Cloud Security & Audit Consideration
Simply put, cloud computing is the delivery of computing services — including servers, storage, databases, networking, software, analytics, and intelligence — over the Internet (“the cloud”) to offer faster innovation, flexible resources, and economies of scale.
The NIST Definition of Cloud Computing [1] defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Not all clouds are the same, and no one type of cloud computing is right for everyone. First, you need to determine the type of cloud deployment, or cloud computing architecture, that your cloud services will be implemented on. There are three different ways to deploy cloud services: on a public cloud, a private cloud or a hybrid cloud [2].
Public cloud
Public clouds are owned and operated by third-party cloud service providers, which deliver computing resources like servers and storage over the Internet. Microsoft Azure is an example of a public cloud. With a public cloud, all hardware, software and other supporting infrastructure are owned and managed by the cloud provider. You access these services and manage your account using a web browser.
Private cloud
A private cloud refers to cloud computing resources used exclusively by a single business or organisation. A private cloud can be physically located in the company’s on-site data center. Some companies also pay third-party service providers to host their private cloud. In either case, the services and infrastructure are maintained on a private network.
Hybrid cloud
Hybrid clouds combine public and private clouds, bound together by technology that allows data and applications to be shared between them. By allowing data and applications to move between private and public clouds, a hybrid cloud gives your business greater flexibility, more deployment options and helps optimise your existing infrastructure, security and compliance.
Types of cloud services: IaaS, PaaS, serverless and SaaS[3]
Most cloud computing services fall into three broad categories: infrastructure as a service (IaaS), platform as a service (PaaS), serverless and software as a service (SaaS). These are sometimes called the cloud computing stack because they build on top of one another. Knowing what they are and how they are different makes it easier to accomplish your business goals.
· Infrastructure as a service (IaaS)
The most basic category of cloud computing services. With IaaS, you rent IT infrastructure, such as servers and virtual machines (VMs), storage, networks and operating systems, from a cloud provider on a pay-as-you-go basis.
· Platform as a service (PaaS)
Platform as a service refers to cloud computing services that supply an on-demand environment for developing, testing, delivering and managing software applications. PaaS is designed to make it easier for developers to quickly create web or mobile apps, without worrying about setting up or managing the underlying infrastructure of servers, storage, network and databases needed for development.
· Software as a service (SaaS)
Software as a service is a method for delivering software applications over the Internet, on demand and typically on a subscription basis. With SaaS, cloud providers host and manage the software application and underlying infrastructure and handle any maintenance, like software upgrades and security patching. Users connect to the application over the Internet, usually with a web browser on their phone, tablet or PC.
What is a Cloud Computing Audit[4]?
In general, an audit is when a third-party, independent group is engaged to obtain evidence through inquiry, physical inspection, observation, confirmation, analytical procedures, and/or re-performance.
In a cloud computing audit, a variation of these steps is completed in order to form an opinion over the design and operational effectiveness of controls identified in the following areas:
- Communication
- Security incidents
- Network security
- System development or change management
- Risk management
- Data management
- Vulnerability and remediation management
- Tone at the top, or leadership’s commitment to transparency and ethical behaviour
What is Cloud Compliance?
Cloud compliance is meeting the requirements or criteria needed to meet a certain type of certification or framework. There are a variety of different types of compliance that may be required by industry, request for proposal, client, etc. The type of cloud security and compliance requirements will help determine the cloud compliance that is right for an organization.
For example, SOC 2 does not have any specific requirements around cloud compliance but does have criteria, such as “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.” To provide users assurance that the criteria have been met, certain controls are enabled to show evidence of cloud compliance.
Below is a compiled checklist of mandatory security solutions, an ecosystem if you will, that supplement and enable the comprehensive technical control set required by common regulations and standards. Importantly, this list is based upon published authoritative standards and regulations, so there are specific technical requirements around cloud compliance that you need to consider; some of these include security groups to control access to sensitive information, encryption of information, and regular patching. Some other cloud compliance programs include FedRAMP, Cloud Security Alliance (CSA), HITRUST, ISO 27017, and PCI.
Cloud Compliance Challenges[5]
In the traditional on-premises datacentre, you are responsible for your entire network — your security controls, hardware, and traffic routers sit in the physical datacentre. But in the cloud, the security controls are not physically present. In addition, the computing services are frequently owned by third-party providers, such as Amazon Web Services or Microsoft Azure.
Challenges with cloud compliance include:
Visibility into Hybrid Networks — The traffic flows over your network are complex. You may have hybrid or multi-cloud networks, which make visibility even more complex. It is difficult to manage firewall policies without clear visibility into traffic flows over your entire network.
Multi-cloud Approach — Many organizations are using multiple cloud vendors to support their infrastructure.
Automation — Network firewalls have hundreds of security policies. Spread over multiple devices, manual management is difficult and time-consuming.
Compliance Frequently Left to Cloud Providers — Proper configuration of your network security devices is a common regulatory requirement but, in the cloud, compliance is frequently erroneously thought of as the responsibility of cloud providers.
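The checklist above names security groups, encryption and regular patching as concrete technical requirements, and the challenges list notes that reviewing hundreds of firewall policies by hand is slow. The following is an added example (not code from the original page or from any of the cited vendors) of how an auditor might automate that review over an exported inventory: it flags security-group rules that open remote-admin or database ports to any Internet source, storage without encryption at rest, and VMs outside a patch window, and tags each finding with the audit control area it belongs to. The sensitive port set, the 30-day patch window, the resource inventory and the report date are all constructed assumptions for this example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}   # remote admin and database ports (assumed set)
ANYWHERE = {"0.0.0.0/0", "::/0"}                 # "any source" CIDRs
MAX_PATCH_AGE_DAYS = 30                          # assumed patch window, not from any standard

Rule = namedtuple("Rule", "proto from_port to_port cidr")  # inbound rule; proto "-1" = all protocols
@dataclass
class Resource:                  # a VM or storage bucket under audit
    name: str
    kind: str                    # "vm" or "bucket"
    rules: List[Rule] = field(default_factory=list)
    encrypted: bool = True       # encryption at rest enabled?
    last_patched: Optional[date] = None

def rule_exposes_sensitive_port(rule: Rule) -> bool:
    """True when any Internet source may reach an admin or database port."""
    if rule.cidr not in ANYWHERE:
        return False
    return rule.proto == "-1" or any(
        rule.from_port <= p <= rule.to_port for p in SENSITIVE_PORTS)

def audit(resources: List[Resource], today: date):
    """Return (resource, control area, finding) tuples usable as audit evidence."""
    findings = []
    for r in resources:
        for rule in r.rules:
            if rule_exposes_sensitive_port(rule):
                findings.append((r.name, "network security",
                                 f"{rule.cidr} can reach ports {rule.from_port}-{rule.to_port}"))
        if not r.encrypted:
            findings.append((r.name, "data management", "encryption at rest is disabled"))
        if r.kind == "vm" and (r.last_patched is None or
                               (today - r.last_patched).days > MAX_PATCH_AGE_DAYS):
            findings.append((r.name, "vulnerability management", "no patch within 30 days"))
    return findings
# Constructed sample inventory: a compliant web host, an exposed database VM, an unencrypted bucket.
SAMPLE = [
    Resource("web-01", "vm", [Rule("tcp", 443, 443, "0.0.0.0/0"), Rule("tcp", 22, 22, "10.0.0.0/8")],
             last_patched=date(2024, 5, 1)),
    Resource("db-01", "vm", [Rule("tcp", 5432, 5432, "0.0.0.0/0")], last_patched=date(2024, 1, 15)),
    Resource("backups", "bucket", encrypted=False),
]
REPORT_DATE = date(2024, 5, 20)   # constructed "as of" date for the sample run

def audit_sample():
    return audit(SAMPLE, REPORT_DATE)
```

Running `audit_sample()` on the constructed inventory yields three findings (db-01 twice, backups once) and none for web-01, whose only world-reachable port is 443 and whose SSH rule is limited to an internal range.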
Conclusion
Cloud compliance is about complying with the laws and regulations that apply to using the cloud. Most organizations are moving to the cloud because there are good business reasons to do so. The law does not prevent the adoption of cloud. It does, however, have a significant impact. When moving to the cloud it is important to know in which countries your data will be processed, what laws will apply, what impact they will have, and then follow a risk-based approach to comply with them. It can be hard because there are many different kinds of laws, like data protection laws, data localization laws and data sovereignty laws. You also need to consider interception laws or access to information laws, which may enable Governments or others to access your data in the cloud. In addition, the laws of many different countries might apply. It is also important to know what security measures the law requires you to put in place.
[1] https://www.nist.gov/publications/nist-sp-500-291-nist-cloud-computing-standards-roadmap
[2] https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/cloud-security-key-concepts-threats-and-solutions
[3] https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/cloud-security-key-concepts-threats-and-solutions
[4] https://linfordco.com/blog/cloud-computing-audits/
[5] https://www.algosec.com/cloud-compliance/#:~:text=Cloud%20compliance%20is%20the%20principle,computing%20services%20meet%20compliance%20requirements