Cloud Governance and Security Imperatives

Tulika Ghosh
Author: Tulika Ghosh, CISA, CRISC, CDPSE
Date Published: 18 October 2022

What is the cloud? Well, the cloud is someone’s else infrastructure. Yes, in simple terms, it is the service that is provided by the service provider as infrastructure, platform, or software, and this has turned out to be the lifeline for many organizations throughout the pandemic.

Cloud computing, which was a mere concept decades ago, is now a core strategy for many organizations. It is estimated that by 2025, there will be over 100 zettabytes of data stored in the cloud. With a compound annual growth rate (CAGR) of 17.5 percent, it’s projected that the market will amount to US$832.1 billion by 2025.

Among the three cloud computing deployment models—public, private and community—the public or SaaS-based cloud deployment model is being widely adopted across geographies mainly because of key drivers such as cost, ease of use, increased use of video streaming, etc.

The massive shift in cloud adoption is also observed among enterprises, especially in an era in which remote working is prevalent. The flexibility of the hybrid cloud model is fueling a multi-cloud strategy in many organizations, thereby contributing to data security needs. Also, with the pressure of adopting newer technologies, cloud adoption is only going to expand exponentially in the coming years. However, with all the success and rapid adoption stories, cloud security remains one of the biggest concerns. There are still questions around the security practices, transparency, multi-tenants model, shared responsibility matrix and the organization’s readiness to manage these, especially when the cloud service customer is construed as responsible and accountable for the security and privacy of the data.

Organizations must follow some of the key security principles when leveraging cloud computing capabilities for their business, as highlighted below:

Cloud Data Security

  • Implementing Data Discovery and Classification – As soon as data is created in the cloud, it is highly recommended to classify and label your data to implement effective data security controls. This is a foundational step to implement data security strategies. This also helps in data discovery and prevents inappropriate data proliferation.
  • Encryption – This is one of the musts when the data are stored in a multitenancy model. It is imperative to have the data encrypted whether they are in the stored, transit or use phase. Secure symmetric algorithms include 3DES, AES, IDEA and Blowfish. Secure asymmetric algorithms include RSA, ELGamal and Elliptic Curve.
  • Key management – With cloud deployment, key management is an added concern area that is to be effectively managed by the security manager. The encrypted keys need to be handled with proper security controls, or there is a high probability of data being compromised if the key access is exposed to the wrong parties. FIPS 120 Level 2 and above certifications are preferred.
  • Masking – Another effective mechanism of protecting data confidentiality is masking. It is used when the production data are used in a testing or development environment.
  • Data Loss Prevention (DLP) and Information Rights Management (IRM) – The DLP and IRM are the effective data security control implemented when the data leaves your remit. The data owner can control who can view, copy, forward, delete or modify your information. When cloud users are geographically dispersed, it is one of the most effective data security methods.
  • Auditing and Traceability – It’s imperative to have auditing and traceability features enabled in cloud data usage. The data owner must ensure that the service provider provides this feature as it is an important requirement for any future investigation, dispute or legal case purpose.

Cloud Platform and Infrastructure Security

  • Network and Communications – Networking and communication is the pillar of cloud computing, as it is the medium through which the users access their cloud. The task of safeguarding the network and infrastructure may lie with the service provider, but it is the responsibility of the cloud consumer to see if adequate controls are implemented as part of their platform or infrastructure security requirements.
  • Management Plane – This is unique to cloud deployment and considered to be the most critical element to secure in the cloud, as the management plane is considered a single point of failure. If cybercriminals can breach this, they can compromise the whole platform or infrastructure. Securing the management plane with adequate access controls and limiting access is a must.
  • Secure Data Center – A layered or defense-in-depth approach is highly recommended when securing the data center. The cloud customer must seek details on the security implementation details and location of the data center, as it has direct implications on data usage or processing legalities. After the analysis, the residual risks must be factored in through effective contract management.
  • Business Continuity Plan (BCP) and Disaster Recovery (DR) – Cloud customers must adopt a very robust and effective strategy in selecting the BCP and DR service partner. It is recommended to de-risk by not having both data center or primary service providers the same as your BCP or DR service partner. This also helps mitigate risks such as data portability, vendor lock-in or vendor lock-out.

Cloud Application Security

  • Secure APIs – Application interaction with web services is dependent on APIs, so adopting best security practices to secure APIs is a must. API keys should be prudently protected to avoid misuse.
  • Secure Software – Applying cloud software assurance and validation is important to secure the software. Proper configuration management, secure libraries, validated open sources and thorough testing, including vulnerability scanning, must be followed. Also, the developers must use at least two threat modeling methods techniques to avoid common application development pitfalls.
  • Appropriate Identity and Access Management – Managing and controlling access to your applications is a key security requirement. In any cloud service model, the onus is on the cloud customer to define and restrict access to their applications. Access logging and monitoring are to be closely controlled and monitored for effective application security management.

With cloud adoption becoming a major game-changer for many organizations, several security exploitation vulnerabilities have surfaced. Organizations that can strike a balance between their strategic objectives and security needs will foster an environment for further growth and innovation.