<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=522217871302542&amp;ev=PageView&amp;noscript=1">
Top-banner_960x202_Blog_envision-enable-execute.png

Securing the Cloud

Jul 1, 2019 4:11:06 AM Bart Van Moorsel Cybersecurity, Cloud Security, cloud solutions

What is the Cloud all about?

IT today sounds a bit like the weather forecast, you keep on hearing about the Cloud. Although everything seems to have its sunny and rainy days, the cloud we will discuss today has nothing to do with the weather. The Cloud in IT terms stands for the assets you use over the internet. So for a users’ point of view they are ‘somewhere out there’. And out there is referred to somewhere in the sky, we cannot touch or see the systems that are involved.

The IT industry is on a shift to a new phase. More and more systems also outside the typical business administration and web domains get automated. Think about audio visual devices, IoT/OT, etc. What we also see, is that organizations start offering new business models where they specialize on a subset of the IT need. From a nostalgic terminology you can call this outsourcing. A company specialized in offering a hosted CRM solution is a good and known example, you probably know what I am talking about.

From another angle companies are also looking to use the infrastructure components hosted externally. The company then no longer needs to worry about the hardware, software, network infrastructure, licenses, maintenance, you name it. The capacity is flexible and so is the pricing.

The technical viewpoint is that you are running still the same IT systems, but no longer in your own premise but in someone else’s. There is no magic happening, there are still servers, routers and the other usual IT stuff running – it is just not running in your premise anymore. The cloud services that are offered publicly, using a shared environment is called the Public Cloud. When the environment is dedicated for you, it is called a Private Cloud. In the Private Cloud you have more control. And if you have a bit of both, including still having your own on-prem systems, it is called Hybrid Cloud.

Responsibility

OK, so now we understand that the Cloud is about moving the IT systems to an external company. In this paragraph we will look a bit deeper to the flavours of Cloud. You can make technical layers conform the OSI model that you might have heard of. This layered view starts with running everything on-premises, just like what we have done over the past decades. The model that has the most layers being run outside your company is the Software as a Service (SaaS) model. SaaS is referring to for example a hosted CRM application that you can take a subscription and access through a web portal.

There are two models in between, let me briefly explain those also to you. The first one is about devices and a network that runs elsewhere. We are already used to virtualize devices and in this Cloud model we call this Infrastructure as a Service (IaaS). This is particularly used to transition the metal from internal to external, with some benefits like cost of ownership and flexibility. This stage is often mentioned as one of the first steps into cloud maturity. The other model is called Platform as a Service (PaaS), referring to the Platform that enables a company to build upon API’s, middleware and the logic on top of all infrastructure. This platform typically offers services around the whole lifecycle of the applications, so that the company still has full control over the application, this being the main difference with SaaS.

Another thing that is happening is the freelance sysadmin person that you hired for years, is now a called Managed Service Provider (MSP). In fact the MSPs form a new market on their own. They tend to specialize on IT topics, because let’s face it, who can afford to acquire and maintain all the necessary IT skills nowadays?. It also means that not only the IT equipment is coming from external parties, but also the human competencies.

 

But what does this mean for the responsibilities regarding all these IT assets? There are some wrong beliefs on that subject. First and maybe most important is to note that you remain responsible for your own IT environment, no matter where it is resided. Off course, as also the below picture shows, there are responsibilities taken out of your hands. The responsibility of your business always remains yours.

[1]

While cloud environment features and functionalities are expanding beyond what we could have dreamed of, we need to stay in control. You need to choose on how you want your cloud to look like, you need to choose how secure it is.

WHAT? Are you saying that the Cloud is not secure? Well, what I say is that you need to stay in control and make wise considerations. As Cloud platforms will give you a lot of options, all with a certain price tag, but you need to choose. Yes, yes, I know that I am repeating myself but from the Teletubbies I learned that repetition works.

What security does your cloud need?

Given the landscape that was sketched for you in the previous part, you might understand that this landscape shows to many variations to have one answer to the question ‘what security is needed in the cloud?’. But let me give you some directions.

For a starter, we now know that no matter what Cloud model you have, you understand that in the end there are still computer systems, networks, cables, etc. That means that – no matter where these IT resources are – the security that already existed needs to be applied here as well. You need to have end point security, you need to protect your perimeter, you need to filter out spam mails, and so on. There is nothing changed on that part. So check this part, first things first.

What is different? What has changed is that your IT systems and data are more scattered around the world, no longer being in your own house. Let us go over the topics that require your attention regarding protection in the Cloud.

First topic is data. Especially in the public cloud, your control on where your data is actually stored, on what type of disk, making sure who can actually have their hands on it. Or even more: controlling that the shared environment may mistakenly share your data, you want to have high levels of liability for GDPR and intellectual property reasons. Your Data Loss Prevention solution needs to work over all the environments. Your encryption methods need to be transparent over all the environments. Your data availability comes into new challenges, after you have implemented backup and recovery in the cloud, you suddenly realize that you must trust on these external systems to really work in times when the disasters really happen. If the cloud datacentre gets hit by ransomware, are you sure that your data is safe?

Ok enough around data. What about identity? Identity has also some challenges to think about. Logging on to a system that is not controlled by you, means that you are relying on the access control options that the cloud partner is offering you. You will have – and keep – your on-prem users most probably and ideally those same accounts provide access to the cloud. Unfortunately this is not (always) the case. Some platforms have their own accounts, some use identity provider A other identity provider B, some offer SAML, is short there is a lot of variation. That will result in a situation where the identity landscape becomes scattered and giving you not the guarantees you need. And what do you think about authorization levels? You want to apply the least privilege principle, and that is for likewise reasons very hard to configure. On top of that you have to deal with a mixture of users, internal and external.  How will you give appropriate permissions to MSP persons working remotely in your systems but also in others? Will the Cloud provider not misuse their root and physical level access?

My third and last topic for today is Monitoring, Control and Governance. Again, with the topology scattered here and there over the world, you will want to have control and visibility on the security situation in your organisation. You want to create company policies and apply them centrally and consistently.  Multi-nationals are familiar with this situation. It is simply impossible to have control on what you cannot see, feel and control. If we take this to the level of the fully automated DevOps situation, where we try to achieve continuous improvement and continuous delivery and automate everything, we also have a need to implement security. In the DevOps is developed by the speed of light and security might be felt being a blocker of this process. That is why security needs to be automated as well. This means for example that every piece of code complies to your company security standards and before the release it will be assessed on vulnerabilities. Having a system or a service in place that controls all the above items, will help keep you in compliance.

Conclusion

In this article I explained what ‘the cloud’ actually means in all its flavours. You know now what the responsibilities are of your organisation in the cloud models such as IaaS, PaaS and SaaS. We have discussed the responsibilities that you need to be aware off and the security topics that deserve your attention. If you need support in your journey to the cloud, Tech Data is somewhere you can go for help.

 

[1] Source: https://blogs.technet.microsoft.com/yungchou/2010/11/15/cloud-computing-primer-for-it-pros/

Bart Van Moorsel

Written by Bart Van Moorsel

subscribe-3.png
catagories.png

see all