With more people using the cloud, and more and more companies offering cloud-based services, the security of such an environment is critical. Cloud security concerns fall into two categories: the security of the cloud service provider and their systems, and the second is the customers’ security issues. The cloud service provider must ensure that the customer data and assets are protected and provide secure infrastructure, while the customer must use secure authentication and access methods.
With the large number of working parts that are needed for cloud service, the number of security holes to be filled is vast. Luckily not-for-profit organizations such as the Cloud Security Alliance (CSA) and the UK government’s National Cyber Security Centre (NCSC) offer advice on what both a company setting up cloud service and customers looking for cloud service providers should have in mind when undertaking such a venture.
Cloud security principles
The NCSC outlines 14 cloud security principles that service providers and customers should have in mind.
- Data in transit protection – Data transfer to and fro from the cloud should be protected against eavesdropping and tampering from external sources. This can be achieved using encryption and network protection. Common encryption algorithms used for cloud services include attribute-based encryption (ABE), fully homomorphic encryption (FHE), and searchable encryption (SE).
- Asset protection and resilience – The storing and processing of data and assets should be protected against loss, damage, seizures, and physical tampering. Things to consider are the physical location of the data, data center security, and any legal jurisdiction surrounding where the center is based. Other issues to consider are data at rest protection, data sanitization, how equipment is disposed of at the end of the life, and the physical resilience and availability of the service.
- The separation between users – One user should not be able to affect the data or service of another user unless they have system admin privileges. Service models such as IaaS, PaaS, SaaS will need to have differing levels of separation, so cloud service providers and customers need to build systems according to their specifications.
- Governance framework – A company should have a documented framework for various aspects of its cloud service. This includes a framework for security governance and protocol for the different services it provides and for different situations such as when there is a security issue when systems need to be upgraded, or how to get rid of old equipment. The framework should also help to comply with legal requirements for where the data is stored and where the service is provided.
- Operational security – The system should be able to detect, impede, prevent, or correct attacks on the service. This usually involves protocols on vulnerability management – issues in components, protective monitoring – detection of unauthorized activities on the service, incident management – response to incidents, and configuration and change management – any changes to the system are tested before authorization.
- Personnel security – The company personnel should have the training and security screening before getting access to customer information. This reduces the likelihood of any compromise, either accidental or malicious.
- Secure development – The service should identify and prevent security threats and evolve to new emerging threats and improve the design, coding, testing, and deployment systems with them.
- Supply chain security – As the cloud service might rely on third-party products and services such as hardware or miscellaneous software for its system, there is a need to follow protocols on how and what information is shared with these parties. This is very important for IaaS or PaaS services which are often built on third-party products.
- Secure user management – Cloud service providers supply tools to authenticate the user before they can access the management of the services, such as reporting faults, requesting changes, managing user accounts, and consumer data. Users should also be kept separate so one user cannot modify anything for another user unless they have administrative privileges.
- Identity and authentication – Access to the service should only be allowed to authorized users. Authentication of the users should be over secure channels and use protections such as two-factor authentication and not over things such as email, HTTP, or telephone.
- External interface protection – Less trusted interfaces, especially external interfaces, should be identified and protected against. This is of particular interest to internet services that accept connections from any locations, as this will increase the risk to the cloud system.
- Secure service administration – As admin accounts have high-level access to the cloud service, any compromise in these accounts will have a significant impact on security. Compromised accounts can steal or manipulate data by bypassing controls. Hence is it vital for the account access to be secure?
- Audit information for users – As a variety of customers will use the cloud system, records are needed to be kept of activities and changes made to the system and data. This audit information along with the monitoring system can then be used to investigate any incidents and to correct any wrong.
- Secure use of the service – Depending on what the cloud service is being used for, different security methods will need to be implemented. In IaaS and PaaS services, for instance, the customer will be responsible for securing the data on workload. Staff will need education and training on how to use the servicer securely.
Depending on what service model they offer/require, the service provider and customer can customize the principles required for their application.
With many companies and customers using the cloud, its security has become an important topic. Setting up a cloud network and its security is a complicated venture with many different aspects to think about. Any cloud company offering services needs to think about all the various risks of setting up and using the cloud. While companies requiring such services need to think about, they can make their end secure to not access rouge elements. It is only the complementary working between these two parts that can lead to a safe environment using cloud security principles.