Security in the Cloud

Is the cloud provider solely responsible for security? And what is the role of the customer? In order to move to the cloud in a secure and efficient way, some questions must be asked and answered.


For many organizations, the prospect of migrating their IT infrastructure to the cloud is becoming increasingly attractive. The key benefits are cost savings, scalability and more time to focus on the services and applications that matter to customers. Many adopters have also found that moving to the cloud can increase their security visibility and effectiveness.

While the advantages of moving to the cloud are obvious, some questions must be asked and answered in order to do so securely and efficiently. For example: who owns security at each level?

Positioning Security First

Security should be every reputable cloud provider’s top priority. However, different cloud offerings provide different levels of security, so it is important to understand who has responsibility at each level. 

Software as a Service (SaaS) cloud providers bear the majority of the responsibility for security. Platform as a Service (PaaS) providers carry a smaller share of it, while with Infrastructure as a Service (IaaS), customers and the cloud provider share security responsibilities.

Looking at physical security, the cloud provider is responsible for managing guards, fences, gates, alarms and cameras at its data centers, and must ensure that each site meets stringent guidelines for design and operation. The virtual security of the thousands and thousands of servers, switches, load balancers and virtual machines in those data centers is another area of responsibility that falls to the cloud provider.

The savvy cloud customer will demand that their cloud providers supply proof of the certifications and accreditations that attest to the security of their offering. These certifications and accreditations are conducted by third-party auditors, who measure security controls against the requirements of heavily regulated industries such as government, healthcare and finance.

The most widely respected and applicable of these certifications is ISO 27001. Developed by the International Organization for Standardization, the ISO 27001 controls are accepted by companies around the world. Cloud infrastructure providers should also undergo Service Organization Controls 1, 2 and 3 (SOC 1, 2, 3) audits to verify that they are complying with their own internal policies. The ability of auditors to certify the security of a cloud provider's technology infrastructure helps Chief Information Security Officers evaluate cloud technologies. Customers may also want to see certifications and accreditations for their particular industry, one example being PCI DSS Level 1, which applies to the credit card payments industry.

Your Own Corner of the Cloud 

Some providers, such as Amazon Web Services, also offer customers the opportunity to carve off their own isolated section of the cloud to create what we call a Virtual Private Cloud. In this case, customers have complete control over their virtual networking environment, including the selection of their own IP address range, the creation of subnets, the configuration of route tables and network gateways, and the associated firewall rules. This service is used by organizations that want to use the cloud as an extension of their existing data center, and it lets them do so while retaining the flexibility and low cost of cloud computing. There is nothing inherently at odds about providing on-demand infrastructure while also providing the security isolation companies have become accustomed to in their existing on-premises or colocation environments.
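Because the customer owns every element listed above, the customer also owns the mistakes in them. The following added example (not code from the article or from AWS) audits a constructed VPC description for two common isolation errors: a private subnet whose route table sends default traffic to an internet gateway, and a firewall rule that exposes a non-web port to the whole internet. The dictionary layout and field names are assumptions for the example, not an AWS API format.

```python
from ipaddress import ip_network

# Constructed sample VPC (not real infrastructure): one public and one
# private subnet, and two security groups acting as the firewall rules.
# Two deliberate mistakes are marked so the audit has something to find.
VPC = {
    "cidr": "10.0.0.0/16",
    "subnets": {
        "public-a":  {"cidr": "10.0.1.0/24", "route_table": "rt-public"},
        "private-a": {"cidr": "10.0.2.0/24", "route_table": "rt-private"},
    },
    "route_tables": {
        "rt-public":  [{"dest": "10.0.0.0/16", "target": "local"},
                       {"dest": "0.0.0.0/0", "target": "igw-main"}],
        "rt-private": [{"dest": "10.0.0.0/16", "target": "local"},
                       {"dest": "0.0.0.0/0", "target": "igw-main"}],  # mistake 1
    },
    "security_groups": {
        "sg-web": [{"proto": "tcp", "port": 443,  "cidr": "0.0.0.0/0"}],
        "sg-db":  [{"proto": "tcp", "port": 5432, "cidr": "0.0.0.0/0"}],  # mistake 2
    },
}

# Ports an organization might intentionally expose to the internet (assumption).
PUBLIC_OK_PORTS = {80, 443}


def audit_vpc(vpc):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    vpc_net = ip_network(vpc["cidr"])
    for name, subnet in vpc["subnets"].items():
        if not ip_network(subnet["cidr"]).subnet_of(vpc_net):
            findings.append(f"subnet {name} lies outside the VPC range {vpc['cidr']}")
        if name.startswith("private"):
            for route in vpc["route_tables"][subnet["route_table"]]:
                # A private subnet should never default-route through an internet gateway.
                if route["dest"] == "0.0.0.0/0" and route["target"].startswith("igw-"):
                    findings.append(f"private subnet {name} has a default route to "
                                    f"internet gateway {route['target']}")
    for name, rules in vpc["security_groups"].items():
        for rule in rules:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] not in PUBLIC_OK_PORTS:
                findings.append(f"security group {name} allows {rule['proto']}/"
                                f"{rule['port']} from anywhere")
    return findings


if __name__ == "__main__":
    for finding in audit_vpc(VPC):
        print("FINDING:", finding)
```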

One company that is taking advantage of this technology is Rail Settlement Plan. The Rail Settlement Plan is part of the Association of Train Operating Companies (ATOC) and is the company that provides IT and retail services to UK rail operators. The company has over 10,000 ticketing outlets across the UK and is responsible for all of the UK’s train tickets. 

The company recently moved its IT to AWS to provide train operators with a flexible cloud-based system that can be scaled up to a billion tickets per annum by 2018 without further capital investment in computer hardware. To secure the system, the Rail Settlement Plan has taken advantage of AWS security tools such as Amazon Virtual Private Cloud and Identity and Access Management, and has also applied security design patterns to its infrastructure that make the best use of the security measures already built into the AWS cloud.

While the cloud can provide a higher level of physical and logical security than most organizations can afford on their own premises, it is important to note that security as a whole is a shared responsibility between the customer and the cloud provider.

Cloud providers can be very secure. However, if a customer launches an unpatched or vulnerable application in the cloud, they run the risk of compromise. Conversely, a customer who runs a very secure application in an insecure cloud environment runs the same risk of compromise. The purpose of this shared responsibility is to provide the flexibility and control that lets customers deploy applications that meet their specific needs.

Most organizations do not have the luxury of dedicating resources to physical or virtual security. A reputable cloud provider should be actively investing in security technology, processes and personnel. Cloud security is achievable at scale, and we look forward to watching organizations continue to innovate in their IT practices and reap the benefits of operating in a secure, highly available and cost-efficient technology environment.

Stephen Schmidt is the Chief Security Officer of Amazon Web Services.