Cloud and security — are they oxymorons or synonymous with each other? Actually, they’re both. Assuring the security of your cloud environment starts with knowing who is doing what. It begins by mapping everyone’s areas of responsibility: the shared responsibility model in cloud computing. Shared responsibility is a key part of any cloud discussion, and every cloud provider should be able to give you guidelines on which areas are your responsibility and which are the provider’s (which, by the way, are very limited). In this blog and my follow-up post, I’m going to walk through some basic requirements for securing your cloud deployment.
Cloud Can’t Be Avoided
The first hurdle an IT and security organization needs to get over is the idea that it has complete control of its cloud presence. Cloud platforms are usually driven more by business entities within an organization than by the IT team. I have seen IT organizations insist that they are doing nothing in the cloud and that they have a policy in place for the organization to do nothing cloud-based. If you believe that, you are fooling yourself and putting your job and your corporation at risk.
The more draconian an organization is about this, the less control, visibility and security it will have, as business units will decide to spend their own budget on something they feel better serves the business. So, accept the cloud and be willing to work with the business units to give them the flexibility, efficiency and the numerous other business benefits of going to the cloud. If you are willing to work with your business units, educate them on the risks involved and help them mitigate those risks, the IT organization, the business and the company itself will be better off.
Establishing Shared Responsibilities
Now that we have accepted the cloud, what do we do next? It’s important to realize that pretty much everything you do from a security standpoint in your own controlled data center you can also do in the cloud. How you do it and with which vendors may differ, but once you understand the shared responsibilities of the platform(s) you choose, what data is going to reside there and what access will be needed, you can start to formulate a security plan around launching the service to the business.
Your organization should have an internal security policy that you can easily adjust and modify for cloud enforcement. This includes who has access, what type of data can reside where and in what condition (e.g., encrypted, not encrypted, etc.).
One overlooked item you need to consider with cloud services is the cloud provider’s disclosure time frame following a compromise. This impacts your own liabilities and disclosure obligations too, which can be as strict as the European Union’s General Data Protection Regulation (GDPR), which states 72 hours (that includes holidays and weekends), or as broad as Massachusetts’ recent law, which states, “Within a reasonable amount of time after either the discovery of a breach or knowledge that personal information was obtained.” Most cloud providers accept no responsibility for your data and no liability in their standard contracts; handling a breach and carrying that liability is entirely on you.
Understanding that the cloud provider is, in fact, liable for very little, you quickly recognize that you have a lot of responsibilities in keeping your data safe in the cloud. My next blog post will touch on establishing some security fundamentals to help address those responsibilities.