchronizing strategy and talent to drive superior performance for our clients in key areas including cybersecurity.

IQ4 - Cybersecurity Workforce Alliance (CWA)

IQ4 - Cybersecurity Workforce Alliance (CWA)

Cybersecurity Workforce Alliance, a division of iQ4, is an organization comprised of a diverse range of professionals dedicated to the development of the cybersecurity workforce.

DoControl

DoControl

DoControl gives organizations the automated, self-service tools they need for SaaS applications data access monitoring, orchestration, and remediation.

SecureTeam

SecureTeam

SecureTeam are a UK-based information security practice, specialising in all areas of cybersecurity.

Agile Defense

Agile Defense

Agile Defense is an Information Technology services provider, delivering leading-edge Digital Transformation solutions to the Federal Government.

VeriBOM

VeriBOM

VeriBOM is a SaaS security and compliance platform that helps protect you and your customers through automation, documentation, and transparency for every software application you build or run.

Anthropic

Anthropic

Anthropic is a Public Benefit Corporation, whose purpose is the responsible development and maintenance of advanced AI for the long-term benefit of humanity.

SITS Group

SITS Group

SITS Group excel in delivering a comprehensive range of Cyber Security consulting and managed services, from cloud transformation to risk management.