Cloud Security Knowledge Sharing By Guy-Bertrand Kamga

To promote a Secure Cloud-Based Digital Transformation

Tag: Cloud Security Risks

Dealing with Shared Responsibility Model in public Cloud

Cloud computing radically changes the way computing services are provided and consumed, both cloud service providers and cloud service customers need to adapt themselves to this new information technology service delivery model.

On one hand, for public cloud services, customers must rent resources (e.g. software or applications, platforms, servers, etc.) running on platforms owned and operated by external service providers. Cloud customers generally pay for the services proportionally to their consumptions (known as pay as you go billing or pricing model), and they can automatically scale (horizontally or vertically) based on their needs. These are only few of numerous benefits of public clouds.

On the other hand, public clouds are shared platforms between several customers (including competitors, hackers, criminal organizations, etc.). That’s why, since the beginning of the 1st public cloud service offering launched by Amazon Web Services (AWS) in 2006, security and compliance risks are always among the top barriers for public cloud adoption.

When it comes to security in the public cloud, one of the main concept to understand, is the Shared Responsibility Model‍.

I released on Peerlyst (web comunity of security professionals), a series of 3 posts focusing on the shared responsibility in public cloud.

In the first post, you will learn some tips that can help to understand how the security responsibility is shared between the Cloud Service Provider (CSP) and the Cloud Service Customer (CSC), and how a cloud customer should consider this aspect during the definition and implementation of its cloud security strategy‍.

In the second post of the series, I provided some tips‍ that can be helpful for a CSC to have a detailed view of the shared responsibility in public cloud. I particularly highlighted how much a clear understanding of the chain of responsibility at CSP and CSC sides is important, as well as the key role of a cloud security RACI matrix.

In that second post, I also briefly introduced a Cloud Responsibility Checklist which can help a CSC to evaluate to what extend its security responsibilities in a public cloud are under control.

In the third and last post of the series, I proposed a process that can be used by a CSC to keep control of the shared responsibility model in public cloud. This process includes the following 3 main steps:

  • Clarification of the responsibility scope
  • Identification and agreement on the responsibility delimitation with the CSP & partners
  • Evaluation of the alignment to the CSC’s cloud strategy

This process can help a CSC to not only ensure that it understands and takes care of its responsibilities in the cloud, but also to make sure that the CSP, as well as all involved partners have formally agreed with the CSC on their scope of responsibility.

Pyramidal view of Cloud Security Risks

As I described in most of my previous articles, defining and implementing an effective cloud security strategy requires the involvement of several stakeholders within and outside of an organization.

Indeed, defining and implementing the cloud security strategy‍ within an organization should include people from diverse entities, including:

  • Business Groups or Units
  • Information Technology (IT)
  • Cyber Security
  • Procurement and Supply Chain
  • Legal & Compliance
  • External partners (Cloud Service Providers, IT partners, Managed Service Providers, etc.)

Having all these diverse profiles involved, ensures that most of aspects will be taken into account in the cloud security strategy on one hand but on the other hand, this may lead to endless debates as the members will not have the same level of knowledge in terms of cloud computing.

Learn in this article posted on Peerlyst community, the common stakeholders’ positions or attitudes with regards to cloud security‍ as well as the multi-level or pyramidal view of cloud security risk‍s.

Cloud Benefits vs Security Risks: two main pieces of the cloud solution puzzle

A security risk manager (ISO 27005 certified) not familiar with cloud solutions but who is interested in cloud topics, recently asked me to share my experience about the main cloud security knowledge & skills required to become a key member of cloud-based business transformation programs or initiatives.

It was not the first time for me to receive such request and I decided to provide some insights in this post.

Understanding the difference between business & security priorities

Most companies are transforming their businesses using cloud technologies and services.

Indeed, cloud services provide several benefits (pay as you go model, less or no CAPEX, dynamic scaling, high availability, collaboration efficiency, improved mobility, etc.) that enable a rapid business development and/or transformation.

Business divisions are then interested in trying and quickly adopting these cloud services. Their interests are mostly governed by the cloud benefits.

On the other side, the Security team who is sometime early involved or discovers by chance the businesses’ cloud initiatives, don’t look at the cloud services with the same mindset as business divisions.

Security staff mostly understands and/or analyzes the cloud services via the security risks angle, which is completely different from the benefits angle.

From the business perspective, the main goal is to maximize the cloud benefits for the company while from the security perspective, the main goal is to minimize the security risks for the company.

These two distinct goals are very important for organizations to take the most benefits from the cloud services without jeopardizing their main assets.

This is where a cloud security expert can bring the most value.

Cloud security expertise consists in a set of knowledge & skills that can help an organization to maximize the cloud benefits while minimizing (at the same time) the related security risks for the company.

Organizations should have on board, people who can understand the cloud benefits as well as the cloud security risks and who can support the business divisions to properly balance between cloud benefits & cloud security risks.

This expertise can be acquired via (i) experiences on designing & implementing cloud-based programs, (ii) cloud security trainings and (iii) cloud security certifications.

The main cloud security standards, guidelines and best practices I listed here, cloud certifications such as the top 5 vendor-neutral cloud security certifications I listed here or the platform-dependent cloud certifications such as AWS Certified Solutions Architect or MCSE: Cloud Platform and Infrastructure can be considered as main sources for developing & maintaining the cloud security expertise.

Key characteristics of cloud security expertise

A cloud security expert is a security specialist who can understand the cloud benefits for the company’s businesses and can identify the security risks applicable to a specific cloud use case.

I depict in the below figure, the main cloud benefits and security threats:

Cloud Benefits vs Cloud Security Threats

Cloud Benefits vs Cloud Security Threats

As you may know, there are 3 cloud service models (IaaS, PaaS & SaaS) and 4 cloud deployment models (Public, Private, Community & Hybrid). All the security threats are not relevant/applicable for each cloud use cases. As for other contexts, there is never a one-size fits all in terms of cloud security.

A cloud security expert should be able to perform the following tasks:

  1. Understand the business requirements (specific for each cloud use case)
  2. Map the business requirements to cloud services capabilities
  3. Analyze the security controls available in the targeted cloud service (e.g. MS Azure, AWS, Salesforce.com, SAP 4/HANA, etc.)
  4. Identify & assess the security risks applicable to a given cloud use case (main impact for the business)
  5. Help the business to decide if the security risks are acceptable (as per the company risk appetite – cloud security policy)
  6. If necessary, recommend reasonable additional security controls that can be implemented to reduce the security risks to an acceptable level (remediation)
  7. Support the business & IT during the implementation of the additional security controls
  8. Ensure that the security posture of the cloud solutions remains acceptable over the time

In short, a cloud security expert should be able to support the business in the following activities:

  • Cloud services/platforms evaluation & selection (RFP/I/Q processes)
  • Cloud solutions implementation
  • Cloud solution operation

The above tasks & activities can be performed by leveraging an agile & effective cloud security strategy such as the Cloud Usage Profile based strategy I described in this previous post.