3 Ways to Navigate the Complexities of Modern Cloud Security

Integrating with a Cloud Service Provider (CSP) can be one of the most significant relationships your organization will manage. While CSPs provide services that support your security objectives, the responsibility for achieving these objectives remains with your organization. A strategy grounded in traditional third-party risk management, with an awareness of the contextual challenges that have arisen in the past decade of cloud adoption, is essential.

A CSP (Cloud Service Provider) is a third-party company that provides scalable computing resources that businesses can access on demand over a network, including cloud-based compute, storage, platform, and application services. (Google)  Examples include AWS Microsoft Azure, Google, and many others. 

The Evolution of Cloud Services

Cloud has evolved significantly since the rise and proliferation of AWS, Azure, and GCP. In the past, it was reasonable to group cloud services into three 'as-a-Service' models to simplify integration: Infrastructure, Platform, and Software. A relatively short list of secure design patterns could be applied to most solutions in the cloud. However, today's list of cloud service options is significantly more numerous, making the path to securing them less clear cut. As the variety of service type increases, so does complexity, and service models become less useful. Nevertheless, common issues can be managed with the shared responsibility model combined with a responsibility matrix approach.

Learn more about Online's Cloud Security Services

What issues do you need to consider to ensure optimal and efficient cloud solutions? Let's explore together.

The first step in securing a solution is understanding its component parts. Principles such as Defense in Depth or Zero Trust are challenging to implement when asset inventories are incomplete, and unfortunately this is often the case. We find this is often due to the convergence of roles in product teams and an over-centralization of personnel responsibility. This leads to loss of technology domain specialization. Rapid development cycles also encourage teams to implement a solution only until it is functional without additionally ensuring that it is secure.

Mistakes can be made quickly when new architecture layers are introduced without fully analyzing the operational needs of the components involved. Databases, virtual appliances, and other self-contained components introduce access control systems, data retention obligations, insecure defaults, and other concerns. Vendors can be reluctant to advertise the list of management tasks that consumers must take on following integration of their products.

Many times, components are left off asset lists and required pieces are forgotten based on the assumption that being in the cloud inherently ensures scalability, availability, and security.

Reviewing the asset inventory sets efforts up for success by ensuring scope is not outright missed. Teams should ensure that all components are represented, and that administration and operation obligations are known.

The second part of shared responsibility is in handling the cloud management plane. This is where the largest CSPs differentiate the most. More than just APIs, this also includes the customer relationship, the billing mechanisms, the documentation, and the wealth of cloud resource and account configuration options.

Two conditions contribute to issues in cloud management plane management:

1. Incentive for Rapid Deployment: CSPs often encourage the deployment of running services as quickly as possible, even if those configurations are not the most secure. 
2. Community Tutorial Content: A significant amount of community tutorial content is circulating which solves technical challenges but does so with insecure configurations.

Default CSP resource configurations have become much more secure over the years, but the many configuration options suit a variety of different needs. The path of least resistance to functionality is unlikely to be the well-rounded solution which satisfies your stakeholders’ risk appetite.

Given a complete asset inventory, teams will also need access to guidance from cloud security professionals. Organizations retain the responsibility for knowing their target security profile. Cloud security specialists help teams to translate security targets into secure deployments. They know what to look for, and they can raise concerns when the selected services and configurations aren't compatible with security targets.

Like any rainy-day preparation, the true value of security is not in peace of mind, but in the difference in outcomes when incidents occur. Too often, CSP customers do not fully integrate incident response (IR) procedures with cloud services at the operational level.

Learn more about Incident Response Plans and Online's Tabletop Exercises                  

When working with CSP customers, it’s crucial to ensure that IR is more than just lip service. It's important to understand how each cloud resource works so that event streams can be observed, centralized, and analyzed, and that alerting is timely and contextual. These technical capabilities must support documented recovery, restoration, and reporting capabilities. Failures in connecting security procedures to technical operations can create costly delays or missteps during some of the most critical times in an organization.

If all the assets in a solution are known, and the responsibilities for implementing them have been handled correctly , the effort to fulfill operational requirements is much easier to accomplish. Cloud security specialists ensure not only that each component is running securely, but also that the organization is operating the solution securely. Technical security outputs are integrated back into organizational security operations, playbooks are built with cloud components in mind, and incident response is tested regularly to meaningfully minimize impact.

Your unique operating environment dictates how you walk this path. Your products have a risk profile shaped by the current threat climate, legislative, regulatory, and industry requirements, and the tolerance of all stakeholders involved. What all cloud solutions have in common is their engagement in sharing responsibility with cloud providers. Understanding your environment, knowing where management responsibility is delegated, and building operational security are key components to securing cloud-dependent products.

Online's Cloud Security team can help you identify your unique needs, assess and advise on cloud delivery, and verify that results of cloud integration are continuously supporting your objectives.

Questions? Ask a Cloud Security Expert

Let us know how Online’s Cloud Security Services team can help your business better understand these shared responsibilities and how to navigate the complexities unique to your environment. We’d be happy to answer any questions you have.
Send us your thoughts// connect@obsglobal.com 

Adam Kreiger, MBA, CISSP, CSSLP, CISA

Adam Krieger is a Senior Security Consultant and Cloud Security Architect specializing in cloud security implementation. With a 16+ year background in security, solutions architecture, DevOps, development, and team leadership, he has implemented a wide variety of solutions across several domains. He loves a good scale problem and may be able to read off pages of cloud API documentation by memory. He has his CISSP and collects certifications like pokemon cards.