Migrating to a cloud has several advantages such as flexibility, increase in efficiency and added security. But if you think a Cloud migration is your best solution for cybersecurity, think again. Although a cloud partnership with service providers such as Amazon Web Services (AWS) and Microsoft Azure bring high levels of security, you are not off the hook just yet.
Security of the Cloud is the responsibility of both the organization and the service provider. For a robust cloud security, organizations must have additional security controls supplementing the inherent controls offered by the cloud platform. In this article we discuss cloud security basics and your responsibilities for a holistic security model.
To Begin With
Although you may be transferring some or most of the operational responsibilities to the cloud provider, you should have a clear understanding of the scope of monitoring responsibilities that is shared between you and the provider. The level of responsibilities will vary depending on your service delivery model (SPI) and Service-level agreement (SLA). Several organizations tend to overlook the fine print leaving them vulnerable to disruptions. Efficient cloud security is a joint partnership and the management framework of security processes should be clearly identified.
In addition, security protocols are continually being revised depending on operational needs and continuous service improvements. Given the dynamic nature of cloud computing, security essentials, people, and processes, it is important to have a thorough understanding of what systems and tools are protected by your provider and what remains the responsibility of your internal IT team.
As an organization that has made the transfer to the cloud, there are several ways you can ensure tighter controls and reduce risks. We discuss some ways you can make sure you have dotted the i’s and crossed the t’s as it relates to cloud security basics.
Platform as a Service (PaaS) Health Monitoring
Generally speaking, PaaS applications are web-based and hosted on the PaaS Cloud Service Provider’s (CSPs) platform. This makes it crucial to monitor all applications on the PaaS as well as third-party web services. Your team would need to have knowledge of the web services protocol (HTTP, HTTPS) to monitor its health. There are several options available to organizations such as checking the CSP health dashboard or utilizing internal and external service monitoring tools.
Security as a Service (SaaS) Health Monitoring
SaaS providers are responsible for applications, business continuity, and infrastructure security management processes. This means giving your internal security controls to a CSP that could in turn create new challenges of governance since security services provided by CSPs are not customized to your organizational needs. Rather they are standardized for most customers creating gaps in efficiencies. Storage, memory, CPU, and network resources are usually not allocated fairly leading to poor user experience and making it crucial to monitor your SaaS health. Options available again, include checking the CSP service health dashboard and utilizing internal or third-party service monitoring tools to periodically check SaaS provider health.
Infrastructure as a Service (IaaS) Health Monitoring:
IaaS delivery model should include both a computing and storage cloud infrastructure. Other services provided by CSPs could include account management, identity authentication, billing and monitoring services and message service queues. These could be vital services to you which means keeping on top of its functionality would be a good strategy. Similar to PaaS and SaaS health monitoring, you could check the CSP health dashboard or have an internal or third-party service monitor your IaaS health.
A cloud computing model provides users access from anywhere and to any device. It’s a no brainer then that user access should be controlled and revised on a regular basis. To start with, periodic audits of user access would help in granting and revoking permissions where needed. Access should be limited to job functions. Another great strategy is to limit the duration of access to avoid giving accidental prolonged permissions to users that no longer need it. It’s also good practice to have a policy on user access outlining user responsibilities, including privileged and end-user access.
The above security measures are just the basics for any organization that works with the cloud. The cloud is not immune to security breaches and outages and the severity and scope of the impact to an organization can vary. The more business-critical your data, the more security measures you should have in place even if it is on a cloud platform. Even a few minutes of disruption could have a serious impact on your revenue, compliance, productivity and customer satisfaction. Needless to say, cloud security basics should not be overlooked.