Somehow, many organizations seem to forget their own security practices and responsibilities once they start moving to the cloud.

A lot has been said about the security risks of moving your data or systems to the cloud. Choosing trustworthy cloud vendors, preferably with the right security certifications or independent assurance reports, has become indispensable. However, somehow many organizations seem to forget their own security practices and responsibilities once they start moving to the cloud.

The rise of cloud services

The average organization today has multiple and very diverse cloud services in play. According to the Fortinet Threat Landscape Report for Q3 2017, organizations now use a median of 58 different cloud solutions. This number will only increase in the future:

- According to research by Computerworld, organizations that transition to Software as a Service (SaaS) subscriptions from capital-heavy, on-premise infrastructure installation, maintenance and upgrades enjoy an IT spending reduction of more than 15%.
- Application landscapes in many business areas are gradually moving to 80% or more cloud based. Per Gartner, the acceleration in SaaS adoption can be explained by providers delivering nearly all application functional extensions and add-ons as a service.
- Many organizations have, or plan to implement, some cloud-based infrastructure to make use of the scalability and elasticity of Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), or to do things like consolidating datacenters.

Most organizations now have sensitive or otherwise critical data stored in the cloud. And of course, the ease of cloud adoption has also resulted in shadow IT: cloud applications and services that IT does not even know about, which is a growing security concern.

Cloud security is not only the vendor's responsibility

Somehow, cloud service customers seem to forget their own security practices and responsibilities once they start moving to the cloud, probably out of a misconception that all security-related aspects will be handled by the vendor. As a result, I have encountered quite a few examples where a cloud service – whether PaaS, IaaS or SaaS – is insecure because of insecure use or setup by its customer. That is, while the cloud vendor offers all the means to securely set up or use its cloud service, the customer has not used or activated these security measures, or has misconfigured the service, making it vulnerable.

Examples of what I have personally seen include:

- Not activating data encryption for sensitive data even though the option existed and would not have hindered operations.
- Working with end-user managed access control lists (ACLs) even though a simple interface to the company's Active Directory or IAM solution was possible.
- End-users creating and using public share directories open to anyone on the Internet even though that option could have been disabled.

I am not the only one noticing this; recent security news is full of reported cloud vulnerabilities or, worse, actual security breaches due to wrong and insecure customer configuration:

- Pentagon security fail left massive trove of data on Amazon server (17 Nov 2017)
- Organizations are not securing their AWS, Azure and Google Cloud Platform systems, allowing hackers to steal processor cycles for mining bitcoins (17 Oct 2017)
- Personal information of millions of Time Warner Cable subscribers was left exposed online in an unsecured cloud repository by a third-party company (9 May 2017)
- Wrongly configured cloud service exposes thousands of job seekers citing top secret government work (2 September 2017)
- Hundreds of companies expose PII, private emails through Google Groups error (24 July 2017)

What can you do about this?

Define your cloud security architecture

Define a security architecture baseline for the different cloud scenarios in your organization. Predefining a minimum baseline security architecture for the main cloud scenarios will help address some of the key security concerns from the start. It will ensure a minimum level of control, taking into account aspects such as identity and access management, integrating security alarms into an existing Security Operations Center (SOC), secure connections between the cloud service and the internal network, backup and recovery, etc.

The security architecture will also help identify where security tools are needed to protect against cloud risks: tools that can secure dynamic and evolving cloud-based applications, platforms and infrastructure. Existing, traditional solutions may be unable to secure a distributed, diverse and dynamic cloud environment. That being said, you also don't want separate security solutions for each cloud environment, or specialized security tools that operate in isolation. Defining your security architecture with that in mind will be key.

Identify your (new, dynamic) perimeter

Understand where the responsibilities of the cloud vendor end and where your own security responsibilities begin. Organizations not only need to understand how data and workflows will move between their own network and the cloud services, but also how these move across and between different cloud services. They need to clearly articulate where risks exist and who is securing what, where and how.

Follow vendor security guidance

Reputable and mature cloud vendors offer security standards, baselines or similar guidance on how to securely set up and use their cloud service.
Following their guidance during the design of your cloud solutions seems like a no-brainer; unfortunately, it is often still ignored.

Just like on-premise applications and infrastructure, cloud service threats and vulnerabilities evolve. Therefore, as part of your standing threat and vulnerability management practices, you should also follow up on any updates and amendments to the security guidance of cloud vendors.

Include a security expert in the setup

Even though you're not designing or building a system yourself but buying an external cloud solution, you still need some level of security design. Including a security expert will help you identify how the cloud solution should integrate with your existing (security) architecture. He or she can also identify the security risks that are specific to the cloud service at hand and the business processes it supports, as well as the countermeasures needed to manage such risks.

Find that shadow IT

Cloud solutions have made it easy for lines of business to circumvent their IT department and directly buy their own cloud-based IT solutions. This is often referred to as rogue or shadow IT. Circumventing IT more often than not implies circumventing security and other requirements (e.g. privacy, compliance, etc.). As such, shadow IT is a root cause of insecure (cloud) computing. Finding it and correcting it will be key. Analyzing your proxy logs or using a dedicated cloud security tool will help you find which cloud solutions are being used on your network. A comparison with the authorized ones should provide plenty of insight.
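The proxy-log comparison described above, as an added example that is not part of the original article: it parses a few constructed Squid-style access-log lines, maps each hostname to a constructed catalogue of cloud services, and flags every catalogued service that is not on an assumed list of authorized ones. The domains, users, catalogue and authorized list are all hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample lines (hypothetical, not from a real proxy) in Squid's default "native"
# access-log layout: time elapsed client status bytes method URL user peer type.
# HTTPS that the proxy does not intercept shows up as "CONNECT host:port".
SAMPLE_PROXY_LOG = """\
1510912201.123 245 10.1.2.10 TCP_MISS/200 5120 GET https://files.sharepoint.example/sites/hr/q3.xlsx alice HIER_DIRECT/203.0.113.5 application/vnd.ms-excel
1510912202.456 130 10.1.2.11 TCP_MISS/200 2048 POST https://api.dropbox.example/2/files/upload bob HIER_DIRECT/203.0.113.6 application/json
1510912203.789 98 10.1.2.10 TCP_TUNNEL/200 1024 CONNECT console.aws.example:443 alice HIER_DIRECT/203.0.113.7 -
1510912204.012 310 10.1.2.12 TCP_MISS/200 8192 PUT https://upload.wetransfer.example/api/v4/transfers carol HIER_DIRECT/203.0.113.8 application/octet-stream
1510912205.345 45 10.1.2.11 TCP_MISS/200 512 POST https://api.dropbox.example/2/files/upload bob HIER_DIRECT/203.0.113.6 application/json
1510912206.678 60 10.1.2.13 TCP_MISS/200 700 GET https://www.example.org/news dave HIER_DIRECT/203.0.113.9 text/html
"""

# Constructed catalogue of cloud services by domain suffix (hypothetical domains),
# and the subset the IT department has actually approved.
CLOUD_CATALOG = {"sharepoint.example": "SharePoint", "aws.example": "AWS",
                 "dropbox.example": "Dropbox", "wetransfer.example": "WeTransfer"}
AUTHORIZED = {"SharePoint", "AWS"}

def parse_line(line):
    """Return (host, method, user) for one native-format line, or None if unparsable."""
    f = line.split()
    if len(f) < 8:
        return None
    method, target, user = f[5], f[6], f[7]
    # CONNECT lines carry "host:port" instead of a URL
    host = target.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(target).hostname
    return (host.lower(), method, user) if host else None

def service_for(host):
    """Map a hostname to a catalogued service using the longest matching suffix."""
    hits = [s for s in CLOUD_CATALOG if host == s or host.endswith("." + s)]
    return CLOUD_CATALOG[max(hits, key=len)] if hits else None

def find_shadow_it(log_text):
    """Summarise catalogued cloud services seen in the log; flag those not authorised."""
    report = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        service = service_for(parsed[0]) if parsed else None
        if service is None:  # unparsable line, or a host that is not a catalogued cloud service
            continue
        host, method, user = parsed
        entry = report.setdefault(service, {"requests": 0, "uploads": 0, "users": set(),
                                            "shadow_it": service not in AUTHORIZED})
        entry["requests"] += 1
        entry["users"].add(user)
        if method in ("POST", "PUT"):  # requests that push data out of the network
            entry["uploads"] += 1
    return report
```

Hosts that match no catalogue entry (www.example.org above) are ignored, so the catalogue of known cloud domains is what decides how complete the picture is.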