And how to mitigate them

Cloud security is a big topic. The Cloud is not just one thing, but a concept that comes in many different forms. Each form has its own security intricacies that need to be dealt with.

No matter which aspects you look at, Cloud computing has been steadily increasing in popularity for years. Most recently, the global lockdowns in 2020 have brought its business rewards and security risks into even sharper focus. Cloud-based services like Microsoft 365 and G Suite are now mainstays of British business.

The big question often asked of the Cloud is whether it is more or less secure than on premise. The only viable answer is, “it depends.” Cloud computing has the potential to be more secure if managed and implemented well and a disaster if it is poorly managed or implemented.

Security responsibilities in Cloud Computing

One of the key differences between Cloud and on-premise computing is that businesses cannot control many parts of the Cloud. To understand Cloud Computing Security, we first need to understand who is responsible for what.

We can break Cloud offerings into seven areas:

• Governance: how is the Cloud offering managed to remain consistent with corporate policy?

• Data: the core asset managed by the Cloud.

• Application: the tool with which the user interacts to access and manipulate the data.

• Platform or operating system: Windows, Linux, or proprietary developer tools.

• Communications: access to the application and data, i.e. through a wide area network as opposed to local infrastructure.

• Infrastructure: network switchers, routers, firewalls.

• Physical: the hardware on which it all runs.

The table below, taken from our whitepaper on enabling Secure Information Exchange in Cloud environments, shows where responsibilities lie for these seven areas when it comes to the three main Cloud Services: IaaS, PaaS and SaaS.

In short you, as the data owner, remain accountable for the governance and security of your data in every scenario. The Cloud Service Provider (CSP) may take some responsibility for provision of the technical controls, but you are always responsible for the appropriate processes to ensure these controls mitigate your risks, and that the controls are configured and managed correctly.

The NCSC’s Cloud Security Principles

Because the responsibility for governance always lies with the enterprise and not the CSP, it is essential to be certain that the Cloud technology used to manage your data is trustworthy. The NCSC’s 14 Cloud Security Principles outline considerations for CSPs that will help keep their solutions secure. Enterprises can use these principles to see if potential CSPs offer a trustworthy Cloud solution.
The principles are listed below in brief, but you can see definitions and a more complete breakdown in our dedicated blog post.

1. Data in transit protection

2. Asset protection and resilience

3. Separation between users

4. Governance framework

5. Operational security

6. Personnel security

7. Secure development

8. Supply chain security

9. Secure user management

10. Identity and authentication

11. External interface protection

12. Secure service administration

13. Audit information for users

14. Secure use of service

As a business looking to remain secure when using Cloud technology, the principles instead provide a checklist of what you should be looking for in your services. You are responsible for your data security, so you need to be certain that your CSP is implementing their controls to the level that you require.

Using these principles

When assessing the suitability of CSPs, Nexor recommends that you draw up a table for each principle with the following headings:

• Risks you need to mitigate;

• Your responsibility;

• CSP’s responsibility;

• How you will evidence the CSP is meeting that responsibility (governance).

These principles also do not absolve the end user of all responsibility. In fact, the 14th principle makes it clear that Cloud services can only be expected to be secure when used properly. CSPs who are aligned with the NCSC’s principles should provide audit records that allow you to monitor Cloud access and usage, but it is your responsibility to use that data to spot potential issues.

To mitigate the risks of Cloud computing, the businesses using the technology must take steps like the assessment shown here to ensure that their suppliers are secure and trustworthy and that their own employees are using the technology responsibly. Read our blog post for more practical information.

The Data Lifecycle model in Cloud Computing

To understand the security risks of Cloud computing, we must acknowledge that the technology is different to on-premise solutions. Successful management and mitigation of that risk requires a different way of thinking.

We have found the Data Lifecycle Model a very useful tool in understanding and thinking through the new risks that Cloud computing brings. For example, the risk of what happens to your data when you no longer require the Cloud service; how can you be sure the data is deleted? (The answer, by the way, depends on the Cloud type and service model).

• Create: Data can be created both inside and outside of the Cloud by both humans and machines. The key challenge is to attest the integrity of the data before ‘accepting’ it.

• Store: Where and how is the data being stored? Check the controls that are applied to ensure that only authorised users can access it later in the lifecycle.

• Use: Human users and machine analytics may require access to data in the Cloud. Core controls should ensure only authorised access.

• Share: Again, core controls should ensure only authorised access when and if data is shared outside of the specific Cloud environment.

• Archive: Effectively sharing the data with a long term storage solution, sometimes offline.

• Destroy: Consider upfront how to keep track of where data is stored and how to erase it.

Although the diagram illustrates the lifecycle as a linear progression, it is normal for data to bounce around the different stages, or to miss some of them out altogether. For example, not all data is archived.

Risks in the Data Lifecycle

The data lifecycle exposes certain points of risk for data stored in the Cloud. These are encompassed in the NCSC’s 14 principles, but are useful to extract when looking at the data model:

• Data at rest. Data needs to be protected where it is stored by access control and encryption.

• Data in motion. Data needs to be protected when it is moved between, into and out of Cloud systems and systems need to be protected from rogue data. Solutions include encryption, data or transport layer considerations, data transformation and data validation. Nexor’s SIXA, based on NCSC architectural models, is concerned with this element of risk.

• Data in use. Data being used by humans or machines also needs to be protected. Access control and identity management are crucial for maintaining security, and there is overlap with the data in motion controls.

Who is responsible for mitigating the risks?

Once you know the risks, you can consider mitigations and, most importantly, who is responsible for them.

If you are responsible for mitigation, then it should be business as usual. Manage it with the same processes you would with an on premise system (as part of your ISO 27001 compliant iSMS). Note the focus on processes – the technical controls to mitigate the risk may be different, but the security management process the same.

If the CSP is responsible for mitigating these risks, you need to determine how you will assess their effectiveness at providing the control so that you can hold them accountable. The NCSC’s principles provide a starting point for you, but you ultimately need to ensure consistency with your corporate policy, as mentioned in our brief discussion of governance above.

To summarise, the simple principles/responsibility matrix mentioned in our section on the NCSC’s Cloud Security Principles will clarify what the risks are, who is dealing with them, and how you can be sure they are managed.

Is Cloud computing less secure than on premise?

The answer depends on the business processes that the CSP and you, as the customer, have put in place. If these are working together effectively then the Cloud can be more secure.

If either party gets these processes wrong, you should have a business contingency plan for being the next data breach headline!

Nexor offers Cyber Resilience as a Managed Service (CRaaMS), to help businesses respond to the new threats they may be facing from the adoption of Cloud technology. It is process-focused, taking into account business objectives, threat identification, mitigation and recovery in accordance with our underlying CyberShield Secure® methodology. To speak to our consultants about any of our services, including remote delivery, get in touch today.