April 15, 2019
10 Steps to Securing Public & Hybrid Clouds
Cloud Security: Are you Ready?
Companies are moving toward Cloud Computing
The public cloud computing market (mostly Amazon AWS and Microsoft Azure) is growing rapidly, at around 25% per year. However, many obstacles exist, and because of them companies are moving toward hybrid architectures that use both private and public clouds for different types of applications and data. There is a reluctance to use public clouds for critical, regulated and private data because of concerns about cloud computing security (AWS, Azure or Google).
Cloud Computing Security is the Number One Concern when Using Cloud Hosting
Seventy-seven percent (77%) of those surveyed in a recent cloud survey said cloud computing security is their number one concern. Securing data in the infrastructures of both market leaders (Amazon AWS and Microsoft Azure) is of great concern to customers. The customer’s obligation to protect data is no less when using a public cloud, but how to protect that data is confusing at best. Though security solutions do exist to protect these environments, the challenge of protecting the cloud is greater.
Security Concerns are causing a Move Toward Hybrid Architectures
Security, governance and other concerns are holding companies back from moving overwhelmingly to the public cloud. The ability to guarantee security in a public cloud environment is challenging, and many companies feel more comfortable using private data centers for protected data.
Here are some interesting statistics on security motivated cloud migration trends.
- 61% of surveyed companies say they are reluctant to run regulated data or sensitive data in the public cloud
- 14% of survey participants have not begun migrating to the public cloud at all
- 65% have migrated just 20 percent or less of their workloads
- Many companies that have moved to the public cloud are moving some infrastructure back to private or on-premises
- 84% of enterprises now have a multi-cloud strategy almost evenly divided between private and public cloud.
- 70% have hybrid private/public data centers, with an average of 5 data centers, making security more challenging.
AWS Security and Azure Security Requirements Depend on the Cloud Model Purchased
Cloud data center providers like Amazon and Microsoft offer several models for implementing hosted computing in the cloud. Currently the average customer environment is 53% non-cloud, 23% SaaS (cloud applications), 16% IaaS and 9% PaaS; however, according to IDC’s 2018 Cloud Computing Survey it will evolve to only 31% non-cloud within 18 months. The two most common data center outsourcing models are IaaS and PaaS. The services purchased and the security requirements are listed below.
- Infrastructure as a Service (IaaS) – In this case the complete infrastructure layer is provided so that you can add your operating system, network controls and applications (web or other). In the IaaS security model you are responsible for all software you add and for your data. The provider is responsible for the security of the infrastructure (see model).
- Platform as a Service (PaaS) – For this service, you purchase the infrastructure plus the platform software layer that provides core applications such as websites and web applications. You still must provide your other applications. You are still responsible for securing your data and all of the applications you add, and you share responsibility for securing the provider’s applications.
Contrast this with an on-premise or private cloud where you are responsible for all IT and all security.
Confusion on How to Deploy Cloud Security in the Shared Responsibility Model
Vendors such as Amazon AWS and Microsoft Azure make it clear that they only provide security for the Amazon/Microsoft-provided cloud infrastructure part of your virtual environment. Getting a clear definition of what they can provide outside of their infrastructure is difficult. They have a security model called the Shared Responsibility Model that defines provider and customer responsibilities as they relate to cloud security. The safest assumption is that you are responsible for all of the infrastructure you control. Even where the provider indicates it has solutions that may extend to protect your environment, it will not protect your data outside of its cloud environment, whether at your on-premise location or in other 3rd party cloud applications or infrastructures.
Cloud Provider’s Responsibility in the Shared Responsibility Model
Amazon AWS and Microsoft Azure definitely provide security for their own infrastructure. AWS and Azure security teams are responsible for protecting the infrastructure that runs all of the services offered in the provider’s cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run the provider’s cloud services.
Specifically, the provider part of the Shared Responsibility Model includes:
- Physical Security for their data centers
- Internet, Isolated Network
- Storage (Potentially Encrypted-at-Rest data)
- Shared Multi-tenant Infrastructure (virtual machines, servers with management tools; optionally operating systems, databases and web servers)
- User access control to the Provider’s (AWS security or Azure security) Infrastructure
- High Availability Environment (Internet, Electrical, Cooling, infrastructure redundancy)
- Cloud System Monitoring (Coverage depends on service), but does not include your on-premise infrastructure or 3rd party cloud applications
Customer Responsibilities in the Shared Responsibility Model
Customers are responsible for providing security for their data and anything that affects the security of that data. You are explicitly responsible for providing security for:
- Your data
- Your Applications Including Websites and Apps.
- Your Internet Gateway and Network
- Your Servers and Clients
- User Accounts and Access Controls for your Applications
- Operating systems and system tools (including VMware, Azure); in the PaaS model, maintenance of the O/S and tools is the provider’s responsibility
- Your Communications & Network (Including VPN, Site-Site)
10 Steps to Protecting Your Hybrid Cloud & Public Cloud Data Centers
You are responsible for protecting your data, applications, infrastructure, and communications. It does not matter whether your data is in a public cloud, private cloud, on-premise or at a 3rd party cloud application provider’s location. 3rd party cloud data center providers have made it clear that they are responsible for their infrastructure and you are responsible for your data and infrastructure. As a result, you still must have proactive security in the following areas to protect your data, no matter where it may end up.
- Risk Assessments, Vulnerability Scanning, Penetration Tests – A security review of your overall IT infrastructure, including the cloud infrastructures, is very important for understanding the vulnerabilities of the entire system. Penetration testing should be done on all ingress and egress points in your overall IT infrastructure.
- MFA – Multi-factor authentication should be used to control access and authentication of all users for any application or data access. This applies to your cloud data center, as well as your cloud applications and on-premise applications and systems.
- Virtual Firewalls – Virtual firewalls are available from all leading firewall manufacturers to protect your Cloud perimeter, to control access and protect against malware and advanced network attacks. Manufacturers such as Palo Alto, Fortinet and WatchGuard all provide virtual firewalls.
- Server Protection – Servers themselves, and everything on them, need to be protected. This includes the operating system (VMware, Azure, Linux etc.), your data, and your websites and web portals. Examples of solutions for servers include web application firewalls and server EP protection solutions (like Trend Micro Deep Security) providing anti-malware, intrusion protection, file integrity monitoring, log inspection, virtual patching and application control.
- Data Protection – Data protection is a system-wide problem. Granular control of file and folder access is necessary on all data servers, cloud applications and certain end points. Solutions providing this capability range from EP data protection to CASB solutions.
- Network Monitoring & Protection – Monitoring your network traffic, whether in the cloud, between data centers or to cloud application servers, is your responsibility. While cloud providers monitor the overall environment and traffic and manage for high availability and macro threats, they do not claim to monitor your network threats. Multiple solutions exist to monitor and protect your network. These include virtual firewalls, network threat solutions (like Darktrace) and SIEMs.
- Mail Security for Cloud Email Servers, O365, On Premises – Mail security is also your responsibility. While some providers like O365 claim to provide security, 3rd party tests show that they are not as good as dedicated email security provider solutions. For customers with questions about whether their current solution is sufficient, we can run a one-week test on your email to show you what threats are penetrating your current email setup. With email still the #1 vector for security breaches, CEO fraud and credential theft, email security should be emphasized. Don’t assume that free solutions are good enough… they aren’t.
- Backup and Disaster Recovery – While cloud systems usually offer high availability through redundant systems and real-time backups, what they don’t offer in the base service is the ability to continuously back up with granular restore. They also usually won’t provide any system backups older than x days (often 10 days). So, the bottom line is that backing up your data, and the ability to restore it for any reason, is your responsibility. Backup and disaster recovery solutions that are agnostic of whether your data is on-site, in the cloud or even at a cloud storage site are now available to integrate all of those needs into one solution.
- OS/Application Patching – AWS and Azure will maintain their environment for you, but maintaining, patching and updating your operating systems and applications is your responsibility. So, using some type of patching solution makes sense, as it does for your on-premises IT systems.
- SIEM & Cloud Visibility – AWS and Azure have some tools for monitoring their environments, and for an extra fee you can even tap them into some of your system logs too. But their job is to manage their environment and to give you tools to manage it. Your job is to manage ALL your IT systems, applications, network traffic and data. To do that you need a SIEM that works with all IT systems, whether in the private cloud, public cloud, on-premises or in a 3rd party cloud application. Enterprise-level SIEM solutions like eSecurity Solution’s SIEM do that. Having a 3rd party manage it can make that easy to do. Recent products like Sophos Cloud Optix provide visibility and intelligence for your cloud environment.
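The MFA and SIEM steps above say that authentication to the cloud console is your problem to watch, not the provider's. As an added illustration (example code written for this page, not a product of the author, of eSecurity Solutions, or of any SIEM vendor named here), the script below shows the kind of detection logic a SIEM rule would run over provider audit records. The field names follow the shape of AWS CloudTrail ConsoleLogin events (eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin); the sample records themselves are constructed for the demo, and the failure threshold of 3 is an assumed tuning value.

```python
"""Flag risky console sign-ins in CloudTrail-style audit records.

Added example for this article, not code from the author or any vendor.
Record layout follows AWS CloudTrail ConsoleLogin events; the sample
lines are constructed, not captured from a real account.
"""
import json
from collections import Counter

# Constructed sample input: one JSON event per line, as a SIEM would see
# it after flattening a CloudTrail log file. Covers a normal MFA login,
# a login without MFA, a root-account login, a burst of failures from
# one address, and a non-login event that the rules must ignore.
SAMPLE_EVENTS = """\
{"eventName": "ConsoleLogin", "eventTime": "2019-04-15T08:01:12Z", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventName": "ConsoleLogin", "eventTime": "2019-04-15T08:05:40Z", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventName": "ConsoleLogin", "eventTime": "2019-04-15T08:09:03Z", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventName": "ConsoleLogin", "eventTime": "2019-04-15T08:12:00Z", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.55", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventName": "ConsoleLogin", "eventTime": "2019-04-15T08:12:09Z", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.55", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventName": "ConsoleLogin", "eventTime": "2019-04-15T08:12:21Z", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "192.0.2.55", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}}
{"eventName": "DescribeInstances", "eventTime": "2019-04-15T08:15:00Z", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10", "responseElements": null}
"""

# Assumed tuning value: how many failed logins from one address trigger an alert.
FAILURE_THRESHOLD = 3


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A real pipeline would route these to a parse-error queue.
            continue
    return events


def find_risky_logins(events):
    """Apply three rules to ConsoleLogin events and return a list of findings.

    Rules: successful login without MFA, any successful root-account
    console login, and FAILURE_THRESHOLD or more failures from one IP.
    """
    findings = []
    failures_by_ip = Counter()
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        identity = ev.get("userIdentity") or {}
        who = identity.get("userName") or identity.get("type", "unknown")
        ip = ev.get("sourceIPAddress", "unknown")
        outcome = (ev.get("responseElements") or {}).get("ConsoleLogin")
        mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
        if outcome == "Failure":
            failures_by_ip[ip] += 1
            continue
        if identity.get("type") == "Root":
            findings.append({"rule": "root_console_login", "user": who,
                             "ip": ip, "time": ev.get("eventTime")})
        if mfa != "Yes":
            findings.append({"rule": "login_without_mfa", "user": who,
                             "ip": ip, "time": ev.get("eventTime")})
    for ip, count in failures_by_ip.items():
        if count >= FAILURE_THRESHOLD:
            findings.append({"rule": "login_failure_burst", "user": None,
                             "ip": ip, "count": count})
    return findings


def detect_from_text(text):
    """Convenience wrapper: raw log text in, findings out."""
    return find_risky_logins(parse_events(text))


if __name__ == "__main__":
    for finding in detect_from_text(SAMPLE_EVENTS):
        print(finding)
```

The wrapper tolerates null or missing sub-objects because CloudTrail emits responseElements as null for read-only calls; a rule that assumed the field was always a dictionary would crash on exactly the events it should be skipping. In practice the same three rules would be expressed in your SIEM's query language and fed from both the cloud audit trail and the on-premises directory logs, which is the "umbrella monitoring" the article argues for.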
Key Takeaways About Cloud Security
- Using the public/hybrid cloud does not reduce the need for customer provided security.
- Cloud environments (because most companies are using hybrid infrastructures) make security more complex, not less.
- The need to completely architect your hybrid infrastructure and to perform risk assessments goes up.
- The need for umbrella monitoring solutions to monitor all your hybrid infrastructure (like SIEM) goes up
- Cloud SaaS solutions have their own problems, but also require customer monitoring and often extra security
Contact us to help.
Data Sources: Stratoscale Hybrid Cloud Survey, CRN/IDC 2018, RightScale 2018