In my last three posts (Are we missing the point - part 1, part 2 and let’s take an end-to-end view), I discussed the aspects that need to be taken into account to help ensure cloud security. I also addressed how end-to-end scenarios help identify potential breaches at the boundaries between those aspects. This gives us a good assessment of the risks encountered when placing an application in the cloud or consuming a cloud service.
There is one thing I did not talk about though. How do we make such assessments when we consume services from a service provider? Responsibilities are split, but how do you make sure the appropriate security precautions have been taken end-to-end?
Service providers will tell you they are more secure than your datacenter, and these assertions might well be true. But when you ask for details to confirm their assessments, many simply tell you to trust them. From a risk management perspective, it’s up to you to assess the risk level associated with that lack of visibility.
Let’s go back through the seven aspects we talked about earlier and identify who is responsible for what in a managed or public cloud.
In principle, client security is the responsibility of the owner of the device. If it’s one of your employees and you are managing their device, it becomes your responsibility. However, when SaaS services are consumed through a downloaded application, things become more complex. Obviously, the end-user has accepted the terms and conditions prior to downloading the app, but has he/she read and understood the fine print? The risks associated with such applications are the ones discussed in the previous blog post. But in a public cloud you do not know how the SaaS application provider secures the connection and how the identification between the device and the cloud application is performed. Is there a possibility of identity theft or data leakage?
Increasingly, cloud services are accessed over the Internet, often using SSL connections. In some cases, mainly around managed cloud services, you may choose to use VPN connections or even leased lines if you believe those give you higher levels of security. Obviously, there is a price attached to those. Again, one has to balance risks and costs.
The service provider is obviously responsible for the physical security of its datacenters, so this aspect is no longer your concern when you consume (public) cloud services. However, as the service provider hosts applications and information from many customers, its facilities become very attractive to criminals and hackers. So, it has to take more precautions than an average datacenter. Now, this also applies to outsourcers and other entities providing IT services to customers, so it’s not unique to cloud. You may wish to audit the facilities prior to consuming their services. That’s typically possible with managed clouds, but more difficult with public clouds. So, again, physical security should become an integral part of your choice criteria.
When you consume services you no longer own the platform (the infrastructure and the software stack required to run cloud services). The security of the virtual machine images, the hardening of the operating system, the patching of the software to avoid security breaches, intrusion detection, etc. are all the responsibility of the service provider. If you consume IaaS services, you receive a virtual machine (VM) environment deemed secure and you own the responsibility for everything you run within that VM. There are some nuances depending on whether you buy a managed or unmanaged VM, but in essence your responsibility starts at the VM level. You should, however, assess whether the service provider performs the security steps to your satisfaction.
If you consume IaaS or PaaS services, at least part of the application security is under your responsibility. If you consume SaaS services, it’s the responsibility of the service provider. The PaaS case is an interesting one as you have the responsibility of the actual application security, but will make use of libraries and other software tools that are provided by the service provider. Defining the responsibilities of each of the parties is critical in such environments. Make sure you read carefully through the proposed terms and conditions so you know what you are getting into.
Here the term is encryption, but as Ariel Dan commented, if you let the service provider manage your encryption keys, you haven’t won anything. As data is persistent, and as it may not be easy to recoup and erase data stored with a cloud service provider, one should think about what data to put in a third-party cloud prior to starting. Keep precautions in mind and educate users, as data security breaches do happen. Dropbox has been a target lately. It’s actually a good example. Take a minute to read their terms and conditions. They include “Dropbox will have no responsibility for any harm to your computer system, loss or corruption of data, or other harm that results from your access to or use of the Services or Software.” Is this a risk you can bear for the data you expose? Can you set up additional security protections such as encryption to reduce the risk? If you use Dropbox to share the latest family picnic pictures, that’s probably not an issue. If, on the other hand, you want to share the papers for the next board meeting, well, you may want to consider your options.
Identity and Access Management
We already discussed the interaction between a mobile device and a cloud service. With hybrid cloud typically comes single sign-on, allowing you to identify yourself once and access multiple services. It makes life easier, but at the same time provides a single point of failure. What if the information vault containing your credentials for all applications gets broken into?
Not all cloud models are the same. Here are five hints to address key security challenges:
- Protect private information before sending it to the (public) cloud
- Don’t replicate your organization in the cloud (mainly in SaaS)
- Keep an audit trail
- Governance: Protect yourself from rogue cloud usage and redundant cloud providers
- Protect your API keys
These are five key hints. To complement those and think through end-to-end security aspects, let me also share the attached table a couple of colleagues and I have created. It looks at responsibility leadership across multiple cloud models. I hope you’ll find this useful.
Thanks for your comments, keep them coming, and obviously don’t hesitate to participate in the discussion on LinkedIn.