Several times recently, people have asked for suggestions or warnings I might have about cloud security. What cybersecurity threats should they worry about in the cloud? I’ll share with you what I told them:
Compliance and complacency
No, those aren’t high-tech attack techniques used by elite super-hackers. However, they will cause trouble for you.
Cybersecurity technology is exactly the same, whether in-house or in the cloud. Cloud servers and in-house servers run the same operating systems. Therefore, they have the same configuration issues. Additionally, they speak the same network protocols. Finally, cryptography is the same math and logic wherever it runs. What’s very different is control and visibility. Cloud compliance is tough.
Cloud cybersecurity has a distinctive slogan:
You can transfer responsibility but you can’t transfer accountability.
Yes, that’s trite. That plays games with semantics. I think it’s bad writing, because it relies on the reader interpreting near-synonyms in one precise way. But if you want to pass the ISC2 CCSP or Certified Cloud Security Professional exam, know that slogan! Furthermore, see Learning Tree’s CCSP test-prep course for more insights on passing that tough exam.
Let’s break it down.
That’s the whole point of cloud computing! At the very least, I don’t want to run a data center. Make the building, power, cooling, and network connection be someone else’s problem.
Maybe I don’t want to maintain an operating system. Or, a software platform. Perhaps, not even the application.
Therefore, I pay a cloud provider to run the data center. Maybe they also maintain the OS and programming platform. Possibly, they’re in control all the way up through the application.
It’s their job, their responsibility, to do that.
We have a contract. But …
The information is vitally important and sensitive to someone. Depending on the field, we might call them “customers” or “patients” or “citizens.” There are expectations …
There are requirements. I must protect this information. In particular, I must protect its confidentiality (or privacy), integrity (or accuracy), and availability (or reliability).
I can contract out the work. However, I have to make sure it happens. If it doesn’t, I’m the one in trouble. Ultimately, I am accountable.
My parents own a small office building. They rent it to the state highway department. Four engineers work there, supervising nearby construction projects.
The lease promises that the owners will cut the grass, clear the snow, and maintain the building.
However, they pay a guy to do all that. He mows in the summer. In winter, he plows snow and spreads ice melter. Also, he fixes sticky door locks. He’s responsible for that work.
My parents don’t drive mowers or snow plows. But if the highway department couldn’t get into their office because of snow in the parking lot or a sticking door, they wouldn’t complain to the handyman. The owners are accountable.
In contrast, accountability doesn’t transfer.
When you transfer responsibility, you lose control and visibility. However, compliance may require you to know exactly how things are done. This can become impossible in the cloud. It depends on your service model.
With IaaS (or Infrastructure as a Service), it’s much like a remote data center or a co-location facility. You control and see the patching and configuration.
With PaaS (or Platform as a Service), you have some visibility of the OS and software environment.
Then, with SaaS (or Software as a Service), well… Frankly, you have no idea what’s really going on! You only have the cloud provider’s description of what they’re doing.
Compliance become harder as you move up the SPI stack. That is, from IaaS through PaaS to SaaS.
Complacency is the other hurdle.
People fall into magical thinking. The cloud is enormous. And, it’s enormously powerful. So, what could possibly go wrong?
Lots! To err is human. Although, to lose data at industrial scale, you need large computers out on the Internet.
Some people seem to expect a cloud dashboard to include a “Secure Mode on” button. However, there won’t be one. Ultimately, it’s what I said in the beginning. Cloud computers and networks use the same technology we have in-house.
Therefore, they need the same careful attention. Unless it’s SaaS (e.g., Gmail, Salesforce), you have to do some of this. Later, it’s easy to overlook cloud systems during routing patching and testing because they’re “out there” in the cloud.
We know how to harden servers. What’s more, we know how to control and protect network traffic. Therefore, we have the tools we need.
First, we must plan to use the same defensive technology. Next, decide whose job it is. Ours, or perhaps the cloud provider’s?
Finally, we must remember that we are accountable. If compliance requires us to be in full control, then it may not be a job for the cloud.