It is undoubtedly, that cloud computing offers a wide range of benefits and advantages for businesses and technologists, in what regards to improving performance and supportability.

However, there are also some important security dangers linked to this new advance in computing, as happens likewise when it comes to any new development in IT. Therefore, in this posting we want to point out some of the most typical threats related to moving your business or development to the cloud and working serverless, as well as to offer a relevant guidance on how address them correctly and effectively, according with a recent article by Sam Bocetta, an expert on computing security analysis.

Frequent security risks in the cloud and how to shield your organization in consequence

Because of its nature, software can´t escape from the threat of code vulnerabilities, i.e., flaws in software that could open the door to possible attacks. Therefore, as computing systems always work with software, it doesn´t matter whether it is a cloud-based software or not, it will be always susceptible to attacks.

That been said, the major difference between a conventional data center and a cloud-based platform, lies in the question of sharing responsibility between the customer and the cloud service provider (CSP) of mitigating potential threats.

There are three major vulnerabilities that must be kept in mind when defining your security plan.

1. When an organization moves from in-house to cloud-based operations, it will obviously see a decreasing in the level of control and visibility that has had traditionally over its architecture, for the main role of keeping the platform secured will be now in the hands of the CSP.

Hence, as the sharing of responsibilities will change to some extent among different CSPs, developers and organizations need to have a better known of which kind of approach to cloud-based service will they use.

There are several types of cloud services, among which we could name Function as a Service (FaaS), Platform as a Service (PaaS), Infrastructure as a service (IaaS), Backend as a Service (BaaS), and several others.

The control level that you will have over your data will differ with each kind of cloud service model, so it is crucial to pay a lot of attention to this. According to Amazon Web Services, the CSP is in charge of providing security “of the cloud” and the customer has to deal with security “in the cloud”, which means, more or less, that the CSP will be responsible for securing all the physical and non physical infrastructure in which the service is run, while the customer will be responsible for certain level of security related to the specific services purchased.

In order to have a better understanding of how crucial could this issue become, you can give a look at the case of Nirvanix´s bankrupt in 2013, due to five CEOs, which in five years wasted around $70 million in venture capital markets. After bankrupt, the company only gave customers two weeks to recover all of their data housed in Nirvanix servers. If they didn´t recover it before the two weeks, it would be lost, because the servers were going to be shot down.

2. A second and very important issue is the question of really deleting data.

When working with CSP, there is never total accuracy about deleting your data, because you can´t have total access to servers, and therefore, there is no possibility of totally ensure that the data was really deleted.

Furthermore, due to the natural architecture of the cloud, it is quite possible that your data isn´t stored in only one physical location, but in several different servers. Also, each CSP has different parameters when it comes to deleting customers´ data.

Another point to bear in mind is that the risk of having lesser control over the data deletion process will be greater when you work with a larger number of CPS. However, there are some alternatives to diminish that risk, for instance, updating the in-house software regularly, using a Single Sign-On Solution, or implementing end-to-end encryption.

3. As we already pointed out, based on Bocetta´s advice, the responsibility of securing your data doesn´t fall completely in the shoulders of the CSP. Part of that duty will be still the responsibility of the customer. Thus, it is key to know well how does the cloud service that you will contract works.

Going too fast and without taking precautions into the process of moving all of your data to the cloud could end badly, as the British TSB Bank fiasco, occurred in the first months of 2018, shows clearly.

In conclusion, we strongly recommend not to rush too much when it comes to shifting to the cloud. Take your time to know well the characteristics and parameters of different CSPs, in which proportion they are going to manage security, what are going to be your tasks in that aspect, and, if you need to keep your data in a high level of confidentiality, it is key to use encryption services as well as the other methods previously mentioned, always with the aim of keeping your data safe.

The importance of planning the migration process

A second key element regarding security is the question of knowing how IdM (identity management) will be addressed in the cloud structure. The first aim of IdM is to control properly all personal identity data in such a way that access to all cloud data, applications, and computer resources will function with the lesser possible menace of breaches.

Therefore, IdM is an essential instrument in the duty of meeting software security protocols. For instance, as financial data is absolutely crucial for customers, it is vital to keep it safe from unauthorized access.

Consequently, it is very important to know how IdM will be managed in the cloud architecture. The main difference between IdM and most servers is that the first is able to check the possibility of establishing several connections to a certain file, while the latter permits several connections to a sole file stream from any client that requests the file.

Hence, as Mr. Sam Bocetta explains in his article, there are some recommendations in what regards to IdM, when it comes to moving your data to the cloud.

In the first place, we consider important to check the differences between encryption at rest and encryption in transit. In the case of businesses, you should use HTTPS, FTPS, SSL, or TLS for encryption in transit.

In the second place, you should use strong encryption methods of the kind of AES or RSA for the encryption of all your data. If passwords or usernames get breached, these methods will provide additional security.

In third place, is better if your organization is multi-tenancy. In that sense, native client apps are better as they are multi-tenant by default.

Why your architecture must be planned

As we have been explaining previously, the process of moving all of your data to the cloud must be taken with sufficient calm and paying attention to all security details, even more so, if your organization has to deal with legacy hardware and software.

You should carry out a complete audit of the cloud infrastructure at every level, in order to become able to make good decisions in what regards to security. After doing this, Bocetta suggests to study the possibility of contracting several different security services, or, to contracting an all-in-one security service, also underlying that there isn´t an absolute recommendation to that question, as it will always depend on the particular needs of every organization, like for example cost or the time and effort that the security system will imply.

Next, you will have as well to decide whether to form a security team within your organization or to outsource that service. Both options have their pros, but also they could have their weaknesses, from the point of view of each organization’s needs.

How to benefit from security enhancements

According to Bocetta, the first step in security should be mitigating possible unauthorized logins.

The capability of providing and suspending individuals the possibility of accessing data or applications in your infrastructure must be very simple and quick. If for instance, an employee has been dismissed or has resigned, you must have the capability of shutting down very quickly his or her access to the cloud. In the same vein, if you outsource any IT service and an outside team must have access to your system, this should always be for a short period, and what is more, you can also make it expire automatically.

On the other hand, you should know that there is a classification of CSPs, concerning physical and software features, like for example, hosting provider´s uptime, grades of redundancy or power infrastructure. CSPs which belong to the so-called tier 1 have little redundancy, as well as not the best uptime level. In the opposite position, CSPs that belong to tier 4 have better redundancy and uptime.

Finally, it is the question of automation.

One of the main features of the cloud is the capability of automating a lot of processes, which has a clear impact on security, because, as long as you can limit human control and management over certain processes the probability of mistakes will always be considerably lower, and therefore the probability of malicious penetration of your system will be lower, hence, your architecture will be far more secure.

According to data provided by Forbes magazine, automation helps organizations to reduce, among other issues, hacking attempts. As in automated processes, there will never be missing steps, the possibility of leaving breaches is considerably less.

The question of setting up an integrated architecture

In the cloud computing services business, usually, CSPs (cloud services providers) will establish a group of security protocols and fail-safes. In the majority of cases, the CSP is responsible for securing the physical data centers. However, this doesn´t mean that there aren´t going to be extraordinary situations in which security breaches occur, but in all those cases the customers will not be able to intervene, as it is the CSP who bears the main liability when it comes to server security.

Notwithstanding, the customer has to take care indeed of a part of security management, related to all the software and services that run on the data center.

As a recommendation, Bocetta says that setting up the security system of an organization should start with IAM (identity and access management), permitting access to data only to those individuals that need access to backend database.

How to prepare your system to face and avoid intrusions

In general terms, the logic and purpose of security systems is to avoid any kind of dangers and threats related to cyberattacks and breaches. Hence, one of the most crucial aspects of IT security consists in the detection of intrusions in your architecture. Furthermore, this a side of security that deserves proper attention, dedication, and also investment.

In this sense, it is vital to understand that hacking science is in permanent evolution, as hackers develop new ways of finding vulnerabilities in cloud platforms.

If a hacker could penetrate an organization´s system without anybody knowing, the damage could become really serious. For instance, you could look at the case of Github, when a DXC programmer could upload its private AWS keys and went unnoticed.

Integrating the IDS or Intrusion detection systems to all backend servers is a vital task in this regard, as long as the latter is connected to the open World Wide Web. Additionally, establishing a firewall constitutes another important task.

If your organization is still starting in what regards to setting up cloud security configuration, it could be very helpful to learn from the experience of other organizations that have already gone through that process with success, that will surely help you to avoid some common but critical mistakes that they had previously made.

Carrying out penetration tests: An essential aspect of security

In the last term, what we have been explaining about building up your security configuration would be insufficient and incomplete if you don´t carry out penetration tests, which consist of cyberattacks simulations, that will help to determine vulnerabilities in your architecture.

However, in comparison with traditional architecture, the traits of cloud architecture involve more difficulties that must be solved using cloud governance, i.e., a set of rules that you must create, constantly monitor and even amend in order to have enough control over your organization costs, reduce all security threats and vulnerabilities as much as possible and enhance the general performance of your system.

Jose Barragan

Jose Barragan

Senior enterprise architect, with over 20 years of experience in the business sector. With a high expertise on different technologies, and involved in a lot of high-performance business environments.