Updated: Jul 23, 2019
As more and more organizations move to the cloud, it is our responsibility as security professionals to ensure that effective security is in place from migration right through to operations.
To recap, the 10 steps to effective cloud security (from the Cloud Standards Customer Council) are:
Ensure effective governance, risk and compliance processes exist
Audit operational and business processes
Manage people, roles and identities
Ensure proper protection of data and information
Enforce privacy policies
Assess the security provisions for cloud applications
Ensure cloud networks and connections are secure
Evaluate security controls on physical infrastructure and facilities
Manage security terms in the cloud service agreement
Understand the security requirements of the exit process
Today, we will discuss Step 1: how to ensure that we have effective governance, risk and compliance processes in place when we move our infrastructure to the cloud.
Let us begin by understanding our existing infrastructure, which is on-premises and uses traditional computing. Most organizations already have established security policies and procedures in place. We have a defined risk management process, and a whole compliance program exists based on the risks and controls that we have. We may be compliant with one or more standards such as ISO 27001, PCI DSS or HIPAA, to name a few. In a nutshell, we have a full IT GRC function in place.
Now, how does that change when we decide to adopt the cloud for various IT processes and functions and move our applications there?
Let us start with governance. Cloud adoption does affect governance, as it introduces a third party (the cloud service provider, or CSP) into the picture. The introduction of a CSP also brings with it the shared responsibility model: the division of security responsibilities for infrastructure and data between customer and provider, a division that shifts with the service model (IaaS, PaaS or SaaS).
But one must remember that under no circumstances can you, as an organization, outsource responsibility for governance. It always remains with the cloud customer. What does change in a cloud environment are the responsibilities for implementing governance and the mechanisms for managing it, and this requires your watchful eye.
Cloud service providers tend to create highly standardised services in order to benefit from economies of scale, and therefore try to offer the same standard (one-size-fits-all) service to every customer; that includes contracts and SLAs as well. You need to make sure that every element of security you are concerned about is part of the contract, because anything that is not written down is not a commitment.
According to the CSA Security Guidance v4.0, the following are the major tools of governance in the cloud environment:
Contracts: the primary tool of governance, and the only guarantee of any level of service or commitment.
Supplier (cloud provider) assessment: assessments done by the customer using available information, which can range from the financial position of the CSP to its history, existing clients and existing technical research on the CSP.
Compliance reporting: an important tool, as it covers all of the provider's internal and external compliance assessments. It may include reports for ISO 27001, PCI DSS, SOC 2, HIPAA, etc. Check the scope and date of each report: a SOC 2 report, for instance, covers a specific set of services over a specific period, not everything the provider sells.
Before we discuss risk management, we need to understand that the security controls in the cloud (whether a firewall or an IAM solution) are largely the same as in traditional computing; it is the risk that changes when adopting the cloud. The primary reasons for this change are:
the division of responsibilities between the cloud customer and the cloud service provider
technical design and operational control rest with the cloud service provider
the interface (the APIs and management plane) that exists between the cloud customer and the cloud provider
Therefore, it is very important for the cloud customer to understand the risks that arise from cloud adoption. These risks should be compared with the organization's existing risk tolerance, and a security control strategy established accordingly.
Risks in the cloud can be divided into several domains (explaining them in detail needs another article); a broad categorisation is:
Governance, Risk Management and Compliance
Delivery Strategy and Architecture
Identity & Access Management
Business resiliency & Availability
Compliance is one thing that really gets complicated when you plan to move to the cloud, for the simple reason that the shared responsibility model comes back into the picture. Another important aspect of compliance is the location of data and the applicable jurisdiction. For example, for personally identifiable information (PII), every country that has privacy laws has different requirements, and one has to adhere to the laws both where the PII is collected and where it is stored. Therefore, it is important to understand where your data will be stored (including replicas and backups) and which jurisdiction applies. It is a good idea to make this part of your contract as well: the contract should state where the data may be stored, that the CSP will report data breaches (and within what time), and the penalties that apply. I would like to highlight here that in the case of PII, it is the customer who is ultimately and legally liable for all the data stored in the cloud.
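A contractual clause on data location is only half of the control; the other half is a technical guard-rail that stops anyone in your organization from creating resources in a jurisdiction you have not assessed. As an added example (not part of the original article), the Terraform below defines an AWS Organizations Service Control Policy that denies API calls in every region except an assumed allowed set. The region list, the target OU id and the list of exempted global services are assumptions for illustration; derive your own from your jurisdiction analysis.

```hcl
# Added example, not from the original article: an AWS Organizations Service
# Control Policy (SCP) that denies any action outside an allowed set of regions,
# so that data cannot be created or stored in a jurisdiction you have not assessed.
# ASSUMPTIONS: the region list, the OU id and the exempted global services below
# are placeholders chosen for illustration.

locals {
  # ASSUMPTION: the jurisdictions your legal/compliance review has approved.
  allowed_regions = ["eu-west-1", "eu-central-1"]
}

resource "aws_organizations_policy" "data_residency" {
  name        = "deny-outside-allowed-regions"
  description = "Data residency guard-rail: block API calls outside approved regions"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "DenyOutsideAllowedRegions"
        Effect = "Deny"
        # Global services are not region-scoped; exempting them keeps identity,
        # organization, DNS and support management working. Review this list for
        # your own environment.
        NotAction = [
          "iam:*",
          "sts:*",
          "organizations:*",
          "account:*",
          "cloudfront:*",
          "route53:*",
          "support:*",
        ]
        Resource = "*"
        # aws:RequestedRegion is the region the API call targets; any value not in
        # the allowed list matches StringNotEquals and the request is denied.
        Condition = {
          StringNotEquals = {
            "aws:RequestedRegion" = local.allowed_regions
          }
        }
      }
    ]
  })
}

# ASSUMPTION: the organizational unit that holds the workloads subject to the rule.
resource "aws_organizations_policy_attachment" "data_residency" {
  policy_id = aws_organizations_policy.data_residency.id
  target_id = "ou-abcd-12345678"
}
```

Two caveats when using this pattern. SCPs apply to member accounts only, never to the organization's management account, so keep workloads out of that account. And the policy controls where resources live, not where clients connect from: a bucket in an allowed region is still reachable from anywhere the data-plane permissions allow. After attaching the policy, verify it with a harmless read-only call in a disallowed region (for example `aws ec2 describe-instances --region us-east-1` from a member account), which should fail with an access-denied error.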
Secondly, we need to look at the various regulations and standards that apply and how to comply with them. I will put ISO 27001 in the forefront because it is a true international standard and the most widely recognised one.
As we all know, ISO 27001 has a set of controls (in Annex A) with which an organisation needs to comply, subject to its Statement of Applicability. Details and implementation guidance for the same controls are given in ISO 27002. Now, if you are already ISO 27001 certified, it means you have the controls given in ISO 27002 in place. What happens when you move to the cloud?
For cloud adoption, ISO has two more standards designed specifically for cloud services: ISO 27017 and ISO 27018. Both are codes of practice, not certifications in their own right; they add cloud-specific controls and guidance that supplement ISO 27002 and can be brought into the scope of your ISO 27001 certification.
ISO 27017 is the "Code of practice for information security controls based on ISO/IEC 27002 for cloud services" and ISO 27018 is the "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors".
So this is how your organisation extends its ISO 27001 certification to cover cloud use. But what about the cloud service provider? Remember, you have a shared responsibility model and the security controls are divided as well; the CSP is, at a minimum, responsible for the underlying infrastructure in all service models. Therefore, controls in ISO 27001 such as physical security, network controls and infrastructure incident management fall on the CSP's shoulders. You need to make sure that your CSP is also ISO 27001 certified. I will add a piece of advice from my experience here. CSPs like AWS, GCP and Azure offer a huge number of services, and their ISO certification is scoped by service (and by region). So make sure your CSP is certified for the specific services, in the regions, that you plan to buy.
So we have seen one example above of how you can extend your ISO 27001 certification after cloud adoption. You can follow a similar exercise to get certified for PCI DSS, HIPAA, etc.
Finally, as far as the cloud service provider is concerned, there is guidance available such as the CSA Cloud Controls Matrix (CCM). Look at the CSP's CCM-based self-assessment (published in the CSA STAR registry), which will give you an idea of the security controls they have in place. You can also look at their SOC 2 report, which gives further insight into the provider's security.
So, as we have seen, GRC plays a very important role in managing the risk and security of IT assets, and the way it is exercised changes when moving from traditional computing to the cloud.
We will cover the other steps of cloud security in upcoming articles.