Companies are moving more and more of their applications to the Cloud, relying on IaaS, CaaS or PaaS services. These environments are often hybrid and multicloud, spanning several Cloud Service Providers (CSPs). This shift raises serious security and compliance challenges: who is responsible for what, which security controls the CSP actually provides as standard, and how to keep those controls consistent and homogeneous across providers.
An essential first step is to define the controls the company requires, taking into account its risks, its regulatory requirements and its security and compliance policies.
The next step is to assess the security controls the CSP provides as standard. Whereas a company has full control over the security of its own information system (IS), in the Cloud it relies on the tools the CSP makes available, and, depending on the type of service consumed, the scope of its responsibility, and therefore of those tools, is limited.
The diagram below illustrates the respective limits of responsibilities:
It also highlights the need to keep security controls consistent and homogeneous across the services consumed: whatever the service model, the data always remains the responsibility of the company.
A difficulty companies run into is obtaining an end-to-end security solution able to manage an environment that combines the internal IS with Cloud services from several partners.
The task is then to identify the controls that complement those provided by the CSP, and the projects to deliver them, so as to cover the security requirements and controls the company has defined.
Based on our experience and the projects we have carried out, we have identified six essential security areas to study:
- Container and application security
- Identity and access management, privileged accounts, identity federation, secrets management
- Data protection (data discovery and classification, encryption, lifecycle management of encryption keys, DLP, DAM, CASB…)
- Network security and segmentation
- Security event and incident management (detection, response, etc.)
- Compliance with internal security policies (vulnerabilities, hardening, etc.)
In general, it is difficult to obtain the same level of technical granularity as on the company's internal IS. A structured approach therefore consists in evaluating, for each of these six areas, the services and conditions offered by the CSPs, identifying the contractual obligations to impose on the suppliers, and launching projects to implement complementary security controls. Across these six areas we distinguish eleven essential themes, covered below.
Network Security and Segmentation
Segmentation features differ between IaaS, CaaS and PaaS. The company must nevertheless organize itself to segment and isolate its workloads: how does it ensure that the resources of application A are properly compartmentalized and reachable only by application A? It will look for a unified model that answers the segmentation needs of the whole infrastructure end to end, legacy on-premise systems included.
Identity and Access Management
Employees use Cloud resources through access rights of varying scope. Allocated according to the user's role, these rights must also be updated as people move between DevSecOps squads and when they leave the company. The company must be able to audit identities and access authorizations at any time, which means synchronizing its own IAM system with that of the Cloud.
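One way to perform the audit just described, as an added example that is not code from the article: reconcile an export of the cloud IAM's access-group bindings against the corporate directory and a role entitlement policy, and report leavers who still hold access, identities the directory does not know at all, and rights that go beyond what the role allows. The directory, the bindings and the entitlement table below are constructed sample data, and the access-group names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is a row from the corporate directory (HR feed / internal IAM).
type Employee struct {
	ID     string
	Role   string // role in the DevSecOps squad, e.g. "developer" or "sre"
	Active bool   // false once HR has recorded the departure
}

// Binding is one assignment exported from the cloud IAM: identity -> access group.
type Binding struct {
	Subject     string
	AccessGroup string
}

// Finding is one deviation between the directory and the cloud IAM.
type Finding struct {
	Subject string
	Kind    string // "orphaned" (leaver), "unknown" (not in directory), "excess" (beyond role)
	Detail  string
}

// Reconcile compares the cloud bindings against the directory and the role
// entitlement policy and returns every binding that should not exist, sorted
// by subject so that the output is stable from one run to the next.
func Reconcile(directory []Employee, bindings []Binding, entitlements map[string][]string) []Finding {
	byID := make(map[string]Employee, len(directory))
	for _, e := range directory {
		byID[e.ID] = e
	}
	var findings []Finding
	for _, b := range bindings {
		e, known := byID[b.Subject]
		var kind, detail string
		switch {
		case !known:
			kind, detail = "unknown", "identity not in corporate directory, holds "+b.AccessGroup
		case !e.Active:
			kind, detail = "orphaned", "left the company but still holds "+b.AccessGroup
		case !allowed(entitlements[e.Role], b.AccessGroup):
			kind, detail = "excess", fmt.Sprintf("role %s is not entitled to %s", e.Role, b.AccessGroup)
		default:
			continue // binding is consistent with the directory and the policy
		}
		findings = append(findings, Finding{Subject: b.Subject, Kind: kind, Detail: detail})
	}
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Subject != findings[j].Subject {
			return findings[i].Subject < findings[j].Subject
		}
		return findings[i].Detail < findings[j].Detail
	})
	return findings
}

func allowed(groups []string, g string) bool {
	for _, x := range groups {
		if x == g {
			return true
		}
	}
	return false
}

// SampleFindings runs Reconcile over a constructed directory, a constructed
// cloud IAM export and a hypothetical entitlement policy.
func SampleFindings() []Finding {
	directory := []Employee{
		{ID: "alice", Role: "developer", Active: true},
		{ID: "bob", Role: "sre", Active: true},
		{ID: "carol", Role: "developer", Active: false}, // left last month
	}
	bindings := []Binding{
		{"alice", "dev-readonly"},
		{"alice", "prod-admin"}, // a developer should never hold this
		{"bob", "prod-admin"},
		{"carol", "dev-readonly"}, // leaver whose access was never revoked
		{"dave", "ci-deploy"},     // identity with no directory record at all
	}
	entitlements := map[string][]string{
		"developer": {"dev-readonly", "ci-deploy"},
		"sre":       {"dev-readonly", "prod-admin"},
	}
	return Reconcile(directory, bindings, entitlements)
}

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%-6s %-9s %s\n", f.Subject, f.Kind, f.Detail)
	}
}
```

Run on a schedule against a fresh IAM export, the three finding kinds map directly to the three failure modes the paragraph names: missed departures, accounts created outside the joiner process, and rights that drifted beyond the role.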
Privileged Account Management
Within identity and access management, special attention must be paid to privileged accounts, which are used for configuration changes, access to sensitive data, and the creation or deletion of accounts. Likewise, the "secrets" used by containers (credentials, keys, certificates) must be secured, because without a suitable solution they are easily exposed.
Data Encryption
Setting up a hybrid Cloud infrastructure requires a good understanding of how each CSP's data encryption works. Encryption can be applied at different levels (disk, file system, database, application, etc.), and each level protects against different threats: disk-level encryption, for instance, protects against loss or theft of the physical media but not against a compromised application reading the data through its normal path. Combining levels therefore gives a higher level of assurance. Analysing how the CSP's encryption works identifies the level of risk the solution actually covers and, where necessary, leads to a complementary solution for sensitive data, for example application-level encryption with keys the company controls.
Life cycle management of encryption keys (Key Lifecycle Management)
Cloud services that manage data protect it with Data Encryption Keys (DEKs). These are generated and managed by the CSP and are "wrapped" (encrypted) by Master Keys controlled by the client. This is the principle of Bring Your Own Key (BYOK), with the Master Keys held in an HSM in the Cloud or on-premise. It is important to define the life cycle and rotation of the Master Keys for each Cloud service: rotating a Master Key only requires re-wrapping the DEKs, not re-encrypting the data, but the loss of a Master Key makes the service data inaccessible, since the DEKs can no longer be unwrapped and the data can no longer be decrypted. Key backup and rotation procedures should therefore be tested before production data depends on the key.
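The envelope-encryption scheme just described, written out as an added example (this is not code from the original article nor from any CSP's key-management service): a per-record Data Encryption Key protects the data, the client-controlled Master Key only ever wraps the DEK, rotation re-wraps the DEK without touching the ciphertext, and destroying the last Master Key makes the record unrecoverable. The in-memory KeyStore standing in for the HSM, and the use of AES-256-GCM for both layers, are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// RandomKey returns 32 random bytes; used for Master Keys and for DEKs alike.
func RandomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { panic(err) } // no randomness, no safe key
	return k
}

// aead returns an AES-256-GCM AEAD for a 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce, which is prepended to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or any tampering fails the GCM tag check.
func unseal(key, sealed []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil { return nil, err }
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// KeyStore stands in for the HSM or key-management service holding the
// client-controlled Master Keys (hypothetical, in-memory). Deleting an entry
// models crypto-shredding: nothing wrapped under that key is recoverable.
type KeyStore map[string][]byte

// wrap and unwrap are the only operations that ever touch a Master Key.
func (ks KeyStore) wrap(id string, dek []byte) ([]byte, error) {
	if mk, ok := ks[id]; ok {
		return seal(mk, dek)
	}
	return nil, fmt.Errorf("master key %q not available", id)
}

func (ks KeyStore) unwrap(id string, wrapped []byte) ([]byte, error) {
	if mk, ok := ks[id]; ok {
		return unseal(mk, wrapped)
	}
	return nil, fmt.Errorf("master key %q not available", id)
}

// Record is what the data service stores: ciphertext plus the wrapped DEK.
type Record struct {
	MasterKeyID string
	WrappedDEK  []byte // DEK encrypted under the Master Key
	Ciphertext  []byte // data encrypted under the DEK
}

// Encrypt generates a per-record DEK, encrypts the data with it and wraps the DEK.
func Encrypt(ks KeyStore, masterID string, plaintext []byte) (*Record, error) {
	dek := RandomKey()
	ct, err := seal(dek, plaintext)
	if err != nil { return nil, err }
	wrapped, err := ks.wrap(masterID, dek)
	if err != nil { return nil, err }
	return &Record{MasterKeyID: masterID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the Master Key, then decrypts the data.
func Decrypt(ks KeyStore, r *Record) ([]byte, error) {
	dek, err := ks.unwrap(r.MasterKeyID, r.WrappedDEK)
	if err != nil { return nil, err }
	return unseal(dek, r.Ciphertext)
}

// RotateMasterKey re-wraps the DEK under newID; the data ciphertext is untouched,
// which is why Master Key rotation stays cheap even for large data sets.
func RotateMasterKey(ks KeyStore, r *Record, newID string) error {
	dek, err := ks.unwrap(r.MasterKeyID, r.WrappedDEK)
	if err != nil { return err }
	wrapped, err := ks.wrap(newID, dek)
	if err != nil { return err }
	r.MasterKeyID, r.WrappedDEK = newID, wrapped
	return nil
}
```

The design point to notice is that the plaintext DEK exists only transiently inside Encrypt, Decrypt and RotateMasterKey; in a real deployment the wrap and unwrap calls are the ones delegated to the HSM, so the Master Key itself never leaves it.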
Data Discovery and Classification
The company must ask which data is eligible for the Cloud and which should remain on-premise. To decide, it must identify the personal data and the sensitive and secret data it handles, and where that data is located. This is a prerequisite for arbitrating between legacy and Cloud and, in the latter case, for determining what type of protection to implement.
Container Security
The rise of CaaS goes hand in hand with shorter development phases. Containers are no longer deployed by administrators but by developers working in DevSecOps mode with CI/CD (Continuous Integration / Continuous Delivery) tools. It is therefore important to be able to detect container vulnerabilities easily, ideally as a gate in the pipeline before an image is deployed. CSPs typically provide such services; on IBM Cloud, for example, this is the Vulnerability Advisor for container images.
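An added example, not code from the article or from any CSP's scanner, of the pipeline gate the paragraph calls for: parse a scan report and fail the build on any critical finding, or on a high finding that already has a fix, while honouring time-limited risk acceptances. The report schema, the placeholder vulnerability IDs and the policy thresholds are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Vulnerability is one finding from an image scanner. The report shape is a
// constructed simplification; real scanners each have their own schema.
type Vulnerability struct {
	ID           string `json:"id"`
	Severity     string `json:"severity"`     // critical, high, medium, low
	Package      string `json:"package"`
	FixedVersion string `json:"fixedVersion"` // empty when no fix is published
}

type ScanReport struct {
	Image           string          `json:"image"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// Exception is an accepted risk signed off by security, valid until Expires.
type Exception struct {
	ID      string
	Expires time.Time
}

// Gate applies the policy: block on any critical finding; block on a high
// finding when a fix already exists (there is no excuse to ship it); report
// everything else but let it through. An exception suppresses a finding only
// while it is unexpired, so accepted risks cannot quietly become permanent.
func Gate(report ScanReport, exceptions []Exception, now time.Time) (pass bool, reasons []string) {
	excepted := map[string]bool{}
	for _, e := range exceptions {
		if now.Before(e.Expires) {
			excepted[e.ID] = true
		}
	}
	pass = true
	for _, v := range report.Vulnerabilities {
		if excepted[v.ID] {
			continue
		}
		switch sev := strings.ToLower(v.Severity); {
		case sev == "critical":
			pass = false
			reasons = append(reasons, fmt.Sprintf("%s: critical in %s", v.ID, v.Package))
		case sev == "high" && v.FixedVersion != "":
			pass = false
			reasons = append(reasons, fmt.Sprintf("%s: high in %s, fix available (%s)", v.ID, v.Package, v.FixedVersion))
		}
	}
	return pass, reasons
}

// GateJSON parses a scanner report and applies the policy; an unreadable
// report fails closed rather than letting the image through.
func GateJSON(raw []byte, exceptions []Exception, now time.Time) (bool, []string, error) {
	var r ScanReport
	if err := json.Unmarshal(raw, &r); err != nil {
		return false, nil, fmt.Errorf("unreadable scan report: %w", err)
	}
	pass, reasons := Gate(r, exceptions, now)
	return pass, reasons, nil
}

// SampleReport is a constructed report; the IDs are placeholders, not real CVEs.
const SampleReport = `{"image":"registry.example/app:1.4.2","vulnerabilities":[
  {"id":"VULN-0001","severity":"critical","package":"libfoo","fixedVersion":"2.1.0"},
  {"id":"VULN-0002","severity":"high","package":"libbar","fixedVersion":""},
  {"id":"VULN-0003","severity":"high","package":"libbaz","fixedVersion":"0.9.7"},
  {"id":"VULN-0004","severity":"medium","package":"libqux","fixedVersion":"3.0.1"}
]}`

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	exceptions := []Exception{{ID: "VULN-0003", Expires: now.AddDate(0, 0, 14)}}
	pass, reasons, err := GateJSON([]byte(SampleReport), exceptions, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("pass:", pass)
	for _, r := range reasons {
		fmt.Println(" -", r)
	}
}
```

In a pipeline the gate runs after the image is built and before it is pushed to the registry the cluster pulls from; a non-zero exit on `pass == false` is what stops the deployment.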
Security Event Management
How will the company capture all the events generated in the Cloud and send them to the SIEM operated by its SOC? For example, as soon as an administrator changes an authorization on a Cloud data service, how does the CSP report it to the SIEM? The analysis of CSP services (e.g. Activity Tracker on IBM Cloud) must verify that infrastructure and platform logs can be exported and integrated into the SIEM, and with what delay.
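An added example, not code from the article or from IBM Cloud, of the detection the paragraph asks about: filter an exported activity log for authorization changes on the IAM service and render each as a CEF line ready for the SIEM. The event format is a simplified, constructed approximation of CADF-style audit records; the action naming convention, the field names, the vendor/product strings in the CEF header and the sample events are all assumptions.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is a simplified, constructed record loosely modelled on the CADF-style
// audit events that cloud activity-tracking services emit; the field names are
// assumptions, not any CSP's actual schema.
type Event struct {
	EventTime string `json:"eventTime"`
	Action    string `json:"action"`  // "<service>.<resource>.<verb>"
	Outcome   string `json:"outcome"` // "success" or "failure"
	Initiator struct {
		Name string `json:"name"`
	} `json:"initiator"`
	Target struct {
		Name string `json:"name"`
	} `json:"target"`
}

// Alert is what gets forwarded to the SIEM.
type Alert struct {
	Rule, Actor, Target, Action, Outcome, Time string
	Severity                                  int // CEF severity 0-10
}

// isAuthorizationChange flags write operations on the IAM service (policies,
// roles, access-group membership and so on); read operations are ignored.
func isAuthorizationChange(action string) bool {
	parts := strings.Split(action, ".")
	if len(parts) < 3 || !strings.HasPrefix(parts[0], "iam") {
		return false
	}
	switch parts[len(parts)-1] {
	case "create", "update", "delete", "add", "remove":
		return true
	}
	return false
}

// AlertsFromLog scans newline-delimited JSON events and returns one alert per
// authorization change. Failed attempts are kept at lower severity: a denied
// attempt to widen access is itself worth a look.
func AlertsFromLog(ndjson string) ([]Alert, error) {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		if !isAuthorizationChange(ev.Action) {
			continue
		}
		sev := 8
		if ev.Outcome != "success" {
			sev = 5
		}
		alerts = append(alerts, Alert{Rule: "cloud-iam-authorization-change", Actor: ev.Initiator.Name,
			Target: ev.Target.Name, Action: ev.Action, Outcome: ev.Outcome, Time: ev.EventTime, Severity: sev})
	}
	return alerts, sc.Err()
}

// cefEscape escapes the characters that are special in CEF extension values.
func cefEscape(s string) string {
	return strings.NewReplacer(`\`, `\\`, "=", `\=`, "\n", `\n`).Replace(s)
}

// CEF renders the alert in the Common Event Format that most SIEMs ingest.
func (a Alert) CEF() string {
	return fmt.Sprintf("CEF:0|ExampleCorp|CloudAudit|1.0|%s|Cloud authorization changed|%d|"+
		"suser=%s act=%s outcome=%s cs1=%s cs1Label=target cs2=%s cs2Label=eventTime",
		a.Rule, a.Severity, cefEscape(a.Actor), cefEscape(a.Action), cefEscape(a.Outcome),
		cefEscape(a.Target), cefEscape(a.Time))
}

// SampleLog is a constructed activity log: two IAM changes (one of them denied),
// one object read and one policy read, neither of which must alert.
const SampleLog = `
{"eventTime":"2024-05-02T09:14:03Z","action":"iam-access-management.policy.update","outcome":"success","initiator":{"name":"admin@example.com"},"target":{"name":"policy-42"}}
{"eventTime":"2024-05-02T09:15:11Z","action":"cloud-object-storage.object.read","outcome":"success","initiator":{"name":"app-svc@example.com"},"target":{"name":"bucket-a/report.csv"}}
{"eventTime":"2024-05-02T09:16:40Z","action":"iam-groups.member.add","outcome":"failure","initiator":{"name":"dev@example.com"},"target":{"name":"prod-admin"}}
{"eventTime":"2024-05-02T09:17:02Z","action":"iam-access-management.policy.read","outcome":"success","initiator":{"name":"audit@example.com"},"target":{"name":"policy-42"}}
`
```

A malformed event aborts the run rather than being skipped: silently dropping records is exactly the blind spot an attacker tampering with the log feed would exploit, so the collector should fail loudly and page someone.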
Incident Response
If data leaks in the Cloud, how can the company interact quickly and efficiently with the CSP? In a crisis, the company must be able to rely on investigation and response processes agreed with the CSP in advance (points of contact, escalation paths, access to logs and forensic data).
Risk and Compliance Reporting
With the rise of automation and the proliferation of workloads and deployment activities driven by DevSecOps practices, consolidating all the logs becomes increasingly complex. The company must, for example, be able to audit all the virtual machines (VMs) deployed, all the containers created, all the access groups configured, and so on. This reporting service gives CISOs precise, synthesised dashboards.
Cloud Access Security Broker (CASB)
Business units can be quite independent and use different Cloud services. In this case the CASB is the essential tool of a multicloud approach for auditing all accesses: which services are consumed or provisioned, and by which entities? The CASB thus makes it possible to identify the CSPs in use, to block the consumption of services that do not meet the company's standards, and to alert on the volumes of data in transit.
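The CASB audit described above, as an added example that is not part of the original article: aggregate proxy logs per external service, mark the services that are not in the sanctioned catalogue, and alert when the outbound volume to one service crosses a threshold. The log format, the hostnames, the catalogue and the threshold are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ServiceUsage aggregates what the proxy saw for one external service.
type ServiceUsage struct {
	Host       string
	Users      []string
	BytesOut   int64
	Sanctioned bool
}

// Policy is the company's cloud catalogue (hypothetical).
type Policy struct {
	Sanctioned     map[string]bool // hosts of approved CSP / SaaS services
	InternalSuffix string          // traffic to the company's own domain is out of scope
	MaxBytesOut    int64           // alert threshold for data leaving to one service
}

// Analyse parses proxy log lines "<time> <user> <host> <bytes_out>" (a constructed
// format), aggregates per external host and returns the usage table plus the
// alerts a CASB would raise: unsanctioned services, and outbound volume over the threshold.
func Analyse(log string, p Policy) ([]ServiceUsage, []string, error) {
	agg := map[string]*ServiceUsage{}
	seen := map[string]map[string]bool{} // host -> users already counted
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 4 {
			return nil, nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		user, host := f[1], f[2]
		n, err := strconv.ParseInt(f[3], 10, 64)
		if err != nil {
			return nil, nil, fmt.Errorf("bad byte count in %q: %w", sc.Text(), err)
		}
		if p.InternalSuffix != "" && strings.HasSuffix(host, p.InternalSuffix) {
			continue
		}
		u, ok := agg[host]
		if !ok {
			u = &ServiceUsage{Host: host, Sanctioned: p.Sanctioned[host]}
			agg[host] = u
			seen[host] = map[string]bool{}
		}
		u.BytesOut += n
		if !seen[host][user] {
			seen[host][user] = true
			u.Users = append(u.Users, user)
		}
	}
	if err := sc.Err(); err != nil {
		return nil, nil, err
	}
	var usage []ServiceUsage
	for _, u := range agg {
		sort.Strings(u.Users)
		usage = append(usage, *u)
	}
	sort.Slice(usage, func(i, j int) bool { return usage[i].Host < usage[j].Host })
	var alerts []string
	for _, u := range usage {
		if !u.Sanctioned {
			alerts = append(alerts, fmt.Sprintf("unsanctioned service %s used by %s", u.Host, strings.Join(u.Users, ",")))
		}
		if u.BytesOut > p.MaxBytesOut {
			alerts = append(alerts, fmt.Sprintf("%d bytes sent to %s exceeds threshold %d", u.BytesOut, u.Host, p.MaxBytesOut))
		}
	}
	return usage, alerts, nil
}

// SampleLog is constructed proxy output; the hosts are example names, not real services.
const SampleLog = `2024-05-02T08:01:12Z alice storage.approved-csp.example 52000
2024-05-02T08:03:45Z bob   storage.approved-csp.example 10000
2024-05-02T08:05:09Z alice share.unapproved-saas.example 250000000
2024-05-02T08:06:30Z carol share.unapproved-saas.example 1200
2024-05-02T08:07:01Z bob   intranet.corp.example 800`

// SampleAnalysis applies a hypothetical catalogue to the sample log.
func SampleAnalysis() ([]ServiceUsage, []string, error) {
	return Analyse(SampleLog, Policy{
		Sanctioned:     map[string]bool{"storage.approved-csp.example": true},
		InternalSuffix: ".corp.example",
		MaxBytesOut:    100_000_000, // 100 MB per service per log window
	})
}
```

The volume alert fires on the sum per service, not per request, because bulk exfiltration to an unsanctioned file-sharing service typically looks like many ordinary-sized uploads rather than one large one.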
In general, although it will be difficult to achieve the same technical granularity as on the company's own IS, the company can maintain a high level of control over the security of its hybrid and multicloud environment. To do so it must adopt a structured approach to studying the services and conditions of the CSPs, where necessary writing specific obligations into the partnership contracts. This global approach brings a further advantage: reduced dependence on any single CSP.
By Olivier Chelly and Giuseppe Brancadoro, Security Transformation and Advisory Services