Securing Your Cloud Environment – Who is Responsible?
The speed at which technology progresses is truly staggering. I am old enough to remember having to load 9-track magnetic tapes to install a patch, and I marveled at the lightning-fast 384k connection for an entire organization, thinking we had finally made the big time. I point this out not just to show how old I have become, but to emphasize that the only thing that remains the same in information technology (IT) is change.
Currently, I am seeing a mass exodus from on-premises data centers. The cost of maintaining and protecting them rises every day in a world where 24/7 access is now the norm. New hardware, new software, new security, and new insurance all cost money. To make lives easier and cut costs, many organizations have started migrating to a cloud solution.
Cloud platforms provide great flexibility and scalability, and if set up properly they can be very secure. However, in the haste to take advantage of new services and the benefits the cloud brings, controls that would normally be mandatory in an on-premises environment are not always put in place in the cloud. We find this most often when we conduct security assessments of organizations that did not start in the cloud but are in the process of migrating applications and data off legacy hardware: the policies and processes that governed the old environment rarely follow the workloads automatically.
One thing that many people are unsure of when building a cloud environment is what the cloud vendor is responsible for and what the client is responsible for. A useful way to answer this question is that the vendor is responsible for the security OF the cloud, while the client is responsible for security IN the cloud. The cloud vendor is responsible for the physical infrastructure and its security: hardware, facilities, and physical access. For example, the cloud vendor controls all physical access to the data center, so you depend on the vendor for that control. On the other hand, any data you place in the cloud, any access to that data, and the security of any software or application you run there is the responsibility of the client. Exactly where the line falls shifts with the service model: on a plain virtual machine you patch the operating system yourself, while with a managed database service the vendor patches the engine and the host. Even then, who can reach the database over the network, which identities and credentials can query it, whether it is encrypted, and how its access is logged remain the client's responsibility.
Keep in mind that from a compliance standpoint, whether it is HIPAA, PCI, SOC, GDPR, or any other requirement, the location of the data or application is irrelevant. The same controls must be in place and assessed regardless of where the system runs. If a penetration test is required for an application hosted onsite, it will more than likely be required for the same application running in the cloud. If logging and event alerting are required locally, they are required in the cloud environment as well.
The good news is that many of the most popular cloud vendors provide native services, and partner with other vendors, to accomplish these goals and more. Amazon Web Services, Microsoft Azure, and Google Cloud all have tools to assist in adhering to mandatory local and federal requirements, as well as any security standards necessary for your clients and internal needs.
Based on what we have seen, there are a few areas that you might want to look at right away if you have a cloud environment. These include:
- Asset Control – Onsite environments often have hardware and software asset policies requiring the tracking of all physical assets and software. Because cloud resources are provisioned rather than purchased, we often find that organizations no longer track how many servers, services, and licenses are in use. This leads to extra costs, unwanted sprawl, and uncertainty about what is actually running and exposed, just as it would on-premises. Track cloud assets just as you would physical assets, including accounts, subscriptions, and projects, not just individual servers
- Identity and Access Management (IAM) – Because the cloud can be administered from anywhere, the management plane is reachable from the entire internet, so monitoring and logging cloud admin activity is more important than ever. Multi-factor authentication (MFA) should be required for all privileged access, including the root or global administrator account, and that access should be logged centrally and reportable on demand
- Cloud Vendor Security and Compliance Responsibilities – Cloud vendors go through many security assessments and publish what they are responsible for and what your responsibilities are. Some frameworks such as PCI require that you document who is responsible for each control. Make sure you understand this, because we have found in most cases that the majority of security controls are at best "shared responsibility" with the cloud vendor, and many controls still rest 100% with the client
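The IAM item above calls for MFA on privileged access and for that access to be reportable. The following is an added example, not code from the original post or from Compass IT Compliance, of the kind of check an assessor runs to answer that question. It parses an AWS IAM credential report (the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns, base64-encoded, in the response) and flags the root account lacking MFA or holding access keys, console users without MFA, and long-lived or never-used access keys. The column layout follows the real credential report; the account, user names and dates in `SAMPLE_REPORT` are constructed for the example. The report does not carry policy attachments, so this flags every console user without MFA rather than only privileged ones; narrowing it to privileged users means joining the output against the users' attached policies and group memberships.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample laid out like an AWS IAM credential report.
# The account ID, users and timestamps are invented for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T12:00:00+00:00,not_supported,2023-05-01T09:12:00+00:00,not_supported,not_supported,false,true,2019-01-10T12:00:00+00:00,2023-04-30T08:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T08:00:00+00:00,true,2023-05-02T14:00:00+00:00,2023-03-01T10:00:00+00:00,2023-05-30T10:00:00+00:00,true,true,2023-03-01T10:00:00+00:00,2023-05-02T13:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-07-20T08:00:00+00:00,true,2023-04-28T11:00:00+00:00,2020-07-20T08:00:00+00:00,2020-10-18T08:00:00+00:00,false,true,2020-07-20T08:00:00+00:00,2023-05-01T07:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-svc,arn:aws:iam::111122223333:user/deploy-svc,2022-09-01T08:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-09-01T08:00:00+00:00,N/A,N/A,N/A,true,2022-09-01T08:00:00+00:00,2023-05-01T02:00:00+00:00,us-east-1,sts,false,N/A,false,N/A
"""

# Fixed "now" so the age calculations below are reproducible.
REFERENCE_NOW = datetime(2023, 5, 3, tzinfo=timezone.utc)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return a list of (user, finding) tuples for the weaknesses an
    assessor would report from a credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        if user == "<root_account>":
            # The root account should have MFA and should never hold
            # long-lived API keys; day-to-day work belongs to IAM identities.
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            for n in (1, 2):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root account has an active access_key_{n}"))
            continue

        # A console password without MFA is a single-factor path into the
        # management plane from anywhere on the internet.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))

        # Access keys are not protected by MFA on their own, so age and
        # actual use are the controls that matter for them.
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if (now - rotated).days > max_key_age_days:
                findings.append((user, f"access_key_{n} older than {max_key_age_days} days"))
            if row[f"access_key_{n}_last_used_date"] == "N/A":
                findings.append((user, f"access_key_{n} never used"))
    return findings


def run_sample():
    """Audit the constructed report against the fixed reference date."""
    return audit_credential_report(SAMPLE_REPORT, REFERENCE_NOW)


if __name__ == "__main__":
    for user, issue in run_sample():
        print(f"{user}: {issue}")
```

Against the constructed report this reports the root account twice (no MFA, an active access key), `bob` for console access without MFA and a key from 2020, and the key-only `deploy-svc` for two keys past 90 days, one of which has never been used. `alice`, with MFA and a recently rotated key, produces no findings. Running this on a schedule and keeping the output is a simple way to satisfy the "tracked and reportable" part of the requirement.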
This post is in no way an attempt to scare you off the cloud! There are many advantages, including business resiliency and availability, much shorter time to implementation for new systems, and no need for dedicated rooms or buildings full of technology to maintain. However, it should be treated like any other new project or initiative. Security and compliance concerns should be addressed at the start of the planning stage to ensure that what has taken years to build locally through policies, process, and practice isn't lost by migrating to the cloud.
Compass IT Compliance can assist your organization with answering these questions and concerns through our cloud security assessment. Compass will identify weaknesses in the configuration, policies, and access controls of a cloud environment and provide detailed remediation recommendations for each gap or finding to help organizations mitigate issues to an acceptable risk level. Our assessment reviews both the data and the applications in the cloud for common weaknesses in installation, configuration, policies, and object access control. Following the recommendations from this assessment will help to minimize the potential for a data breach or a compromised account. Contact us today to learn more!