In spite of its nebulous name, ‘cloud migration’ has arguably been the most tangible development in digital technology in recent years. The shift of applications and data storage to cloud deployments has allowed many organizations to free themselves from the constraints involved in housing and maintaining physical infrastructure.
By stripping out hardware and personnel costs while conferring massive scalability and global access, cloud deployment has transformed the operations of many organizations while creating entirely new sectors of cloud-delivered services and applications.
In fact the sector is still showing strong growth: according to Research and Markets, the global cloud computing market will grow over 15% by 2026, reaching nearly $950 billion in total annual revenues.
But what about security?
Early uptake of cloud solutions was slowed by the reluctance of potential users to cede control of their IT operations to a vaguely defined ‘cloud deployment’ whose physical location could not be identified with any certainty. There was the understandable feeling that applications and data under lock and key in the company data center were far safer than those outsourced to a cloud provider.
Stop worrying and love the cloud
But the emergence of public cloud suppliers like Amazon Web Services (AWS) and Microsoft Azure gave credibility to the idea that the specialist skills and economies of scale achievable by a professional cloud operation could offer greater security and stability at lower cost than any on-premise hosting.
Slowly, CTOs around the world learned to “stop worrying and love the cloud."
Some risks remain
Nevertheless, in spite of the undoubted expertise and experience of cloud providers, cloud deployment of assets and applications may still be vulnerable to attack if the deployment to the cloud is not managed properly. Some of the threats involve the same factors as those of on-premise deployments, but others are peculiar to cloud hosting.
Let’s take a look at some examples:
1. Weak identity and access management
Like on-premise installations, cloud deployments are vulnerable to attacks exploiting human error on the part of those with authorized access to the system. Robust identity and access management (IAM) is fundamental to maintaining the security of the operation using strong approaches such as Multi-Factor Authentication (MFA) and the principle of least privilege (PoLP).
2. Poor configuration
In 2020, the U.S. National Security Association (NSA) released a report on mitigating cloud vulnerabilities which identified the “misconfiguration of cloud resources” as the most common risk to cloud services.
The report noted that many misconfigurations are due to an insufficient understanding on the part of the customer of the ‘shared responsibility’ model for cloud security. The cloud provider guarantees the security of the physical hosting and infrastructure, but protection of applications and data is the responsibility of the customer.
Service provider Edafio explains the SR concept: “The vendor provides the tools you need to secure your data, but it is up to the customer to set up the security tools. This is where a good partner can help your company make sure that your responsibilities are met to help keep your data secure.”
3. Unsecured APIs
Application programming interfaces (APIs) are used to communicate and exchange data between internal or external systems. But if these APIs do not implement the proper security and authentication factors, the cloud system is opened up to potential data breaches.
The most famous example of “permissive APIs” causing trouble was when Cambridge Analytica non-consensually accessed millions of Facebook users’ data to inform political ads for Donald Trump’s 2016 presidential campaign.
Best practices for cloud security
As a mature technology, cloud deployment has evolved a series of best practices to safeguard customer data and applications.
- Robust Identity and access management — As mentioned above, unauthorized access is the major source of cloud data breaches. Multi-factor authentication (MFA) is a powerful method of controlling access to cloud resources and is fast becoming standard for cloud deployments. In fact, Info Security reports, MFA can “prevent as much as 80–90% of cyber-attacks.”
- Correct configuration ¬— Cloud customers must be clear about where their cloud provider’s responsibility ends and theirs begins (usually with applications and data in transit). They should also be aware that the provider’s default settings may not be optimal for their setup and may need to be modified.
- Full visibility – ‘Out of sight, out of mind’ is not a desirable status for a cloud deployment, yet outsourcing to the cloud can result in reduced visibility of the system. Those responsible for the security of the platform should have the necessary tools and alerts to provide a complete overview of the deployment and its key parameters in order to intervene in a timely manner.
- Encryption — Cloud deployments should aim to protect data “in use, in transit and at rest”. In practice the best way to do this is end-to-end encryption which protects the organization’s assets at every point in the processing cycle, both within the cloud and during external exchanges via encrypted HTTPS/TLS connections.
- Data loss prevention (DLP) tools — Cloud DLP tools specialize in ensuring data is not lost, corrupted, or vulnerable to unauthorized access. Their value cannot be overstated and the market is responding accordingly; cloud DLP is projected to reach $11 billion by 2028, a CAGR of 27.9%.
- Undelete and versioning — Some risks to the integrity of data are internal and take the form of erroneous operations by authorized users. That’s why many cloud providers have added “undelete” and/or “versioning” functions. Undelete is a Windows-style ‘recycle bin’” which keeps data for a time in case it was mistakenly deleted. Versioning is where a new copy of the file is saved when changes are made lets the user revert to an old version to recover from erroneous editing or corruption.
Certifying the cloud - ISO/IEC 27017
Developed by a joint committee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), ISO/IEC 27017 is a code of practice specifying information security controls for cloud operations.
Eidosmedia cloud operations have recently obtained this certification, extending its earlier ISO/IEC 27001 certification to the cloud deployments it manages for its customers.
Financial services – a gold standard for cloud security
While cloud deployment is now widely adopted in most industries, there are sectors in which security concerns are so critical that uptake of cloud solutions has had to wait for the availability of more stringent data protection protocols. One of these is the banking and financial services sector which is only now beginning to migrate its non-core data and application activities to the cloud.
As a supplier of solutions for the creation and distribution of investment research by investment banks, ratings agencies and asset managers, Eidosmedia has developed cloud deployments of exceptional robustness for this demanding application area.
Financial services in the cloud – a use case
A recent cloud deployment for a global investment research provider included the following advanced security technologies and protocols:
- Worldwide disaster recovery — AWS hosting in two different regions, chosen by the customer. Each consists of multiple AZs (availability zones) - isolated and physically separate group of data centers within a geographic area. This solution provides a complete DR failover facility in active-passive and active-hot standby modes.
- Beyond ISO 27017 — Eidosmedia operations are certified to ISO 27001 and 27017 standards. Nevertheless, before adoption, the solution had to satisfy the customer’s more detailed and demanding internal security audit.
- State of the art SR — In addition to the ISO/IEC 27001 and 27017 controls, as part of the Shared Responsibility model adopted on AWS, the deployment complies with the policies defined by the CIS AWS Foundational Benchmark and AWS Foundational Security Best Practices standards.
- MFA and SAML 2.0 support — User access is controlled through SSO (single sign-on) supporting SAML 2.0 identity providers and MFA (multi-factor authentication).
- Data in-transit are encrypted across the entire stack using TLS/mTLS (mutual TLS)
- Public and private X509 certificates are used for securing services
- Data at-rest are encrypted across the whole lifecycle using AWS infrastructure capabilities
- Secrets are stored in encrypted format
AWS services used for managing encryption
- ACM (Certificate Manager) for managing public certificates
- Private CA (Certificate Authority) for managing private certificates
- KMS (Key Management Service) for managing cryptographic keys
- CloudHSM (Hardware Security Module): dedicated key store for KMS, certified up to FIPS 140-2 Level 3.
- ALE (Application Level Encryption) – Content is encrypted at rest by the application, in addition to the infrastructure layer, leveraging customer managed keys from KMS/HSM.
In addition the project deploys security products and protocols that include Vulnerability Management, SIEM, CloudTrails, Managed Endpoint Detection and Response, Compliance verification, Privileged access management etc.