Organisations seeking to improve IT services by moving to the cloud can manage potential security issues by adopting a structured approach to the confidentiality, integrity, and availability of data.
Using cloud services creates a shared ownership of risk between the organisation which owns the data and the cloud service provider, so it is imperative that security considerations are put at the heart of decision-making from the outset.
There are five key questions organisations must consider when migrating to the cloud.
1. How do you classify your data?
Knowing the value, risks, and legal obligations associated with different data – and the impact if compromised – is essential for a successful cloud security strategy.
Creating an easily understood data classification system allows data to be consistently categorised by risk, confidentiality and the need for availability. Effective classification enables organisations to quickly identify data that merits extra control and protection, which in turn informs robust decisions on cloud-based activity. It helps avoid a ‘one size fits all’ approach and ensures focus is placed on truly important data. A solid data classification system also helps businesses comply with regulatory restrictions and meet contractual obligations.
Because cloud-based data is no longer physically held by the organisation, it is also crucial to understand the cost of downtime if access becomes unavailable. For example, online retailers need their customer-facing presence to be accessible more than 99.99 percent of the time, but could accommodate the temporary loss of data supporting internal processes. Remember that downtime can arise from multiple causes: a cloud provider's availability SLA is all but negated if parts of the network infrastructure used to access it are not equally robust.
2. How do cloud services alter your risks?
Aligning business and technical risks, and understanding business tolerance of risks, are central elements of a security strategy. Moving to cloud services can fundamentally change the ‘threat landscape’: removing some existing risks, creating new ones and altering the source of threats, all of which must be analysed holistically.
The shared nature of cloud creates an inherent risk. Cloud providers use logical, ‘soft’ controls to segment different customers' data. Without physical separation provided by dedicated infrastructure, the compromise of one customer's environment may place others at risk. Responsibility for cloud infrastructure security lies with the provider; accreditations such as ISO 27001, ISO 27018 and SOC 2 can help provide confidence in the quality of their controls.
3. How will data be protected in the cloud?
Encryption is a key tool for protecting data from compromise, alteration, and unauthorised distribution. It ensures that, if the cloud service security is breached, stolen data is unreadable to the attacker. As a side benefit, encryption protects data against access by the cloud service provider.
While encryption keys must be protected, they must also be accessible, which means encryption can never be a panacea. Some systems, such as online purchasing portals, must encrypt and decrypt data on the fly, making it impossible to keep encryption keys entirely separate from the data they protect. But many organisations can retain control of the keys by encrypting information before sending it to the cloud.
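The approach of encrypting before upload can be shown in a few lines of Go. This is an added example, not code from the author: the function names, the object name and the demo key are assumptions. It uses AES-256-GCM so that the stored blob is both unreadable without the locally held key and rejected if it is altered or moved under a different name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead builds AES-256-GCM from a 32-byte key that never leaves the organisation.
func aead(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// EncryptForUpload returns nonce || ciphertext || tag; the object name is bound as associated data.
func EncryptForUpload(key, data []byte, name string) ([]byte, error) {
	a, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, data, []byte(name)), nil
}

// DecryptDownload fails if the key is wrong or the blob or its name was altered.
func DecryptDownload(key, blob []byte, name string) ([]byte, error) {
	a, err := aead(key)
	if err != nil || len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated blob: %v", err)
	}
	n := a.NonceSize()
	return a.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real one lives in the organisation's own key store
	rand.Read(key)
	blob, _ := EncryptForUpload(key, []byte("constructed record"), "orders/1.json")
	blob[len(blob)-1] ^= 1 // simulate alteration while the blob sits at the provider
	_, err := DecryptDownload(key, blob, "orders/1.json")
	fmt.Println("altered blob rejected:", err != nil)
}
```

Only the returned blob is sent to the provider; anyone who obtains it without the key sees the nonce and ciphertext but cannot recover or silently modify the record.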
4. What is your approach to identity and access management (IAM)?
Strong IAM ensures only authorised users have access to data.
In the early days of the cloud, users had to register separate accounts for each platform they accessed. This ‘credential soup’ inevitably led to the poor security practice of re-using names and passwords for multiple services.
Today, cloud providers offer federated identity management, allowing companies to operate a single user directory for authentication. Users only need one set of credentials to access both internal and cloud resources, meaning organisations can simply extend their access management processes to the cloud. This approach improves efficiency and enhances security when granting or revoking access.
5. What is your incident response plan?
Even with a best-practice security model, in today's environment of complex systems and determined attackers, data breaches can still happen. Being properly prepared to respond to an incident, whether malicious or accidental, will reduce the impact.
Ideally, organisations would create bespoke incident response policies jointly with cloud providers, but in the real world most are at the mercy of standard terms and conditions. Simple ways to improve incident response include the following:
- Document and, if possible, test the cloud provider's incident process. Knowing what to expect helps ensure a calm response and faster resolution.
- Implement a cloud recovery plan to maintain business continuity. Test it regularly.
- Focus on communication. Keeping employees and customers up-to-date avoids the sort of confusion that can prove more damaging than the original incident.
Contributed by Ian Kayne, cyber-security practice lead, Mason Advisory