Security is a shared responsibility between the end user and the cloud provider

As the security of your data is the most important factor when considering the use of cloud services, we will examine how data is protected at the client site, as it traverses public and private networks, and within the cloud provider’s data centers. Security is a shared responsibility between the end user and the cloud provider and it is important to understand where the lines of demarcation are located to ensure your data is protected.

Cloud providers are responsible for:

  • Physical data center security – access control, manned security, and video surveillance of cloud data centers

  • Securing network infrastructure – segregation of traffic and prevention of insider threats within the cloud network

  • Isolation of virtual machine instances – ensuring physical hardware is secured to prevent access to other instances via hypervisor or physical adapter exploitations

  • Security compliance – regular external audits to ensure customer data is protected and handled in accordance with applicable government and industry certifications

The client is responsible for:

  • Data in transit – information flowing to and from the cloud via public and private networks

  • Data at rest – information stored at the customer premises and within the cloud data centers

  • User credentials – privilege management and protection of user passwords

  • Operating system – ensuring the OS is updated and the latest patches are applied

  • Antivirus software – running and updating antivirus software to protect your network from trojans, worms, botnets, and other nasty creatures trying to find their way into your system

  • User applications – installing only necessary applications, ensuring applications are updated and from reputable sources

  • Policies – governance of internal and industry policies to prevent unauthorized access to data and network configuration parameters

Responsibilities will vary depending on which cloud services you are using. If using Software-as-a-Service (SaaS) applications for example, the SaaS provider is typically responsible for OS and system updates, data at rest, and data in transit, depending on the application and level of service provided. Regardless of application, it is important for the client to understand the impact and safeguards necessary for every service deployed. We will now take a closer look at how data should be protected at the client sites, network paths, and cloud locations.

Client Site

Client sites consist primarily of data centers, but mobile and other remotely connected devices are part of the scope as well. For those of you working in the electric utility business, you are well aware that the days of the simple substation with just a few SCADA boards have been replaced with sophisticated gear and complex networks carrying SCADA, voice traffic, video feeds, and other Smart Grid data. Substation networks must be treated with more scrutiny as most substations are unmanned and often have a weaker security perimeter than corporate data centers. Some of the precautions to be taken include:

  • Client-side encryption. Data at rest should be encrypted to prevent data compromise in the event that an intruder gains access to the system. Windows BitLocker, TrueCrypt, and SafeNet are just a few examples of disk encryption utilities available today. Client-side encryption provides the added benefit of encrypting your data before it leaves your network and while it is stored in the cloud, further protecting against data compromise in transit or at rest.

  • User access. The principle of least privilege should be put into practice, meaning that administrator accounts and user privileges are limited only to the services required for the roles they serve.

  • Key management. If you use the same encryption key to encrypt all data, all data is compromised if that key falls into the wrong hands. Key rotation prevents this by periodically changing out encryption keys, encrypting new data with the active key and decrypting archived data as needed with the master key it was encrypted with. Key rotation can be performed automatically (typically every 3 months, but the interval can vary based on need) or manually. A manual key rotation is good practice if suspicious activity is detected or if an IT admin leaves the department or organization.
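The rotation scheme described above, as an added example that is not from the original article: a key ring that encrypts new data with the active key and records the key version in a header, so archived data still decrypts with the key that sealed it. The KeyRing type and the on-disk layout are this example's own (Go, AES-256-GCM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// KeyRing keeps every key version ever issued; only the newest encrypts new data.
// Old versions stay so archived ciphertext remains readable until it is re-encrypted.
type KeyRing struct {
	keys   map[uint32][]byte
	active uint32
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[uint32][]byte{}} }

// Rotate generates a fresh 256-bit AES key and makes it the active version.
func (r *KeyRing) Rotate() uint32 {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { panic(err) }
	r.active++
	r.keys[r.active] = k
	return r.active
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with the active key. Layout: 4-byte key version | 12-byte
// nonce | AES-GCM ciphertext+tag; the version header is also bound as associated data.
func (r *KeyRing) Encrypt(plaintext []byte) ([]byte, error) {
	if r.active == 0 { return nil, errors.New("no active key: call Rotate first") }
	aead, err := gcmFor(r.keys[r.active])
	if err != nil { return nil, err }
	hdr := make([]byte, 4); binary.BigEndian.PutUint32(hdr, r.active)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	out := append(append([]byte{}, hdr...), nonce...)
	return aead.Seal(out, nonce, plaintext, hdr), nil
}

// Decrypt opens with whichever key version sealed the data (active or archived) and
// reports that version so callers can find data that still needs re-encryption.
func (r *KeyRing) Decrypt(ciphertext []byte) ([]byte, uint32, error) {
	if len(ciphertext) < 4+12 { return nil, 0, errors.New("ciphertext too short") }
	version := binary.BigEndian.Uint32(ciphertext[:4])
	key, ok := r.keys[version]
	if !ok { return nil, version, errors.New("unknown key version") }
	aead, err := gcmFor(key)
	if err != nil { return nil, version, err }
	pt, err := aead.Open(nil, ciphertext[4:16], ciphertext[16:], ciphertext[:4])
	return pt, version, err
}
```

A production key ring would hold the keys in an HSM or key management service rather than in process memory; the versioning logic is the same.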

Network Path

The network is comprised of all physical and logical connections required to get your data to the cloud. There are several methods of establishing secure network connectivity, some of which include:

  • VPN tunnels. A Virtual Private Network (VPN) tunnel is simply a secure connection between two points, usually over unsecured networks such as the Internet. It does this by encapsulating the data into encrypted packets and sending them to the intended recipient, where they are converted back into plain text with the correct decryption key. This is a popular, cost-effective method still in widespread use today.

  • TLS/SSL encryption. The Transport Layer Security (TLS) protocol is designed to authenticate the endpoints and encrypt the transferred data. Through an asymmetric key exchange, a shared symmetric session key is established and data can then be sent securely. You can see this in use every time you visit a secure (https://) website and get the green seal of approval in your browser tab. TLS is the successor to the older Secure Sockets Layer (SSL) protocol. Older versions such as SSL 2.0 and 3.0 should no longer be used given their compromised key exchange process and susceptibility to man-in-the-middle attacks. Given the longevity of the term SSL, TLS and SSL are often used interchangeably, which can create confusion.

  • Trusted certificates. To safeguard against spoofing or man-in-the-middle attacks, always use X.509 certificates issued by a Certificate Authority (CA) that clients can verify. Never use self-signed certificates.

  • Direct connection. Exactly how it sounds, a direct connection is a dedicated network connection between your site and the cloud data center. With a direct connection, your data is never exposed to public networks, so the likelihood of hacking and other malicious efforts in transit is statistically reduced to near zero. Depending on your throughput requirements, distance from a direct connect location, and state/local tariffs, the cost of a direct connection can vary greatly and may be prohibitive for some organizations. Trade-offs will have to be evaluated to determine if this is an option.

  • Hardware Security Module (HSM). HSMs are specialized hardware modules that handle key management, encryption, exchanges, and rotation. Cloud providers also offer HSM and key management services, making it easier to manage your own keys with no up-front costs and the ability to pay as you go with on-demand pricing structures.
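As an added example (not from the original article) for the TLS and trusted-certificate points above: a Go check of the verification a TLS client performs on a server certificate, showing that a certificate issued by a trusted CA verifies while a self-signed certificate for the same host is rejected as an unknown authority. The hostname, CA name and serial numbers are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const host = "cloud.example.internal" // constructed hostname for this example

func check(err error) { if err != nil { panic(err) } }

// template describes a private CA (isCA) or a server certificate for host.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA: isCA, BasicConstraintsValid: isCA, DNSNames: []string{host}}
	if isCA { t.KeyUsage |= x509.KeyUsageCertSign }
	return t
}

// issue signs tpl with signer's key; a nil parent yields a self-signed certificate.
func issue(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil { parent = tpl }
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer); check(err)
	cert, err := x509.ParseCertificate(der); check(err)
	return cert
}

// VerifyServerCert mirrors a TLS client's check: chain to a CA in roots, name matches host, server auth allowed.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Demo: a CA-issued and a self-signed server cert for the same host, checked against a store holding only the CA.
func Demo() (caIssuedOK, selfSignedRejected bool) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err)
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err)
	ca := issue(template("Example Private CA", 1, true), nil, &caKey.PublicKey, caKey)
	issued := issue(template(host, 2, false), ca, &srvKey.PublicKey, caKey)
	self := issue(template(host, 3, false), nil, &srvKey.PublicKey, srvKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	caIssuedOK = VerifyServerCert(issued, roots) == nil
	selfSignedRejected = errors.As(VerifyServerCert(self, roots), new(x509.UnknownAuthorityError))
	return
}
```

The same check is what a client silently performs on every https:// connection; disabling it (for example to tolerate a self-signed certificate) is what reopens the door to man-in-the-middle attacks.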

Cloud Site

Cloud sites are just remote data centers and are subject to many of the same best practices in your data center. The difference, however, is that you may never set foot in any of these data centers or even know where they are located, and you have no control over how they are managed. Fortunately, these data centers are among the most secure you will ever encounter, monitored 24/7 and compliant with the most stringent of industry standards. Distributed Denial of Service (DDoS) attacks are typically monitored and mitigated as well. While your cloud provider has done their part in securing their infrastructure and keeping bad things out, the data you put in it is still your responsibility.

  • User access. No surprise here, the principle of least privilege should be put into practice in the cloud just as you do in your own network. Multi-Factor Authentication (MFA) should also be implemented as an additional layer to safeguard against unauthorized access in the event a user account is compromised.

  • Traffic control. Traffic flow should be limited to only what is required for system operation. Using stateful firewalls and Access Control Lists (ACLs), you can restrict IP traffic to allow only the ports, protocols, and IP addresses required both inbound and outbound.

  • Restrict public network access. Back-end servers and databases not requiring Internet access should be limited to private cloud connectivity and accessed remotely by means of a NAT gateway or bastion server.

  • Server-side encryption. While client-side encryption is the preferred method to secure your data at rest, there are some use cases where this is not possible. Server-side encryption should be implemented at minimum to protect your data. There have been cases where disks in the cloud were wiped after service was deprovisioned and the next occupant was able to recover fragments of the previous user’s data. While the possibility of this recurring has been mitigated by the use of disk-zeroing techniques, it’s best to assume the worst and take all necessary precautions.

We discussed many strategies to implement across your network, but this is by no means an exhaustive list. There is no one-size-fits-all guidance and threats are continuously evolving. Each use case has its own set of requirements and your team must understand what each application does, how they talk to one another, who needs access, and where the connection points are located. When it comes to security, servers and data stores within the cloud should be handled like any other physical or virtual device in your data center but you must recognize and mitigate the threats that exist between your data center and the cloud as well. Properly deployed and managed, cloud services are a secure, flexible, and cost-effective way to run your business applications. If you follow common sense and have sound policies in place, you might be able to sleep at night knowing your data is safe. No promises on sleeping though.

This article was written by Josh Simmons and was originally published here. Josh is a licensed Professional Engineer (PE), Project Management Professional (PMP), Cisco Certified Network Associate (CCNA), and AWS Certified Solutions Architect Associate. As founder of Cogito Innovations, his team supports mission-critical communications systems for the DoD and electric utilities.