...

For the IaaS model, the cloud service provider provides only the hardware; all security and backup is the user organisation's responsibility.
Examples of IaaS include Rackspace, Google Compute Engine, or Amazon EC2.

What are the security risks to cloud services?

Most data breaches in the cloud occur when criminals gain access through badly configured accounts and interfaces and then locate valuable data. This is usually the result of weak user access control and misconfiguration, both of which are the responsibility of the cloud service customer.

...

For more information see NCSC's guidance on MFA

Working with a cloud provider can be unfamiliar and new for some organisations, and it is helpful to outline from the start where the line is between the cloud provider's security responsibilities and those of the user organisation. Each provider and each service will have a different security model, different tools for ensuring security, different configuration parameters, different dashboards and different contact points. Putting all these details together and creating a coherent multi-cloud security strategy is a vital process. It is a good idea to have security in mind when researching a cloud service product in the first place, and to document a named point of contact to help and support your organisation if there are difficulties.

Although the potential cost saving, flexibility and scalability attract many modern businesses to cloud computing, it also represents a paradigm shift for business owners and their staff, who need to understand new services, tools and processes. When using cloud services, it is necessary to set up separate policies on each individual service and ensure that all access is controlled. It may be necessary to update staff about the functions and responsibilities in the cloud with training and information courses on each chosen cloud service.

The business owner or IT manager should reference their service-level agreements, and clear up any confusion with the provider when necessary to ensure a successful security strategy.

Google, AWS and Microsoft all offer a range of certifications and cloud computing training programs for their platforms. The goal is to get companies that aren’t as familiar with cloud to be comfortable with modern techniques and practices.

For Infrastructure as a Service, the user organisation is responsible for maintaining its operating system, data use and applications, and is therefore in control of the implementation of all 5 Cyber Essentials controls.

With Platform as a Service, the cloud service provider manages the security of the underlying infrastructure and operating system, and the user manages their data use and applications; this means the user needs to control secure configuration, user access control and security update management.

For Software as a Service, the user organisation is usually only responsible for secure configuration and access control, and the cloud service provider usually takes care of the malware protection, firewalls and security update management.
Where the cloud provider implements a control, the user organisation must satisfy themselves that this has been done to the required standard. Details of implementation of these controls can usually be found in the terms and conditions of the service. Look within contractual clauses or in documents referenced by contract, such as security statements or privacy statements. Cloud providers will often explain how they implement security in documents published in their trust centres.
The security arrangements of a cloud provider are sometimes explicitly documented; for example, Microsoft Azure and AWS document shared responsibilities and whether the provider or the customer is responsible for aspects of security operations and management. With smaller providers or SaaS products, however, these details may be less explicit, but they will still need to be accounted for.

Understanding your security responsibility is essential to keeping your data safe in the cloud.

The five core controls

Secure configuration
The responsibility of the user organisation for all cloud services
An 'out-of-the-box' set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks. Where you are able to do so, remove or disable all the software that you do not use on your cloud services.

*Check your cloud services and disable any services that are not required for day-to-day use.
*Ensure that all your cloud services only contain necessary user accounts that are regularly used in the course of your business.
*Remove or disable any user accounts that are not needed in day-to-day use on cloud services.

User access control
The responsibility of the user organisation for all cloud services
User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When these privileged accounts are accessed by attackers they can cause the greatest damage, because they can usually perform actions such as installing malicious software and making changes. Special access includes privileges over and above those of normal users.

Privileged access — Identify all possible forms of access that privileged accounts may have to your data and applications, and put in place controls to mitigate exposure. It is not acceptable to work on a day-to-day basis in a privileged “administrator” mode.

(See guidance about accounts.)

Enable multi-factor authentication (MFA) on all user accounts and all administrator accounts on all of your cloud services.
(See guidance on applying MFA to access cloud services.)
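The two controls above (remove unused accounts; MFA on every account that can sign in) can be checked mechanically. The following is an added example, not part of this guidance or any provider's tooling: it audits a constructed sample laid out like an AWS IAM credential report and flags console accounts without MFA, a root account holding access keys, and accounts unused for 90 days. The report layout, account names and timestamps are assumptions for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample laid out like an AWS IAM credential report (the real one comes
# from `aws iam get-credential-report`). Every account and timestamp here is invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,true,2021-01-05T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T08:00:00+00:00,true,2024-05-20T08:30:00+00:00,2024-01-10T08:00:00+00:00,N/A,true,true,2024-01-10T08:00:00+00:00,2024-05-20T08:30:00+00:00,eu-west-2,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-03-01T08:00:00+00:00,true,2023-09-15T11:00:00+00:00,2023-01-10T08:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-svc,arn:aws:iam::111122223333:user/deploy-svc,2023-06-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-06-01T08:00:00+00:00,2024-05-21T02:00:00+00:00,eu-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the sample audit is reproducible

def _parse_time(value):
    """Report cells hold ISO-8601 timestamps or placeholders such as N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now=NOW, stale_days=90):
    """Return (user, issue) pairs for accounts that break the secure-configuration or access-control controls."""
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console sign-in exists when a password is enabled; the root row reports not_supported
        # but always has one. Key-only service users cannot use MFA, so they are not flagged here.
        console_login = row["password_enabled"] in ("true", "not_supported")
        if console_login and row["mfa_active"] != "true":
            findings.append((user, "no MFA on console login"))
        if user == "<root_account>" and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            findings.append((user, "root account has active access keys"))
        # An account is stale when it is old enough to have been used but no credential has been.
        created = _parse_time(row["user_creation_time"])
        used = [t for t in map(_parse_time, (row["password_last_used"], row["access_key_1_last_used_date"],
                                             row["access_key_2_last_used_date"])) if t]
        if created and created < cutoff and (not used or max(used) < cutoff):
            findings.append((user, f"not used in {stale_days} days; remove or disable"))
    return findings

if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {issue}")
```

Running it against the sample reports the root account twice (no MFA, active access keys) and bob twice (no MFA, unused for more than 90 days); alice and the key-only deploy-svc user pass.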

Security update management
The responsibility of the user organisation for IaaS and PaaS cloud services.
To protect your organisation, you should ensure that all your software is always up-to-date with the latest security updates.
(See guidance about software.)

Malware protection
The responsibility of the user organisation for IaaS and PaaS cloud services
Malware (such as computer viruses) is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attack such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focused attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages. Malware is continually evolving, so it is important that the supplier includes both malware signatures and heuristic detection facilities which are updated as frequently as possible. Anti-malware products can also help confirm whether websites you visit are malicious.

Prevent malware from entering cloud services using techniques such as file-scanning, application whitelisting, machine learning-based malware detection, and network traffic analysis.
(See guidance about malware.)

Firewalls
The responsibility of the user organisation for IaaS.
(See guidance about firewalls.)

The cloud is a term used for a series of remote access services that exist on the internet. When you access services or store information in the cloud, they are not located on your own personal device (e.g. the hard drive on your laptop, your phone or external drives), but on a computer owned by someone else and located somewhere else. The computers used for cloud services are usually housed in massive data centres and can be anywhere in the world.

Benefits of cloud services

When a business signs up for services with a Cloud Service Provider (CSP), they must initially transfer their business data to the cloud computers located in the data centres. They will not have to look after the servers themselves (which includes updating them regularly), because the data centre does this for them. Using a CSP not only allows the business to access the very latest technology, but it also gives them the flexibility to try out applications offered by the CSP. The latest applications are already bought and installed in the data centre, and this provides options for a business without them needing to invest in change upfront. With a pay-as-you-go model, cloud applications can simply be cancelled if they don't perform as hoped.

Another benefit of the 'as a service' model is that, because a professional company is managing your technology and providing support and maintenance, more of your budget and time can be spent on business strategy and less on IT and security. Cloud services provide access to automatic updates, which can be included in your service fee.

As long as you ensure that you choose a reputable CSP, their cyber security expertise and investment will most likely be much higher than anything you could afford. For this reason, data is usually more secure in cloud data centres than on the computers of small companies. Having your data stored in the cloud can help with business continuity, as system and infrastructure backups prevent data loss from natural disasters, power failures and other crises.

Your business can scale up or scale down your operations and IT systems to suit your situation, allowing for more flexibility as your needs change. If you start off by buying quite a small amount of cloud services, you can simply increase this as your company grows, without needing to change and invest in your IT infrastructure yourself.

Security risks of the cloud

As seductive as it is to relax in the hope that your CSP is managing all the security risks, this may not be the case. It is vital that organisations adopting cloud technologies and choosing cloud services and applications fully inform themselves about the ever-changing threats, risks and vulnerabilities associated with the cloud. It is also vital that they properly research their CSP to ensure that the security policies adequately reflect their business’ requirements.

A cloud environment experiences the same threats as traditional companies. Hackers will always be trying to exploit vulnerabilities, which can be found in all software, wherever it is run. In cloud computing, responsibility for mitigating these security risks is shared between the CSP and the cloud customer.

Minimising the risks

...

Use two-factor authentication or multi-factor authentication – If you can access your data remotely, so can cyber-criminals. Multi-factor authentication (MFA) gives a crucial layer of added security when logging into your cloud accounts. Instead of just a password, MFA asks a user to provide another form of authentication. This might be a password plus a code received as an SMS, or a fingerprint scan.

...

Limit and monitor the access of your users. Limiting access can limit the impact when account information like usernames and passwords is stolen or a disgruntled employee wants to cause harm. (See guidance about accounts.)

...

Encrypt data – Encryption is the process of encoding information so that only people with access to a secret key can understand it. This helps provide data security.

...

Provide anti-phishing and security training. It is important that the individuals who use the system are educated about best practice behaviour and the tactics used by people who send phishing emails. Phishing attacks are a common way that hackers access even the most secure cloud databases.

...

Cloud customers are advised to develop a thorough understanding of the services they are buying and to use the security tools provided by the CSP. If you are not confident in this area, it is advisable to ask an IT consultant to help you check the security policies of your CSP.

...