In my recent blog post, I introduced the topic of cloud security and offered tips for understanding a cloud environment. In this post, I want to explain how a company can build security into its cloud adoption from the start.
As more and more companies adopt the cloud service model and migrate their critical data to the cloud, security must rise to the forefront. If you neglect security in the beginning phases of adopting the cloud, then you are setting yourself up for failure.
Enhance control layers for cloud security
First, let us describe the control layers you should look for when evaluating different cloud providers, and which you should already have in place on your own systems. (Please refer to the image below.)
If we apply these control layers to a cloud environment, we can map the two models together and strengthen our cloud security. Here is how you can enhance each control layer:
- Application Layer: Adopt policies based on recognized industry security standards; for web applications, for example, use the OWASP guidance. Whichever policy you put in place, your applications should meet and comply with the regulatory and business requirements that apply to your business.
- Information Layer: Every company should develop and document an information security management program, including administrative, technical and physical safeguards that protect information against unauthorized access, modification or deletion. This is just as true in the cloud. If you adopt the cloud, you cannot depend on your provider to meet each and every safeguard; you remain responsible for the security of your data.
- Management Layer: This layer covers the administrative tasks that keep cloud services running (provisioning, configuration, monitoring and change management). Consumers should examine the provider's management policies, including how administrative access is controlled and audited, when comparing services.
- Network Layer: This layer covers the measures and policies a network administrator uses to monitor and prevent unauthorized access, misuse or denial of network-accessible resources. Identity management policies, network monitoring and access controls (firewall and security-group rules) all help secure the network layer.
- Trusted Computing: This layer defines the secured computational environment that implements internal controls, auditability and maintenance to ensure the availability and integrity of operations in the cloud.
- Computation and Storage: Once your data is in the cloud, you no longer have physical control over where it is computed or stored. The cloud is merely a collection of computers spread across geographic regions, each with its own risks. Your provider must establish policies and procedures for data storage and retention, with appropriate backup mechanisms that give you, the client, reliability and the ability to meet statutory, regulatory, contractual and business requirements.
- Physical Layer: This layer includes security measures for cloud infrastructure, data centers and associated physical resources. Think fences, guards, access points, etc. As a customer of a cloud provider, you should inquire about the physical security of their facilities.
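The network layer above calls for access controls that prevent unauthorized access to network-reachable resources. The following is an added example, not code from the original post or from NTT Security, of the kind of check a practitioner runs against cloud firewall or security-group rules before (and after) deployment: it flags administrative ports reachable from outside a set of trusted ranges, rules that open every port, and non-web ports exposed to the whole internet. The rule format, the `ADMIN_PORTS` and `PUBLIC_WEB_PORTS` sets, the trusted ranges and all sample rules are assumptions constructed for this example, not any provider's real schema or a real environment.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions for this example: which ports count as administrative and which
# may legitimately be exposed to the whole internet. Adjust to your environment.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379}
PUBLIC_WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Rule:
    """One firewall / security-group rule in a hypothetical, provider-neutral form."""
    name: str
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    source: str      # CIDR the rule admits traffic from


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def is_trusted(cidr, trusted_ranges):
    """True if every address in cidr lies inside one of the trusted ranges."""
    net = _net(cidr)
    for trusted in trusted_ranges:
        tnet = _net(trusted)
        # subnet_of() only compares same-version networks; an IPv6 source is
        # never "inside" an IPv4 trusted range.
        if tnet.version == net.version and net.subnet_of(tnet):
            return True
    return False


def audit_rules(rules, trusted_ranges):
    """Return (rule name, severity, reason) for each over-broad ingress rule."""
    findings = []
    for r in rules:
        if r.direction != "ingress":
            continue  # egress rules are out of scope for this check
        src = _net(r.source)
        from_anywhere = src.prefixlen == 0            # 0.0.0.0/0 or ::/0
        trusted = is_trusted(r.source, trusted_ranges)
        all_ports = r.protocol == "all" or (r.from_port <= 0 and r.to_port >= 65535)

        if all_ports:
            if not trusted:
                findings.append((r.name, "HIGH", f"all ports and protocols open to {r.source}"))
            continue

        ports = set(range(r.from_port, r.to_port + 1))
        exposed_admin = sorted(ports & ADMIN_PORTS)
        if exposed_admin and not trusted:
            findings.append((r.name, "HIGH",
                             f"admin port(s) {exposed_admin} reachable from untrusted {r.source}"))
        elif from_anywhere and not ports <= PUBLIC_WEB_PORTS:
            findings.append((r.name, "MEDIUM",
                             f"ports {r.from_port}-{r.to_port} open to the internet"))
    return findings


# Constructed sample data (assumption: not from any real environment).
TRUSTED_RANGES = ["10.0.0.0/8", "172.16.0.0/12"]   # e.g. VPC plus corporate VPN space
SAMPLE_RULES = [
    Rule("web-https", "ingress", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("ssh-from-vpn", "ingress", "tcp", 22, 22, "10.20.0.0/16"),
    Rule("ssh-anywhere", "ingress", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("debug-all", "ingress", "all", 0, 65535, "::/0"),
    Rule("app-dev", "ingress", "tcp", 8000, 8080, "0.0.0.0/0"),
    Rule("db-from-partner", "ingress", "tcp", 5432, 5432, "192.0.2.10/32"),
    Rule("egress-any", "egress", "all", 0, 65535, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, severity, reason in audit_rules(SAMPLE_RULES, TRUSTED_RANGES):
        print(f"{severity:6} {name}: {reason}")
```

Run as-is, the script reports four findings: `ssh-anywhere` and `db-from-partner` (admin ports reachable from untrusted sources), `debug-all` (everything open to all of IPv6) and `app-dev` (an application port range open to the internet); the HTTPS rule and the VPN-only SSH rule pass. The trusted-range list is the important design choice: rather than guessing what is "internal" from address classes, the check is told explicitly which ranges may reach administrative ports, which is also what you should be able to read straight out of your SLA and your own network policy.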
When it comes to the cloud, security is a shared responsibility: the provider secures the underlying infrastructure, and you secure what you build and store on it. How much falls on each side depends on the cloud model you choose (the provider takes on more as you move from IaaS to PaaS to SaaS), so make sure that your service level agreement (SLA) and terms of service with the provider are clear and unambiguous. They should cover the control layers listed above, provide adequate protection, and meet the regulatory standards your business already has to meet. Using a cloud provider does not exempt you from those standards: HIPAA and PCI DSS still apply to your data, even when it resides in the cloud!
Here are some tips to help you establish best practices for cloud security:
- Enforce data protection, backup and retention mechanisms.
- Enforce SLAs for patching and vulnerability remediation.
- Prohibit user credential sharing among users, applications and services.
- Implement strong authentication, authorization and auditing mechanisms.
- Monitor traffic to and from your cloud workloads for any malicious activity.
- Ensure the proper logs are stored securely and can be examined if needed.
- Conduct a tabletop exercise prior to cloud implementation to test your internal team on cloud incident response activities.
Learn more about how to be proactive for cloud security with NTT Security.
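Several of the tips above (no credential sharing, strong authentication and auditing, monitoring for malicious activity, keeping examinable logs) only pay off if someone actually looks at the logs. The following is an added example, not code from the original post or from NTT Security, of two simple detections run over cloud audit records: an access key used from several source addresses with several different client user agents (a common sign that a credential has been shared or stolen), and a sensitive administrative action performed without MFA. The JSON-lines record layout, the `SENSITIVE_ACTIONS` set and every log line are constructed assumptions for this example, not any provider's real log schema or real data.

```python
import json
from collections import defaultdict

# Assumption: which actions are sensitive enough to require MFA in this example.
SENSITIVE_ACTIONS = {"CreateAccessKey", "DisableAuditLog", "DeleteUser", "AttachAdminPolicy"}

# Constructed sample audit log in a hypothetical JSON-lines layout (assumption,
# not a real provider schema). One record per API call.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:01Z", "principal": "alice", "key_id": "KEY-ALICE-1", "source_ip": "10.1.4.20", "user_agent": "cloud-cli/2.0", "mfa": true, "action": "ListStorage"}
{"ts": "2024-05-01T08:02:17Z", "principal": "alice", "key_id": "KEY-ALICE-1", "source_ip": "10.1.4.20", "user_agent": "cloud-cli/2.0", "mfa": true, "action": "ReadObject"}
{"ts": "2024-05-01T08:05:40Z", "principal": "deploy-bot", "key_id": "KEY-BOT-7", "source_ip": "10.2.0.15", "user_agent": "iac-tool/1.7", "mfa": false, "action": "LaunchInstance"}
{"ts": "2024-05-01T09:11:03Z", "principal": "deploy-bot", "key_id": "KEY-BOT-7", "source_ip": "198.51.100.23", "user_agent": "python-requests/2.31", "mfa": false, "action": "CreateAccessKey"}
{"ts": "2024-05-01T09:12:30Z", "principal": "deploy-bot", "key_id": "KEY-BOT-7", "source_ip": "203.0.113.77", "user_agent": "curl/8.4", "mfa": false, "action": "ListUsers"}
{"ts": "2024-05-01T09:30:00Z", "principal": "bob", "key_id": "KEY-BOB-2", "source_ip": "10.1.4.31", "user_agent": "console", "mfa": false, "action": "DisableAuditLog"}
"""


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_shared_credentials(records):
    """Flag keys used from more than one source IP with more than one user agent."""
    ips, agents, owner = defaultdict(set), defaultdict(set), {}
    for r in records:
        ips[r["key_id"]].add(r["source_ip"])
        agents[r["key_id"]].add(r["user_agent"])
        owner[r["key_id"]] = r["principal"]
    findings = []
    for key, ip_set in ips.items():
        # One key, one workload: several addresses *and* several clients is the
        # pattern of a credential that has been copied around or exfiltrated.
        if len(ip_set) > 1 and len(agents[key]) > 1:
            findings.append({
                "rule": "shared_credential",
                "principal": owner[key],
                "detail": f"{key} used from {len(ip_set)} addresses with "
                          f"{len(agents[key])} user agents: {sorted(ip_set)}",
            })
    return findings


def find_sensitive_without_mfa(records):
    """Flag sensitive actions where the session did not present MFA."""
    return [
        {"rule": "sensitive_without_mfa", "principal": r["principal"],
         "detail": f"{r['action']} at {r['ts']} from {r['source_ip']}"}
        for r in records
        if r["action"] in SENSITIVE_ACTIONS and not r.get("mfa", False)
    ]


def detect(text):
    """Run both detections over a log text and return all findings."""
    records = parse_log(text)
    return find_shared_credentials(records) + find_sensitive_without_mfa(records)


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['principal']}: {f['detail']}")
```

On the sample log this produces three findings: `KEY-BOT-7` used from three addresses by three different clients (an automation key that has evidently escaped its pipeline), the `CreateAccessKey` call made with that key and no MFA, and `bob` disabling audit logging without MFA. The last one is exactly why the "store logs securely" tip matters: the record of someone turning off logging has to land somewhere the same person cannot delete it.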
The cloud appears to be here to stay. Bring security into the cloud and don’t leave it stranded on the ground.
Contact us for more information on how to enhance your cloud security!