Cloud Computing Security: Provider & Consumer Responsibilities
Cloud Computing growth in recent years
I will be surprised, if I come across any techie who does not mention “Cloud” during the course of his conversations today. That’s the growth of cloud computing in the market. Here’s another classic example. The number of searches in Google for the term ‘Cloud Computing’ has drastically increased from 20% in 2009 to around 95% in 2015.
Not only the techies, but Global Industries too are turning to Cloud, given its inherent advantages like No CapEx, Pay-as-You-Go pricing model, absence of need to manage IT infrastructure and options like ‘Cloud as a service’.
Not surprising that based on Enterprise interest in Cloud, leading technology vendors like Oracle, Redhat, Windows and Symantec have also migrated their products to the Cloud Model. The Cloud Model works on a subscription basis instead of the traditional license model.
Recent attacks on Cloud Computing
It is a known fact that the number of attacks on Cloud environments has increased in recent years.
To cite a few examples, the Cloud environment of Home Depot (HD), JPMorgan Chase (JPM) and even the White House, were breached in 2015. Reconnaissance increased significantly in 2014. Some of the most common scans we detected included ZmEu, Morfeus, VNCScan, and Nessus scans, as well as multiple generic scans.
According to Health Information Trust Alliance (HITRUST), the number of security breaches around healthcare data alone has been immense.
- Total Breaches: 495
- Total Records: 21.12 million
- Total Cost: $4.1 billion
- Average Size: 42,659 records
- Average Cost: $8.27 million
- Average Time to Identify: 84.78 days
- Average Time to Notify: 68.31 days
The Cloud Security Alliance Report cites insider attacks are the sixth biggest threat in cloud computing.
Cloud always comes as a Shared Responsibility model between a service provider (example Amazon, Azure Google) and customers using this service.
Provider’s Security measures:
The first step Cloud Service Providers take, is to secure the Data Center where they host their IT hardware (Compute, Network, and Storage) for the Cloud. This is to secure the DC against unauthorized access, interference, theft, fires, floods and so on. The Data Center is also secured to ensure redundancy in essential supplies (Example power backup, Air conditioner) to minimize the possibility of service disruption. In most cases, Provider’s offer Cloud applications from ‘world-class’ data centers.
The Cloud Provider ensures that their Infrastructure and the Services comply with Critical Protection Laws such as data protection laws, Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services(CJIS) , the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA) and so on.
Along with Data Security, in order to ensure business continuity and data recovery, they also maintain resilient Recovery Time Object (RTO) and Recovery Time Point (RTP) and Failover in their Tier 3 or Tier 4 Data Centers which hosts their Cloud Services. In addition, continuous log audits keep them aware of all the activities under their radar.
Secured Cloud Design
Consumer’s Security measures:
The key player in Cloud Security is the Solution Architect. While the Solution Architect makes sure the security measures on the Customer’s Cloud Space are met, the Cloud Service provider ensures whether or not adequate security measures have been taken, on premise.
Security measures focus on securing End user access and end-to-end protection of the enterprise’s Cloud environment.
1) Identity Management:
Organizations prefer all-in-one authentication which can be extended to Identity Federation. Identity Federation includes Identity Access Management (IAM) with single sign-on (SSO) and centralized AD account for secure management.
Multi Factor Authentication (MFA) is enabled for the Cloud root account and for individual users created under that account. It is also used to control access to Cloud service APIs. However, the best option is to go for either Virtual MFA or a hardware device.
2) Data Encryption:
This relates to translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text while encrypted data is referred to as cipher text.
Volume encryption: – Native volumes provided by the Cloud Provider has the option to encrypt the volume for securing the data residing at the 1st level. The following types of data can be encrypted:
- Data at rest inside the volume
- All snapshots created from the volume
- All disk Input/Output
The encryption occurs on the servers that host the Virtual Machines (VMs). The VMs provide encryption of data-in-transit– VMs to Volumes.
3) Network Protection:
Though the Cloud Providers ensures Network Level Protection as part of Native Cloud Services (example AWS’s Security Group, NACL | Azure’s End Point, NSG), it is highly recommended that they use an additional layer of Network layer Protection with Palo-Alto, Barracuda Solutions of WAFand Firewall.
4) Secured Solution Design:
The first question asked by any Enterprise Customer is “How secure are my Servers in the Cloud set-up?”. The answer lies in the Model Cloud Solution Design given below which is also aligned to Industry Best Practices. We, as Architects make sure the Servers / Services are kept in the respective layers –Management, Public, Private, DMZ.
Though there have been many incidents of data breach, it can’t be denied that there is a gradual rise in cloud computing adoption in the global market. Enterprises need to bear in mind just two issues to avoid unwanted security issues in Cloud:
Customer should undertake detailed due-diligence before moving to a Cloud environment.
Solution Architect is the ultimate Guide for the customer in terms of Security, Compatibility and Performance and in making the Cloud Journey successful.
Only if both the aspects are kept in mind can Enterprises truly enjoy the benefits of Cloud Computing without fear of security violations.
To schedule a meeting with our experts or for more information, please write to us at [email protected]