Who’s afraid of the Big Bad Cloud? Part 1 Cloud & Security

Indeed, the outsourcing of applications and data to Cloud platforms introduces new security issues. Opening up of these platforms to the Internet increases the scope of attack and imposes reinforced and more rigorous security management. The new models of distributed architecture using managed services are driving a review of existing security models:

• Authentication and access control must be strengthened. A simple login/password authentication becomes insufficient.
• Application access APIs must be highly secure.
• Network security rules and best practices must be implemented using the platform’s services (Software Defined Network).
• Traceability and auditability of accesses and administration actions become critical.

In addition, regulatory requirements particularly concerning the location and protection of personal and sensitive data must be met. Storage of data outside the company is a cause for concern and requires reinforced protection and control mechanisms to be put in place:

• Stored and transmitted data must be encrypted.
• Data integrity must be guaranteed.
• Access to data must be traceable and auditable.
• The managed services used must be certified in order to guarantee protection of the data accessed through these services (SOC2 Certification for example).
• Data must be backed up and archived in accordance with regulatory requirements.
• Data availability must be ensured. The systems set up must ensure that the defined SLAs will be respected.
• The patching of systems and middleware must be automated.
• The destruction process of storage media (Used Disks) containing the data must ensure the confidentiality of the data stored on such media.

This may suggest that it is more dangerous to put your applications and data in the Cloud than to host them on-premise. This is indeed the mindset of many CISOs and decision-makers who eye the cloud with mistrust. But this is a misconception! Indeed, the major Cloud platforms today offer all the security services that enable the simple construction of totally secure architectures using security mechanisms that are natively integrated with all the platform’s services. In just a few clicks, it is thus possible to encrypt all data repositories (Disks, Databases, Object Stores), to secure encryption keys in key vaults and manage their life cycle, to centralise all access logs, to set up an identity federation, to publish regular audit reports on observed vulnerabilities, to have patched system images available at any time, to benefit from Anti DDOS (Distributed denial-of-service) protection systems, etc. The implementation of such on-premise mechanisms is often very expensive. As a result, these security mechanisms are often only partially implemented, leaving open certain loopholes that can be exploited to penetrate systems. The level of confidence in Cloud platforms generally increases with maturity, and security possibilities appear when architects and security teams have acquired sufficient expertise in the use of these platforms. The cloud is first considered a threat and then quickly becomes an opportunity, firstly leading to the deployment of non-critical systems using less confidential data and then to the deployment of applications using sensitive business data. When this first level of confidence in the Cloud’s ability to enable the construction of state-of-the-art secure architectures has been acquired, a second change in mentality must be achieved in order to be able to obtain the expected benefits and agility in particular. In the first approach, the Cloud provider is not considered as a trusted partner, which particularly leads to a desire for encrypting data with keys stored on-premise in order to prevent the provider from accessing such data. This approach leads to complex and costly security architectures that do not allow large-scale deployments and, above all, impose strong constraints that prevent the expected agility from being achieved. To take full advantage of Cloud services and achieve real gains in agility, the Cloud provider must be considered a trusted partner! It is then necessary to agree to store the encryption keys in the key vaults provided by the Cloud platform, which makes it simple to build scalable and secure architectures that make full use of all the services offered and benefit from all the natively integrated security mechanisms.

In a future article, we will discuss the control and audit mechanisms that must be implemented to detect and eliminate non-compliance as early as possible and ensure that safety and compliance rules are respected.