Cloud Security Concerns – High-level Overview

Right from the early days of cloud, the overall security of cloud solutions has been one of the biggest roadblocks to adoption of cloud. Potential cloud customers are usually concerned primarily about the security of the data stored off premises, but there are many other security issues to consider.

Security as a Barrier to Cloud Adoption

According to research commissioned by IBM in May 2017 (Figure 1), the biggest barrier to business adoption of cloud solutions is the overall security of cloud services. All other concerns, such as the cost, complexity or integration issues were a secondary cloud acceptance problems.

Clutch survey of IT professionals in mid to large US enterprises showed that “75% of companies implement additional security measures beyond what the cloud service providers offer, suggesting cloud infrastructure is not secure enough on its own, out-of-the-box.” (Clutch, 2017).with only 22% of enterprises rating security as one of the benefits received by the adoption of cloud infrastructure. Additionally, according to the same survey, only 22% of enterprises rated security as one of the benefits received by the adoption of cloud infrastructure.

Figure 1: Market research by TechValidate (sponsored by IBM) – Srinivasan R. (2017)

 

 

Cloud Security Concerns

A potential cloud customer should always consider the overall security of entire cloud operation, as well as vendor’s approach to risk supervision.

Depending on the size of the company, the security concerns widely vary between single users and large enterprises, but the size of the company aside, all clients considering adoption of cloud services should always remain informed about the security of the cloud provider’s infrastructure and network; as well as the security of the multi-tenant environment, cloud vendor’s approach to external attacks, overall applications security, security of the assigned access permissions, and also impenetrability of cloud cryptographic services used by the cloud servicer provider of choice.

Following are some of the cloud security concerns and questions that a client should take into account and ask prior to considering a move to an offsite cloud-based solution:

 

Data Security and Data Protection

  • Data Life Cycle – What is the cloud provider’s approach to data collection, registration, and storage; filtering and preprocessing; analytics; visualization; archiving; delivery and sharing?
  • What are methods of securing the data transfer between the data source and cloud system or cloud storage?
  • How secure overall, is the cloud data, are there any existing precedences? Do your own online research.
  • What Trust, Integrity and Data Protection methods are used by your cloud provider?
  • What methods of Data Access Control, Trust/Key Management & Identity Policies are used?
  • What is the approach to data replication and migration?
  • How does your cloud provider approach the data restoration?
  • What approach is used for Data Synchronisation?
  • Always double check data storage and data availability SLAs?

Cryptographic Security

  • Does your cloud provider support Data encryption during the whole data life cycle?
  • What approach is used for Data Encryption?
  • Is Data Encryption also available in all infrastructure layers?

Cloud Federation and Federated Access Control

  • Which Federated access control mechanisms & Federated identity management tools are available?
  • Control Actors and roles in cloud services provisioning and operation
  • What methods are used in customer-side and provider-side federations?
  • Which inter-cloud federation infrastructure components are used?
  • What type of Federated identity provider and identity management are used by your provider?

There are many other security topics to be considered, such as Security Services Lifecycle Management (SSLM), security of all automatic infrastructure services, the general approach to isolation and safety of the multi-tenant environment and things such as regulatory compliance or SLA security enforcement.

 

Cloud Session Security – Example

Let’s illustrate the issue of cloud security on an example of session handling in the cloud.

Figure 2 shows some of the layers involved in the application interaction between a client using browser and the cloud end deployment.

Figure 2: Security and trust in interaction between cloud services and user client/system – (CCENG, 2017)

As we can see, an application security session is initially created by entering the user credentials, which establishes the identity. In the second stage, a secure channel is created between the client and the cloud infrastructure, typically by employing secure layer certificates. However, this is where we may encounter the first security issue because user sessions can be seized in transit by hackers. So, one of the first things should be, to ensure that a cloud platform can employ “bootstrapping to hardware-based/bound credentials that serve as a root of trust for establishing secure communication between the virtualised cloud environment and remote user system or client” (CCENG, 2017).

This bootstrapping can be realized by Trusted Platform Module (TPM). TPM is one of the parts of the TCGRA (Trusted Computing Group Reference Architecture) that outlines protocols for allowing bootstrapping of runtime environments.

However, as I’ve mentioned earlier, session hijacking is just one of the security worries. There are many other cloud security concerns that should be considered before adopting the cloud solution.

 

Third Party Tools

I’ve mentioned that there are some 3rd party tools that can enhance the security of the cloud, as well as improve visibility and protection of data in the cloud. Following are some of those tools that are more and more often used along the cloud deployments to improve security:
Splunk –  Allows you to gain actionable insights and global visibility to respond quickly and efficiently to threats, making cloud organization more productive. As we know, the threats are evolving and emerging every day. Splunk’s analytics-driven security solution made it easy for PagerDuty to gain end-to-end visibility across their cloud environment.
Threat Stack –  Security and compliance are a must, and the team requires continuous, host-level visibility into who is doing what, where and when – across their ever changing and complex cloud environment. No matter where you are in the cloud security journey, Threat Stack protects your modern infrastructure against external attacks, insider threats, & data loss. Threat Stack does exactly that. Threat Stack allows you to gain host-level visibility across your cloud environment, so you always know what’s going on.
 
Trend Micro –  Allows you to implement a scalable solution that provides maximum workload security with minimal effort leveraging Trend Micro Deep Security.  IT security teams are increasingly pressured to accomplish more, with fewer resources. Trend Micro Deep Security helps organizations understand and overcome their most common cloud security challenges, without having to expand their cloud tool set. Protect your servers across the data center and the cloud without compromising on performance or security.
 
Sophos – Companies need to control user access to resources, whether that be restricting access to certain applications or access to specific web sites, often find it difficult to implement adequate user access controls. Sophos UTM provides organizations with an all-in-one security solution that enables them to easily enforce usage policies, control outbound access, filter content, defend against malware and more.
F5  –  Defend applications against malicious inbound traffic and inspect outbound traffic for anomalies with F5 BIG-IP Virtual Edition.  F5 BIG-IP Virtual Edition (VE) delivers an advanced application delivery controller (ADC) that goes beyond balancing application loads, enabling inspection of inbound and outbound application traffic.

Those of you who’d like to gain some knowledge about these tools and cloud security in general, Amazon AWS always has online webinars about the tools like these. I’ve looked up upcoming Amazon Cloud webinars related to the tools I’ve mentioned and here are dates and times and registration for summer 2017:

Splunk –  July 26, 2017 | 9 am PDT/12 noon EDT – In this webinar, you’ll learn how PagerDuty gained the end-to-end visibility required to respond quickly and effectively to security threats using Splunk on AWS. Register for Webinar »

Threat Stack –  Aug 3, 2017 | 10 am PDT/1 pm EDT – Join the upcoming webinar featuring Interactive Intelligence by Genesis, AWS, and Threat Stack to learn more about the importance of host-level visibility, continuous monitoring, and detection, and increased security operations velocity. Register for Webinar »

Trend Micro –  August 16, 2017 | 10 am PDT/1 pm EDT – Join the upcoming webinar to learn how Essilor, a world leader in the design and manufacturing of corrective lenses, has enabled their IT teams to apply, maintain and scale security across their AWS environments by overcoming these common challenges in cloud migrations.  Register for Webinar »

Sophos –  August 17, 2017 | 10 am PDT/1 pm EDT – Register for our upcoming webinar with AWS to see how ATLO Software uses Sophos UTM to limit the online activities on inmates in the Louisiana Department of Corrections while delivering educational and testing programs via the cloud. Leverage an all-in-one security solution that enables you to easily enforce usage policies, control outbound access, filter content, defend against malware, and more. Register for Webinar »

F5 – August 23, 2017 | 10 am PDT/1 pm EDT – Join our webinar with AWS to discover how F5 was able to help MailControl boost their visibility into the email traffic flowing through their application. By using virtualized F5 services on Amazon Web Services (AWS), the organization increased its application monitoring capabilities and improved security for its customers, while simultaneously automating processes to support its agile DevOps process.  Register for Webinar »

 

Conclusion

A study published by Clutch (2017) that included data collected from 225 businesses (sized 100 to 5,000 employees) found that 57% of all enterprises spent anywhere between $10,000 and $500,000 a year on additional cloud security measures.

In my view, businesses should never blindly trust the claims of the majority of the cloud providers out there. One of the common approaches to ensuring the security of a cloud deployment is to go above and beyond of what is by default offered by these cloud vendors. Following are some of the suggestions:

  • Implement the additional security services, such as third-party security software and management tools.
  • Invest into regular audits of the cloud, as well as on-premise cloud-related deployments
  • Constantly improve internal incident processes for handling cloud-related security issues
  • Do the periodic inspections of all possible changes in the cloud provider security SLAs

 

References

Srinivasan R. (2017). Market research by TechValidate (sponsored by IBM). [online] Available at: https://securityintelligence.com/digital-transformation-means-infusing-identity-everywhere/ [Accessed 8 Jul. 2017].

Clutch (2017). Security and the Cloud: Trends in Enterprise Cloud Computing | Clutch.co. [online] Available at: https://clutch.co/cloud/resources/security-trends-in-enterprise-cloud-computing [Accessed 8 Jul. 2017].

CCENG (2017). Cloud Computing Fundamentals and Cloud-Based Services Engineering. [online] Available at: https://elearning.uol.ohecampus.com/bbcswebdav/institution/UKL1/201760JUN/MS_CKIT/CKIT_523/readings/UKL1_CKIT_523_Week06_LectureNotes.pdf [Accessed 24 Jun. 2017].

Threat Stack, I. (2017). Threat Stack Cloud Security Platform. [online] Get.threatstack.com. Available at: https://get.threatstack.com/threat-stack?gclid=Cj0KEQjwy4zLBRCOg6-4h6vs3cUBEiQAN-yzfuR98rtNldZpt6fSIJiZMJdPAUMOQ2qzNVmJ1_AYcLEaArxI8P8HAQ [Accessed 10 Jul. 2017].

Trend Micro. (2017). Deep Security for the Data Center. [online] Available at: https://www.trendmicro.com/en_ca/business/products/hybrid-cloud/deep-security-data-center.html [Accessed 10 Jul. 2017].