Cloud Service Providers (CSPs) have seen a substantial rise in commercial and personal adoption of their services in the last few years, particularly for commodity services such as email and basic office applications. Office 365 adoption, for example, has increased hugely: Microsoft stated in October 2018 that there were 155 million Office 365 monthly active users, an increase of 3 million users per month since the previously reported figure in April 2018, with cloud revenue exceeding $23 billion for that year.
This growth rate has been achieved mainly because corporates have gained confidence that CSP security offerings can support the general business landscape. Many CSPs have made significant and highly visible strides towards inspiring confidence in their security and privacy efforts, enabling clients to implement security capabilities easily and offering transparency about the resilience of their services.
This is evident from the many government departments, healthcare organizations, critical national infrastructure (CNI) providers, banks and large financial institutions that are moving to adopt cloud services. The simplicity, security and flexibility offered by CSPs providing collaborative, work-from-anywhere capabilities have led organizations that were cloud-averse only a few years ago to embrace the change fully.
Given that corporates are now establishing a level of ‘trust’ with major players such as Google G Suite, Microsoft O365, Workday and Salesforce, this blog looks at the security considerations for a CISO's use of cloud services, beyond the previously considered high-risk domains focused on vendor due diligence.
Determining your cloud needs
Before making the move, it is important to understand:
- Your requirements for moving to the cloud. It may be the right fit if technology is not your core business function, or if you require additional resilience, reduced infrastructure management and maintenance effort, the ability to scale quickly, broader user access, Capex reduction and so on
- The key capabilities you must maintain when moving to a cloud service. Does the new service offer the same or better levels of protection for the type of data you intend to put in the cloud, and do these controls fit your budget?
- The changes to your existing security stack. Will your existing security controls still be effective after the move to the cloud, or do you need to buy additional security services such as cloud-based Identity and Access Management, multi-factor authentication, or BYOD and Mobile Device Management tools?
- The standardized generic cloud package. Does the service offer additional bundled features or services that you may or may not actually require? These capabilities must be fully understood and controlled carefully; otherwise these services can “leak” and start being used by your user community without any governance principles or technical controls in place to limit risks such as data leakage, phishing and account takeover
Cloud services offering additional functionality
CSPs generally provide standardized service offerings to meet most of their clients’ requirements and to create potential upsell. For example, if you are considering a move to O365 to use its core email service, the various package offerings will include additional capabilities such as Teams, OneDrive or Yammer. It can be a difficult cultural challenge to rein back control of these tools once the user base has started to use them, especially if the relevant policies or procedures are not in place.
Security should not be a blocker to staff using these new tools to increase productivity; however, governance structures, policies and adequate configurations must be put in place to ensure that users and information are protected.
To this end, a classification and information management policy is crucial, so that users understand what is and is not permitted and the technical teams understand the requirements for configuring and securing the service.
CSP due diligence
Even though CSPs are becoming steadfastly embedded in many organizations, don’t completely skip the due diligence* phase. Make sure that you understand:
- Where your data will be stored. Can you choose the geographic location of the data store, and do you have assurance that it will not be moved from that region? What resilience is offered? What is the incident response policy and process?
- How multi-tenancy access control is managed. What controls are in place to prevent other tenants from seeing your data? Who has access to the logs? Can CSP administrators access your data?
- Who has ownership of your data. Once you have uploaded your documents, emails and other data types, do you still retain ownership? Are there non-disclosure agreements in place?
- Whether vendor accreditation fits your contextual needs, considering the regulatory, legal and contractual obligations you may be under (GDPR, PCI DSS, ISO 27001, SOC 2, SOX, HIPAA, NIST etc.). Do you have the right to audit?
Most mature CSPs can provide answers to these questions via their compliance portals, use policies and terms and conditions.
It is worth noting that some cloud service providers will only provide you with assurance if you ask for it, and only under NDA, so it is worth considering whether you require specific assurance such as a Level 1 PCI DSS audit.
*For less mature cloud service providers, significant vendor due diligence should be undertaken, always remembering that with cloud you are basically “using someone else’s computer”.
Controlling your new cloud service
Once you’re satisfied that you have a need and that you have chosen the right vendor, the next stage is to consider the following security controls:
- Enable and publish only the services and capabilities you need
- Implement strong multi-factor authentication, which prevents the vast majority of SaaS-based data breaches
- Integrate the cloud services into your movers, joiners and leavers processes, and also consider single sign-on. A CASB may be useful here for managing authentication to multiple cloud services, and for providing fine-grained user access control and authorization, device profiling and configuration, data encryption, key management and so on. This approach facilitates the Zero Trust model, in which you have such a high degree of control over identity, endpoint authorization and access control that you can treat remote users with the same level of trust as, if not more than, those resident on an internal network
- Prevent introducing new security gaps that did not previously exist. With email, for example, ensure that controls such as anti-spam, anti-malware, web filtering, attachment and link sandboxing, SPF, DKIM and DMARC are in place and effective.
- Develop BYOD and mobile device policies, technical controls and supporting processes and procedures if you are now making services available on devices that previously would not have had access to the system
- Ensure that adequate logging, monitoring and alerting is in place, with associated operational staff, processes and procedures ready to react in the event of a breached account
- It is imperative that you can identify a breached account, and further that you have practised how to manage a breach or incident response in the cloud service. You now have new stakeholders (the Cloud Service Provider) who will need to be considered.
- Validate that backups are in line with your business requirements; do not assume this will always be the case with a cloud service
As cloud services become more embedded and acceptable to organizations, it is as important as ever to remember that, as with all new technologies, you will still need to understand your business requirements and how they align with the capabilities of the cloud service. Specifically, you need to understand the new risks that could be introduced and ensure adequate security and privacy protection is in place before you make the leap.
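The email bullet above asks that SPF and DMARC be "in place and effective", which is a check you can automate. The following is an added example, not code from the original post: it flags the common weak settings (an SPF record ending in `+all` or `?all`, a DMARC policy of `p=none`, no `rua=` reporting address, or a `pct` below 100). The domain names and TXT records are constructed samples, not real DNS data.

```python
# Added example (not from the original post): flag weak SPF/DMARC records. The TXT
# records are constructed samples for hypothetical domains, not fetched over DNS.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=10"],
    "strong.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
}

def parse_tags(record):
    # Turn a 'k=v; k=v' DMARC record into a dict with lower-cased keys.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(record):
    if not record.lower().startswith("v=spf1"):
        return ["SPF: record missing or malformed"]
    # The final 'all' mechanism decides the fate of senders not listed before it.
    alls = [t for t in record.split()[1:] if t.lower().lstrip("+-~?") == "all"]
    if not alls:
        return ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    if qualifier == "+":
        return ["SPF: ends in +all, any host may send as this domain"]
    if qualifier == "?":
        return ["SPF: ends in ?all, unlisted senders are not penalised"]
    return []  # -all (fail) or ~all (softfail) is acceptable

def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or malformed"]
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none, failures are reported but not enforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct=%s, policy applied to a sample only" % tags["pct"])
    return findings

def assess_domain(domain, txt=SAMPLE_TXT):
    spf = next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), "")
    dmarc = next((r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")), "")
    return check_spf(spf) + check_dmarc(dmarc)
```

`assess_domain` returns an empty list when both records pass; to run it against live domains, replace the dictionary lookup with a TXT query from your DNS library of choice.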