* Yuri Carneiro
The use of cloud computing technology changed the scenario of provision of infrastructure services. It is built as an on-demand resource that allows you to share computing capabilities to run applications, databases, virtual machines, servers and other IT infrastructures as needed.
Types of cloud technology
Today, three types of cloud technology are available:
• Public Clouds: are provisioned for open use and hosted on the premises of cloud service providers. They are generally accessed by internet browsers, so identity management, authentication and access control are essential;
• Private clouds: are generally dedicated and accessible only to an organization. They can be managed and operated by the organization, a partner or in shared mode, and they can be inside or outside the company's facilities. It is important to note that they are still vulnerable to access violations, social engineering and other exploitation;
• Hybrid clouds: combine various aspects of public and private clouds, allowing organizations to exercise more control over their data and resources than in a public cloud environment, yet still be able to take advantage of the scalability and other benefits of the public cloud when needed. With hybrid clouds, workloads can run in their ideal environment.
Cloud service categories
Cloud services can be classified into three categories:
• IaaS: it is a cloud model that allows self-service to manage the virtualized infrastructure of the Data Center. You pay for on-demand access to preconfigured computing resources, such as network, storage and operating systems. This can involve automating the creation of virtual machines at scale, so it is critical to consider how virtual machines are provisioned, managed and retired. In this modality, the onus of protecting and generating reports on the infrastructure falls on the provider, but all responsibility for the operating system software for the application is the customer's responsibility;
• PaaS: it is a cloud layer model that provides tools and other computing infrastructures, allowing organizations to focus on creating and running Web applications and services. PaaS environments primarily support developers and operations. Here, managing and configuring self-service rights and privileges is essential to control risk. In this category, the service provider is responsible for protecting the infrastructure and the platform, and the application is the responsibility of the customer;
• SaaS: consists of applications hosted by third parties and usually delivered as software services in a web browser accessed on the client side. While SaaS eliminates the need to deploy and manage applications on end-user devices, potentially any employee can access web services and download content. Therefore, it is important to have adequate visibility and access controls to monitor the types of SaaS applications accessed, usage and cost. In this modality, the service provider is responsible for most aspects of security.
What about Information Security?
Cloud security it is the discipline and practice of applying security controls in cloud-based environments. It is used to protect cloud environments from unauthorized access, attacks and other risks inherent to the technology. For this, cloud security strategies use policies, processes, best practices and technologies.
When using cloud-hosted solutions, it is necessary to follow some guidelines for greater protection guarantee regarding the confidentiality, integrity and availability of the information that is hosted on them. The level of security controls to be used must be equal to or greater than those used in traditional infrastructure.
On the market, there are some frameworks created specifically for assessing security risks in cloud environments. We can cite the norms ISO / IEC ISO27017, O CSA STAR (Cloud Security Assessment) it's the Center for Internet Security (CIS) 7.1 control framework.
In general, the main aspects to be evaluated in a cloud security program are as follows:
• Audit: The periodic and independent audit of the environment is of paramount importance for surveying risks in the environment. The goal is to ensure that information security controls meet business requirements.
It is recommended that the cloud service provider is certified to international standards, such as ISO / IEC 27001, CSA STAR, or ensure the delivery of the SOC 2 Type II report, facilitating the audit process. At least annually, it is recommended to conduct the execution of pentests in the network layer and application of the cloud platform, in order to guarantee the identification and treatment of non-conformities and technological risks;
• Identity Management: The cloud service provider must enable the management of roles and authorization levels for each of its users and apply the principle of least privilege. These roles and access authorizations must be applied by resource, service or application. The service provider must also have a secure identity provisioning and management system, ideally integrated with the client organization's access control solution;
• Data and information protection: Data is a critical business asset and the center of concerns in Information Security, regardless of the type of infrastructure that is used. Cloud computing does not change this paradigm, and it poses new challenges due to the nature of the service being distributed and the responsibilities shared with service providers.
Security must be concerned with both static data (such as that stored in storage) and data in transit (such as that which is transiting a network). The risks of theft or unauthorized disclosure of data, risks of undue alterations, risks of data loss or unavailability and the risk of keeping data available for longer than necessary must be considered. Thus, the data must be classified and its retention time established according to business rules;
• Secure provision of applications: The critical application infrastructure must be proactively protected against internal and external threats throughout its entire life cycle, from specification to implementation in a production environment. Clear security policies and processes are essential to ensure that applications are generating business value, rather than new risks. For cloud solutions, the same diligence used in the security of traditional infrastructures must be applied, because if an application is compromised, it can generate financial impacts and reputation problems for both the provider and the customer;
• Security on networks and connections: The cloud service provider must authorize legitimate network traffic and block malicious traffic, just as any other internet provider does. However, unlike traditional IT organizations, the cloud provider will not necessarily know what traffic the customer plans to send and receive. Thus, it is expected that the provider will provide tools for segmenting and protecting systems, as well as performing traffic control, ensuring protection against DDoS attacks, spam, viruses and recording audit logs and notifications;
• Cloud service agreement: As cloud services typically involve at least two organizations, the responsibilities of each party must be clearly described. These terms are formalized through the Cloud Service Agreement (CSA), which specifies the services to be provided and the terms of the contract between the provider and the customer. It is recommended that you are on the CSA and that all requirements imposed on your cloud service provider are also passed on to any provider that you can use to provide any part of your services. The CSA must explicitly document that the service provider notifies the customer in a timely manner if there is any kind of breach in the service, regardless of the parties or data involved;
• Withdrawal process: From an information security perspective, it is important that once the contract with the provider is terminated and the machines are destroyed and that this process is irreversible. The contract must ensure that any copies of data are permanently deleted from your environment, wherever they have been stored (including backup copies and online storage tools). However, there is an exception: if necessary, the service provider must maintain data derived from the cloud service, such as logs and audit trails. Thus, the withdrawal process must allow this data to be recovered properly, backups must be retained for agreed periods before being deleted, the associated event logs and reporting data must also be retained until the exit process completed.
To assist in the implementation of security controls in cloud environments, service providers have made available on the Cloud Management platform tools that measure the security level of the environment. An example of this is Microsoft's initiative to create a security baseline (called the Azure Security Benchmark) inspired by the Center for Internet Security (CIS) 7.1 and NIST, integrating these controls in the Azure Security Center. In this way, the customer checks items that do not comply with best practices and make improvements to the environment.
With the advent of Cloud technology, Information Security has never been more necessary.
The possibility of creating virtual infrastructures on a large scale multiplies the possibility of creating risks in the environment, leaving your organization exposed to a series of threats. Therefore, security requirements must be raised and their application guaranteed throughout the development cycle and the provision of new infrastructure.
It is also recommended to use the tools made available by the manufacturers to assess the safety of the environment and implement the suggested controls.
* Yuri Carneiro is a GRC and Information Security Specialist
SAFEWAY is an Information Security consulting company, recognized by its clients for offering high value added solutions through projects that fully meet business needs. During these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence in our clients, which constitute in large part the 100 largest companies in Brazil.
Today through more than 20 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best technology solutions, processes and people. SAFEWAY can also help your organization by validating compliance and maturity with GDPR (General Data Protection Regulation) and GDPR (General Data Protection Law) considering the business environment to which it is inserted, in order to identify the main action plans for compliance with the regulations, aiming at process improvements and gains for your organization.