The transition to cloud services provides many advantages to the organization, including scalability, flexibility, efficiency, reduced cost and an enterprise-grade level of security that meets the highest standards. However, cloud services also entail various risks that the organization must recognize and mitigate before the transition to the cloud.
Cloud Security
Keep your data and services secured in the Cloud
Baruch Menahem, CISSP, CCSK
InfoSec Strategy Manager, Comsec
Challenges to Cloud
• Lack of control over resources:
Concerns related to lack of control over physical resources, data and applications.
• Less security visibility and control capabilities:
IT is not able to dictate things such as version control, patch
frequency and code reviews. It will therefore be forced to update its
development, QA, administration and operations processes.
• Internet dependency - performance and availability:
Cloud computing services rely fully on the availability, speed, quality and
performance of the internet.
• Difficult to migrate:
It is not very easy to move the applications from an enterprise to cloud
computing environment or even within different cloud computing platforms.
Critical Threats to Cloud Security
The Cloud Security Alliance (CSA) has identified 8 critical threats to cloud security:
1. Enterprise cloud services are not enterprise-ready
95% of cloud services used in the average enterprise are not enterprise-ready
from a security standpoint.
2. Data breaches
Due to the huge amount of data stored on cloud servers, providers are an
increasingly attractive target to cyber criminals.
3. Lack of encryption
Encryption is one of the most basic methods for securing data, but many
enterprises make the mistake of failing to encrypt sensitive data in the cloud.
4. Weak authentication and identity management
A lack of proper authentication and identity management is responsible for
data breaches within organizations. Cloud providers usually support
2FA/MFA mechanisms, but unfortunately clients are not making use of them.
5. Insider threat
An insider (a former employee, system administrator, contractor, or business
partner) could destroy infrastructure or permanently delete data. Systems that
depend entirely on cloud service providers for security are at greatest risk.
6. Account Hijacking
Techniques like phishing and fraud are well known cyber threats, but cloud
adds a new dimension to these threats as successful attackers are able to
eavesdrop on activities and modify data.
7. Lacking due diligence
Due diligence is the process of evaluating cloud vendors to ensure that best
practices are in place. Part of this process includes verifying whether the
cloud provider can offer adequate cloud security controls and meet the level
of service expected by an enterprise.
8. DDoS attacks
DDoS attacks often affect availability. For enterprises that run critical
infrastructure in the cloud this can be debilitating: systems may slow down or
simply time out.
DDoS attacks also consume large amounts of processing power – a bill that
the cloud customer (you) will have to pay.
Remediation
In order to reduce the risk of using cloud services, the following should be considered:
• Use encryption to protect data at rest as well as in transit.
• Manage encryption keys via an HSM system.
• Use MFA for accessing cloud resources.
• Create and enforce a dedicated security policy for cloud usage.
• Monitor cloud accounts to make sure that every transaction can be traced back to a human owner.
• Review accreditations and standards gained by cloud providers, including ISO 9001, DCS, PCI and HIPAA.
• Use dedicated security systems such as IPS, WAF and DDoS protection to protect against external attacks.
• Conduct security assessments and penetration tests.
Cloud Trends
Centrally manage security from a private cloud
Using a private cloud (either on premise or external) to centrally manage endpoint security.
Especially useful when working with distributed networks (multiple branches / sites) or when distributed users are required to be protected according to the standard used in the organization.
Can also reduce maintenance and licensing cost (managed by the cloud provider).
Using the cloud as a front-end DMZ network
Using the cloud as the internet gateway of the corporate network to transfer the handling of network attacks from the internet to the cloud provider.
The cloud is used as a network extension (the Front-End DMZ) of the on premise network and used to host all internet-facing services, while the on premise external network becomes the mediating layer (Back-End DMZ) which connects the two networks (by VPN / Direct Line connection).
This implementation can also reduce cost to the organization by using managed cloud security services.
Implementing a Cloud Stack
Enjoy cloud benefits (e.g. scalability, flexibility, efficiency, cost and security) without relying on cloud vendors, by building an on premise private cloud using OpenStack, Azure Stack or any other cloud platform.
Very useful for organizations that cannot use cloud services due to regulatory and security constraints that do not allow them to store sensitive information in the cloud or to transfer core systems to the cloud.