Understanding Cloud Security and GRC
- GRC
- 05 May 21
Introduction
Do you find Cloud Security daunting? Do you understand the different cloud relationships? Do you know standards that you can use as references? Do you understand Governance of Cloud Security? If you answered no to even one of these questions, this article will help you gain a better understanding of each of these areas and give you a great overview.
Cloud Security is often not treated as a priority by organizations using the cloud because there is an erroneous assumption, that cloud providers all know how to secure the data in the cloud and this is why they use cloud services so it’s one less thing to worry about. Organizations, that were not prepared for the pandemic and working remotely, rushed to cloud computing. Many of these organizations failed to consider risks or compliance with standards.
In traditional IT, the organization manages all of the levels of integration on its own. There are three main customer cloud relationships. The first is IaaS, Infrastructure as a Service, PaaS, Platform as a Service and SaaS, Software as a service. These can be public or private cloud providers.
Levels of Integration
- IaaS, the organization manages applications, data, runtime, middleware, and the operating system. The cloud provider manages virtualization, servers, storage, and network.
- PaaS, the organization manages applications and data. The cloud provider manages runtime, middleware, operating systems, virtualization, servers, storage, and network.
- SaaS, the organization manages none of the cloud computing. The cloud provider manages application, data, runtime, middleware, operating systems, virtualization, servers, storage, and network
Vulnerabilities
The National Security Agency (NSA) classified cloud vulnerabilities into four main categories: misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities.
The risks in cloud security must be managed by both the customer and the provider. Organizations that are customers can implement governance, technological, and strategic controls to mitigate risks.
Governance and Policies
Management should ensure that policies for cloud computing include guidance for implementation. Before developing and implementing the policies, risk concerns should be pondered and discussed. Examples of concerns include access to data in the cloud by cloud providers, what assets are going to be managed by the cloud provider, what processes are going to be multi-tenant, where do the cloud provider servers reside geographically, and many more. These concerns should also be managed with the cloud provider and included within contracts depending on the cloud implementation strategy that is chosen -IaaS, PaaS, and SaaS.
Controls
Organizational responsibility for data does not end when using the cloud. Some controls that should be considered and implemented include but are not limited to:
- Access control for network services
- Asset management including classifying information that is being stored in the cloud, and assigning responsibility for assets based on the category of cloud service that is chosen, and labelling of information.
- Communications security for the network and transfer of information
- Human resource security prior to employment, during employment, and when an employee changes position or is terminated.
- Incident management
- Information access restrictions by using controls such as password management, secure log on procedures, and privileged utility programs
- Information security related to business continuity management
- Key management
- Management of privileged rights through authentication techniques such as multi-factor authentication
- Management of secret authentication information and ensuring the cloud provider meets the requirements of the organization
- Operations security such as backups, logging, and monitoring technical vulnerability management
Compliance
In addition to governance and risk, compliance is a must. Compliance with legal and contractual requirements is essential. These are some International Standards Organization (ISO) standards and National Institute of Standards and Technology (NIST) standards that should be considered.
- ISO/IEC 17788:2014, Information technology — Cloud computing— Overview and vocabulary
- ISO/IEC 17789:2014, Information technology — Cloud computing— Reference architecture
- ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
- ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
- ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018:2014, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- NIST SP 500-292, Cloud computing reference architecture
- NISTIR 7956, Cryptographic key management issues & challenges in cloud services
Summary
Bad actors are finding new and better ways of getting access to data and attacking clouds each year such as abuse of cloud services, account or service hijacking, cloud malware injection attacks, denial of service attacks, insider attacks, man-in-the-cloud attacks, side channel attacks, and wrapping attacks, etc. Organizations must be prepared with the better implementation and management of cloud security to deal with bad actors.
Top 3 Takeaways
There are three relationships you can have with a Cloud Provider: IaaS, Infrastructure as a Service, PaaS, Platform as a Service and SaaS, Software as a service. The decision on which one to choose depends on how much you want to manage vs. having it done for you.
Even when the Cloud Provider is managing all levels of integration, there are still many controls that you should consider implementing.
Before developing your policies, a Risk Assessment should be done and controlling these risks should be managed with the Cloud Provider
