Is the Public Cloud Secure?
When deciding between a public, private or hybrid cloud offering, any organization treats the security risks involved as one of the most important parameters. The prefix “Public” alone can make some people think the public cloud is not as secure as a hybrid or a private offering, but is that really true, or is the public cloud secure enough for your organization’s data? Let’s analyze this question and arrive at an answer after validating some facts. Before the analysis, however, here is a brief introduction to the public cloud, so that this assessment is meaningful even for someone with no technical background in cloud computing.
Introduction to Public Cloud
The concept of offering cloud computing as a public utility is not new; it was first mooted in the 1960s by JCR Licklider as an “intergalactic computer network”, which laid the foundations of grid computing, an early forerunner of the cloud. However, it wasn’t until the 1990s, when the internet started to offer significant bandwidth, that the idea actually started to see the light of day. One of the first milestones was the arrival of salesforce.com in 1999, which pioneered the concept of delivering enterprise applications via a simple website. In 2002, Amazon created a suite of cloud-based infra services, including storage and compute, as a captive arm of Amazon e-commerce. By 2006 Amazon Web Services (AWS) was launched as a commercial web service with its compute service Elastic Compute (EC2), which allowed small companies to rent computers on the cloud to run their own applications. Soon enough other players entered the market as public cloud service providers, prominent among them being IBM Cloud (2011), Google Cloud (2011), Microsoft Azure (2012) and many others.
Public cloud computing is defined as computing services offered by third-party providers over the public internet, making them available to anyone who wants to use them. A public cloud is built on a fully virtualized environment, which enables a multi-tenant architecture in which users share computing resources, bringing economies of scale and lowering costs. A user pays only for what they use, just as with a public utility service like electricity or piped gas.
This no-capex, opex-only model was the major attraction that initially drew a lot of customers to the public cloud. Over the years, as technology has evolved, most public cloud service providers have upped their game and now provide a plethora of modern services beyond the initial compute, storage and networking. However, one of the major stumbling blocks cited by many organizations in migrating to the public cloud is security. Is that a valid concern or a bogey? This article will try to address this query.
Fig 1: Public cloud security is a concern for all customers
Security Concerns in the Public Cloud
Loss of Governance
The idea of migrating applications hosted on premises to the public cloud is quite disconcerting to many users. The concerns largely fall into the areas listed below.
· Data Loss/Leakage. Misuse or leakage of data, especially to other tenants in the cloud.
· Access Control. When a business operates in an exclusively on-premises IT infrastructure, governance is controlled and executed within a ring-fenced environment. In the cloud, the boundaries are suddenly gone and this instils a sense of unease. Customers are not sure whether unauthorised access is prevented or, even if the cloud providers claim so, how they can be assured of it.
· Incident Response. How is this going to be managed?
· DDOS Protection. What is the protection from a Distributed Denial of Service Attack?
Compliance
· Data Sovereignty. In many cases regulation demands that the data stay within a country or a region. How can a customer be assured of this when cloud service providers host their infra in their global data centers?
· Compliance to Certifications/Audits. Many organizations may be holding security-related or other global certifications, e.g. ISO 27001. How can they be assured of these in the public cloud?
Privacy
· Misuse of Data. Is the customer data being used by the cloud service provider for analytics or marketing, or shared with any third parties?
· Data Ownership. Who owns the data in the cloud?
· Malicious Insider. A malicious insider is an employee of the Cloud Service Provider, e.g. a disgruntled employee, who abuses his or her position for information gain or for other nefarious purposes. How does one prevent that?
Transparency
· Visibility. Do I have control over my data? Where is it stored? Who in the cloud provider's team can access it?
· Deletion. When I delete my data in the cloud, is it truly and completely deleted?
How Cloud Providers Have Responded to the Security Concerns
· Institutional Frameworks. The Cloud Security Alliance (CSA) was formed in Dec 2008 with the aim of securing cloud computing. It is a not-for-profit organization with a “mission to promote use of best practices for providing security assurance for cloud computing”. Over the years it has come up with several security guidelines and standards to assure public cloud security, prominent amongst them being the 2010 Cloud Controls Matrix (CCM), a baseline set of security controls that helps enterprises assess the risk associated with a cloud computing provider. It provides guidance in 16 security domains, including application security, identity and access management, mobile security, encryption and key management, and data center operations. In 2013 it launched the STAR (Security Trust and Assurance Registry) certification, which has 3 levels. It encompasses key principles of transparency, rigorous auditing, and harmonization of standards. STAR level 2 certification provides multiple benefits, including indications of best practices and validation of security posture in cloud offerings. All major cloud providers conform to these standards, and that has greatly helped build assurance in the minds of customers.
· Shared Responsibility Model of Security. Security and compliance is a shared responsibility between the cloud provider and the customer. This shared model can help relieve the customer’s operational burden, as the cloud provider operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of the security group firewall supplied by the cloud provider. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. The chart below shows this differentiation of responsibility for AWS, which is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud. It is similar with other cloud providers as well.
Fig 2: The shared responsibility model of security in the cloud illustrated for AWS
· Ensuring Cloud Security. A defence-in-depth approach is a fundamental element in how cloud providers deliver a trustworthy cloud infrastructure.
o Defence-In-Depth. This means applying controls at multiple layers. It involves employing protection mechanisms, developing risk mitigation strategies, and being capable of responding to attacks when they occur. Refer to Figure 3 for a graphical representation.
Figure 3: The Concept of Defence-In-Depth in the Public Cloud
§ Physical Security. Cloud providers typically design, build, and operate datacenters in a way that strictly controls physical access to the areas where your data is stored. Typically they have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. These are further strengthened by biometric access controls, CCTV, and periodic physical security reviews and audits.
· Equipment Disposal. Upon a system's end-of-life, cloud provider operational personnel follow rigorous data handling and hardware disposal procedures to assure that hardware containing customer data is not made available to untrusted parties. They use a secure erase approach for hard drives that support it. For hard drives that can’t be wiped, they use a destruction process that destroys the drive and renders the recovery of information impossible. This destruction process can be to disintegrate, shred, pulverize, or incinerate.
§ Identity and Access Management. Since the cloud has to allow access to data and services from anywhere, access must be managed through identity-based authentication and authorization controls in the cloud services, which protect data and resources and decide which requests should be permitted. This can be done by integration with the enterprise Active Directory (AD), Role Based Access (RBAC), Single Sign On (SSO) and Multi Factor Authentication (MFA), in addition to logging of all events and audit trails.
§ Perimeter. Separation and isolation in a multi-tenant environment is enabled via a logical perimeter (VNet in Azure, VPC in AWS). Access can be enabled or blocked using configuration settings.
· DDOS Protection. Backed by the Cloud Provider's global network, DDoS Protection brings massive DDoS mitigation capacity. You can scrub traffic at the perimeter network edge before it can impact the availability of your service.
§ Networking. Limit communication between resources through segmentation and access controls. Deny by default, restrict inbound internet access, limit outbound access where appropriate, and implement secure connectivity to on-premises networks.
§ Compute. Ensure applications are secure and free of vulnerabilities through regular automated scans enabled by the cloud provider's native tools. Encrypt the VMs. Implement endpoint protection and keep systems patched and current. Advisor recommendations provided by native cloud tools goad and remind customers towards these actions. For better availability, use multiple VMs; in Azure, for instance, we use availability sets or availability zones. Most cloud providers have built-in security controls integrated into the hardware and firmware components.
§ Application. Application security must be built in at the design stage itself. Use features like load balancers, traffic managers, etc. to prevent unnecessary public exposure. Ensure applications are secure and free of vulnerabilities through regular automated scans. Move from DevOps to DevSecOps.
§ Data. Data must be encrypted and the keys stored in the key vaults available in the cloud. Take a snapshot and/or backup before disks are encrypted.
· Compliance.
o Not only are the major cloud providers compliant with the CSA guidelines and certifications, they are also certified under many global and regional certifications. For example, Azure has 90 compliance certifications, including over 50 specific to global regions and countries.
o These require regular audits and validation checks, which ensure a high level of security posture.
o Distributed Regions. Most large cloud providers have a global footprint of data centers hosted in their regions. For example, Azure has 54 Regions, of which 3 are in India, i.e. Mumbai, Pune and Chennai. AWS has 22 Regions, with one in India (Mumbai). This helps meet data sovereignty requirements.
· Privacy. Most of the cloud providers have taken a lot of proactive measures to ensure privacy.
o They certify that customer data is used only to provide the services agreed upon, and for purposes compatible with providing those services.
o They do not use customer data or derive information from it for advertising.
o They will not disclose customer data hosted in cloud vendor business services to a government agency unless required by law.
· Transparency.
o Visibility into your own customer data, so that you can use and control it effectively.
o Encryption with the customer's own key. No one else has access to the private key.
o A wide array of configurable security options, with control to customize security.
o Data storage only in the customer-specified Geo.
o Reports Hub, available on the cloud provider’s website.
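The customer's side of the shared responsibility model (configuring the security group firewall) and the "deny by default, restrict inbound internet access" guidance under Networking can be checked mechanically. The following is an added example, not part of the original article: it audits constructed rule data laid out like the output of AWS's describe-security-groups call, and the group IDs, the sample rules and the PUBLIC_PORTS allowlist are assumptions.

```python
import ipaddress

# Assumption: the only ports this hypothetical organisation exposes to the internet.
PUBLIC_PORTS = {80, 443}

# Constructed sample data in the shape of EC2 describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-admin-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def is_any_source(cidr):
    """True when the CIDR covers the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(groups, public_ports=PUBLIC_PORTS):
    """Return (group id, cidr, low port, high port) for inbound rules that
    admit the whole internet on any port outside the allowlist."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            proto = rule["IpProtocol"]
            if proto not in ("tcp", "udp", "-1"):
                continue  # ICMP carries type/code, not ports; not covered here
            # Protocol "-1" means all traffic, so every port is open.
            low, high = (0, 65535) if proto == "-1" else (rule["FromPort"], rule["ToPort"])
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            # Acceptable only if every port the rule opens is on the allowlist.
            only_public = all(p in public_ports for p in range(low, high + 1))
            for cidr in sources:
                if is_any_source(cidr) and not only_public:
                    findings.append((group["GroupId"], cidr, low, high))
    return findings

if __name__ == "__main__":
    for group_id, cidr, low, high in audit(SAMPLE_GROUPS):
        print(f"{group_id}: ports {low}-{high} open to {cidr}")
```

The IPv6 check matters in practice: a rule that is tight for IPv4 but lists ::/0 exposes the same port to the whole internet.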
Conclusion
From the above it is evident that public cloud security has evolved a lot over the years. The cloud providers have made significant R&D and infra investments in security, and the CSA frameworks and global security certifications, along with the rich set of configurable security options made available to customers, have significantly moved the needle of trust, transparency and security in favour of the public cloud.
It must also be remembered that security in the public cloud is a shared responsibility, and customers need to step up and play their part effectively to ensure foolproof security. To conclude, I would like to quote David Linthicum, a guru of cloud computing: “The headlines might scare you into keeping data within your firewall, but the cloud is now the safest place. In the future, it may be the only option.”
System integration specialist || RHCSA, RHCE, RHOCP, CKA certified.
5 years ago: Very well written article Iqbal Singh sir. I really liked it.
Free lancer
5 years ago: Simple and very well written article. Easy to understand and clears a lot of myths about Public cloud security.
Information Security, Availability, Business Continuity & Assurance Specialists, Founder & MD @Mikroz
5 years ago: Another important consideration could be SSL VPN (++), Application (/desktop) Virtualisation and/or ZTNA based. A lot of the challenges suggested from a security perspective get addressed further, provided the other suggestion made in my earlier submission is in place. Further, with this approach, the need for the suggested DDoS, Identity/Access management, SDWAN, etc., kind of solutions MAY become redundant, meaning significant cost saving, reduced management overheads and far better user experiences.
Head of Services - Digital Operations
5 years ago: Excellent Article Iqbal. Detailed and well articulated.
Author and visiting faculty
5 years ago: Concern about the security of Public Cloud has remained an issue for many. But today detection systems and technology on cloud security have advanced greatly from what they were a decade or so ago. Iqbal: you have in a simplistic manner covered the topic adequately. Most importantly, you have brought out the fact that the security here is a shared responsibility which the user has to ensure through best practice by various means like training, auditing etc. Overall, a well written article of great value. Well done!