When it comes to cloud versus on-premises infrastructure, security requirements remain the same, although the cloud requires additional controls because it is publicly available.
By Simeon Tassev, MD and QSA at Galix
The major difference is that on-prem has highly defined roles and responsibilities – when you own your infrastructure, this is all an internal responsibility. With the cloud, however, the boundaries can easily become blurred, because who is responsible for what depends on the cloud model deployed, the types of cloud in use, and many other factors.
These need to be defined upfront, or businesses risk facing security issues.
IT infrastructure is made up of various systems and components, as well as applications, hosts, operating systems, and data. When this is housed on-prem, various teams may be charged with looking after the different elements, but it is all ultimately an internal responsibility. The cloud environment is different.
There are many different cloud models, including public, private and hybrid, and also different types of cloud, from Infrastructure-as-a-Service (IaaS) to Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), to name a few. Many businesses employ a hybrid multi-cloud strategy, but each provider will also have different services and offerings, and this is where the complexity begins to creep in.
For example, IaaS covers the hardware, but may also include the operating system (OS). The cloud provider is therefore responsible for the uptime of the hardware, but if the OS is included, are they also responsible for support, updates, and patching? Are there extra services offered, such as user and identity management?
Similar situations could arise across any and all cloud services. The roles and responsibilities of the cloud provider need to be clearly defined, otherwise businesses may be under the assumption that certain elements are covered, when in fact nobody is looking after them at all.
Such an unowned element is a security vulnerability. In addition, it is vital to understand that, while data backup and availability may be outsourced, the ultimate management of data and its content is always a business responsibility.
Who are you?
With on-prem architecture, it is possible to physically restrict access, which makes control easier to achieve. The nature of the cloud, however, requires additional steps to be in place to mitigate threats, because unless a private cloud model is deployed, the cloud is publicly available and is therefore exposed to the internet.
Physical controls cannot be implemented, so the priority with the cloud is identification and authentication to control authorised access. Access is therefore linked to the identity of the individual, and to assign roles and responsibilities it is critical to have full control of identity management. All the new cloud-based security frameworks are centred on this concept, including Zero Trust Networking (ZTN) and the Secure Access Service Edge (SASE).
No trust until it is earned
ZTN is the foundation of cloud security in a borderless world. It is based on the premise that no device, user or entity is trusted until they can prove they are trustworthy. One of the criteria required to earn this trust is the ability to uniquely identify, beyond doubt, the user or device attempting to connect.
This is where SASE comes into the picture. SASE focuses on the edge and the identity of the person connecting to the resource in the cloud and manages it accordingly.
By default, all devices are untrusted. To earn trust and gain access, policies need to be applied and criteria met, such as the required level of authentication. SASE then provides the relevant access based on identity and defined access management roles.
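As an added illustration of the default-deny, identity-first model described above (example code written for this edit, not from the author or any SASE product; Device, AccessRequest, POLICIES and the auth_level scale are assumed placeholders), here is a small policy evaluator that denies unless identity, authentication level, device state and role all satisfy the resource's policy, and treats a resource with no defined policy as an ownership gap to be denied rather than allowed:

```python
from dataclasses import dataclass
from typing import Optional, Tuple, FrozenSet

# Constructed illustration of a zero-trust access decision: nothing is trusted
# by default, and every check below must pass before access is granted.
# Class and policy names are assumptions for this example, not a vendor API.

@dataclass(frozen=True)
class Device:
    device_id: Optional[str]   # None means the device cannot be uniquely identified
    managed: bool              # enrolled, compliant endpoint

@dataclass(frozen=True)
class AccessRequest:
    user_id: Optional[str]     # None means the user could not be identified
    roles: FrozenSet[str]
    auth_level: int            # assumed scale: 0 = none, 1 = password, 2 = MFA
    device: Device
    resource: str

# Per-resource policy (constructed): minimum authentication level, roles that
# grant access, and whether a managed device is required.
POLICIES = {
    "crm":  {"min_auth": 2, "roles": {"sales", "admin"}, "managed_device": True},
    "wiki": {"min_auth": 1, "roles": {"staff", "admin"}, "managed_device": False},
}

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Default deny: returns (True, 'allow') only when every criterion is met."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        # No defined owner/policy is a gap; a gap is denied, never silently allowed.
        return False, "no policy defined for resource"
    if not req.user_id or not req.device.device_id:
        return False, "identity not established"
    if req.auth_level < policy["min_auth"]:
        return False, f"authentication level {req.auth_level} below required {policy['min_auth']}"
    if policy["managed_device"] and not req.device.managed:
        return False, "unmanaged device"
    if not (req.roles & policy["roles"]):
        return False, "no role grants access"
    return True, "allow"
```

The order of the checks matters: identity is established before any role or authentication rule is consulted, so an unidentifiable device can never reach the role check.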
Identification and authentication are key
With cloud, the priority is around identification and authentication, because all controls are linked to the identity of the individual and their various roles and responsibilities.
This means that it is critical to define the roles of all parties involved, including the cloud service provider, then to assign responsibility to a role, which then needs to be uniquely identified, and held accountable by enforcing relevant policies.
Cloud security is not a ‘one size fits all’ approach, and depends entirely on the situation, systems and infrastructure in place. However, the basis of all solid cloud security practices is centred on roles and responsibilities. If the roles of both the service provider and the business are not clearly defined from the outset, the result will be grey areas and therefore gaps in security that can be exploited.