Cloud security strikes fear into the heart of CISOs and risk practitioners alike. For years there were alarmist warnings: “the cloud is just someone else’s computer”, “once it’s in the cloud it’s no longer yours”, “you don’t know where your data is”, and so on. While each of these holds some truth, the reality is that cloud computing offers additional observability. Because every action is an API call, each one can be authenticated, authorised and logged, which gives organisations granular control over programmatic access to their data, and over how it is used, recorded in a single audit trail.
As public cloud is widely accepted as the norm, more and more organisations are looking to take advantage, not just of the elasticity, capacity and pay-as-you-go model, but of the security benefits and protections that the cloud offers.
The ability for infrastructure to automatically respond to and defend against threats in real-time across different technology stacks and silos can limit the potential impact of compromise from hours/days/weeks to mere seconds.
But how do organisations ensure that their data and services are protected and how do they validate the level of assurance of their cloud provider?
Be clear on data location and access: For a long time, cloud providers have offered storage and processing of customer data in customer-selected zones and regions. This gives some assurance that data at rest stays within the customer’s requested geographic limits. But what about access? When I authenticate, where do my credentials go? This is a harder question, and only recently have some providers been able to offer a regional option that keeps authentication within customer-defined geographies. If the provider’s credential stores and support teams sit outside the customer’s regions, what risk does that carry? Understanding how you can control the provider’s access to your cloud data, and what visibility you have of that access in your own audit trail, is key.
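The observability claim above (every API call lands in one audit trail) is only useful if someone reads the trail. As an added example, not code from the article or from any provider, the script below runs a simple check over CloudTrail-style records: it flags calls made from a region outside an approved set, from a source address outside the organisation’s own networks, or both, and weights the finding when the operation touches data or keys. The records, the approved regions, the trusted CIDR and the role names are all constructed placeholders; the field names follow the CloudTrail record layout.

```python
"""Flag API events whose origin falls outside approved geographies.

Added example: the log records below are constructed in CloudTrail's field
layout (eventTime, eventSource, eventName, awsRegion, sourceIPAddress,
userIdentity, errorCode); they are not real provider output.
"""
import ipaddress
import json

# Geographies the organisation has approved (hypothetical values).
ALLOWED_REGIONS = {"eu-west-1", "eu-west-2"}
# Egress ranges the organisation controls, e.g. office or VPN. 203.0.113.0/24
# is a documentation range used here as a constructed placeholder.
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
# Data-plane and credential operations that deserve a closer look when they
# originate somewhere unexpected.
SENSITIVE_EVENTS = {"GetObject", "Decrypt", "GetSecretValue", "AssumeRole"}

# Constructed records, one JSON object per line (newline-delimited JSON).
SAMPLE_LOG = """\
{"eventTime":"2024-03-01T09:12:04Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"eu-west-2","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/AppRole/app-1"}}
{"eventTime":"2024-03-01T09:13:41Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventTime":"2024-03-01T09:14:02Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"eu-west-1","sourceIPAddress":"lambda.amazonaws.com","userIdentity":{"type":"AWSService","invokedBy":"lambda.amazonaws.com"}}
{"eventTime":"2024-03-01T09:15:30Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"ap-southeast-1","sourceIPAddress":"192.0.2.44","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"}}
{"eventTime":"2024-03-01T09:16:12Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"us-west-2","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/carol"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _is_service_principal(event):
    """True when an AWS service is calling on the customer's behalf. CloudTrail
    writes the service's DNS name in sourceIPAddress for such calls."""
    ident = event.get("userIdentity", {})
    source = event.get("sourceIPAddress", "")
    return ident.get("type") == "AWSService" or source.endswith(".amazonaws.com")


def _from_trusted_network(event):
    """True when the source address falls inside one of TRUSTED_CIDRS."""
    try:
        addr = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:  # DNS names and missing values are never "trusted"
        return False
    return any(addr in net for net in TRUSTED_CIDRS)


def assess(event):
    """Return the reasons an event deserves attention; an empty list is clean."""
    reasons = []
    region = event.get("awsRegion")
    if region not in ALLOWED_REGIONS:
        reasons.append(f"region {region} not in approved set")
    if not _is_service_principal(event) and not _from_trusted_network(event):
        reasons.append(f"source {event.get('sourceIPAddress')} outside trusted networks")
    # Only escalate on sensitivity or failure when something is already off.
    if reasons and event.get("eventName") in SENSITIVE_EVENTS:
        reasons.append(f"sensitive operation {event['eventName']} on {event.get('eventSource')}")
    if reasons and event.get("errorCode"):
        reasons.append(f"call failed with {event['errorCode']} (possible probing)")
    return reasons


def find_findings(text):
    """Return (eventTime, eventName, caller, reasons) for every flagged event."""
    findings = []
    for ev in parse_events(text):
        reasons = assess(ev)
        if reasons:
            ident = ev.get("userIdentity", {})
            caller = ident.get("arn") or ident.get("invokedBy", "?")
            findings.append((ev["eventTime"], ev.get("eventName"), caller, reasons))
    return findings


if __name__ == "__main__":
    for when, name, caller, reasons in find_findings(SAMPLE_LOG):
        print(when, name, caller)
        for reason in reasons:
            print("   -", reason)
```

Of the five constructed records, three are flagged: the KMS Decrypt from us-east-1 by an unknown address, the denied AssumeRole from ap-southeast-1, and the EC2 describe call from an approved address but an unapproved region. The in-region GetObject from the office range and the Lambda-initiated GetObject are left alone. Denied calls are kept rather than dropped, since a failed attempt from the wrong geography is itself a signal.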
What encryption is available and why do you need to manage keys? Hardware Security Modules (HSMs) are difficult to manage, and more so in cloud infrastructure: they were designed for on-premises deployment and their interfaces do not integrate natively with cloud identity, logging and automation tooling. Running them in the cloud is therefore complex and time consuming, and can lead to a world of pain if done incorrectly. A managed service such as AWS KMS, which keeps keys in HSMs that the provider operates and exposes them through an API governed by key policies and recorded in the audit trail, is usually the better way to encrypt data and manage keys without taking on the HSMs yourself. What you still own is the policy: who may administer each key, who may use it, and from where.
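As an added illustration (not from the original article), a KMS key policy of the shape a practitioner would want here: it keeps the key manageable from the account, lets an administrator role manage the key without being able to use it, and lets an application role use the key only for calls made through S3 in one region, via the `kms:ViaService` condition. The account ID 111122223333 and the two role names are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "example-data-key-policy",
  "Statement": [
    {
      "Sid": "KeepTheKeyManageableFromTheAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AdministratorsManageButNeverUseTheKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KeyAdminRole" },
      "Action": [
        "kms:DescribeKey",
        "kms:EnableKey",
        "kms:DisableKey",
        "kms:EnableKeyRotation",
        "kms:GetKeyPolicy",
        "kms:PutKeyPolicy",
        "kms:TagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ApplicationUsesTheKeyOnlyViaS3InLondon",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.eu-west-2.amazonaws.com" }
      }
    }
  ]
}
```

The first statement delegates to IAM policies in the account, so anyone granted `kms:*` in an IAM policy can also use the key; it is kept because removing it risks a key that nobody can administer. The administrator statement deliberately omits `kms:Decrypt` and `kms:GenerateDataKey*`, so the people who can rotate or delete the key cannot read the data it protects. Every use of the key, including the denied ones, is written to the audit trail, which is the visibility of provider and staff access that the previous point asks for.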
How do I verify what my cloud provider is telling me? Many cloud providers offer independent validation of the assertions they make, better known as compliance certifications. Compliance in itself is not a security strategy, but these do at least demonstrate an independent review of the controls and evidence of their effectiveness. It is also worth considering a third-party audit, either through a group audit (a community of interest sharing the cost and the findings) or one-to-one with the cloud provider.
By taking advantage of cloud-native security solutions, organisations can try before they buy and confirm that a solution meets their business and security objectives before committing. This also supports a best-in-class approach, allowing organisations to choose the right security solution rather than the one that is free or bundled by the cloud provider.
Stephen McDermid is EMEA CSO at Okta