Who Is Responsible for Cloud Security?

When implementing cloud projects, security is one of the most important issues. It requires companies to identify and understand the risks inherent to digitisation, public networks and outsourcing of infrastructure components. Companies still fear that their data is insecure with cloud systems.

IT professionals want to apply the same level of security to their cloud deployments as they do to internal resources. Many business leaders view this as the provider’s responsibility, but true cloud security requires a collaborative effort.

Understanding Cloud Security Objectives

The security objectives of confidentiality, integrity, availability, authenticity, accountability, liability and privacy form the basis for IT security in general. These objectives also apply to cloud systems. However, they cannot be applied to cloud systems 1:1, since various concepts and application architectures have different requirements.

According to the Information Systems Audit and Control Association’s (ISACA) Control Objectives for Information and Related Technologies (COBIT) framework, essential IT resources are divided into four control levels:

1.    People;
2.    Information;
3.    Applications; and
4.    Infrastructure.

Both general and cloud-specific security measures are defined by these control levels.

Cloud application architectures are made up of elements of the three cloud reference models: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) and software-as-a-service (SaaS).

With IaaS, the cloud vendor provides only the physical or virtual infrastructure. From this level, the user is the administrator of the network and system infrastructure, applications and data.

With PaaS, the cloud provider manages the entire infrastructure, including middleware components such as databases. The application and data content comes from the cloud consumer.

SaaS means that a cloud provider provides everything from the infrastructure to the application — the cloud consumer only adds the data and accesses it.

Access Management and Data Protection

Responsibility for the aforementioned cloud models is roughly divided between users and providers. In principle, cloud providers are more accountable for securing the transition between IaaS to SaaS, while the user assumes more responsibility in the IaaS model.

The basic security measures for the control level user are:

•    Access management;
•    Identity management; and
•    Privileged identity management.

Identity and access management is essentially the responsibility of the cloud consumer in the IaaS model, since the provider only operates the physical or virtual infrastructure.

There is more of a shared responsibility with PaaS and SaaS: While access management is the domain of the user, the provider is responsible for application program interface (API) security and auditing.

Identity management, including privileged user management, is also a shared responsibility between cloud provider and consumer.

Basic security measures for the controlled data include:

•    Data collection and classification;
•    Data encryption and masking;
•    Monitoring of data and file activities;
•    Data access control; and
•    Secure data erasure.

In the IaaS model, the responsibility for these data protection measures can clearly be assigned to the cloud consumer.
With PaaS, the cloud provider must secure the provided database using sophisticated tools to monitor and protect access. The user is responsible for the content and data itself.

Application and Infrastructure Security

In a SaaS environment, we see a shared responsibility again: Although the user controls the data, the cloud service provides the application and, therefore, must apply the necessary application security measures.

These include:

•    Security by design and source code analysis;
•    Security and vulnerability testing;
•    Secure deployment; and
•    Protection against manipulation and threats during runtime.

For applications in the SaaS model, the cloud provider is tasked with developing and operating the application and delivering it to consumers.

By delivering secure application development and operation with features such as application code scanning, application security management and vulnerability detection, vendors can provide a high level of security for cloud services.

In IaaS and PaaS models, the application belongs to the cloud consumer. As a general guideline, companies should consider the possible use of cloud services during the design and development of new company-specific applications and apply appropriate security measures.

The security-layer infrastructure includes basic measures for:

•    Endpoint security;
•    Network security;
•    Communication encryption; and
•    Physical security.

Cloud consumers must always ensure the security of the endpoints that are used to access cloud services. In the SaaS model, this is the only responsibility of the cloud consumer regarding infrastructure security.

With IaaS, the cloud user is responsible for network security and, if necessary, communication encryption. In PaaS and SaaS, this accountability is transferred from the cloud consumer to the provider, since the provider has the appropriate security technologies in place. Meanwhile, the provider must ensure the physical security of the cloud system.

Security technologies do not necessarily have to take the form of tools, or be developed and operated in a customer-oriented infrastructure. Cloud providers also offer services for various IT security levels, such as identity and access management.

Cloud providers can help organizations comply with security guidelines and regulations through appropriate certifications such as SOC-2, COBIT and more. These standards require security controls to be built in during the development of cloud applications, effective access management, regular vulnerability and security checks, compliance verification and penetration testing.

Cloud Security Is a Team Effort

When using cloud services, you should implement all the same security measures you would apply to classic IT infrastructures. Since IT resources are also used in cloud systems, the previously described security objectives have to be addressed with regard to people, information, applications and infrastructure.

It is equally crucial to determine who controls the various components of the cloud infrastructure. This defines where and how security measures should be applied, with a special focus on the data. At the end of the day, both providers and users need to keep cloud data safe. Cloud security must be a team effort.

Security Intelligence

You Might Also Read:

Cyber Attacks Demonstrate  Why The Cloud Is Safer:

Cloud Security Analysed For Management (£):

 

« Dangers Of Betting On Hybrid Cloud
North Korean Cyber 'tunneling' In New Zealand »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Pondurance

Pondurance

Pondurance is an IT Security and Compliance company providing services in Cyber Security, Continuity, Compliance and Threat Management.

Logpoint

Logpoint

Logpoint is a creator of innovative security platforms to empower security teams in accelerating threat detection, investigation and response with a consolidated tech stack.

Yubico

Yubico

Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts.

MixMode

MixMode

MixMode's PacketSled platform delivers network monitoring, deep forensic analysis and incident response.

MKD-CIRT

MKD-CIRT

MKD-CIRT is the national Computer Incident Response Team for Macedonia.

GeoLang

GeoLang

GeoLang’s Ascema platform protects sensitive information at the content level by identifying, classifying and tracking data across the corporate infrastructure.

Thinkst Applied Research

Thinkst Applied Research

Thinkst is an Applied Research company with a deep focus on information security.

FifthDomain

FifthDomain

We are a specialist cyber security education and training company tackling the global cyber security skills shortage.

Curity

Curity

The Curity Identity Server brings identity and API security together, enabling highly scalable and secure user access to digital services.

BlueAlly

BlueAlly

BlueAlly helps clients scale, optimize, and manage their IT resources to reach their business goals.

Zeva

Zeva

Zeva solves complex identity and encryption challenges for the federal government and corporations around the globe.

Cyber Unit

Cyber Unit

Cyber Unit offer next level protection from cyber attacks in packages and pricing options that are accessible to smaller organizations.

SecurEyes

SecurEyes

SecurEyes is a leading cybersecurity firm that provides specialised services, including cybersecurity assessments, managed services, and governance risk and compliance services.

Tryaq

Tryaq

Tryaq are a group of cybersecurity experts and enthusiasts who share the mission to make the world feel safer online.

Grey Market Labs

Grey Market Labs

Grey Market Labs is a special place. It is a data privacy and security skunkworks.

Wirespeed

Wirespeed

Managed Detection & Response (MDR) has never been faster or easier: Onboard in minutes, Respond in seconds, Secure instantly.