Part 1: Sharing the responsibility for cloud security

Cloud computing is growing fast because it delivers economical, trustworthy service with minimum downtime. As such, it has become the preferred place to manage applications and offload server infrastructure responsibilities to a cloud provider.

But there’s a catch: you can’t offload security to the cloud.

That’s right. Cloud providers are not solely responsible for the security of your data in the cloud. The three cloud security models share the responsibility between the cloud provider and customer depending on which service model the customer chooses: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS). (See Figure 1.)

Depending on the service model, the customer’s responsibility for security might start at the virtual network and include everything up to the people using the service. Similarly, the cloud providers’ responsibility of shared security ranges from the physical network to managed applications.

Figure 1: Three ways to share cloud security responsibilities

Source: Synopsys

Cloud environment security concerns must be managed. The list includes data asset visibility, security controls, adhering to compliance requirements, user and resource access and identities, data and network security, and security risk management.

To address these concerns, cloud providers offer a range of services, including:

  • Data loss prevention (DLP)
  • Web application firewall (WAF)
  • Instance and subnet-level virtual firewalls for virtual networks
  • Centralized identity and access management (IAM)
  • On-cloud hardware security modules (HSM) and key management servers (KMS) for data security
  • Centralized and comprehensive security posture management services such as AWS Security Hub, Azure Security Center, and Google Cloud Platform (GCP) Security Command Center

Combining these services with best practice ensures a strong security posture for cloud solutions. In this blog, we focus on three areas: people, IAM, and data privacy regulations.

  1. People

    People are an integral part of your cloud infrastructure, and human error is one of the most common reasons for cloud security failure. Here are a few best practices to consider for managing people:

    • Document accountability for the areas and components people are responsible for to ensure a safe cloud computing environment.
    • Understand and regularly audit who has access to data assets such as API keys, critical configurations, and customer-managed keys.
    • Minimize human involvement in sensitive tasks by automating the tasks, for example, key and credential rotation, certificate renewal, maintenance, patches, and updates. Automation reduces manual resource tracking and people logging into critical systems. For example, the AWS IAM credentials and key rotation can be managed with Lambda, CloudWatch, Secrets Manager, and Simple Notification Service.
    • Internal staff, stakeholders, and customers must be trained on appropriate adherence to security policies.
    • In-house users must be made aware of the potential risk of shadow IT.
  2. Identity and access management

    Managing users’ Identity and access can be a big problem for organizations with infrastructure from multiple vendors. The cloud simplifies this with a single service that provides all the information in a single IAM window. This consolidation allows each user to have a unique identity with robust Multifactor authentication (MFA) aligned with user groups and specific roles across the cloud services.

    Here is a set of best practice for cloud IAM:

    • Manage cloud accounts using a select group of IAM users with a set of administrative privileges, rather than using a superuser/super admin/root account.
    • Permission groups must be used to delegate permission to users rather than specifying custom or individual-level permission policies.
    • Follow the principle of least privilege (PoLP) when delegating permissions and policies.
    • Provide access to critical resources using well-defined IAM policies and specify policy conditions for extra security.
    • MFA for all IAM users is necessary, especially for privileged or sensitive data.
    • Define and allocate well-defined roles for temporary access by IAM users.
    • A strong password policy must be configured for all IAM users.
    • Establish a schedule of regular reviews to remove obsolete and unnecessary accounts.
    • Define and enforce a policy for password and key rotation.
    • Provision all users with unique credentials and do not allow them to share credentials.
  3. Data privacy regulations

    As the enterprise IT landscape evolves and becomes more agile, cloud is emerging as a preferred choice by all the major IT players. The cloud’s popularity has led to the exponential growth and misuse of personal data in cloud environments. To counter this trend, governments and industry regulators are fighting back with data privacy regulations.

    For example, the European Union’s General Data Protection Regulation (GDPR) dictates that sensitive information may not leave regional boundaries and information must not be exposed to unauthorized parties.

    Protecting sensitive data requires companies to introduce new ways of processing personal data in the cloud, such as:

    • Personal data residency and migration: Organization serving customers worldwide need to comply with national and regional regulations for personal data residency and migration by storing and transferring their personal data within the cloud regions that meet the compliance requirements.
    • Privacy by default: To simplify compliance with most data privacy regulations, all personal data must be equally treated to the privacy-by-default standard regardless of region.
    • Personal data visibility: In the cloud, different storage services are used for different data types, for example, block storage, object storage, big data, and cold storage. Hence, maintaining visibility and control of all the data can be tedious. Using services like AWS Macie and GCP DLP, you can gain visibility and control over sensiLve data at scale.
    • Right of access requests to personal data: Given the new privacy laws, the customer has the right to access, change, or delete their personal data. Maintaining an accurate and up-to-date data inventory ensures a quick and efficient response to such requests, in addition to maintaining compliance.
    • Personal data security: Using cloud for your application means sharing responsibility for data security with your cloud provider. While your cloud provider ensures physical security, it is essential to remember your obligations to maintain robust data protection.

      There are two techniques used to protect personal data in cloud: anonymization, where anonymous data replaces personal data, and pseudonymization, where personal data is modified to no longer be attributed to a specific data subject without additional information.

      Pseudonymization can be achieved in many ways, including:

      • Encryption: The original representation of the information, known as plaintext, is converted into an alternative form known as ciphertext using a key. Ideally, only authorized parties with a valid key can decipher the ciphertext back to plaintext and access the original information.
      • Tokenization: A new method predominantly used in the Payment Card Industry Data Security Standard (PCI-DSS) replaces data with tokens. The mapping of the tokens with the data is maintained offsite.
      • Hashing: The data is irreversibly transformed into another piece of data or “hash value.” Hashing is a weaker form of pseudonymization than encryption and tokenization, as it risks the re-identification of personal data.

Summary

Part 1 of this blog series describes how important it is to document, manage, audit, and train people involved in cloud management. Also, it is necessary to properly configure the IAM services and adhere to data privacy regulations. These areas are the foundational pillars for establishing robust cloud infrastructure security.

Part 2 of the series will explain data security, operating systems, instances, applications, and network security.

For an in-depth report on cloud security, download the latest Capgemini Engineering white paper:
“BEST PRACTICES FOR SECURE CLOUD MIGRATION.” The paper provides up-to-date insights for keeping your cloud operations secure, plus ten of the most important actions you should take to ensure the migration from on-premises to the cloud is smooth and safe. [ DOWNLOAD HERE ]

 


References

  1. Shared responsibility model: Who owns cloud security?,” Nov. 6, 2018, Synopsis
  2. AWS Security Best Practice,” Aug. 2016, Amazon Web Services
  3. Carlton, Kevin, “Cloud Compliance and Data Privacy: What You Need to Know,” Dec. 3, 2019, NetApp
  4. Miller, Mae, “Cloud Security Best Practices,” Jan. 11, 2018, Beyond Trust
  5. Samuelson, Anders, “Security best practices in IAM,” Oct. 2016, Amazon Web Services

Author

John Ye
Ashish Dhiman
Senior Technical Leader,
Ashish is an MTech from BITS Pilani with over eleven years of experience in cybersecurity, including threat modeling, security design, secure system development, cryptography, testing, and security tools and frameworks. He is an avid reader and gamer and likes to travel and explore.
Contact US Capgemini Engineering

MEET OUR EXPERTS

You can work with a company built for now,
or you can with one engineering the virtual networking software of tomorrow.

GET IN TOUCH