Know Your IaaS From Your SaaS: Crucial Security Considerations for Cloud Service Models

The high percentage of organizations that are using cloud services, currently migrating to the cloud or planning their move to the cloud isn’t all that surprising. When the destination is digital transformation, cloud computing is the bullet train organizations are riding to get there.

Forrester’s forecast for cloud computing in 2019 concluded:

  • The largest public cloud providers are getting bigger
  • The cloud is getting ever more entrenched as the new enterprise digital application platform
  • Enterprise spending for cloud is surging by more than 20%

This move from intent to actuality means many organizations are now also learning and adapting to new security best practices.

The good news is that public cloud providers care about security as much as the organizations they serve. The shared nature of public cloud means multiple parties are using the same resources, and enterprise IT security teams need to acknowledge they aren’t always in control of their resources—and then act accordingly in their security stance.

Cloud computing is not inherently insecure, and a recent report shows that most IT leaders acknowledge this. Of the 271 respondents, 61% said that cloud is as likely or less likely to suffer a breach than on-premises.

But cloud computing does need to be managed in a secure way. This same report showed that 92% of the CISOs, CIOs and CTOs surveyed are implementing cloud-based security tools. Choosing the most effective tools relies on an understanding of how cloud computing and cloud service models are different, and what that means for securing IT.

Cloud computing is highly distributed and fluid, with applications and user accounts that are constantly shifting within data centers, hybrid clouds, and public service clouds. With cloud computing, there is less perimeter to guard, but there is heightened attention to data security, risk management, monitoring and audits.

Infrastructure as a Service (IaaS)

In a virtualized environment, you only have so much control. Your provider’s weaknesses become yours, dramatically impacting your own security posture. The security concerns here are the same as with a traditional data center:

  • Protecting sensitive data and intellectual property
  • Standardizing identity management procedures across on-premises and cloud providers
  • Ensuring that compliance standards are evaluated and met
  • Auditing cloud providers to meet compliance requirements
  • Addressing how virtual machines are created, configured, secured and spun down, which can help you avoid uncontrolled and unsecured images

Platform as a Service (PaaS)

Data protection is key with this service model because of shared resources like hardware, network, and security provisions. Outages for cloud providers are rare, but they do happen. Your security plans should allow you to do load balancing across regional zones or providers to ensure failover in case of an outage. Additional considerations include:

  • Encrypting data
  • Securing applications and configurations
  • Monitoring access and usage
  • Understanding regulatory issues in different regions

Software as a Service (SaaS)

Securing applications and minimizing risks to data are top SaaS security concerns. Knowing what applications are in use across the organization and being able to manage and enforce security policies across the different administrator user interfaces, features and capabilities involved are essential. Include these factors as well:

  • IAM controls, such as single sign-on and federation
  • Cloud access security brokers
  • Data protection controls, such as data loss prevention (DLP) and encryption
  • Access policies

Security controls for hosting, building and consuming cloud service models

Understanding the security needs of each individual cloud service model is important, but multi-cloud is becoming the norm. Of the same 271 respondents to the report mentioned previously, almost half have a multi-cloud approach, 24% use hybrid cloud and 24% use a single cloud.

The multi-cloud approach helps to avoid vendor lock-in and can help with failover, protecting against data loss and downtime due to vendor delivery issues. This resiliency and flexibility also come with increased exposure because more parties are involved.

To achieve consistent security across multi-cloud and hybrid cloud resources, organizations need security controls with enhanced flexibility. The following security tools can help.

Cloud access security broker (CASB)

CASBs are security policy enforcement points that sit between an organization’s infrastructure and a cloud provider’s infrastructure. They act as gatekeepers, interposing enterprise security policies as cloud-based resources are accessed. CASBs leverage multiple types of security policy enforcement designed to govern usage, secure data, and protect against threats. Policies can include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, data loss prevention (DLP), logging, alerting, malware protection, etc.

Data protection solutions

At a minimum, all data stored in the cloud should be encrypted. While many of the SaaS and PaaS vendors provide some level of encryption, they also maintain and store the encryption keys, which presents a risk. Organizations should consider using third-party encryption solutions that work across key SaaS and PaaS vendors to encrypt data while leaving the management and control of the encryption keys to the organization. For additional data security, organizations should leverage a CASB or deploy/expand their DLP solution. These added controls provide monitoring and alerts if sensitive data is accessed and copied, moved, or deleted to and from the cloud.

Identity and access management (IAM)

Identity and access management tools help organizations grant and control access to cloud-based resources, ensuring that the right individuals have access to the right resources at the right times. Key components include provisioning, access management, governance and recertification, federated identities and single sign-on, and privileged user management. Cloud security efforts should include a special focus on privileged users, as well as federation and single sign-on capabilities. The ability to standardize on credentials and roles—and quickly de-provision access as needed—is key to minimizing security risks in the cloud.
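The sketch below is an added example, not code from the original article: it reconciles account exports from several clouds against a single identity-provider roster to surface accounts that need de-provisioning, privileged accounts outside federation, and overdue recertifications. The roster, the tenant names, the role names and the 90-day recertification window are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: an identity-provider roster (authoritative source)
# and account exports from two hypothetical cloud tenants.
IDP_ROSTER = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}
CLOUD_ACCOUNTS = [
    {"cloud": "iaas-a", "user": "alice@example.com", "role": "admin",
     "federated": True, "last_recert": date(2019, 9, 1)},
    {"cloud": "iaas-a", "user": "bob@example.com", "role": "reader",
     "federated": True, "last_recert": date(2019, 8, 15)},
    {"cloud": "saas-b", "user": "carol@example.com", "role": "admin",
     "federated": False, "last_recert": date(2019, 1, 10)},
    {"cloud": "saas-b", "user": "svc-backup", "role": "admin",
     "federated": False, "last_recert": date(2019, 9, 20)},
]
PRIVILEGED_ROLES = {"admin", "owner"}   # assumed role names
RECERT_MAX_AGE_DAYS = 90                # assumed recertification policy


def audit_accounts(roster, accounts, today):
    """Return (cloud, user, finding) tuples for accounts that need action."""
    findings = []
    for acct in accounts:
        key = (acct["cloud"], acct["user"])
        status = roster.get(acct["user"])
        if status is None:
            # No owner in the identity provider: no leaver process will remove it.
            findings.append(key + ("orphaned",))
        elif status != "active":
            # Owner has left or been disabled, but cloud access remains.
            findings.append(key + ("deprovision",))
        if acct["role"] in PRIVILEGED_ROLES:
            if not acct["federated"]:
                # Local credentials bypass SSO and central revocation.
                findings.append(key + ("privileged-not-federated",))
            if (today - acct["last_recert"]).days > RECERT_MAX_AGE_DAYS:
                findings.append(key + ("recert-overdue",))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(IDP_ROSTER, CLOUD_ACCOUNTS, date(2019, 10, 4)):
        print(*finding, sep="\t")
```

Running the same check against every provider's export is what keeps credentials and roles consistent across a multi-cloud estate; in practice the exports would come from each provider's own reporting interface.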

Virtual workload protection

A “workload” can be broadly defined as “the total requests made by the users and applications of a system.” For IaaS deployments such as AWS, it’s key to be able to secure the virtual workloads as if they were stored on-premises. The types of controls that should be considered to protect organizational workloads within IaaS deployments include next-generation firewalls (NGFW), micro-segmentation, server anti-malware, log management/security information event management (SIEM), and security orchestration.

Building in strong cloud security controls and continually evaluating them are necessary to avoid placing the entire organization’s environment at risk. If you’d like to learn more about layering cloud security and crucial ingrained security resources, listen to our podcast on cloud security or contact us for more information.

October 4th, 2019 | Blog

About the Author:

Chris Hoke is a Managing Director of Security Solutions at Sirius.