Today’s technology is fast addressing business challenges and creating a multitude of new opportunities for economic growth. Cloud computing is enabling us to realize better efficiencies across provisioning, deployment, and monitoring of information assets. With these rapid technology changes comes security risk, as enterprises strive to stay ahead of the hacker communities and protect their assets. Security has become a critical factor for business growth and sustenance, alongside the agility, scalability, availability, and reliability of services. The buzz is about the persisting need for a calibrated security monitoring and control system that insulates against varying asset usage patterns driven by customer needs or market dynamics.
Top 3 major cloud security threats
The 2018 Cloud Security report* (published by Information Security Community in partnership with Cybersecurity Insiders) highlights the growing security threats across data, systems and services in the cloud. The stark realization is the wide gap between the availability of the requisite cyber security expertise and the velocity with which cloud is being adopted by the industry. Existing legacy security solutions are not comprehensive enough and have limited capabilities for cloud-based services.
The top 3 major Cloud Security threats identified are related to:
- The configuration of Cloud platforms
- Access Controls
- Security of the APIs and Integrations
Inconsistent policies and standards
Moreover, it is observed that enterprises have inconsistent security policies and encryption standards between on-premises and cloud environments. The security concerns run across the different architectural aspects of microservices-based cloud systems, such as containerization, heterogeneity, elasticity, multi-tenancy, connected resource sharing and mobility.
CIA (Confidentiality, Integrity, and Availability) Triad
Technology start-ups are surging ahead with cloud adoption for the real benefits it brings in productivity and total cost of ownership. In a recent survey on cloud security, over 60% of respondents confirmed that their organizations evaluate the security capabilities of the cloud service provider prior to engagement. Having said this, every cloud customer must realize that protecting enterprise data and information within the cloud is primarily their own responsibility and does not rest with the cloud service provider. There is no out-of-the-box solution, and every enterprise should implement comprehensive design rules addressing the different security vulnerabilities. All security controls are to be mapped against potential vulnerabilities, ensuring the triad: confidentiality, integrity, and availability of the data and information within the cloud. The controls relating to authentication, authorization, encryption, access, key management and integrations must be robust and follow industry best practices to enable effective cloud governance.
Encryption and Tokenization
Proactive conformance to security is needed because the traditional IT functions in the enterprise have limited control over cloud security; typically the project or program teams directly handle build deployments and the usage of cloud services. In this context, there must be documented controls on the sharing of sensitive information with third parties. It is important that data is secured both in flight and at rest with proper encryption algorithms, along with tokenization of all sensitive data within cloud applications.
Another important aspect is to have a robust authentication rule to access data stored in the cloud. Enterprises must consider multi-factor authentication controls for secure access.
ISO standards on compliance management for cloud computing
The distinction comes from the level of security conformance within the enterprise, rather than from mere compliance with the identified security controls. From the conformance perspective, the ISO 27001 standard provides a prescriptive set of features for an effective information security management system. The code of practice for information security controls is covered in the ISO 27002 standard, along with information security control objectives and generally accepted good practices.
The emphasis in a process approach is on continual improvement and effectiveness based on quantified information. The new standard ISO/IEC 27017:2015 specifies the additional security controls needed for cloud services, to be implemented by both cloud service providers and their customers, over and above the security controls specified in ISO 27002. This technical standard covers globally recognized best practices applicable to the provision and use of cloud services, along with implementation guidance, and is aimed at educating cloud service customers on what they should expect from their service provider.
Today, customer-related data is recognized as a business asset by enterprises and is therefore protected from possible pilferage from data centers. ISO 27018:2014 focuses on the privacy controls for cloud computing. Its security controls are required of cloud service providers to protect personally identifiable information (PII) in the cloud. Auditing tools based on these ISO best practices will assist in quick baselining of the status and in risk mitigation.
Efficient MTTD and MTTR for best security automation
New developments always bring new challenges, which must be addressed proactively. It is important to review security policies and procedures when contemplating any upgrades or changes in technology. The security program should focus on security automation with the ability to initiate actions and mitigate threats. The automation should automatically trigger alerts to the personnel concerned. Its efficiency is measured by two key metrics, Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). A resilient security system always boosts business growth and customer loyalty.
Upgrade and manage your technology
The transformations in the cloud security landscape influence how the cloud is used for the storage and transfer of data, workloads, and applications. The focus has to be on process and on upgrading the skills required to manage the cloud effectively, while conforming to the defined security policies consistently across all environments.