Richard Beck, head of cyber-security, QA
Richard Beck, head of cyber-security, QA

Cloud services have been around for many years and are gaining in popularity. In fact most businesses are now using some form of cloud.

The meteoric rate of growth in the use of cloud, along with the sheer number of services which now depend on it, mean that cloud has moved from being used selectively for only non-critical applications and workloads to being a mainstream proposition for organisations of all sizes. 

Recent research, undertaken by Computing, found that 77 percent of those surveyed were using cloud services to some extent and a huge 75 percent of survey respondents expected their use of cloud services to increase in the next year. However, 45 percent of those surveyed had security as a main concern when it comes to Cloud adoption.

1.     Demonstrable network security

Choose a Cloud Service Provider (CSP) based on their ability to support the technologies that are right for your business. Moving to the cloud should not reduce your involvement in network security, some of the responsibilities will shift and even though you may implement a cloud environment without control of the network infrastructure you are advised to understand it to support the change in your approach to risk management.

How do they provide isolation protection within the network and virtual infrastructure? Understand the implementation of the network, its address assignment and elasticity, subnet routing configuration and availability zones. Ask where traffic is protected and appreciate the data flow and its design of the environment. If connectivity is required to others through a community or private cloud how is this traffic separated from public traffic?

What analysis are they performing on traffic patterns and behaviours? Do they provide zones of availability? What intrusion protection systems are available and which commercial/ proprietary network tools can they implement to provide the level of assurance your business requires?

2.     Protection for public facing systems

Web Application Firewalls (WAF's) can provide health monitoring of inbound HTTP and TCP connections vital to identify attacks. This inbound traffic can be inspected before forwarding traffic to customer's systems.

Where necessary, SSL traffic inspection can be implemented supported by the certificate infrastructure of the CSP to provide deep packet analysis and threat mitigation.

Using the scale of the CSP its Content Delivery Networks can provide website content distribution and caching as well as Distributed Denial of Service (DDoS) protection through flood mitigation which would far exceed the protection affordable on premise.

3.     Application Programming Interfaces (API's)

API's and entry points into the infrastructure should be assessed and monitored for their functionality, performance and most importantly their security. They may be considered one of the weakest points of the design.

Monitoring of these API's and console management calls in real-time is necessary to provide prompt system event notifications. These can be delivered through in and out of band communication methods.

Code review where possible should be mandatory as should a reliance upon a Software Development Lifecycle (SDLC) to provide the assurance that the software written to support the connectivity into the cloud infrastructure has been properly assessed in terms of its design, review, testing and update schedule.

Where code has been written yourselves, this review may be easier to test and if not the CSP can provide its own assurance to you by discussing and demonstrating its software development framework and its supported accreditations.

Remote access can be provided using Secure Socket Tunnelling Protocol (SSTP) in conjunction with RDP as well as options for Secure Shell (SSH) either of which can be implemented using mutual authentication with certificates.

4.     Identity & Access Management

Controlling who has access and when and with what level of authorisation through Management consoles and API's proves to be a complex challenge. Identity management can provide the appropriate level of access based upon individual users or groups as well as role based access as appropriate.

Strong policy based authentication using multifactor is now considered a requirement to mitigate the ever-increasing threat of brute force password cracking attempts and poor password behaviours. Technical controls such as “something that you do” or “somewhere you are” could be added to the traditional “know”, “have” and “are” factors in conjunction with a comprehensive procedural password policy.

Integration with existing on-premise directory services should be supported rather than the requirement to maintain multiple databases of users and their credentials in the cloud. Active Directory Federated Services is one such solution.

Recently we have seen an increase in Single Sign On (SSO) adoption based upon the Security Assertion Mark-up Language (SAML) and Simple Object Access Protocol (SOAP) where an Identity provider “asserts” the validity of an individual within its own authenticated infrastructure by providing a token which can be used by the entity to validate itself to a trusted third party. All this without the reliance upon that third party having to maintain its own user database. Oauth and Open ID are alternatives as well as systems that provide Single Page Authentication (SPA) using Asynchronous JavaScript asynchronous XML (AJAX) and HTML5.

5.     Data Encryption

As our requirement to store and process data increases there is a need to preserve the confidentiality integrity and availability of this data both within and outside the organisation.

As a customer of a cloud service you are able to leverage their technology to provide enhanced security around the three states of data, in transit, in use and at rest. If required, the data processor can act to store only the data and have no access to its content without your encryption keys.

This may be necessary to help the customer maintain its legal and regulatory compliance in conjunction with its Information Security Management System and any relevant accreditation as well as satisfy those stakeholders not comfortable with data being accessible by a third party.

It is likely that encryption is implemented in hardware using Hardware Security Modules (HSM's) which, as well as offering performance benefits, provide features to securely store cryptographic keys and prevent their export which offers greater protection and mitigates insider threat.

Data tokenisation may also be a consideration to obfuscate certain stored data.

6.     Platform support and security

There are a wealth of cloud service providers offering services which range from those which require little if any configuration, perhaps only a web interface as a means to consume a product such as web-based email to those giving the flexibility for you the customer to build and design your environment for development and testing where the responsibility for building and updating the network is more incumbent on the customer. Different cloud models exist around public and private as well as community environments and Cloud Security Brokers exist to facilitate the integration between on premise and cloud for those customers wanting that additional support.

Your choice of cloud provider may be dictated by your reliance upon a specific technology. Experience with Microsoft solutions may lead you to Azure where the use of Hyper V may be a major benefit in terms of existing experience and skills along with ease of integration. Likewise, Amazon customers may wish to stay with AWS and leverage its scalability and infrastructure. VMWare customers may choose either even though their choice may not be the default for either of those providers.

Virtualisation is such a mature product now that the choice of which provider and thus the virtual platform is no longer dictated by features and performance as it used to be. These systems all provide support for the latest security features for the three components of compute, storage and networking.

Mitigation for VM Escape or VLAN traversal, VLAN ID protection, secure storage secure network configuration and identify management features are now available across all the major virtualisation providers regardless of which Cloud Service Provider implements them. The use of hardened base images for deployment is a useful feature that some CSP's provide their customers.

7.     Secure cloud data centres

Cloud infrastructure can benefit from improved physical, procedural and technical controls in relation to Data Centre Security far in excess of what may be achievable on premise without a prohibitive cost. This may include state of the art locations and the latest security systems.

Risk management will shift in terms of the needs to address these changes but often to the benefit of overall security and a reduction in the necessary controls that would need to have been implemented if the infrastructure and data remained on site.

Where are the data centres and how are, they designed? Are they in populated areas with good infrastructure and access to emergency services?

Some providers may allow and even suggest a tour of the facilities to demonstrate the general, local and electronic security environments within their building. Using state of the art biometric systems and more traditionally physical controls such as mantraps and tiger cages can provide additional assurance around the protection of customer data.

8.     Operational Security

The customer should investigate and discover the operational security elements of the CSP. These include Incident Management, Vulnerability Management, Monitoring and Configuration and Change Management.

Investigate incident management to ensure a prompt response to potential issues allowing for information gathering and remediation within an acceptable timeframe.

Investigate vulnerability management to proactively identify and mitigate weaknesses within the infrastructure.

Configuration and change management to ensure changes due not unexpectedly reduce the security environment.

Monitoring of the infrastructure to detect attacks in progress and provide analysis and evidence for investigation.

9.     External audit and configuration testing

What assurance does the Cloud Service Provider offer in terms of visibility into its systems? In most cases this visibility may be limited, perhaps naturally so and a requirement for them to keep their systems secure and less exposed to outside analysis.

An audit by an independent company or individual may be a possibility to test their data protection, network security, security operations and identity and access management. Penetration testing may also be included.

The service provider should have a security governance framework, which coordinates and directs its management of the service and information within it.

Global standards that they can be assessed against may include ISO or NIST and more specifically to Cloud, Amazon's Centre for Information Security (CIS) or the Cloud Security Alliance Cloud Control Matrix.

   10. Personnel screening and vetting

Within your business, you would have followed the appropriate due diligence when making decisions about who to hire and the accuracy of their backgrounds in terms of your own vetting procedures.

Moving to Cloud services creates the increased risk of data breach through loss, change or destruction on behalf of a malicious insider at the CSP.

Thorough screening with support from adequate training helps mitigate the risk.

BS7858: sets out some standards for personnel screening and a demonstration to its adherence by your provider will be valuable. Nevertheless, it is very difficult to completely thwart a motivated and privileged user. In some cases, it may be necessary to prevent your provider from having access to your data using encryption and performing key management independently.

Contributed by Richard Beck, head of cyber-security, QA