
Title of Content: cloud services

Primary Category: streamlined requirements

Secondary Category: Cyber Essentials

What is meant by Cloud services?

Different components of computing are made available to users within an organisation remotely over the internet, paid for on demand or by subscription. Cloud services is the collective name for these externally managed services. Examples are Microsoft 365, Dropbox, Google Drive, AWS and Citrix Workspace.

Most organisations use a great many cloud services: they allow flexible and collaborative use of a resource without the large outlay for ever-changing technology. Cloud computing has revolutionised working models by allowing workers to access and share company information from any location and to deliver services online.

Where is ‘the cloud’?

Most computers used for cloud services are owned by private organisations such as Amazon, Microsoft or Apple, which keep millions of people’s data and make it accessible to them via the internet. The biggest data storage servers in the world are located in China, the USA and India; some are even situated at the bottom of the ocean. The location of the computers in ‘the cloud’ that hold your data is very important: it is the legal location of the data, and if that is ‘personal data’, you may be breaking the law if it is located outside the UK or the European Union. It is also important to know something about the company that is hosting the cloud service and looking after the computers which hold your data. Many data centres are kept up to date and secure, but some are not, and may put your data at risk.

How does cyber security apply to cloud services?

If workers can access organisation information over the internet from any location, so can criminals, and this has resulted in an increasing number of attacks on cloud services using techniques to steal users’ passwords and access their accounts. It is important that these services are set up correctly and have the essential security controls in place.

It is crucial that organisations understand their role and responsibilities in the security of the cloud services they use. The five core controls of Cyber Essentials apply to all cloud services.

Most cloud providers attempt to create a secure cloud for customers and aim to prevent breaches and maintain public trust. Most invest a significant amount of resources to keep their services secure, however, they cannot control how their customers use the service, what data they add to it, and who has access.  It is worth bearing in mind that not all cloud service providers understand or value security.  It is essential that the user organisation researches the security controls used by the cloud service provider before entrusting organisational data to that service.

When talking about security, cloud service providers often reference a 'shared responsibility model'. This means that for some security controls it is the cloud provider that is responsible for implementation, whereas for other features it is the user organisation. Who implements which controls will vary depending on the design of the cloud service being subscribed to. The Cyber Essentials requirements specify that where the cloud provider implements a control, it is your responsibility to satisfy yourself that this has been done to the required standard.

(See guidance on the shared responsibility model)

What is the difference between public, private and hybrid cloud?

Public cloud services are the widespread and commonly used cloud computing model. All the resources needed to run the infrastructure (servers, storage, networking components, and supporting software) are owned and managed by the third-party provider, and accessed by the users within organisations over the Internet via a web browser. In a public cloud, companies share the infrastructure with other organisations, but data and workloads are usually kept isolated from each other in a safe and secure virtual space. Rather than having to own and operate the hardware, organisations pay only for the services they actually use.
A private cloud service is a computing infrastructure devoted to use by a single organisation. It can be housed in a privately owned data centre facility or at that of a third-party service provider. The defining characteristic is that the IT resources are run and maintained on a private network for one user organisation only and consequently, the security controls are under their full management.
Hybrid cloud is any environment that uses both public and private cloud.

For the purpose of this guidance, we are talking about public cloud services.

Where to start?

In order to protect your organisational data located in the cloud, start by creating a list of all the cloud services used within your organisation.

The three main categories of cloud computing

There are three major cloud service models. The aaS letters stand for ‘as a service’ which means organisations can rent facilities that are physically elsewhere for a range of different purposes.

Software as a Service (SaaS)

SaaS cloud service providers host the applications and make them available to users over the internet. With SaaS, organisations do not have to download any software to their existing IT infrastructure.

SaaS is used by most organisations for everyday tasks such as creating and sharing files, signing and sending contracts, and project management. The tools and applications are highly scalable and easy to access remotely, which is particularly helpful for distributed global teams who don’t work in close proximity.
Examples of SaaS include Microsoft 365, Jira, Dropbox, Gmail.

Platform as a Service (PaaS)

Platform as a service offers developers a platform for software development and deployment over the internet, enabling them to access up-to-date tools. A person or company might use PaaS if they needed a collaborative development and deployment environment to create and manage custom applications, without the need to build and maintain the underlying infrastructure themselves.
Examples of PaaS include Azure Web Apps and Amazon Web Services Lambda.

Infrastructure as a Service (IaaS)

An IaaS cloud service provider hosts the infrastructure components that typically exist in an on-premises data centre including servers, storage and networking hardware as well as the hypervisor or virtualisation layer. A company might use IaaS if they need to develop bespoke applications and programmes but are not equipped to handle the infrastructure that this requires. The user organisation would access, configure and manage the resources using a dashboard or Application Programming Interface (API).

As well as program development and testing, IaaS is also used for disaster recovery and backup, hosting complex websites, high-performance computing and big data analysis.

In the IaaS model, the cloud service provider only provides the hardware; all of the security and backing up is the user organisation’s responsibility.
Examples of IaaS include Rackspace, Google Compute Engine, or Amazon EC2.

What are the security risks with cloud services?

Most data breaches in the cloud occur when criminals are able to gain access through badly configured accounts and interfaces to locate valuable data. This is usually due to weak user access control and misconfiguration and is the responsibility of the cloud service customer.

According to research by Microsoft, there are over 300 million fraudulent sign-in attempts to their cloud services every day.  Most data breaches involve weak, default or stolen passwords which highlights the requirement for comprehensive password policy and strong authentication. It is estimated that 99.9% of attacks can be blocked with Multi-Factor Authentication.

Another threat to data stored with cloud services is from the unintentional mistakes or malicious intent from employees, also known as the ‘insider threat’. A rogue employee can use their knowledge and access to company information to steal data or commit fraud.

Access to sensitive resources needs to be limited to employees that require that information to perform their job. Administrator accounts usually give the most access to the system and it is essential that they are protected with MFA. Privileged accounts, such as these, need to be created, restricted and controlled with a comprehensive policy.

As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to provide additional protection to administrative accounts and user accounts that are accessible from the internet. No matter how an attacker acquires a password, if multi factor authentication is enabled, it will act as a safeguard on the account.

When you are setting up your cloud service account, you will be asked to set a password; this must have at least 8 characters. You must also enable MFA on your account (if available), which means that in addition to the password, account holders will be asked to prove their identity in one or more other ways. This could be through a code sent to another device, such as a text message to a mobile phone, or a single-use code generated by an authenticator app or physical token. There are four types of additional factor that may be considered for businesses:

  • A managed/enterprise device

  • An app on a trusted device

  • A physically separate token

  • A known or trusted account

For more information see NCSC's guidance on MFA
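The single-use code from an authenticator app mentioned above is a time-based one-time password. The following is an added example, not code from the Cyber Essentials or NCSC guidance: it computes and verifies such codes as RFC 6238 describes, then wires the check into a two-factor login that rejects a correct password on its own and rejects a code that has already been used within its window. The in-memory user store, the user name and password, and the PBKDF2 password hashing are assumptions for the demo; the secret is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time-step counter the submitted code matches, or None.
    Adjacent windows (+/- `window`) are accepted to tolerate clock drift between
    the authenticator and the server; the comparison is constant-time."""
    if not submitted.isascii():
        return None
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return counter + delta
    return None


# Constructed in-memory user store (assumed layout). A real service keeps this in a
# database and protects the TOTP secret at rest.
_USERS: dict = {}
_PBKDF2_ROUNDS = 200_000


def enrol_user(username: str, password: str, totp_secret: bytes) -> None:
    salt = os.urandom(16)
    _USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest counter already accepted: each code is single use
    }


def login(username: str, password: str, code: str, at_time: int) -> bool:
    """Both factors must pass. A correct password with a missing, wrong or
    previously used code is rejected, so a stolen password alone is not enough."""
    user = _USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], _PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    matched = verify_totp(user["totp_secret"], code, at_time)
    if matched is None or matched <= user["last_counter"]:
        return False            # wrong code, or a replay of an already accepted code
    user["last_counter"] = matched
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test-vector secret
    enrol_user("alice", "correct horse battery staple", secret)
    code = totp(secret, 59)
    print("code at t=59:", code)          # 287082 (RFC 6238 vector, 6 digits)
    print("password + code:", login("alice", "correct horse battery staple", code, 59))
    print("same code replayed:", login("alice", "correct horse battery staple", code, 59))
    print("password only:", login("alice", "correct horse battery staple", "", 59))
```

The replay check (`last_counter`) is what makes the code genuinely single use: without it, a code intercepted during its 30-second window could be submitted a second time. The one-window tolerance is the usual compromise between clock drift and the size of the window an intercepted code stays valid for.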

Working with a cloud provider can be unfamiliar and new for some organisations and it is helpful to outline from the start where the line is between the cloud provider’s security responsibilities and those of the user organisation. Each provider and each service will have different security models, different tools for ensuring security, different configuration parameters, different dashboards and different contact points. Putting all these details together and creating a coherent multi-cloud security strategy is a vital process.  It is a good idea to have security in mind  when researching a cloud service product in the first place, and to document a named point of contact to help and support your organisation if there are difficulties.

Although the potential cost saving, flexibility and scalability attracts many modern businesses to cloud computing, it also represents a paradigm shift for business owners and their staff who need to understand new services, tools and processes. When using cloud services, it is necessary to set up separate policies on each individual service and ensure that all access is controlled. It may be necessary to update staff about the functions and responsibilities in the cloud with training and information courses on each chosen cloud service.

The business owner or IT manager should reference their service-level agreements, and clear up any confusion with the provider when necessary to ensure a successful security strategy.

Google, AWS and Microsoft all offer a range of certifications and cloud computing training programs for their platforms. The goal is to get companies that aren’t as familiar with cloud to be comfortable with modern techniques and practices.

For Infrastructure as a Service, the user organisation is responsible for maintaining its operating system, data use and applications, and is therefore in control of the implementation of all 5 Cyber Essentials controls.

With Platform as a Service, the cloud service provider manages the security of the underlying infrastructure and operating system, and the user manages its data use and applications; this means the user needs to control secure configuration, user access control and security update management.

For Software as a Service, the user organisation is usually only responsible for secure configuration and access control, and the cloud service provider usually takes care of the malware protection, firewalls and security update management.
Where the cloud provider implements a control, the user organisation must satisfy themselves that this has been done to the required standard. Details of implementation of these controls can usually be found in the terms and conditions of the service. Look within contractual clauses or in documents referenced by contract, such as security statements or privacy statements. Cloud providers will often explain how they implement security in documents published in their trust centres.
The security arrangements of a cloud provider are sometimes explicitly documented; for example, Microsoft Azure and AWS document shared responsibilities and whether the provider or the customer is responsible for aspects of security operations and management. With smaller providers or SaaS products, however, these details may be less explicit, but they will still need to be accounted for.

Understanding your security responsibility is essential to keeping your data safe in the cloud.

The five core controls

Secure configuration
The responsibility of the user organisation for all cloud services
An ‘out-of-the-box’ set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks. Where you are able to do so, remove or disable all the software that you do not use on your cloud services.

  • Check your cloud services and disable any services that are not required for day-to-day use.

  • Ensure that all your cloud services only contain necessary user accounts that are regularly used in the course of your business.

  • Remove or disable any user accounts that are not needed in day-to-day use on cloud services.
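The responsibility mapping for IaaS, PaaS and SaaS given earlier, together with the secure-configuration checklist above, can be turned into a repeatable check. The following is an added Python example that is not part of the Cyber Essentials guidance or of any provider's tooling. It takes a constructed inventory of cloud services with an account listing per service (the field names, the 90-day inactivity threshold and the example tenant and account names are all assumptions) and emits a finding for each enabled-but-unneeded feature, each dormant or default-password account, each account without MFA, and each control the organisation owns for that service model but that an account export cannot evidence. The control-to-model mapping follows the per-control responsibility lines under ‘The five core controls’ below.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Controls the user organisation must implement itself for each service model, taken from
# the responsibility lines under "The five core controls" (provider-owned controls omitted).
CUSTOMER_CONTROLS = {
    "SaaS": {"secure configuration", "user access control"},
    "PaaS": {"secure configuration", "user access control",
             "security update management", "malware protection"},
    "IaaS": {"secure configuration", "user access control",
             "security update management", "malware protection", "firewalls"},
}

INACTIVE_AFTER = timedelta(days=90)   # assumed threshold for "not regularly used"


@dataclass
class Account:
    username: str
    is_admin: bool
    mfa_enabled: bool
    last_login: Optional[date]                # None means never signed in
    default_password_changed: bool = True     # assumed field, meaningful for built-in accounts


@dataclass
class CloudService:
    name: str
    model: str                                # "SaaS", "PaaS" or "IaaS"
    accounts: List[Account]
    enabled_features: Set[str] = field(default_factory=set)
    required_features: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    service: str
    control: str
    detail: str


def customer_controls(model: str) -> Set[str]:
    """Controls the organisation itself must evidence for a service of this model."""
    if model not in CUSTOMER_CONTROLS:
        raise ValueError(f"unknown service model: {model}")
    return set(CUSTOMER_CONTROLS[model])


def audit_service(svc: CloudService, today: date) -> List[Finding]:
    findings: List[Finding] = []
    sc, uac = "secure configuration", "user access control"
    # Secure configuration: enabled features nobody needs, dormant and default accounts.
    for feat in sorted(svc.enabled_features - svc.required_features):
        findings.append(Finding(svc.name, sc, f"feature '{feat}' is enabled but not required; disable it"))
    for acc in svc.accounts:
        if acc.last_login is None or today - acc.last_login > INACTIVE_AFTER:
            findings.append(Finding(svc.name, sc,
                f"account '{acc.username}' not used in {INACTIVE_AFTER.days} days; remove or disable it"))
        if not acc.default_password_changed:
            findings.append(Finding(svc.name, sc,
                f"account '{acc.username}' still has its default password; change it"))
        # User access control: MFA on every account, administrator accounts above all.
        if not acc.mfa_enabled:
            role = "administrator" if acc.is_admin else "user"
            findings.append(Finding(svc.name, uac, f"{role} account '{acc.username}' has no MFA; enable it"))
    # Controls the organisation owns but an account export cannot show are listed as open checks.
    for ctl in sorted(customer_controls(svc.model) - {sc, uac}):
        findings.append(Finding(svc.name, ctl, "customer-owned for this service model; evidence required"))
    return findings


def audit(services: List[CloudService], today: date) -> List[Finding]:
    return [f for svc in services for f in audit_service(svc, today)]


# Constructed sample inventory: example names only, not real tenants or accounts.
SAMPLE_TODAY = date(2024, 5, 6)
SAMPLE_INVENTORY = [
    CloudService("Microsoft 365 (example tenant)", "SaaS",
                 accounts=[
                     Account("alice", is_admin=True, mfa_enabled=True, last_login=date(2024, 5, 2)),
                     Account("contractor-old", is_admin=False, mfa_enabled=False, last_login=date(2023, 11, 1)),
                 ],
                 enabled_features={"mail", "sharepoint", "legacy-auth"},
                 required_features={"mail", "sharepoint"}),
    CloudService("Virtual machines (example IaaS account)", "IaaS",
                 accounts=[
                     Account("admin", is_admin=True, mfa_enabled=False, last_login=date(2024, 5, 3),
                             default_password_changed=False),
                 ]),
]


def run_sample() -> List[Finding]:
    return audit(SAMPLE_INVENTORY, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.service}] {f.control}: {f.detail}")
```

Run as a script it prints one line per finding. The account and feature fields would in practice be filled from each provider's own user and configuration export, which is why the inventory list is the starting point: a service that is not on the list is never audited.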

User access control
The responsibility of the user organisation for all cloud services
User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When these privileged accounts are accessed by attackers they can cause the most damage, because they can usually perform actions such as installing malicious software and making changes. Special access includes privileges over and above those of normal users.

Privileged access — Identify all possible forms of access that privileged accounts may have to your data and applications, and put in place controls to mitigate exposure. It is not acceptable to work on a day-to-day basis in a privileged “administrator” mode.

(See guidance about accounts.)

Enable multi-factor authentication (MFA) to all user accounts and all administrator accounts on all of your cloud services
(See guidance applying MFA to access cloud services.)

Security update management
The responsibility of the user organisation for IaaS and PaaS cloud services.
To protect your organisation, you should ensure that all your software is always up-to-date with the latest security updates.
(See guidance about software.)

Malware protection
The responsibility of the user organisation for IaaS and PaaS cloud services
Malware (such as computer viruses) is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attack such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focused attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages. Malware is continually evolving, so it is important that the supplier includes both malware signatures and heuristic detection facilities which are updated as frequently as possible. Anti-malware products can also help confirm whether websites you visit are malicious.

Prevent malware from entering cloud services using techniques such as file-scanning, application whitelisting, machine learning-based malware detection, and network traffic analysis.
(See guidance about malware.)

Firewalls
The responsibility of the user organisation for IaaS.
(See guidance about firewalls.)

The cloud is a term used for a series of remote access services that exist on the internet. When you access services or store information in the cloud, they are not located on your own personal device (e.g. the hard drive on your laptop, your phone or external drives), but on a computer owned by someone else and located somewhere else.  The computers used for cloud services are usually housed in massive data centres and can be anywhere in the world. 

Benefits of cloud services 

When a business signs up for services with a Cloud Service Provider (CSP), it must initially transfer its business data to the cloud computers located in the data centres. It will not have to look after the servers itself (which includes updating them regularly), because the data centre does this for it. Using a CSP not only allows the business to access the very latest technology, but also gives it the flexibility to try out applications offered by the CSP. The latest applications are already bought and installed in the data centre, and this provides options for a business without it needing to invest in change upfront. With a pay-as-you-go model, cloud applications can simply be cancelled if they don’t perform as hoped.

Another benefit of the ‘as a service’ model is that because a professional company is managing your technology and providing support and maintenance, more of your budget and time can be spent on business strategy and less on IT and security. Cloud services provide access to automatic updates, which can be included in your service fee.

As long as you ensure that you choose a reputable CSP, their cyber security expertise and investment will most likely be much higher than anything you could afford.  For this reason,  data is usually more secure in cloud data centres than on the computers of small companies. Having your data stored in the cloud can help with business continuity, as system and infrastructure backups prevent data loss from natural disasters, power failures and other crises.

Your business can scale up or scale down your operations and IT systems to suit your situation, allowing for more flexibility as your needs change.  If you start off by buying quite a small amount of cloud services, you can simply increase this as your company grows, without needing to change and invest in your IT infrastructure yourself.   

Security risks of the cloud 

As seductive as it is to relax in the hope that your CSP is managing all the security risks, this may not be the case. It is vital that organisations adopting cloud technologies and choosing cloud services and applications fully inform themselves about the ever-changing threats, risks and vulnerabilities associated with the cloud. It is also vital that they properly research their CSP to ensure that the security policies adequately reflect their business’ requirements.

A cloud environment experiences the same threats as traditional companies. Hackers will always be trying to exploit vulnerabilities, which can be found in all software, wherever it is run. In cloud computing, responsibility for mitigating these security risks is shared between the CSP and the cloud customer.

Minimising the risks 

  • Use two-factor authentication or multi-factor authentication – If you can access your data remotely, so can cyber-criminals. Multi-factor authentication (MFA) gives a crucial layer of added security when logging into your cloud accounts. Instead of just a password, MFA asks a user to provide another form of authentication. This might be a password plus a code received as an SMS or a fingerprint scan.

  • Limit and monitor the access of your users. Limiting access can limit the impact when account information like usernames and passwords is stolen or a disgruntled employee wants to cause harm. (See guidance about accounts.)

  • Encrypt data – Encryption is the process of encoding information so that only people with access to a secret key can understand it. This helps provide data security. 

  • Provide anti-phishing and security training. It is important that the individuals who use the system are educated about best practice behaviour and the tactics used by people who send phishing emails. Phishing attacks are a common way that hackers access even the most secure cloud databases.

  • Cloud customers are advised to develop a thorough understanding of the services they are buying and to use the security tools provided by the CSP. If you are not confident in this area, it is advisable to ask an IT consultant to help you check the security policies of your CSP.

  • Most CSPs give significant guarantees against loss of data, however no system is perfect. Major cloud service providers have accidentally lost customer data. Ensure that your chosen CSP has data backup and recovery processes that meet your organisation’s needs.
