Managing cybersecurity risks in the cloud

Cybersecurity is a broad topic, and as such there are many facets a company must understand to properly implement it into your business. This article is the first part in a series that will cover how to properly manage your risks in the cloud, read part two.

The great migration

While the idea of cloud-hosted infrastructure may seem new, organizations have been outsourcing management of their infrastructure for decades. Organizations that no longer wanted to manage the physical aspects of their computing and network infrastructure moved to outsourced datacenters that co-located their infrastructure with other customers separated by metal cages. While the organization retained responsibility for the management of their own servers, they no longer needed to focus on the day-to-day administration of internet connectivity, power, back-up generators and physically securing the data center facility.

As technology companies saw their demands for computing resources exponentially escalating, a new business opportunity arose. Technology companies could plan and build far greater capacity than they needed, then sell that excess capacity to other organizations – a concept now known as Infrastructure-as-a-Service (IaaS) solutions. Organizations could purchase on-demand computing and network resources without building their own on-site data center or committing to a long-term co-location agreement. Thus, the great migration to the cloud began.

Understanding the cloud’s unique capabilities

There is a multitude of aspects to cloud-based services; we outline three of the greatest and most unique capabilities below:

• Invisible hardware – When you setup your cloud account, what may seem strange at first is that the hardware layer to building a data center has become invisible. You still must select the computing specs for your server (number of CPU cores, GB of RAM), but you do so within a web interface that automatically builds your server. It is the same when you select your storage capacity; once selected, it is provisioned automatically to your server instance through the invisible hands of your cloud provider’s backend management services. What used to entail racking-and-stacking of multiple, different physical components now all occurs after a few drop-down selections. The physical aspect of data center operations now becomes invisible to the end user.
• Auto scaling – Along with the invisible hardware comes a semi-new idea of auto scaling. Those of you that are familiar with system architectures will understand that system and network engineers have been building scalability into their designs for years. Scalability was mostly performed through load balancing and clustering of systems to create a more resilient and efficient system architecture. However, cloud-based solutions have made this easier with the ability to auto deploy (or suspend) new server instances on an as-needed basis. No more tedious capacity planning, no more human interaction required to add a new system to the cluster or set up a new IP in the load balancer because the cloud provider’s native services allow you to set thresholds that will scale in or scale out based on predetermined metrics. This creates a more efficient and cost-effective system.
• Non-standard computing solutions – Taking the idea of invisible hardware and auto scaling one step further, cloud services introduced us to server-less computing services that no longer require the user to set up an operating system or even install an application. Server-less services are similar to auto scaling as they are triggered based on a predetermined set of factors; however, they do not stand up a new server instance in order to process a transaction. These server-less functions are one of the most powerful new tools within a cloud-based solution because they only execute when triggered and the organization only pays for the computing power when the function is used.

Securing the cloud

Even with all the new tools, services and capabilities provided by cloud service providers, risk remains. We hear about data breaches frequently, and many breaches occur within organizations that migrated their environment to the cloud. So, what does security look like in the cloud?

We need to understand that there is a shared responsibility between the cloud service provider and the end-user organization. The cloud service provider is responsible for the physical security of the data center, administrative access to networking and server infrastructure, updating of networking and server infrastructure and the resiliency of their data centers from a disaster. However, when an organization is adopting Infrastructure-as-a-Service (IaaS) this leaves everything else from the operating system layer and up in the hands of the end-user organization. This is the difference between security-of-the-cloud and security-in-the-cloud. Let’s explore three aspects of security-in-the-cloud today:

• Management console access – AWS centralized the management of your computing and networking resources through a management console accessible through a web interface. There is also a command-line interface as well, but most organizations that are new to cloud start with the web-based management console. This console is protected by default through standard username and password management. Organizations should consider enhancing this security by requiring the use of multi-factor authentication. Additionally, organizations should establish a federated access model between their own identity platform and AWS to more effectively and efficiently manage provisioning and de-provisioning of user accounts.
• Security and privacy by design – When developing a system in the cloud, you need to build security and privacy into the architecture starting with the design phase. Most older architectures bolted-on security and privacy requirements after the design of the system was completed. This created a less efficient and less secure operating environment. Security and privacy by design starts with understanding that you do not own or manage the hardware related to the cloud-hosted systems. Since you do not own the underlying infrastructure, or access to that infrastructure, you need to design your security and data protection capabilities from the moment that data enters your cloud provider’s environment.  
• The second aspect of securing your data by design is that cloud-based solutions are meant to be internet accessible, which increases the potential for accidental data loss. Many of the data breaches you hear about from cloud-hosted applications occurred due to a misconfigured storage site. It is your responsibility to securely configure any access point at which data may be shared over public networks.
• Establish a cloud native mentality – One of the mistakes organizations make when they move into a cloud-hosted environment is to treat the environment as if it was still an on-premise or co-location data center. One of the greatest benefits to cloud-hosted solutions is that the service providers have created native cloud services that can be easily integrated into your network and system architecture. These native cloud services are specifically built to take advantage of cloud capabilities including triggering Lambda functions based on alert thresholds and other aspects to make the administration of the environment easier. There are native services for threat detection and response, logging and monitoring, DDoS protection, web application firewalls, key management, disaster recovery and more services being added every day.

Supporting your cloud and cybersecurity journey

The question isn’t whether your organization is going to move to the cloud, it is when. Cloud-service providers have changed the way organizations can use and deploy computing and networking resources, but these new services come with their own risks. Organizations need to still focus on the basic blocking and tackling of security and privacy. This includes managing access to administrative services, encryption of sensitive data, and securely configuring cloud-services. Cloud providers have created their own set of services to enable faster adoption of cloud solutions and ways to make security-in-the-cloud more effective and easier to manage. The power and responsibility still remains in the hands of the end-user organization to secure their cloud-hosted environment. Our Baker Tilly professionals are knowledgeable in the cybersecurity and cloud technology, contact our specialists today.