For a small to midsize business, implementing an effective cloud security program can be a challenge. A cloud-first or hybrid environment requires different policies and procedures than an on-premises data center, regardless of the organization's size. Knowing the right questions to ask, and how to secure infrastructure that sits outside your own data center, isn't always a skill set found in SMBs, particularly when there is no CISO.
Dave Shackleford, founder and principal consultant at Voodoo Security, a veteran senior instructor at the SANS Institute, and a member of the faculty and former CTO of the Institute of Applied Network Security (IANS), spoke with Tech-Channels.com about the challenges organizations face when they try to implement cloud security in an environment they might not fully understand.
Q. When it comes to cloud cybersecurity, who is responsible for what in the cloud? What should you request from your provider that might fall into the gray area of what they normally provide?
A. Any reputable cloud service provider should have a System and Organization Controls (SOC) report, at a minimum, and ideally should have reasonable answers for industry-leading risk questionnaires like the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ) or CSA STAR Certification. The shared-responsibility model is relatively mature today, which can help tenants better understand what they are responsible for securing versus what the provider maintains. In essence, the provider will maintain the security of the cloud fabric itself, while all deployed assets (virtual machines, containers, storage nodes, and the like) are the responsibility of the tenant, along with the security of any accounts in the cloud.
Q. We hear a lot about cloud-first architecture. What does that really mean and what role do local storage and servers play in a cloud-first environment?
A. In a cloud-first architecture, IT operations and development are deployed into a cloud-based model if possible, meaning traditional virtual machines, containers, serverless, and use of cloud storage and database services. In these scenarios, an organization has made the decision to build infrastructure in the cloud as the first choice, largely due to a desire to reduce the on-premises footprint as much as possible. Local storage and servers can still play a role in hybrid design models where cloud services and in-house services are interconnected, but usually the goal is to minimize or completely eliminate storage and compute from traditional data centers.
Q. When selecting a cloud service provider, what questions should you ask before signing a contract? For example, you might need the corporate equivalent of a prenuptial agreement that states in which format and how quickly you get your data back should you decide to move it to a different provider. What else should be determined upfront before signing with a cloud provider that is frequently missed?
A. Organizations need to ask all the typical security questions that may be in the CSA CAIQ or other cloud-centric, third-party vetting models, but they also need to focus on continuity and geography. If cloud providers have significant dependencies that could impact tenants, those should be disclosed to improve transparency in negotiations. Also, given the rapid expansion of privacy laws globally, organizations need to ask about data residency assurances from providers as well.
Q. We saw from the recent CrowdStrike outage that given the right set of circumstances, data in the cloud can be as vulnerable as data on-premises. What should you know in advance about your service provider’s security profile, third-party risk management, and its cyber resilience before you entrust your data to a cloud service provider?
A. It’s tough to wholly predict outages like that with CrowdStrike, but I think we’re going to see more clients and tenants of cloud service environments asking harder questions about potential single points of failure, as well as third-party relationships that could have a ripple effect on uptime and performance. It doesn’t hurt to ask a potential provider about software and vendors, along with other relationships that could impact tenants if a problem occurs, but many providers won’t answer this at the moment.
Q. Meeting compliance requirements can be challenging if you don’t ask the right questions. What must you ask and/or require from your cloud service provider concerning compliance, both to laws and to industry regulations, and what kinds of documentation should you require they provide on an ongoing basis?
A. What kinds of documentation you request from your provider will vary depending on your own regulatory requirements. For most organizations, a SOC report is standard, and for larger providers a range of different ISO audits and reports are also common. Other attestations will depend on the type of data and requirements organizations plan on hosting and generating in the cloud environment, such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and others. Increasingly, cloud providers are also offering CSA STAR program attestation and monitoring, as well as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Q. Clearly your cloud provider won’t let you do penetration testing against production cloud servers. What kinds of security testing should you request of your cloud provider and what kinds of documents can you obtain from your provider to augment testing you are permitted to do?
A. Most large cloud providers allow you to perform testing against your own infrastructure and application deployments, but no providers offer blanket testing (and many don't allow any testing whatsoever) of their infrastructure. Cloud providers don't want to reveal details about any possible vulnerabilities or exposure, so if they offer anything about testing to clients, it's usually a generic, client-facing letter of testing and the testing firms' opinions on security posture there. Providers might also offer details about internal testing cadence to help assure tenants that frequent assessments are performed.
Q. What do many SMBs and small enterprises “know” about cloud security that’s absolutely wrong? Similarly, what do they not know about cloud security that’s absolutely essential for them to know?
A. Many smaller organizations feel that their security will almost always measurably improve when moving into the cloud, but that’s very often not the case if there aren’t skilled professionals building and deploying the cloud infrastructure. Cloud services have a wide range of configuration options that need to be well-understood to properly secure them, and you can’t rely on the provider to manage these for you. Likewise, each cloud is a unique skill, and you can’t assume that by learning a bit about Amazon Web Services, you can always readily translate that to Microsoft Azure or the Google Cloud Platform. Smaller organizations, when feasible, are almost always better off narrowing their focus to a single major cloud and learning more about how to secure and operate deployments there.