We all want a castle. High walls, sentries on lookout, a moat only crossed by a drawbridge – which is then backed by strong doors and a garrison of troops that are trained and ready to defend the jewels that are deep inside yet more walls and doors.
The king of the castle would have absolute power – the ability to call for an execution of a guard for not being at their post, immediately replacing them with another. The king knows all the business that is going on within their walls, and their absolute authority means that their commands are needed for almost all significant activities. The jewels would be protected by a full contingent of guards during the day, and a skeleton garrison at night. The castle would be marked by flags and standards that show who is in charge – and it is a well-known structure (which is difficult to relocate).
This is the way we managed our IT security in the past – a strong perimeter around an isolated structure.

The cloud office block

Cloud is more like an office building. The landlord ensures that the office spaces are secured against fire and break-in, with automated monitoring systems that react to events in the building. The landlord does not know (or care) what sort of business is going on – and the tenant is free to fit out the floor as they desire. If the tenant only wants half a floor, then the landlord will rent them that much space – and does not care if it is empty and unoccupied, as the rent is the same. The tenant may run a business that has a customer-facing area – and the tenant will put up their branding and put in a receptionist who will check credentials. The landlord is not responsible for the comings and goings of visitors, but is responsible for ensuring that there are no back doors or other risks such as fire. The landlord will have multiple floors and multiple tenants, and may offer additional services such as night security, or a reception desk at ground level. Tenants move in and out of floors, expand and reduce, or may simply change to another building (and another landlord).

Move from a castle to an office?

Cloud can be just as secure as your castle – in many cases it is more secure. Cloud providers (even local providers who are not big international names) have perimeter and physical security that is just as good, if not better, than what can be achieved by a business (particularly one that does not have IT datacentres as its core service or product). By moving your applications and services to the cloud, you are not inherently decreasing security in relation to who can access the physical servers or disks where your services and data reside.

The analogy of a castle against an office building applies to portability too. How do you extend a castle? It's expensive and hard, and the extension is never really part of the original castle. What happens when your office needs to expand? It's easier to take a new floor, or even move to another building.

There are concerns that many have around Cloud, primarily linked to the view that no-one else can do it as well as your own people, or that an external provider will not have your interests considered as highly as their own. But where does this come from? The number of very public breaches (normally related to consumer services), or the number of hushed-up data theft incidents (normally related to targeted attacks that would happen no matter where the data is located), or the number of attacks that are never reported – are these what people are worried about?

Physical interference

Just as it is highly unlikely that you could identify the single disk in your on-premises datacentre that contains a specific file, in a multi-tenant environment even the cloud provider would not be able to identify which physical disk contains a specific file of yours. If you have a virtualised environment, particularly if it is running DRS, it may take you a little while to work out which physical host is actually running a server – and if you were to do something to interfere with that host, the VM would automatically restart on another host. Your team may have taken all the required measures to secure your on-premises datacentre – but will others do the same?
15 years ago, if someone were to try to interfere with your servers, they would know where you are, and if they obtained access to your on-premises datacentre, they might even find helpful labels on the front of the servers telling them which one to target.
Scale that up to a multi-tenant cloud provider, where physical access is not permitted to even the customers, and the cloud provider is distributing their customers across hundreds or thousands of servers and disks – and I hope you will agree that if someone wanted to target your data or systems when it is in the cloud, they would have a very hard job in trying to obtain access to your physical environment. The risk changes from someone trying to attack your castle, to the risk of someone attacking the whole cloud – everyone’s cloud. Cloud providers take extensive measures to protect their physical infrastructure – try and ask Microsoft or Amazon for the address of their datacentres… they won’t tell even their own staff.

The risks of cloud security

Here’s the main point of Cloud security. It is very easy to mis-configure cloud security, with catastrophic results. Some cloud solutions require extra effort to secure, and some take special skills to make insecure.

The risk vectors

So, the physical security of cloud is better, the perimeter security of cloud is better, the cloud providers have dedicated 24×7 security teams maintaining the latest and greatest security and threat protection – so where is the problem?

The main problem is you.

And your devs, your admins and your staff.

Going back to the analogy of the office building – if your staff have a common practice of leaving the door propped open, or accept unknown people walking around without checking them – if you have no receptionist checking credentials, or if credentials are simply trusted without checking with the issuer – then you are going to have problems with security. Cloud security is different – more capable, more flexible, but it can have catastrophic effects when done wrong.

Where to improve

In the past, there was no driver to encrypt and authenticate communication, such as between an application tier and a database tier – after all, the perimeter was your high wall of protection. Even where internal firewalls existed between network trust zones on an internal network, this is not enough in Cloud – Layer 3 (IP address) and Layer 4 (transport & port, e.g. TCP/1433) controls should be supplemented by application-layer (protocol, e.g. SQL) controls, plus additional controls such as authentication and encryption, plus effective coding techniques to prevent out-of-sequence requests. Security is no longer a layer, no longer a perimeter; it needs to be inherent and pervasive. Network layers are no longer the location for security: it needs to be embedded into the application, factoring in authentication and encryption for communication between systems, not simply protecting against outside penetration attacks.
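
One way to check the application-to-database link described above, as an added example that is not part of the original article: a small Python audit of SQL Server-style connection strings that flags links still relying on the network perimeter. The host names, accounts, sample strings and finding labels are constructed for illustration.

```python
# Added example: audit app-tier -> database-tier connection strings.
# Hosts, databases, accounts and finding labels are constructed samples.

ENCRYPT_ON = {"true", "yes", "mandatory", "strict"}

SAMPLES = {
    "castle": "Server=10.0.0.5,1433;Database=orders;User ID=app;Password=example-only",
    "half": "Server=tcp:db.internal.example,1433;Database=orders;"
            "Encrypt=True;TrustServerCertificate=True;Integrated Security=SSPI",
    "pervasive": "Server=tcp:db.internal.example,1433;Database=orders;"
                 "Encrypt=True;TrustServerCertificate=False;Integrated Security=SSPI",
}


def parse_conn_str(conn_str):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    settings = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def audit(conn_str):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_conn_str(conn_str)
    findings = []
    # Encryption in transit has to be requested explicitly by the client.
    if s.get("encrypt", "").lower() not in ENCRYPT_ON:
        findings.append("no-encryption")
    # Accepting any certificate encrypts the link but never authenticates
    # the server, like trusting a credential without asking the issuer.
    if s.get("trustservercertificate", "false").lower() in {"true", "yes"}:
        findings.append("server-cert-not-verified")
    # A password in the string is a static shared secret held in app config.
    if "password" in s or "pwd" in s:
        findings.append("embedded-password")
    return findings


if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, audit(conn) or "ok")
```
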
