That is quite the catchy title don’t you agree? Ok so that needs some work and when we think about cloud security, we need to realise that Computing as a Service isn’t a silver bullet.
One Cloud to Rule them all and in the darkness bind them
Ok so the cloud was promised as the saviour of IT and Cyber security but the promise vs the reality. Well, let’s be frank, they don’t really match up. But have no fear – secure cloud design is here (omg cringe)! Ok now we have that out of my system let’s look at some basic cloud security considerations to make when thinking about cloud services.
Ok so the world doesn’t work with a checklist however, if you are like me you will want to use lists and aides to jog the little grey cells into action. Let’s think about cloud services and security:
- Security Policy
- Supply Chain Security
- Identity and Access Management
- Conditional Access
- Role Based Access Control
- Privileged Access Management
- Asset Management (and reporting)
- Secure Configuration Management
- Audit Logs and Alerting
- Risk Management
- Incident Response and Digital Forensics
- Vulnerability Management
- Network Segmentation and Data Flows
- Administrative Interface Security
- Encryption at Rest
- Encryption in Transit
- Personnel Security
- Contractual Terms
- Data Location
Now this was from the top of my head, you will also want to consider how your cloud provider and the service you are operating conforms to the 14 CSP Principles from NCSC:
Now let’s also contextualise this with some good guidance from NCSC on secure design:
- Establish the context
- Making compromise difficult
- Making disruption difficult
- Making compromise detection easier
- Reducing the impact of compromise
We need to think about cloud architecture because it’s not as simple as people might say it is.
Now cloud isn’t a single model, cloud refers to 5 key elements according to NIST. It comes in a range of shapes and sizes:
It also comes in public, private and hybrid deployment modes. Simple right?
Not only that but when we think about cloud architecture, we must consider a range of planes:
- Cloud Provider Plane (Supply Chain Security)
- Tenant Management Plane (The high privileged access component for management of the cloud service)
- Tenant Service Plane (where the components, VMs and applications/services go)
So, you can start to see that although you are effectively outsourcing some of the areas you used to worry about (e.g., physical security, facilities management, hardware management, warranty support, HVAC etc.) you still have a whole range of security considerations and design decisions to make.
It’s easy with cloud to make assumptions, much like it’s easy with outsourced services to do so to (hell it’s easy with everything in house). So, a key step to both planning a new service or reviewing an existing one is planning and design. That goes for the understanding phase as well as when you want to design and integrate cloud services as part of an implementation.
The 26 number was from the top of my head, can you think of other areas you should think about?