Cloud computing has many benefits for business and government – it is cost-effective, easily accessible and scalable and infinitely customisable. However, the growth of cloud computing has also created new security challenges. An understanding of what the cloud actually is and how it works is crucial to understanding the security risks which it poses and how these risks can be managed.
The Australian Government has adopted the US National Institute of Standards and Technology’s definition of cloud computing, which states that it is a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.  Most cloud services are directly accessible over the internet and are offered on a pay-as-you go basis, meaning that the systems are flexible and easily adaptable depending on usage.
Cloud computing is provided through three service models. Software-as-a-service (SaaS) is a software distribution model where applications are delivered to customers over the internet. Examples of SaaS are office software used to track sales and invoice clients. Platform-as-a-service (PaaS) is the set of tools and services designed to make coding and deploying SaaS applications quick and efficient. PaaS is the platform where developers create and manages the SaaS software and database. Infrastructure-as-a-service (IaaS) is the virtual computing hardware and software that powers the servers, storage, networks and operating systems. A simple way to think of the service models is in a pyramid, where the SaaS sits at the top, PaaS in the middle and IaaS on the base.
There are also four types of deployment models which represent the types of cloud environment, primarily distinguished by ownership, size and access. Each deployment model has different security risks and benefits associated.
The public cloud is provided for open use by the general public which means data is stored with other tenants, by the cloud provider in a physical location of their choosing. There are inherent risks in ceding control of data to a third party, crucially that access to the data is controlled by the provider. This can raise issues when wanting to switch cloud providers or delete data. On the other hand, data stored in a public cloud may be more secure as a public cloud provider would be more concerned with efficiently guarding against and dealing with security breaches of their customers’ data, especially as cloud security has become a major market differentiator. Either way, a rigorous examination of the features of the offering and the terms of agreement with a public cloud provider prior to contracting is essential.
In contrast, organisations have far greater control over private clouds, not only because they can physically host the infrastructure, but also because only they have access to that private cloud. However, as private cloud users are less dependent on their cloud provider for security, risks can go overlooked exposing the private cloud to data breaches and other vulnerabilities.
Somewhere in between is the community cloud, in which the infrastructure is mutually shared between many organisations that belong to a particular community and share similar computing concerns. A community cloud may be internally managed or it can be managed by a third party provider. It can be hosted externally or internally. The security concerns will depend on these deployment choices.
Finally, a hybrid cloud is an integration of two or more deployment models used together where some data and applications require different and more secure deployment. Hybrid clouds are beneficial in that an organisation’s data and applications can be moved between deployment models, for instance to mitigate the security risks depending on the need and demand of the organisation’s workload and requirements. In this context, hybrid clouds make the most sense for many businesses. In fact, 71% of respondents to RightScales’s 2016 State of the Cloud Report were using a hybrid service, compared with 6% which were solely using a private cloud and 18% using a public cloud.
At the RSA Conference in March 2016, the Cloud Security Alliance (CSA) released a report on The Treacherous 12 – Cloud Computing Top Threats in 2016. No matter the service model or deployment model, the CSA warned that the shared on-demand nature of cloud computing poses new security risks that can easily eliminate any benefits made by the switch to cloud technology. The top 12 critical issues to cloud security, with some suggested mitigation strategies, are:
- Data loss – CSA says adequate data backup measures are essential, as well as adhering to best practices in business continuity and disaster recovery. Daily data backup and off-site storage remain important with cloud environments.
- Advanced Persistent Threats (APTs) – Regularly reinforced awareness programs keep users alert and less likely to be tricked into letting an APT into the network. IT departments also need to stay informed of the latest advanced attacks.
- Malicious insiders – CSA recommends that organisations control the encryption process and keys, segregating duties and minimising access given to users. Effective logging, monitoring, and auditing administrator activities are also critical.
- Account hijacking – CSA suggests prohibiting the sharing of account credentials between users and between services, as well as enable multifactor authentication schemes where available. Accounts, even service accounts, should be monitored so that every transaction can be traced to a human owner.
- System and application vulnerabilities – CSA recommends basic IT processes including regular vulnerability scanning, prompt patch management, and quick follow-up on reported system threats.
- Insecure Application Programming Interfaces (APIs) – APIs and interfaces tend to be the most exposed part of a system because they’re usually accessible from the open Internet. CSA recommends adequate controls as the first line of defence and detection as well as security-specific code reviews and rigorous penetration testing.
- Weak identity, credential and access management – CSA suggests that multifactor authentication systems such as one-time passwords, phone-based authentication, and smartcards as well as rotation of cryptographic keys, passwords and certificates protect cloud services because they make it harder for attackers to log in with stolen passwords. Monitor and management of any centralised storage mechanism containing data secrets should be a high priority.
- Data breaches – A cloud environment is subject to the same threats as a traditional corporate network. Cloud providers often have good security for aspects they take responsibility for but, ultimately users are responsible for protecting their data. CSA suggests the best protection against data breach is an effective security program. Two important security measures that can help companies stay secure in the cloud are multifactor authentication and encryption.
- Insufficient due diligence – CSA recommends organisations that are moving to cloud technology model to perform extensive due diligence to understand the risks they assume when they subscribe to each cloud service.
- Abuse and nefarious use of cloud services – CSA suggests a cloud provider must have an incident response framework to address misuse of resources, as well as a means for customers to report abuse originating from a cloud provider. A cloud provider should include relevant controls that allow a customer to monitor the health of their cloud workload.
- Denial of Service (DoS) – CSA says cloud providers tend to be better poised to handle DoS attacks than their users. The key is to have a plan to mitigate the attack before it occurs, so administrators must be able to immediately access resources when they need them.
- Shared technology issues – CSA recommended a defence in-depth strategy, including multifactor authentication on all hosts, host-based and network-based intrusion detection systems, applying the concept of least privilege, network segmentation, and keeping shared resources patched.