
Cloud Strategy in 2020

How will Cloud strategy impact your Cyber Security Strategy?

Forty percent of organizations in North America alone plan to spend the majority of new or additional funding on cloud, according to a recent Gartner survey.

This in itself is a huge leap from about a decade back, when Cloud Computing was seen as the “go-to” solution for small enterprises that couldn’t afford to host and maintain their own servers and data centers. So, the basic thought process was “If a company is hosting on the cloud, it’s a small company… Enterprises have their own Data Centers”… Unbelievably, with the advent of Azure, AWS and Google Cloud Platform, which are super-scalable, secure and offer feature sets that most Enterprises couldn’t afford in their own Datacenters, the migration to the Cloud began, with even critical and sensitive businesses such as banks moving to the Cloud… Private Cloud in some instances and Public Cloud for many.

Being an independent Cyber Security Consulting and Auditing organization, we have had the privilege of interacting with many organizations who approached us to do a Cyber Security audit or readiness check of their organization, including their “Cloud-hosted” assets. Now, for some organizations, the long-term goal may be to move all applications out of their data centers. For others, a long-term goal may mean moving a subset of applications, such as their application servers and web applications, to the public cloud while retaining their database servers internal to the organization. In all these engagements, what we have typically seen (with some exceptions, of course) is that regardless of whether the assets are hosted in their own IDC or on the Cloud, the Cybersecurity strategy, be it process audit, architecture review or even assessment strategy, remains the same, along the lines of doing a “process audit” or a “VA/PT”. This is a grossly incorrect strategy if an organization fails to understand how Cloud Strategy should impact its Cybersecurity Strategy. This article will cover precisely that.

I am aware that for most organisations, having a Cloud Strategy in itself is a far-flung idea… if you are one of those organisations, please feel free to drop me a line and I will do my best to help you out. Coming back to the point… below are the top five ways in which Cloud Strategy will impact your Cyber Security Strategy.

1. Which model:

Is your organization going in for Infrastructure-As-A-Service (IAAS) or Platform-As-A-Service (PAAS) or Software-As-A-Service (SAAS) or a combination thereof? Right from the Data to the Computing to the Network layer, the custody, and thereby the ownership and accountability for Cyber Security, changes as per the model you have signed up for. So, depending on your Cloud Strategy, your Cyber Security Strategy will change: in an IAAS model, for example, everything from securing the OS to the platform and the application running on it is your responsibility. But, if you are using a hosted SAAS solution, the variables are just too many, depending on the SLA you have signed up for with the provider. Below is a good summary picture of the possibilities.

[Image: cloud strategy]

So, your short-term and long-term Cloud Strategy, once in place, defines clearly what rights you have for testing which controls and parameters. I would suggest you turn the tables and define your Cloud Strategy on the basis of what level of assurance you need to have in place with regard to your Cyber Security readiness.

2. Which provider:

From AWS to Azure to Google Cloud… all have their own Dos and Don’ts with regard to your “Right to Audit”. Many also ask for prior intimation and then expect you to wait until they authorize you before even doing a plain VA. So, let’s assume that your organization has identified and classified critical assets and then, as per some XYZ regulation or a dictate from a stakeholder, a particular asset needs to be checked for vulnerabilities on a daily basis. But, now if this particular asset is hosted on AWS, AWS requires you to get prior approval for some of its services. Then AWS also has dos and don’ts of what tests can be done and what tests are forbidden in which circumstances. You can get full info on this from https://aws.amazon.com/security/penetration-testing/. So, if all these factors are not factored into your Cloud Strategy to ensure that the tests required as per your Cyber Security Strategy are allowed and doable, then you are set up for failure. Now, I have mentioned AWS as an example over here… but similar nuances are in place for the other Cloud Providers too.

As if things were not complicated enough, many services such as virtual switches and virtual firewalls, along with patch management, backup and even vulnerability management, are on the menu of providers. This would again mean that you have outsourced critical services to Cloud Providers. These Cloud Providers, in turn, will have their own Do’s and Don’ts… if these are not factored into your Cloud Strategy to ensure that you have signed up for the appropriate Cloud Service Offering, this can lead to grave issues in the management and delivery of your Cyber Security Strategy.

3. “All On” or “Some On”:

In other words, have you decided to offload all your central computing requirements to the Cloud or only a piece thereof? If you have offloaded all central computing to the Cloud, then things are less complicated. But, if you are like most Enterprises, which have offloaded services such as Email, Office Collaboration, Data Storage, CRM, etc. to the Cloud but retained services such as ERP and HRMS internally, then you again have the problem of access control that we saw in points 1 and 2 above. For the assets hosted in your own IDC, you are the veritable god of those assets and can run whatever tests you choose and rearrange assets any way you choose. But for the assets you have hosted on the Cloud, based on your Cloud Strategy as we saw in points 1 and 2 above, you will need a Cyber Security Strategy which is in sync with the Cloud Strategy. So, ensure that your Cyber Security Strategy has taken this heterogeneous model into consideration.

Again, at the cost of sounding repetitive, I say that either frame your Cloud Strategy based on the Cyber Security Strategy and Risk Exposure of your organization OR, ensure that your Cyber Security Strategy is not compromised on the altar of a very cost-effective “Cloud Strategy”.

4. Compliance Check:

As a company, we at VISTA InfoSec are engaged by organisations across the world to audit and certify against standards such as PCI DSS, HIPAA, SOC1, SOC2, GDPR and many more. Needless to say, many of these organisations are hosted on popular cloud platforms such as AWS, Azure or Google Cloud Platform. Public Cloud platforms, depending on parameters such as service offerings, locations, etc., have their sites validated against these standards. Now, let’s assume that you as an organization call us to do your compliance checks for PCI DSS or SOC2 and your servers are hosted on a local popular Cloud provider. As the auditor, we have to check the site where the servers have been hosted. If your provider is also PCI DSS / SOC2 certified, then it’s all well and good and makes our job as an auditor smooth. But, let’s assume that your Cloud provider is not SOC2 certified; then we as auditors have to do the control checks. Now, the Cloud provider may simply refuse to allow this audit to happen on their premises for reasons such as confidentiality, or even on the grounds that this “Right to Audit” is not a part of their contract. In that case, you as the auditee will be in serious trouble. So, while defining your Cloud Strategy, do take these audit requirements from your Cyber Security Strategy into consideration.

A quick word of advice on something we have many a time seen overlooked. Let’s assume your Cloud Provider is SOC2 and PCI DSS certified. Your Cloud provider may be providing you Server Patch Management services and Backup Services. If we are called in to audit your organization for SOC2 or PCI DSS, we will be checking that your Cloud Provider’s audit and certification scope for PCI DSS and SOC2 covers not just the Availability parameters but also these two services that are being provided to you, i.e. Server Patch Management services and Backup Services. We have noticed in some cases that the Cloud Provider’s certification only covers Availability but not these ancillary services. This will lead to huge complications and an escalation in the time to complete the audit and in the audit fees themselves.

5. Multi-Cloud:

Well, I saved the best for the last 😊 In today’s scenario, many organisations are hosting their Email and Collaboration services on one provider but hosting their customized applications on another provider… This really complicates matters for the management of Cyber Security. As we have seen in points 1 and 2 above, the variables are too many, based on the model you have selected and the ancillary services you have added to the bouquet of services provided to your organization. You need to ensure that your Cyber Security Strategy contains the output from a thorough Risk Management exercise covering the various Cloud Providers, the assets in scope with each provider, the Cloud model opted for with each provider and, last but not least, the ancillary services opted for.

Well, I hope this article was able to shed some light on the importance of a Cloud Strategy that is well integrated with, and interdependent on, your Cyber Security Strategy.

Do drop me a line with your feedback and comments on narendra@vistainfosec.com.

This post was authored by Narendra Sahoo.

Author Details:

Narendra Sahoo

Director – VISTA InfoSec