Cloud computing solutions rely on shared physical computing resources such as storage, servers, computing power and more. With this technology, the user gets high availability and flexibility of resources at low cost.
Cloud computing solutions have continued to evolve over the past decade and have become established best practice in the last few years.
The significant evolution of cloud technology delivers greater benefit to organizations, and more and more organizations are using cloud services for storage, computing and development. The three leading cloud service providers (CSPs) are AWS (Amazon), Azure (Microsoft) and GCP (Google).
Cloud-based service models:
Software as a Service (SaaS): mainly used by end users; provides end-to-end software.
Platform as a Service (PaaS): used by software developers.
Infrastructure as a Service (IaaS): mainly used by IT admins and DevOps teams; provides pure computing resources.
See examples on the left side of the diagram below:
From a security perspective, if you had consulted a security expert five to ten years ago, they would have said that the cloud is not reliable and that on-premises resources are the most secure components you can use.
Nowadays, most security experts will say that cloud solutions are highly secure and, in some cases, even more secure than on-premises services.
What has changed? (or: cloud security benefits)
1. CSP’s Security Effort and Investment
Since security and compliance were identified as key concerns in the transition to cloud, CSPs have invested, and still invest, massively in security and compliance, both within their platforms and within their own companies. CSPs constantly acquire and develop new security software and features for the platform, and create collaborations and integrations with security partners in order to give their customers the tools to build a secure environment.
Today we have reached a point where CSPs can invest more in security than a single SMB can; therefore, in those cases your risk assessment (cost effectiveness of the security investment) will lead to the conclusion that it is preferable to build the environment using cloud services.
To build trust, the leading CSPs maintain a broad compliance offering covering a wide range of security and privacy laws, regulations and standards.
As part of your due diligence, you should at least review the relevant global (ISO/IEC standards, CIS, SOC, etc.), regional (laws and regulations) and industry-specific (health, finance, etc.) documentation.
These can be found here:
Microsoft Azure Compliance Center: https://docs.microsoft.com/en-us/compliance/regulatory/offering-home
Amazon AWS Compliance Center: https://aws.amazon.com/artifact/getting-started/
Google GCP Compliance Center: https://cloud.google.com/security/compliance/offerings
3. Shared responsibility
In addition to the point made in section (1), using cloud resources allows the company to share responsibility with the CSP. Together, the company and the CSP can achieve a holistic security solution combining the best of each.
For example, see the AWS Shared Responsibility diagram:
Note that the shared responsibility split changes with the type of cloud solution you purchase (IaaS, PaaS, SaaS). The following Microsoft Shared Responsibility diagram explains this concept accurately:
4. Security Visibility
Following on from section (1), most CSPs provide a security management console for their customers: Security Center in Azure, Security Hub in AWS and Security Command Center in GCP. This console allows you to manage the security posture within your area of responsibility (see the shared responsibility section above), gain visibility, identify gaps and even helps to close them. Compared to on-premises solutions, this is a major benefit.
5. High Availability and Redundancy
High availability and redundancy are among the main benefits of cloud services. CSPs are obliged to provide the highest availability. In most cases, companies cannot achieve this level of availability without using cloud services.
What is the catch?
1. Security controls are not implemented by default
The CSP creates security controls and mechanisms within your cloud environment, but most of the time they are not configured. The default configuration for most resources is minimum security (e.g., public access by default); therefore, as a security expert you should verify that optimal security controls are implemented (network, hardening, encryption, retention, etc.) and perform periodic audits accordingly.
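One way to turn that periodic audit into code, as an added example that is not part of the original article: a small baseline check that flags resources still sitting on provider defaults (public access not blocked, no encryption, no retention, no logging). The resource fields, the 90-day retention minimum and the inventory below are constructed assumptions, not a real provider API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class StorageResource:
    # Shape an inventory script might collect; field names are assumptions.
    name: str
    public_access_blocked: bool        # network: public ACLs/policies blocked
    encryption_at_rest: Optional[str]  # "AES256" or "kms"; None = provider default (off)
    retention_days: Optional[int]      # lifecycle/retention policy; None = not configured
    access_logging: bool               # access logs kept for periodic audits

MIN_RETENTION_DAYS = 90                # assumed organisational minimum
APPROVED_ENCRYPTION = {"AES256", "kms"}

def audit_resource(r: StorageResource) -> List[str]:
    """Return the baseline gaps for one resource (empty list means compliant)."""
    gaps = []
    if not r.public_access_blocked:
        gaps.append("network: public access not blocked")
    if r.encryption_at_rest not in APPROVED_ENCRYPTION:
        gaps.append("encryption: no approved encryption at rest")
    if r.retention_days is None or r.retention_days < MIN_RETENTION_DAYS:
        gaps.append(f"retention: policy missing or below {MIN_RETENTION_DAYS} days")
    if not r.access_logging:
        gaps.append("hardening: access logging disabled")
    return gaps

def audit_inventory(resources) -> Dict[str, List[str]]:
    """Map each resource name to its gaps; a periodic audit job runs this on every inventory pull."""
    return {r.name: audit_resource(r) for r in resources}

def summary(report: Dict[str, List[str]]):
    """Return (compliant, non_compliant) counts for a quick posture view."""
    non_compliant = sum(1 for gaps in report.values() if gaps)
    return len(report) - non_compliant, non_compliant

# Constructed inventory: untouched provider defaults next to hardened resources.
INVENTORY = [
    StorageResource("app-uploads", False, None, None, False),    # defaults left as created
    StorageResource("finance-archive", True, "kms", 365, True),  # hardened per baseline
    StorageResource("build-cache", True, "AES256", 30, False),   # partially hardened
]

if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name, gaps in report.items():
        print(name, "OK" if not gaps else "; ".join(gaps))
    print("compliant/non-compliant:", summary(report))
```

Feeding the same checks with an inventory pulled from the CSP's API (or its security console export) gives a repeatable audit that surfaces the "as-created" resources before they go live.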
2. Data Localization Laws
CSPs build data centers in various regions around the world, and each region or country has its own data localization laws and level of government control. Therefore, as a security expert you should take the processing location into account for each data processing element.
3. Standard Contracts
If you are purchasing a service from one of the market leaders, you should expect a standard contract with no possibility of negotiation.
This is a catch, since you are bound by their limitations (terms and conditions) and you cannot conduct inspections and perform due diligence.
To summarize, cloud services, with proper implementation and configuration, can provide a highly secure environment.
Understanding the differences between the various types of cloud solution offerings, and identifying which one is the right fit for your organization, will drive the right decision in terms of both a resilient security posture and financial investment.