That is quite the catchy title don’t you agree? Ok so that needs some work and when we think about cloud security, we need to realise that Computing as a Service isn’t a silver bullet.

One Cloud to Rule them all and in the darkness bind them

Ok so the cloud was promised as the saviour of IT and Cyber security but the promise vs the reality. Well, let’s be frank, they don’t really match up. But have no fear – secure cloud design is here (omg cringe)! Ok now we have that out of my system let’s look at some basic cloud security considerations to make when thinking about cloud services.

Checklist

Ok so the world doesn’t work with a checklist however, if you are like me you will want to use lists and aides to jog the little grey cells into action. Let’s think about cloud services and security:

  1. Security Policy
  2. Governance
  3. Supply Chain Security
  4. Identity and Access Management
  5. Conditional Access
  6. Role Based Access Control
  7. Privileged Access Management
  8. Asset Management (and reporting)
  9. Secure Configuration Management
  10. Availability
  11. Audit Logs and Alerting
  12. Risk Management
  13. Incident Response and Digital Forensics
  14. Vulnerability Management
  15. Patching
  16. Backup
  17. Recoverability
  18. Insurance
  19. Compliance
  20. Network Segmentation and Data Flows
  21. Administrative Interface Security
  22. Encryption at Rest
  23. Encryption in Transit
  24. Personnel Security
  25. Contractual Terms
  26. Data Location

Now this was from the top of my head, you will also want to consider how your cloud provider and the service you are operating conforms to the 14 CSP Principles from NCSC:

https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles

Secure Design

Now let’s also contextualise this with some good guidance from NCSC on secure design:

https://www.ncsc.gov.uk/collection/cyber-security-design-principles

  • Establish the context
  • Making compromise difficult
  • Making disruption difficult
  • Making compromise detection easier
  • Reducing the impact of compromise

We need to think about cloud architecture because it’s not as simple as people might say it is.

Cloud Architecture

Now cloud isn’t a single model, cloud refers to 5 key elements according to NIST. It comes in a range of shapes and sizes:

  • SaaS
  • FaaS
  • PaaS
  • IaaS

It also comes in public, private and hybrid deployment modes. Simple right?

Not only that but when we think about cloud architecture, we must consider a range of planes:

  • Cloud Provider Plane (Supply Chain Security)
  • Tenant Management Plane (The high privileged access component for management of the cloud service)
  • Tenant Service Plane (where the components, VMs and applications/services go)

So, you can start to see that although you are effectively outsourcing some of the areas you used to worry about (e.g., physical security, facilities management, hardware management, warranty support, HVAC etc.) you still have a whole range of security considerations and design decisions to make.

It’s easy with cloud to make assumptions, much like it’s easy with outsourced services to do so to (hell it’s easy with everything in house). So, a key step to both planning a new service or reviewing an existing one is planning and design. That goes for the understanding phase as well as when you want to design and integrate cloud services as part of an implementation.

The 26 number was from the top of my head, can you think of other areas you should think about?

Leave a Reply

Your email address will not be published. Required fields are marked *