NIST provides an industry-recognized definition of “the cloud” in their special publication 800-145.

NIST also provides a discussion of challenges with cloud environments in their special publication 800-146.

The graphic depicts a version of the NIST reference model.¹

Broad Network Access

Rapid Elasticity

Measured Service

On-Demand Self-Service

Resource Pooling

Public Cloud

Community Cloud

Private Cloud

Hybrid Cloud

Software as a Service (SaaS)

Platform as a Service (PaaS)

Infrastructure as a Service (IaaS)

Moving enterprise IT to the cloud may or may not improve cybersecurity compared to operating it in a private network and datacenter.

Improving cybersecurity with cloud computing depends, in part, on enterprise size and security maturity vs. the cloud provider’s size and security maturity.

Cloud providers have the same challenges securing their systems that enterprises have.

Cloud providers have several advantages.

Small cloud providers have many of the same strengths and challenges as a small business.

Likewise, large cloud providers have many of the same strengths and challenges as a large business.

However, large customer enterprises doing business with small cloud providers should be cautious because the business cybersecurity may be better than the cloud provider’s cybersecurity.

Moving to the cloud presents a number of challenges

DevOps and DevSecOps

DevOps

DevSecOps

This paradigm shift also means cybersecurity team members may have to change their methods of incentivizing developers to comply with security policies.

Since anyone with a cloud account can stand up a server, install an application, and start running code on the platform, cybersecurity may not be able to use traditional “gates” to review cybersecurity and enforce cybersecurity policies.

Instead, the cybersecurity team may have to switch to a more passive method:

Rather than being a “gatekeeper,” cybersecurity may need to be more of a “scorekeeper,” giving cloud development teams feedback via “security scores” and “penalty flags” so business leaders can identify and consider cybersecurity concerns.

Challenge

Response

By ensuring different people and teams manage different scopes, the enterprise can guard against a single breach or failure being disastrous.

Cloud service is often delivered over an open network, and users and administrators must access the system and services through the network.

Another authentication challenge is account life cycle and access management.

When using a cloud service, data is residing on someone else’s computer in someone else’s facility.

Protection of data is at the mercy of someone else’s enterprise operational procedures and supply chain.

Data stored in a cloud provider’s environment needs to be protected.

When analyzing cloud key management, customers should ask the following questions:

Enterprises must balance their design of key management strategies carefully.

Logging, monitoring, and investigations have to do with the enterprise’s ability to record, detect, and investigate cybersecurity incidents within its cloud provider services.

Customers should ask questions about key attributes:

Good logging may be an afterthought for cloud providers and is a potential risk customers should consider.

Cloud providers are highly motivated to provide the best possible service.

Cloud providers have the IT challenges of a normal enterprise (people changing roles, hardware failing, software patching and upgrading, and constant pressure to reduce costs and increase revenue).

Providers manage challenges on their schedule and not their customer’s schedule (quarterly financial closing) and timing can be an issue (North America vs. Europe).

When the provider has an outage, customers may have little recourse and there may be few provider penalties.

Customers should have solid contingency plans.

Scale

Reliability

Enterprise cloud architecture should be designed to be resilient.

By using a cloud provider, an enterprise takes technical problems—storage management, network configuration, maintenance—and makes them contractual in nature.

Providers write contracts to provide desired services while protecting themselves from liability to the greatest extent possible allowed by market and regulations.

Enterprise needs to ensure contract provides desired features and protections.

Enterprise needs to have some contingency plans without dependencies on cloud providers.

Enterprise needs to perform risk assessments and consider contingency, insurance, and disaster recovery options to fill in gaps between enterprise needs and provider services.

Questions to consider:

Systems administrators frequently do their work using regular usernames and passwords, just like ordinary users.

Secure systems administration may be severely impaired when using cloud services.

To compensate for this potential situation, there are some actions an enterprise can do to protect its cloud systems administration:

Cloud providers often provide basic firewalling or load balancing for systems, but few additional networks security services are offered.

Provider has own network security infrastructure for protection and detection; it is unusual for customers to get visibility into provider’s network security operations, events, alerts, or logs.

Limitations may hamper customer’s ability to do investigations requiring analysis of network traffic.

Customer considerations include

With SaaS, application-level security configuration is up to the cloud provider.

With PaaS and IaaS, the customer has the ability to put in place application-level security, which can include extensive detection capabilities.

Provider will have access to customer’s platform and storage. Customer should maintain tight control over the “path to production” to detect any unauthorized software changes.

Every aspect of system configuration can become a script managed by the developers (see DevOps).

Such scripts include network configuration, endpoint security, identify and authentication configuration, and so on.

Enterprise needs to consider how to manage code, code configuration controls, and software path to production.

Major constraint is the fact that the servers reside on the Internet and may be accessible from the customer’s internal network and security services.

Enterprise can compensate for this situation by connecting cloud systems to the enterprise network via a point-to-point, always-on, virtual private network.

Such connectivity gives systems access to the enterprise’s internal services (that is, security). Be careful connectivity does not become a backdoor.

Public cloud services are connected to the Internet; user accounts are used to connect to these services.

Protection of the services is primarily through identity, authentication, and access management of the user accounts.

Multistep or multifactor authentication provides a dramatic increase in security over username and password authentication.

Federated authentication simplifies authentication and the account management process, but it can add risk if accounts are compromised.

Another security concern involves identity life cycle and de-provisioning.

In the absence of an automated process, periodic manual audits should be performed to clean up orphan accounts and excessive permissions.

Data protection is critical for cloud services; it is difficult to “get it right.”

Enterprises need to carefully review the cloud provider.

Hardware Security Module (HSM) services protecting cryptographic keys can be extremely effective at ensuring physical protection of keys, but they require significant expertise to deploy and maintain properly.

Cryptographic keys need to be backed up to avoid a disaster recovery situation where the enterprise cannot decrypt its data.

Digital signatures can be used for data integrity (detecting unauthorized changes to logs, transactions, and so on), but not for data confidentiality (stealing data).

Functional area is largely depends on whether the cloud service is SaaS, PaaS, or IaaS.

Customers need thorough logs of all activities against the cloud environment (user account, originating system, request interface).

For monitoring, provider may be able to feed some logs into customer systems for the sake of monitoring and incident response.

Providers may make application interfaces so customers can connect to cloud service logs programmatically.

Cloud provider determines the physical location and protection of cloud resources.

Customers may have option to select cloud provider facilities.

Customers can protect themselves.

Even with cloud services, there is still a need for an incident response capability.

Monitoring and investigating cloud services for security incidents can be considerably more difficult than with a traditional network perimeter.

Detection capabilities should cover the most expected attack scenarios against the cloud service, particularly, stolen credentials and compromised servers; logs should record cloud service activity.

Enterprise’s Security Operations Center (SOC) should

Enterprises should meet periodically with cloud provider to discuss threat scenarios, incidents the provider is seeing, and joint protections.

Cloud services transform a technology challenge—standing up and deploying storage, computing, operating systems, and applications—into a supply chain challenge.

Challenge involves establishing a contract with a supplier to deliver a service and manage assets associated with service in the context of cybersecurity that mitigates the enterprise’s major risks.

Enterprise should treat cloud service provider contract as a risk management exercise where cybersecurity risks are considered in terms of the cybersecurity functional areas.

Enterprise needs to perform cost-benefit analysis on security trade-offs and other related costs associated with breaches.

When using cloud services subject to regulation or external standards, the enterprise should consider the services in the context of those regulations or standards.

Cloud services may run afoul of other internal cybersecurity policies such as requirements for strong authentication, network protection, or encryption.

Just because a service is being provided by a cloud provider does not remove the service from enterprise’s policies, procedures, or security capabilities.