Cloud security refers to a vast range of approaches and schemes composed to provide controls to protect data applications and the cloud system apps.
Why cloud security is important?
Business organizations and personal users both find it necessary to ensure cloud security. Certain sectors have more stringent rules about data storage because most of them want to know that their information is safe and secure and that businesses have legal obligations to keep client data secure.
One of the advantages of utilizing cloud storage and security is that it eliminates the need to invest in dedicated hardware. Cloud computing centralizes applications and data and cloud security centralizes protection.
Here’s how you can kick start 2019 with cloud security design principles-
1. Data in transit protection
User data transiting networks must be safeguarded from intruders.
Data in transit is protected between
• End user device(s) and the service
• Internally within the service
• Between the service and other services
2. Identity and authentication
All access to service interfaces has to be limited to authenticated and authorized users.
Moreover, authentication should occur over secure channels.
• Email, HTTP or telephone are vulnerable to interception and social engineering attacks.
• Make sure that identity and authentication controls ensure users have access to specific interfaces.
3. Separation between users
An unauthorized user of the service should not be able to affect the service or data of another.
Factors affecting user separation include:
• Where the separation controls are implemented – this is heavily influenced by the service model (e.g. IaaS, PaaS, SaaS)
• Who you are sharing the service with – this is dictated by the deployment model (e.g. public, private or community cloud)
4. Secure development
To recognize and mitigate threats to their security, there is a need to design and develop services.
Threats must be constantly addressed and the service must be improved
Development must be carried as per the requirements of the industry
5. Governance framework
Effective governance framework ensures that procedure, personnel, physical and technical controls continue to work through the lifetime of a service. It also responds to changes in the service, technological developments and the appearance of a new threat.
Intact governance will surely provide:
• An authorized person who will be solemnly responsible for the security of the cloud service.
• It can be someone with the title ‘Chief Security Officer’, ‘Chief Information Officer’ or ‘Chief Technical Officer’.
• Board would be kept informed of security and information risk.
6. Asset protection and resilience
Storing or processing of user data must be secured so that no loss or damage of assets occurs.
The aspects to be contemplated are:
Physical location and legal jurisdiction: You need to know countries where your data will be stored, processed and managed.
You should be aware of the affects on compliance with relevant legislation
• Data centre security
• Data at rest protection
• Data sanitisation
• Equipment disposal
7. Secure service administration
Highly privileged access is given to Systems used for administration of a cloud service. Their carelessness would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.
• You should possess the knowledge of the service administration model being used by the service provider to manage the service.
• Be content with any risks the service administration model in use brings to your data or use of the service.
8. Personnel security
Generally, service providers have access to your data and systems so you need to have an utmost conviction on them. Proper screening, supported by adequate training, reduces the possibilities of unauthorized access.
• Service providers need to specify the policies regarding screening and managing of users information.
• Make sure very few people have access to your information.
9. Supply chain security
It is the responsibility of the service provider to make sure that the supply chain perfectly supports the security principles that are to be implemented by the service.
The reliance of Cloud services on third party products and services is a well known fact. Consequently, if this principle is not implemented, supply chain compromise can undermine the security of the service and affect the implementation of other security principles
For this, the following components are to be learnt
• The way of sharing information
• The access granted to third party suppliers
• Security risk management by service providers
10. Operational security
Operational security comes into play wherein you need to securely operate and manage services in order to prevent intrusion and attacks. A decent operational security must not involve complicated, bureaucratic, time consuming or expensive processes.
One should focus on the following elements:
• Configuration and change management
• Vulnerability management
• Protective monitoring
• Incident management
11. Secure user management
It is the responsibility of the service provider to make the tools available for you to securely use the service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.
• The facets to be considered are
• Authentication of users to management interfaces and support channels.
• Separation and access control within management interfaces.
12. External interface protection
All external or suspicious interfaces of the service should be recognized and safeguarded
If some of the interfaces exposed are private then the impact of tampering may be more significant.
• You can use different models to connect to cloud services which expose your enterprise systems to varying levels of risk.
• Understand what physical and logical interfaces your information is available from, and how access to your data is controlled
13. Audit information for users
Audit records should be available so that you can monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.
• Be aware of the audit information
• That will be provided to you, how and when it will be made available, the format of the data, and the retention period associated with it
• Available will meet your needs for investigating misuse or incidents
14. Secure use of the service
It becomes mandatory for you to use the service properly or else the security of cloud services and the data held within them will be at risk.
• Understand any service configuration options available to you and the security implications of your choices.
• Understand the security requirements of your use of the service.
• Educate your staff using and managing the service in how to do so safely and securely.
Above mentioned design principles will certainly help you to strengthen the cloud security.