Page Properties

Area: Tech & Cyber Basics

Page Type: Content Page

Page Name: Securing your cloud services - streamlined

Last Updated: 16/12/24 (previous version: 30/04/24)

Update Notes:

Reviewed: 16/12/24 (previous version: 24/06/24)

Reviewer: JC

Next Review: 16/12/25 (previous version: 24/06/25)

Links checked: 16/12/24 (previous version: 16/09/24)

The below will appear on the Refined page at Securing your cloud services


What is meant by cloud services?

Different components of computing are available to users remotely over the internet, payable on demand or by subscription. 'Cloud services' is the collective name for these externally managed services. Examples are Microsoft 365, Dropbox, Google Drive, AWS and Citrix Workspace.

Most organisations use a great many cloud services; they allow flexible and collaborative use of a resource without the large outlay for ever-changing technology. Cloud computing has revolutionised working models by allowing workers to access and share company information from any location and to deliver services online.

Where is ‘the cloud’?

Most servers used for cloud services are owned by private organisations such as Amazon, Microsoft or Apple, who keep millions of people's data and make it accessible to them via the internet. The biggest data storage servers in the world are located in China, the USA and India; some are even situated at the bottom of the ocean. The location of the computers in 'the cloud' that hold your data is very important: it is the legal location of the data, and if that data is 'personal data', you may be breaking the law if it is located outside the UK or the European Union. It is also important to know something about the company that is hosting the cloud service and looking after the computers which hold your data. Many data centres are kept up to date and secure, but some are not, and may put your data at risk.

How does cyber security apply to cloud services?

If workers can access organisation information over the internet from any location, so can criminals. This has resulted in an increasing number of attacks on cloud services, using techniques to steal users' passwords in order to access their accounts. For this reason, it is important that these services are set up correctly and have the essential security controls in place.

Cloud services are not secure by default, so it is crucial that organisations understand their role and responsibilities in the security of the cloud services they use. The five core controls of Cyber Essentials apply to all cloud services.

Most cloud providers attempt to create a secure cloud for customers and aim to prevent breaches and maintain public trust. Most invest significant resources in keeping their services secure; that said, not all cloud service providers understand or value security. It is essential that the user organisation researches the security controls used by the cloud service provider before entrusting organisational data to that service.

When talking about security, cloud service providers often reference a 'shared responsibility model'. This means that for some security controls it is the cloud provider that is responsible for implementation, whereas for other features it is the user organisation. Who implements which controls will vary depending on the design of the cloud service being subscribed to. The Cyber Essentials requirements specify that where the cloud provider implements a control, it is your responsibility to satisfy yourself that this has been done to the required standard.

See guidance on the shared responsibility model: Explaining the Shared Responsibility Model

What is the difference between public, private and hybrid cloud?

Public cloud services are the widespread and commonly used cloud computing model. All the resources needed to run the infrastructure (servers, storage, networking components and supporting software) are owned and managed by the third-party provider, and accessed by users within organisations over the Internet via a web browser. In a public cloud, companies share the infrastructure with other organisations, but data and workloads are usually kept isolated from each other in a safe and secure virtual space. Rather than having to own and operate the hardware, organisations pay only for the services they actually use.

A private cloud service is a computing infrastructure devoted to use by a single organisation. It can be housed in a privately owned data centre facility or at that of a third-party service provider. The defining characteristic is that the IT resources are run and maintained on a private network for one user organisation only; consequently, the security controls are under that organisation's full management.

Hybrid cloud is any environment that uses both public and private cloud.

For the purpose of this guidance, we are talking about public cloud services.

Where to start?

In order to protect your organisational data that is located in the cloud, start by creating a list of all the cloud services used within your organisation.

The three main categories of cloud computing

There are three major cloud service models. The letters 'aaS' stand for 'as a service', which means organisations can rent facilities that are physically elsewhere for a range of different purposes.

Software as a Service (SaaS)

SaaS cloud service providers host the applications and make them available to users over the internet. With SaaS, organisations do not have to download any software to their existing IT infrastructure.

SaaS is used by most organisations for everyday tasks such as creating and sharing files, signing and sending contracts, and project management. The tools and applications are highly scalable and easy to access remotely, which is particularly helpful for distributed global teams who do not work in close proximity.

Examples of SaaS include Microsoft 365, Jira, Dropbox and Gmail.

Platform as a Service (PaaS)

Platform as a Service offers developers a platform for software development and deployment over the internet, enabling them to access up-to-date tools. A person or company might use PaaS if they needed a collaborative development and deployment environment to create and manage custom applications, without the need to build and maintain the underlying infrastructure themselves.

Examples of PaaS include Azure Web Apps and Amazon Web Services Lambda.

Infrastructure as a Service (IaaS)

An IaaS cloud service provider hosts the infrastructure components that typically exist in an on-premises data centre including servers, storage and networking hardware as well as the hypervisor or virtualisation layer. A company might use IaaS if they need to develop bespoke applications and programmes but are not equipped to handle the infrastructure that this requires. The user organisation would access, configure and manage the resources using a dashboard or Application Programming Interface (API).

In addition to program development and testing, IaaS is also a solution for disaster recovery and backup, hosting complex websites, high-performance computing and big data analysis.

For the IaaS model, the cloud service provider only provides the hardware; all of the security and backing up is the user organisation's responsibility.

Examples of IaaS include Rackspace, Google Compute Engine and Amazon EC2.

What are the security risks to cloud services?

Most data breaches in the cloud occur when criminals are able to gain access through badly configured accounts and interfaces and locate valuable data. This is usually due to weak user access control and misconfiguration, and is the responsibility of the cloud service customer.

According to research by Microsoft, there are over 300 million fraudulent sign-in attempts to their cloud services every day. Most data breaches involve weak, default or stolen passwords, which highlights the requirement for a comprehensive password policy and strong authentication. It is estimated that 99.9% of attacks can be blocked with multi-factor authentication (MFA).

Another threat to data stored with cloud services comes from employees' unintentional mistakes or malicious intent, also known as the 'insider threat'. A rogue employee can use their knowledge of and access to company information to steal data or commit fraud.

Access to sensitive resources needs to be limited to employees who require that information to perform their job. Administrator accounts usually give the most access to the system, and it is essential that they are protected with MFA. Privileged accounts such as these need to be created, restricted and controlled with a comprehensive policy.

As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to provide additional protection to all accounts that are accessible from the internet. No matter how an attacker acquires a password, if multi-factor authentication is enabled, it will act as a safeguard on the account.
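As an added example (not part of the original guidance, and not a tool from any cloud provider), the Python script below shows the kind of check the two paragraphs above call for: given an export of cloud accounts, it lists the privileged (administrator) accounts that need restricting and reports every account, admin or not, that does not have MFA enabled. The CSV layout, the column names and the role names are assumptions chosen to resemble a Microsoft 365-style user export; the rows are constructed sample data, not real accounts.

```python
import csv
import io

# Constructed sample export (not real data): one row per cloud account, in the
# shape a Microsoft 365-style user export might take. Column names and role
# names are assumptions for this example.
SAMPLE_EXPORT = """\
user,roles,mfa_enabled
alice@example.org,Global Administrator,true
bob@example.org,User,false
carol@example.org,Billing Administrator;User,false
dave@example.org,User,true
svc-backup@example.org,User,false
"""

# Any role whose name contains this word is treated as privileged (assumption).
ADMIN_MARKER = "administrator"


def parse_accounts(export_text):
    """Turn the CSV export into a list of dicts with normalised fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        roles = [r.strip() for r in row["roles"].split(";") if r.strip()]
        accounts.append({
            "user": row["user"].strip(),
            "roles": roles,
            "mfa_enabled": row["mfa_enabled"].strip().lower() == "true",
            "privileged": any(ADMIN_MARKER in r.lower() for r in roles),
        })
    return accounts


def privileged_accounts(accounts):
    """Accounts holding an administrator role: the list to review and restrict."""
    return sorted(a["user"] for a in accounts if a["privileged"])


def audit(accounts):
    """Return (severity, user, message) findings for the rules in the guidance:
    every internet-accessible account should have MFA (HIGH if it does not),
    and an administrator account without MFA is the worst case (CRITICAL)."""
    findings = []
    for a in accounts:
        if a["mfa_enabled"]:
            continue
        if a["privileged"]:
            findings.append(("CRITICAL", a["user"],
                             "administrator account without MFA: " + ", ".join(a["roles"])))
        else:
            findings.append(("HIGH", a["user"], "account without MFA"))
    order = {"CRITICAL": 0, "HIGH": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    accts = parse_accounts(SAMPLE_EXPORT)
    print("Privileged accounts to review:", privileged_accounts(accts))
    for severity, user, message in audit(accts):
        print(f"{severity:8} {user:25} {message}")
```

Run against the sample data, the script flags carol (an administrator without MFA) as CRITICAL and bob and svc-backup as HIGH; alice and carol appear on the privileged list for review. To use it on a real export, replace SAMPLE_EXPORT with the contents of the file and adjust the column and role names to match the provider's format.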

When you are setting up your cloud service account, you will be asked to set a password; this must have at least 8 characters. You must also enable MFA on your account (if available). This means that, in addition to the password, account holders will be asked to prove their identity in one or more other ways, such as a code sent to another device (for example a text message to a mobile phone) or a single-use code generated by an authenticator app or physical token.

The NCSC recommends the following forms of MFA, in order of effectiveness:

  • Using a physically separate extra factor - such as a FIDO2 key

  • Using an authenticator app on a trusted device as an extra factor - such as Google Authenticator or Microsoft Authenticator

  • Using an app-based code generator - an app is used to generate a one-time code

  • Using a hardware-based code generator - a physical token is used to generate a code

  • Using a message-based method - an email, SMS message or voice call

For more information see NCSC's guidance on MFA

    ...