25 Aug Using Cloud Services Securely
Dan Norman, Regional Director, EMEA, ISF, explores how organisations in the Middle East can securely and confidently deploy cloud services.
Cloud computing has evolved at an incredible speed and, for many organisations globally, has already become entwined with the complex technological landscape that supports critical daily operations. The scalability and efficiency of cloud services have been a tremendous incentive for organisations that are aiming to drive competitive advantage. But, as with most other technological innovations, information security is playing catch-up. Particularly in the Middle East, businesses are facing many unique challenges when considering whether the adoption of cloud services is the right option to drive digital transformation, such as regulations pertaining to data residency.
The challenges associated with effective cloud service implementation are multi-dimensional and complex. There are a variety of tiers of service that a cloud service provider may offer, including software-as-a-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS). There are also many obstacles to overcome when onboarding with a cloud service provider, such as identifying and maintaining the appropriate security controls; balancing the shared responsibility for security between the cloud service provider and the cloud customer; and meeting regulatory requirements to protect sensitive data in the cloud environment.
Avoiding Data Breaches
The rapid explosion of cloud usage has accentuated these challenges and, in some instances, left organisations insufficiently prepared to tackle the security concerns associated with using cloud services. There is a misconception that cloud services are automatically more secure than internal services, but in practice the story is different. For example, the misconfiguration of cloud services is a significant contributor to data breaches for organisations globally. The deployment of cloud services must be carefully planned and expertly delivered to requirements, or vulnerabilities may emerge that cyber-attacks will exploit. Measures that must be considered include strong password management, as compromised user accounts may lead to exposure. Several previous cloud outages have been caused by human errors or natural disasters: in February 2017 one of Amazon’s regions, us-east-1, was taken offline due to human error. This had a direct effect on IoT devices which use Amazon’s cloud services, such as the smart home app Hive. A number of high-profile websites were also taken completely offline, resulting in lost revenue. In July 2018 Google Cloud also experienced an outage, affecting users’ ability to access Snapchat and Spotify. These incidents exemplify the potential impact of cloud outages.
Surveying the risk landscape
Another industry-wide concern is the market monopolisation by large cloud providers and the apparent ‘single point of failure’ for many organisations dependent upon a small number of popular providers. If a cloud provider were to be systematically targeted via traditional DDoS, physical attacks or other means, there would be significant disruption to its services and dependent organisations. Some organisations have tried to offset this risk by investing in services provided by multiple cloud providers to underpin individual systems, but in doing so have actually created multiple points of failure that have to be continuously monitored. The risk landscape and subsequent mitigation plans are a real challenge to overcome, but the approach is totally dependent on the organisation’s appetite to manage risk itself or be comfortable outsourcing it.
Cloud service providers, for their part, optimise their services by using common technologies, such as virtualisation. Vulnerabilities discovered in these homogeneous technologies could have a wide-reaching impact across multiple cloud providers. Issues of this kind have been seen previously with the Spectre and Meltdown security vulnerabilities, which affected a significant number of organisations.
So, how can organisations in the Middle East make effective decisions on whether to invest in cloud services or not? This is a challenging question to answer in the first place – a large portion of organisations have already chosen to leverage cloud services, so security is somewhat of an afterthought. Many security practitioners subsequently have to weave security controls in, or update contractual agreements, such as those covering business continuity management, disaster recovery, back-ups, etc. However, organisations embarking on the journey must:
Develop an effective governance framework internally so that technological development and innovation is risk assessed and subsequently managed
Deploy a set of core cloud security controls with an understanding of their responsibilities as the cloud customer,
– Network security, e.g. cloud connections, network segmentation,
– Access management, e.g. identity and access management, secure sign-on
– Administrator access
– Data protection, e.g. data management, data encryption, data
– Secure configuration, e.g. API
– Security monitoring, e.g. vulnerability management, security event management and security incident
Select the right security products and services to support the successful implementation of the core controls.
Organisations that operate securely in the cloud environment can achieve a competitive advantage and drive forward their business by maximising the elasticity and scalability that cloud services offer. However, the responsibility for security and wider risk management is a personal choice for organisations and must not be an afterthought in the transformation plan. Security practitioners must take real caution before embarking on a cloud-based digitisation journey.