
Cloudy to clear skies – a guide for cloud security

After initial concerns, especially in the German market, cloud services have finally proven themselves. The offers are versatile, flexible and comprehensive. Furthermore, cloud service providers (CSP) offer their services in different ways. No matter whether the service is offered as software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS), the fundamental problem concerning IT security stays the same: using services from a service provider instead of your own infrastructure does not mean that your data is automatically safe. You still carry the responsibility for the security of your data and for dealing with the risks.

The following chart shows where the responsibility shifts from CSP to the customer.

Area of responsibility                                 SaaS            PaaS            IaaS      On premise
-----------------------------------------------------------------------------------------------------------
Data governance & rights management                    Customer        Customer        Customer  Customer
Client                                                 Customer        Customer        Customer  Customer
Account & access management                            Customer        Customer        Customer  Customer
Identity management                                    CSP / customer  CSP / customer  Customer  Customer
Application                                            CSP             CSP / customer  Customer  Customer
Network management                                     CSP             CSP             Customer  Customer
Operating system                                       CSP             CSP             Customer  Customer
Physical infrastructure (host, network & data center)  CSP             CSP             CSP       Customer

Figure 1: Responsibilities of CSP and customer

Conclusion: Whatever the service model, the responsibility for data governance, for rights management of the different clients using the service, and for account and access management remains, at the very least, the customer's obligation.

Threat modeling helps to identify danger zones

But how does one find out which measures have to be taken to properly secure critical information? Threat modeling is the answer: the systematic modeling of potential threats has proven to be the best way. The STRIDE model is often used to categorize the threats. It comprises the following categories:

  • Spoofing identity
  • Tampering data
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privileges

Threat modeling should be done at an early stage of the design process, where you have the most flexibility in designing the necessary security measures. Focus not only on the application itself but also on all security-relevant features that would affect the user in case of a compromise.

The threat evaluation process consists of four basic steps:

  • Modeling of the application (reference architecture)
  • Specification of threats
  • Mitigation of threats
  • Validation of mitigation measures

In the process you consider the following elements of the application; the letters after each element indicate which STRIDE categories typically apply to it:

  • Processes (STRIDE)
  • Dataflows (TID)
  • Datastores (TID and sometimes R)
  • External entities (SRD)

Eventually you should have a comprehensive overview of potential threats as well as appropriate countermeasures.
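The following is an added example (not code from the original article): it walks through steps 2 and 4 of the process above by applying the per-element STRIDE mapping just listed to a small, constructed reference architecture and reporting every threat candidate that has no recorded mitigation. The element names, the `Element` class and the mitigations are assumptions made for illustration.

```python
"""Added example: STRIDE threat specification and mitigation validation over
a constructed reference architecture (element names and mitigations are
illustrative assumptions, not from the article)."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing identity", "T": "Tampering data", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privileges"}
# Letters that apply per element kind; R on data stores only when auditable.
APPLICABLE = {"process": "STRIDE", "dataflow": "TID", "datastore": "TIDR",
              "external": "SRD"}

@dataclass
class Element:
    name: str
    kind: str                                # process / dataflow / datastore / external
    auditable: bool = False                  # store holding logs or account data
    mitigations: dict = field(default_factory=dict)  # STRIDE letter -> measure

def specify_threats(elements):
    """Step 2 (specification): (element, letter, description) candidates."""
    threats = []
    for e in elements:
        letters = APPLICABLE[e.kind]
        if e.kind == "datastore" and not e.auditable:
            letters = letters.replace("R", "")   # R only "sometimes" applies
        threats += [(e.name, c, STRIDE[c]) for c in letters]
    return threats

def validate_mitigations(elements):
    """Step 4 (validation): candidates for which no mitigation is recorded."""
    by_name = {e.name: e for e in elements}
    return [(name, c) for name, c, _ in specify_threats(elements)
            if c not in by_name[name].mitigations]

# Constructed model of a small SaaS-style deployment.
MODEL = [
    Element("Browser user", "external",
            mitigations={"S": "MFA at login", "R": "access log", "D": "rate limiting"}),
    Element("Web API", "process",
            mitigations={"S": "signed session tokens", "T": "input validation", "R": "audit log",
                         "I": "TLS", "D": "autoscaling", "E": "least-privilege service role"}),
    Element("API -> object store", "dataflow", mitigations={"T": "TLS", "I": "TLS"}),
    Element("Customer data store", "datastore", mitigations={"T": "versioning", "I": "AES-256"}),
    Element("Audit log store", "datastore", auditable=True,
            mitigations={"T": "write-once", "I": "restricted IAM policy",
                         "D": "lifecycle retention", "R": "immutable timestamps"}),
]

print("unmitigated:", validate_mitigations(MODEL))
```

Running the block reports the two denial-of-service candidates (the data flow and the customer data store) that the model leaves without a countermeasure.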

Cloud security checklist

Common risks while using cloud services can be avoided if you keep the following security checklist in mind:

  • Secure your root account and access keys. Protect your access keys the same way you protect your bank data. Use multi-factor authentication (MFA) if possible.
  • Create user roles with limited rights. Only grant access to your data if it is necessary. You can use appropriate policies in your identity and access management (IAM).
  • Secure your data stores, especially those that contain logging and account data. Only grant access to persons that really need it.
  • Only use encrypted data stores. Encrypt your data, snapshots and disk I/O with state-of-the-art algorithms (e.g. AES-256). Enforce the encryption through policies.
  • Do not create public data stores.
  • Activate the existing monitoring and logging functions. Enable auditing processes and transparency of all activities within the cloud.
  • Limit the privileged rights to the necessary roles and time periods. Cloud service providers often offer functions that allow you to use temporary credentials with limited rights.
  • Control the incoming and outgoing traffic of your system with the help of clearly defined security groups. A security group controls the incoming and outgoing traffic and functions as a firewall for one or more systems.
  • Capture the IP traffic from and to network interfaces on your virtual private cloud (VPC) and analyze it to recognize anomalies and misconfigurations.
  • Encrypt incoming and outgoing data traffic. Use TLS or IPsec to move your data safely.
  • Familiarize yourself with versioning and lifecycle policies. Versioning allows you to restore individual versions of saved objects. Automate the lifecycle of your objects using rule-based actions.
  • Activate access logging and analyze the data. Analyzing access logs is crucial for the detection of fraud and can help you to better understand and optimize user behavior.
  • Regularly review the accounts you hold with your cloud provider to detect fraud.
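As an added example (not from the original article), the following script turns several checklist points into automated checks: root account without MFA or with long-lived access keys, public or unencrypted data stores, data stores without access logging, security groups that open a whole port range to the internet, and missing VPC flow logs. The inventory format and its field names are an assumption for this example, not a provider API; the values are constructed.

```python
"""Added example: evaluate a constructed resource inventory against the cloud
security checklist above. The inventory schema is an assumption for this
example, not a cloud provider's API."""

INVENTORY = {  # constructed sample, not real account data
    "root_account": {"mfa_enabled": False, "access_keys": 1},
    "datastores": [
        {"name": "customer-files", "public": False, "encrypted": True, "access_logging": True},
        {"name": "backups", "public": True, "encrypted": False, "access_logging": False},
    ],
    "security_groups": [
        {"name": "web", "ingress": [{"cidr": "0.0.0.0/0", "ports": (443, 443)}]},
        {"name": "admin", "ingress": [{"cidr": "0.0.0.0/0", "ports": (0, 65535)}]},
    ],
    "vpc_flow_logs": False,
}

def check_root(acct):
    """Root account: MFA required, no long-lived access keys."""
    findings = []
    if not acct["mfa_enabled"]:
        findings.append("root account without MFA")
    if acct["access_keys"] > 0:
        findings.append("root account has long-lived access keys")
    return findings

def check_datastore(ds):
    """Data stores: not public, encrypted at rest, access logging on."""
    checks = [(ds["public"], "publicly accessible"),
              (not ds["encrypted"], "not encrypted at rest"),
              (not ds["access_logging"], "access logging disabled")]
    return [f"{ds['name']}: {msg}" for bad, msg in checks if bad]

def check_security_group(sg):
    """Security groups: internet-wide ingress only for a single, defined port."""
    findings = []
    for rule in sg["ingress"]:
        lo, hi = rule["ports"]
        if rule["cidr"] == "0.0.0.0/0" and hi - lo > 0:
            findings.append(f"{sg['name']}: ports {lo}-{hi} open to 0.0.0.0/0")
    return findings

def audit(inv):
    """Run all checks and return the list of findings."""
    findings = check_root(inv["root_account"])
    for ds in inv["datastores"]:
        findings += check_datastore(ds)
    for sg in inv["security_groups"]:
        findings += check_security_group(sg)
    if not inv["vpc_flow_logs"]:
        findings.append("VPC flow logs disabled")
    return findings

print("\n".join(audit(INVENTORY)))
```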

Related links:

https://aws.amazon.com/de/security/

https://cloud.google.com/security/

https://www.microsoft.com/en-us/TrustCenter/Security/AzureSecurity
