Cloud Security: Key Concepts, Controls, and Strategy for Business

Cloud security is a cybersecurity discipline dedicated to securing cloud computing systems. This discipline includes keeping data private and secure across infrastructure, applications, and online platforms.

Securing these systems involves efforts from cloud providers and the customers who use them, whether they are an individual, a small or medium-sized business, or an organization.

Businesses use a variety of terms to highlight their products, rather than NIST's more technical descriptions; from DBaaS (disaster recovery) to HSMaaS (hardware security module) as well as DBaaS (database) and finally XaaS (anything). Depending on what a company is promoting/selling, it can be difficult to determine if a product is SaaS or PaaS, but in the end, it is more important to understand what the contractual responsibilities of the cloud provider are.

Cloud providers extend their contracts to add security in cloud formations through services such as HSMaaS (hardware security module) or DRMaaS (digital rights management).

Cloud deployment models

• Public cloud: A public multi-tenant offering such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).
• Private cloud: A cloud environment dedicated to a single business entity (but typically shared by many organizations within that entity).
• Hybrid cloud: A mix of public and private cloud services on-premises.
• Multicloud: A combination of cloud services; It typically includes various types of services (compute, storage, etc.) hosted on multiple public and private clouds.

Cloud services types 

• Infrastructure as a Service (IaaS):
  On-demand underlying computing, storage and networking services.

• Platform as a Service (PaaS):
  Cloud-based application development environments and frameworks.

• Software as a Service (SaaS):
  On-demand solutions such as Salesforce or Office 365 offered as cloud-based applications with subscription-based licensing models.

Cloud architecture is the organization of components and subcomponents into a logical, efficient, and effective structure. This structure should allow the components to work together to achieve a goal, maximizing strengths and minimizing weaknesses.

The basic components required to create a cloud include networks, routers, switches, servers, and others such as firewalls and intrusion prevention systems. The cloud also includes all the elements inside the servers: the hypervisor, the virtual machines and, of course, the software. Cloud architecture also requires a cloud provider, a cloud architect, and a cloud broker to create, manage, sell, and buy cloud services.

Many terms related to cloud architecture just add the word “cloud” to an already familiar term, such as “cloud consumer”. If you understand the definition of "consumer," then the new term is clear: it refers to a consumer of cloud services rather than, say, phone services.

Basic terminology found in NIST SP 500-299 includes:

• Cloud Consumer: The person or business that uses a service provider's cloud service.
  
• Cloud provider: The person or company with the resources to offer the services that consumers require. This involves the technology necessary to create the servers, virtual machines, data storage or any other resource that the consumer needs.
  
• Cloud Broker: The person or company that manages the delivery, use, and performance of the cloud for the consumer, negotiating the relationship with the provider on behalf of the consumer.
  
• Cloud carrier: The carrier is the service provider that connects the business to the cloud, for example, your Internet service provider. For a business, this would usually be a MPLS connection (multiprotocol label switching).
  
• Cloud Auditor: The person or company that performs the audit of a cloud service provider's environment. These audits include privacy and security.

Cloud security is a shared responsibility between the cloud provider and the customer.

Cloud security practices are similar in many ways to traditional network and computer security practices, but there are some key differences. In contrast to conventional IT security, cloud security is often governed by a shared responsibility model where the cloud service provider is responsible for managing the security of the underlying infrastructure (e.g., cloud services), cloud storage, cloud computing services, cloud networking services), and the customer is responsible for managing the security of everything above the hypervisor (e.g., guest operating systems, users, applications, data).

What makes cloud security different?

Traditional computer security has undergone an immense evolution due to the shift to cloud-based computing. While cloud models allow for greater convenience, always-on connectivity requires new considerations to keep them secure. Cloud security, as a modernized cybersecurity solution, differs from legacy computing models in a few ways.

1. Data Warehousing – The biggest distinction is that older IT models relied heavily on on-premise data warehousing. Companies have long discovered that creating all of the internal computing platforms for granular and custom security controls is costly and rigid.
   
2. Speed of scaling: Similarly, cloud security demands unique attention when scaling enterprise IT systems. Cloud-centric infrastructure and applications are highly modular and rapidly mobilized.
3. End User System Interface – For both businesses and individual users, cloud systems also connect to many other systems and services that need to be secured. Access permissions must be maintained from the end-user device level to the software level and even the network level.

Solving most security problems in the cloud means that both users and cloud providers, in both personal and business environments, must be proactive about their own cybersecurity roles.

What are the security issues in cloud computing?

If you are unaware of its existence, how are you supposed to take the appropriate action? After all, weak cloud security can expose users and providers to all kinds of cybersecurity threats. Some common cloud security threats include:

• Cloud-based infrastructure risks, including incompatible legacy computing platforms and outages to third-party data storage services.
• Internal threats due to human error, for example, misconfigured user access controls.
• External threats caused almost exclusively by malicious actors, such as malware, phishing, and DDoS attacks.
• The biggest risk posed by the cloud is that there is no perimeter. Traditional cybersecurity focused on protecting the perimeter, but cloud environments are highly connected, which means insecure application programming interfaces (APIs) and account hijackings can pose real problems.

Interconnection also poses problems for networks. Malicious actors often access with compromised or weak credentials. Once a hacker gains access to a network, he can easily spread and use the cloud's poorly protected interfaces to locate information in different databases and nodes.

Storage of data by third parties and access via the Internet also pose their own threats. If, for any reason, these services are interrupted, access to data may be lost. For example, an outage in the telephone network could mean that access to the cloud would not be possible at an essential time.

Security Best Practices for Cloud Customers

Cloud customers must institute various measures to protect both cloud-based applications and data and mitigate security risks. Common cloud security best practices include:

• Protect the management console in the cloud. All cloud providers provide management consoles for managing accounts, configuring services, troubleshooting, and monitoring usage and billing.
  
• Protect virtual infrastructure. Virtual servers, data stores, containers, and other cloud resources are also a common target for cybercriminals.
  
• Protect API SSH keys. Cloud applications often call APIs to stop or start servers, instantiate containers, or make other changes to the environment.
  
• Secure DevOps management consoles and tools. Most DevOps organizations rely on a number of CI/CD tools to develop and deploy applications in the cloud.
  
• Protect code from DevOps processes. Attackers can also try to exploit vulnerabilities in cloud applications throughout the development and delivery process.
  
• Protect admin accounts for SaaS applications. Each SaaS offering includes a management console to manage users and services.

Cloud compliance

Businesses must observe various laws, regulations, and contracts. When you put your data and services in someone else's possession, the audits required to confirm compliance can become more complicated.

Ask yourself: “What worries me the most?”

This will help you determine what questions to ask your cloud provider. From a legal point of view, organizations must comply with:

• EU GDPR (European Union General Data Protection Regulation),
• SOX (Sarbanes-Oxley - US financial data protection),
• HIPAA (Health Information Portability and Accountability Act - US healthcare),
• PCI-DSS (Payment Card Industry - Data Security Standard),
• Among other regulations, laws locally.

Once the subject of compliance is identified, several actions can be taken, one of which is auditing. This should be conducted using a standardized approach and proven methodology, such as Accountants' SSAE 18 (Statement of Standards on Attestation Agreements, No. 18.)