Today, doing business without the cloud looks like a self-imposed handicap. You can do it, but don’t expect a lot of flexibility or options. With a pay-per-use approach and the many services available from the top cloud providers, you can scale your business in a reasonable timeframe. The catch: it also has to be secure. How do you introduce the cloud to your organization and keep it safe at the same time? Here are some tips on cloud security.
Top cloud providers like Amazon, with its Amazon Web Services (AWS), are the first choice for companies that need scalability. AWS is also secure, as we covered in our article about AWS security. But what exactly are we talking about?
What is cloud security?
Cloud security refers to protecting the infrastructure, technology, services, applications, data and policies that are exposed to the risk of being hacked, damaged or destroyed, whether electronically (through a break-in) or physically.
One of the key aspects of this topic, present in AWS for example, is the “shared responsibility” model. In this model the cloud provider is responsible for part of the security. When it comes to infrastructure, hardware, power supply and the physical space occupied by the servers, the ball is in their court. Virtualization is also their domain, and so is the operating system of managed services; on IaaS, keeping the guest operating system patched is one of the measures that falls to you (see below). The rest is up to you.
There are several areas in which cloud security can be measured:
- Software development life cycle (including version management)
- Providing network connectivity and high availability
- Assuring physical security of hardware and access to the infrastructure
- Usage of encryption keys and password management
- Security auditing, measuring, and testing
These are the typical domains of the topic. The real question is how exactly you can measure them.
How to measure cloud security?
The security of the cloud must be audited in two ways: internally by the cloud provider and by an independent third party. It’s good practice to ask any provider for their audit results and latest certificates.
There are many standards in this field, but a few of them are the most widely recognized. They are especially important for the FinTech industry and for the financial software development services that support it.
PCI-DSS – confirms the compliance of all (or some) services with the Payment Card Industry Data Security Standard.
CSA STAR Level 2 – confirms the compliance with the Cloud Security Alliance STAR requirements for high-risk data processing.
ISO/IEC 27001 together with a declaration of compliance with ISO/IEC 27017 and ISO/IEC 27018 – confirms the implementation of a standardized Information Security Management System along with security and privacy controls dedicated to public cloud providers.
SOC 2 Type II – confirms compliance with the US AICPA’s SOC 2 requirements in the following areas: network and physical security, data availability, data processing integrity, data confidentiality and privacy.
Cloud security challenges
There are some undeniable challenges that your company will have to tackle sooner or later.
- DevOps and automation. Organizations that have embraced the highly automated DevOps CI/CD culture must ensure that appropriate security controls are identified and embedded in code and templates early in the development cycle.
- Visibility (or lack of it) and tracking. In the Infrastructure-as-a-Service (IaaS) model, the cloud providers have full control over the infrastructure layer and do not expose it to their customers. The lack of visibility and control grows further in the PaaS and SaaS cloud models. Cloud customers often cannot effectively identify and quantify their cloud assets or visualize their cloud environments.
- Risk of attacks. The public cloud environment has become a large and highly attractive attack surface for hackers who exploit poorly secured cloud ingress ports in order to access and disrupt workloads and data in the cloud.
- Key management and the granular privileges model. Often cloud user roles are configured very loosely, granting extensive privileges beyond what is intended or required. One common example is giving database delete or write permissions to untrained users or users who have no business need to delete or add database assets. At the application level, improperly configured keys and privileges expose sessions to security risks.
- Compliance. All the leading cloud providers have aligned themselves with most of the well-known accreditation programs such as PCI 3.2, NIST 800-53, HIPAA and GDPR. However, customers are responsible for ensuring that their workload and data processes are compliant. Given the poor visibility as well as the dynamics of the cloud environment, the compliance audit process becomes close to mission impossible unless tools are used to achieve continuous compliance checks and issue real-time alerts about misconfigurations.
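The loosely configured roles and continuous misconfiguration checks described above, as an added example that is not part of the original article: a small audit script that flags IAM-style Allow statements granting delete/write rights or covering every resource. The policy documents, action list, bucket and table ARNs are constructed for the example.

```python
import fnmatch
import json

# Concrete delete/write operations the article warns about handing to users
# with no business need (constructed list; extend per service).
DESTRUCTIVE_ACTIONS = ["dynamodb:DeleteTable", "dynamodb:DeleteItem",
                       "rds:DeleteDBInstance", "s3:DeleteBucket", "s3:DeleteObject"]

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict) -> list[str]:
    """Return one finding per over-broad Allow statement. A policy action may
    itself be a wildcard ("*", "dynamodb:*"), so it is used as an fnmatch
    pattern against the concrete DESTRUCTIVE_ACTIONS."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {idx}: Resource '*' covers every resource")
        granted = sorted(a for a in DESTRUCTIVE_ACTIONS
                         if any(fnmatch.fnmatch(a, p) for p in actions))
        if granted:
            findings.append(f"statement {idx}: grants destructive actions {granted}")
    return findings

# Constructed sample: a "reporting" role configured loosely, then tightened to
# the read calls the job actually needs (hypothetical bucket/table ARNs).
LOOSE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-reports-bucket/*"}]}""")
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:eu-west-1:111122223333:table/reports"},
        LOOSE_POLICY["Statement"][1]]}

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit_policy(pol) or "no findings")
```

Running it against every role in an account on a schedule is the kind of continuous check the compliance point above calls for.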
What, as the client, are you responsible for?
Although the cloud provider does the heavy lifting around the hardware, it is you who takes responsibility for the broadly understood management of cloud security. Let’s break it down.
- PaaS security. In the Platform-as-a-Service (PaaS) model, clients must take care of the application’s maintenance and security. This includes data backups, machine learning for threat detection, secured network connections, patching vulnerabilities in the databases, libraries, etc. that you use, and the security of the code itself.
- IaaS security tools. You must apply these security measures yourself: high availability, network security, an updated and patched operating system, configuration and data backups, and data storage scalability.
- Identity and access management. Again, this is especially important for all FinTech businesses out there. The cloud provider’s client should generate reports on user permissions and related services. They should also prepare reports on the usage of credentials (passwords, API keys, etc.). Clients can also make use of machine-learning-supported reports on where sensitive data may be stored and on conditional access to applications (based on user behavior or the detected environment).
- Logging and monitoring activities. These cover: operations on any kind of confidential data (creation, modification and deletion); granting and revoking user permissions; creating, altering and deleting accounts, groups and roles; failed sign-in attempts (especially repeated ones); successful sign-ins; and configuration changes (especially ones that disable security controls).
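Two of the monitoring items above, repeated failed sign-ins and configuration changes that disable security controls, as an added example that is not part of the original article: detection logic run over constructed CloudTrail-style events. The event names are real CloudTrail eventName values; the threshold, window, users and timestamps are this example’s own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# API calls that switch off a security control; the article singles such
# configuration changes out for alerting. The eventName values are real
# CloudTrail names, the selection is this example's own.
CONTROL_DISABLING_EVENTS = {"StopLogging", "DeleteTrail", "DeactivateMFADevice"}
FAILED_LOGIN_THRESHOLD = 3                    # alert on the 3rd failure...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ...within this window

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return alert strings for the given CloudTrail-style events, oldest first."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the window
    for ev in sorted(events, key=_ts):
        now, name = _ts(ev), ev["eventName"]
        user = ev["userIdentity"].get("userName", "<unknown>")
        failed_login = (name == "ConsoleLogin"
                        and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure")
        if failed_login:
            window = [t for t in recent_failures[user] if now - t <= FAILED_LOGIN_WINDOW]
            window.append(now)
            recent_failures[user] = window
            if len(window) == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                alerts.append(f"{ev['eventTime']} repeated failed sign-ins for {user}: "
                              f"{len(window)} within {FAILED_LOGIN_WINDOW}")
        elif name in CONTROL_DISABLING_EVENTS:
            alerts.append(f"{ev['eventTime']} security control disabled: {name} by {user}")
    return alerts

def _event(time, name, user, **extra):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventName": name, "userIdentity": {"userName": user}, **extra}

FAIL = {"responseElements": {"ConsoleLogin": "Failure"}}
SAMPLE_EVENTS = [  # constructed; three failures for alice inside ten minutes
    _event("2024-03-01T08:00:05Z", "ConsoleLogin", "alice", **FAIL),
    _event("2024-03-01T08:00:40Z", "ConsoleLogin", "alice", **FAIL),
    _event("2024-03-01T08:01:12Z", "ConsoleLogin", "bob",
           responseElements={"ConsoleLogin": "Success"}),
    _event("2024-03-01T08:02:03Z", "ConsoleLogin", "alice", **FAIL),
    _event("2024-03-01T08:30:00Z", "DescribeInstances", "bob"),
    _event("2024-03-01T09:15:44Z", "StopLogging", "ops-admin"),
]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_EVENTS)))
```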
Latest cloud security developments
In its 2022 Cloud Security Report, Check Point pointed out that cloud adoption continues to grow, but so do the threat levels. 27% of organizations experienced a public cloud-related security incident in the last 12 months. That’s a lot. 14% of those were exploitation-related, 15% were linked to compromised accounts, another 15% to inappropriately used or shared data, and 23% came from wrongly configured resources or accounts. Conclusion? Cloud security should be treated as a common good.
This more or less corresponds with the current cloud priorities of the surveyed companies: 20% want to prevent cloud misconfigurations, 16% would like to secure the major cloud apps already in use and achieve regulatory compliance, and 13% will focus on defending against malware.
It’s also interesting to see what security measures companies take to defend their cloud infrastructure. As it happens, 72% of them use access control, 60% anti-virus and anti-malware protection, 53% application protection and 53% multi-factor authentication.
The report also points out additional threats in the multi-provider cloud model, in which companies use at least two vendors. That may seem complementary, but it also increases risk, and the report clearly shows it: 46% lost visibility and control over their cloud data, 50% don’t understand how the different solutions fit together (sometimes they don’t!), 56% lack the skills to deploy and manage a complete solution across all cloud environments, and 57% want to ensure data protection and privacy for each environment.
That’s why at Code & Pepper we recommend sticking to one provider. We have chosen Amazon for their experience, the huge number of cloud-related services and applications, and our skills in implementing their solutions.
When it comes to cloud security, you can’t second-guess your team’s or business partners’ capabilities. That’s why we recommend our AWS development services. We can help you and guide you on your way to a scalable business, whether you’re deep in FinTech or in an unrelated industry. We are here to answer all your questions. Contact us, let’s talk!