By Will Pulsifier, Mediant Director of Security Operations
Cloud computing has transformed the way organizations store, access and share information; collaborate; and manage computing resources. Cloud services can be private, where the infrastructure is dedicated to your organization and typically built and maintained in your own data center, or public, where you rent storage and computing resources or subscribe to software from a cloud services provider.
Although cloud platforms let you automate many security tasks that used to be manual, data security remains a major concern for companies, especially where financial information is involved. Cloud vendors offer security features such as authentication, access management, data encryption and logging, but many of them are not enabled, or not configured securely, by default. You need to understand the security and monitoring tools your provider offers and configure them for your business. You should also weigh the risks of handing your data to a cloud services provider. Just "putting it in the cloud" is not a strategy for protecting your data.
Even though someone else hosts the data or services you use, the same classes of risk apply as when you build and maintain your own IT infrastructure or data center. As you move applications, data and workloads to the cloud, your security team keeps some responsibilities while the provider takes on others, but never all of them. This is called the shared responsibility model. Defining exactly which responsibilities are yours and which are the provider's is essential; the gaps between the two are where misconfigurations and vulnerabilities creep into a cloud environment.
In some cases the division of responsibility is spelled out by regulation or a standard. For example, the Payment Card Industry Data Security Standard (PCI DSS) sets requirements for systems that store, process or transmit cardholder data, and it requires you to document which of those requirements are handled by each third-party service provider and which remain yours. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) also publish prescriptive guidance on securing cloud services and workloads and on validating that the controls actually work.
You also need to decide whether you can make the transition from protecting data and systems you fully control to protecting data and systems that are partly out of your control. How responsibilities split between you and your cloud services vendor depends on the services you select (infrastructure, platform or software as a service) and the terms of those services. You are always responsible for what stays under your direct control: your information and data, your application logic and code, and identity and access. You also remain responsible for everything in your organization that connects to the cloud, including your on-premises infrastructure stack and user devices, the networks you own, your applications, and the communication layers that link your users, internal and external, to the cloud and to each other. For every control, write down which party owns it; where a control is genuinely shared (patching is the usual example, with the provider patching the underlying platform and you patching what you deploy on it), record exactly which layer each party covers. The areas you own are yours alone: the provider does not dictate how you secure them, and it will not secure them for you.
Finally, determine whether your company has staff who know how to monitor and secure cloud resources. This differs from traditional on-premises work and should be weighed carefully before you migrate. Beyond knowing the provider's tools, issues such as data sovereignty, contractual obligations, and your right to retrieve or delete your data at the end of a contract all call for people who understand risk and compliance as well as cybersecurity. There is no one-size-fits-all solution, so working with a third-party vendor to manage these new risks can be worthwhile and cost-effective.
If you’re not already, start doing this now
Once you are in the cloud, understand that moving systems or data there is not the same as doing an upgrade. Misconfiguration or inattention can leave you open to data loss or a breach. To keep your data and systems secure, consider the following strategies:
- Complete an inventory of data and infrastructure; it is the foundation of good cloud security. If you don't know you have it, you cannot secure it. Determine who "owns" each data set in your cloud, and whether that owner is accountable for assigning responsibility for its confidentiality, integrity and availability.
- Establish a well-defined and approved change control process. Tracking changes in a central ticketing system, defining approval paths and having management review change requests all limit unauthorized or rogue changes. Reconcile what actually changed in the cloud, as recorded in the provider's audit log, against what was approved, so that untracked changes surface quickly.
- Use the security tools included in your cloud subscription. One of the most useful things to come out of cloud computing is that security tooling such as audit logging and threat detection is bundled with the service. Because the provider sees telemetry from many tenants, these tools can surface threats to your environment that you would not see from your own data alone.
- Hire, or train existing staff in, cloud monitoring and security practices. As noted above, on-premises environments are not the same as cloud ones. Train your IT and security staff and encourage cloud-specific security certifications, or contract with a third party that has experience managing and securing customer cloud environments. Make sure everyone stays current on the rules and regulations that apply to you.
- Monitor events in real time. Within your cloud service, capture every action performed (the provider's API audit log is the usual source) and ship it to a centralized log store that the accounts being monitored cannot alter or switch off. This gives security teams the ability to see trends and to pull out individual events for review or investigation.
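The change-control and monitoring items above come together when the audit log is checked against the ticketing system. The following is an added example, not code from the original article or from Mediant: it parses a constructed, newline-delimited JSON audit log, checks each high-risk action against a constructed change-ticket ledger, and reports the actions that have no ticket, an unapproved ticket, or a ticket whose approved window does not cover the event time. The log schema, action names, actor names, ticket identifiers and timestamps are all assumptions made for the example; map your provider's real action names onto the high-risk list before using the approach.

```python
"""Correlating cloud audit-log events with an approved-change ledger.

Added example for this article; not the author's or any provider's code.
The JSON log schema, action names, ticket ids and timestamps below are
constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed sample audit log: one JSON record per line (hypothetical schema).
SAMPLE_AUDIT_LOG = """\
{"time": "2024-05-01T09:02:11Z", "actor": "alice@example.com", "action": "storage.bucket.get", "target": "finance-reports", "ticket": null}
{"time": "2024-05-01T09:15:40Z", "actor": "bob@example.com", "action": "iam.policy.attach", "target": "role/finance-admin", "ticket": "CHG-1042"}
{"time": "2024-05-01T11:30:00Z", "actor": "bob@example.com", "action": "iam.user.create_key", "target": "user/deploy-bot", "ticket": "CHG-1042"}
{"time": "2024-05-01T13:47:03Z", "actor": "svc-deploy", "action": "logging.trail.disable", "target": "org-audit-trail", "ticket": null}
{"time": "2024-05-01T14:05:59Z", "actor": "carol@example.com", "action": "storage.bucket.set_public", "target": "finance-reports", "ticket": "CHG-9999"}
{"time": "2024-05-02T08:00:00Z", "actor": "bob@example.com", "action": "compute.instance.start", "target": "vm-web-01", "ticket": null}
"""

# Constructed change-control ledger: what the ticketing system approved, and when.
APPROVED_CHANGES = {
    "CHG-1042": {"approved": True,  "start": "2024-05-01T09:00:00Z", "end": "2024-05-01T10:00:00Z"},
    "CHG-9999": {"approved": False, "start": "2024-05-01T14:00:00Z", "end": "2024-05-01T15:00:00Z"},
}

# Actions that change who can do what, what is exposed, or whether you can see it.
# Illustrative names; substitute your provider's real action identifiers.
HIGH_RISK_ACTIONS = {
    "iam.policy.attach",
    "iam.user.create_key",
    "storage.bucket.set_public",
    "logging.trail.disable",
    "network.security_group.open_ingress",
}


def parse_ts(s):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(log_text):
    """Parse newline-delimited JSON records into dicts with aware datetimes."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = parse_ts(ev["time"])
        events.append(ev)
    return events


def authorization_status(ev, changes):
    """Return None if an approved ticket's window covers the event, else a reason string."""
    ticket_id = ev.get("ticket")
    if not ticket_id:
        return "no change ticket"
    ticket = changes.get(ticket_id)
    if ticket is None:
        return f"unknown ticket {ticket_id}"
    if not ticket["approved"]:
        return f"ticket {ticket_id} not approved"
    if not (parse_ts(ticket["start"]) <= ev["time"] <= parse_ts(ticket["end"])):
        return f"ticket {ticket_id} window does not cover event time"
    return None


def triage(log_text, changes):
    """Return the high-risk events that are not covered by an approved change."""
    findings = []
    for ev in parse_events(log_text):
        if ev["action"] not in HIGH_RISK_ACTIONS:
            continue
        reason = authorization_status(ev, changes)
        if reason is None:
            continue
        findings.append({
            "time": ev["time"].isoformat(),
            "actor": ev["actor"],
            "action": ev["action"],
            "target": ev["target"],
            "reason": reason,
            # Losing the audit trail blinds every other control, so rank it first.
            "severity": "critical" if ev["action"].startswith("logging.") else "high",
        })
    return findings


def actions_per_actor(log_text):
    """Per-actor event counts: the kind of trend view a central log store makes possible."""
    counts = {}
    for ev in parse_events(log_text):
        counts[ev["actor"]] = counts.get(ev["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG, APPROVED_CHANGES):
        print(f["severity"].upper(), f["time"], f["actor"], f["action"], f["target"], "-", f["reason"])
    print(actions_per_actor(SAMPLE_AUDIT_LOG))
```

On the constructed data this reports three events: the key creation, because its ticket was approved for a window that had already closed; the trail being disabled, because it has no ticket at all; and the bucket being made public, because its ticket was never approved. The approved policy attachment inside its window produces nothing, which is the point: the reviewer's time goes only to changes the process did not sanction. In practice the ledger would be pulled from the ticketing system and the log read from the centralized store, and the time-window check is what catches an approved ticket being reused as cover for later changes.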
At Mediant, we have trained and dedicated security teams with specific cloud experience and certifications. We adhere to strict sets of controls and use third-party auditors to review how we maintain them. We also use best-in-class tools to monitor for and find potential issues. Working across departments, we maintain the highest degree of data privacy and confidentiality.