Cloud security responsibilities
Security in information systems, also known as "cybersecurity," is created, produced, and distributed by people. The systems and software they use are merely tools. No one can design an information system to be inherently secure. Security is a process that either enables that system to operate in a secure fashion, or to be redeveloped or replaced with another system that can.
Cloud services are an extension of the data center. They enable the functionality that an organization provides to its customers to be served from a multiplicity of locations. They allow that functionality to be distributed and yet remain cohesive and interoperative. And most importantly to some businesses, they also distribute the risks involved with managing and securing highly distributed services to professionals outside the organization. Companies such as Amazon and Microsoft employ legions of world-class network-security engineers. Organizations that use public cloud platforms are the beneficiaries of their expertise.
Risk assessment and management
The problem an organization immediately faces when making any level of investment in cloud-based assets - infrastructure, software deployment platforms, development tools, or applications - is that it surrenders the ability to directly impact the integrity of at least that portion of its information systems. There are ways for that organization to send software-based agents into a cloud platform to observe and measure its performance and, to some degree, its system integrity. But even then, it cedes some or all oversight responsibility to its service provider of choice.
Some organizations made their initial decision to move some or all their information assets to the public cloud with the express intent of bypassing the comprehensive risk-management practice or protocol they would have required had they stayed entirely on-premises. What they would soon discover is that working in the public cloud actually mandates the very protocol they tried to avoid, though not for the reasons one might think. Cloud security professionals are risk-management experts. Whenever a cloud migration moves beyond the superficial level, both parties in the transaction need to understand how much risk the customer is willing to accept, and how much it will cede to the cloud, before they can come to terms with the provider's service-level expectations.
The International Information System Security Certification Consortium, more often referred to as (ISC)2, defines risk management as "the process of designing, developing, sustaining and modifying operational processes and systems in consideration of applicable risks to asset confidentiality, integrity and availability."1 It is not, as some have interpreted it in the context of information systems, a life support system, or a mechanism for preserving these systems in the face of threats. Rather, it is the opposite. Risk management mandates that systems be adaptable and modifiable to a reasonable extent. That's what the "applicable" part means here - it's a measure of fairness.
One international IT industry organization that has endeavored to maintain a standard of fairness for quantifying risk is the FAIR Institute. It has advanced what it calls Factor Analysis of Information Risk, whose goal is to quantitatively ascertain the amount of loss an organization is prepared to sustain if the security of an information asset is compromised. FAIR groups losses into six categories:
- Productivity - The ability of the organization to continue to produce goods or services its customer perceives as valuable
- Response - The capability of the organization to mitigate damages, internally or externally, on account of the loss
- Replacement - The actual fixed value of compromised assets
- Fines and judgments - The legal and regulatory costs sustained as a result of the loss
- Competitive advantage - The perceived ability of the organization to continue to differentiate itself from its competitors in a market
- Reputation - The damage sustained to the image customers retain of the organization, irrespective of its competition
In the event of a database breach, for example, where customers' personal and private data becomes exposed to malicious actors, an assessment using FAIR would estimate the amount of loss the organization may sustain in all categories. This amount may be offset by the organization's capability to respond effectively and mitigate damage. Cloud services don't change this equation, but they do influence these mitigation factors - potentially for the better. FAIR enables an organization to put a price tag on how much it is willing to spend to reduce risk, weighing immediate expenses against potential long-term costs. It also factors in the costs the organization may be willing to sustain to essentially own the risk level it settles for by way of insurance policies. Through a system of weights and offsets, FAIR sets the fair market value for cybersecurity risk.
Cloud security professionals
The people charged with maintaining security for cloud service providers are typically certified professionals. Their jobs are not only to protect their own employers' systems and platforms, but also their clients' and customers' services, to the extent that their service-level agreements (SLA) direct and limit them to. These agreements explicitly specify the responsible party -- the provider or the customer -- that will assume the risks for various classes of service.
Certification in the context of cybersecurity holds a different meaning from educational accreditation such as a degree from a university. A certification is a frequently renewed statement attesting to the fact that its bearer has demonstrated proficiency in a certain set of skills. The (ISC)2 organization backs the security industry's most recognized certification: Certified Information Systems Security Professional (CISSP)2.
For a person to become accredited for CISSP, they must demonstrate proficiency in securing networks, securing data at rest and in transit, and maintaining security protocols and best practices for software development. But first and foremost, this accreditation focuses on the topic of risk management. On either side of a cloud services partnership, a security professional must be capable of comprehending, if not directly assessing, the risks involved in transitioning critical assets from owned infrastructure to leased.
(ISC)2 offers a more narrowly focused certification on cloud security with its training courses and accreditation for Certified Cloud Security Professional (CCSP). Among the first topics are the roles and responsibilities of the customer and of the cloud service provider. The Cloud Security Alliance (CSA) offers its own certification called the Certificate of Cloud Security Knowledge. By comparison with CCSP, CCSK is more concerned with technologies and methodologies than with people, and for that reason, many see the two certifications as complementary. However, CCSK pays particularly close attention to risk-management principles, and especially how pre-existing principles change once the public cloud enters the equation.
Public cloud services and platforms (for example, Amazon AWS' Redshift data warehouse, Microsoft Azure Stream Analytics, Google BigQuery, and Red Hat OpenShift) are continually evolving. Developers integrate new code into these services on a daily basis through a process known as continuous integration and continuous deployment (CI/CD). By the time new code is "released into production" (made accessible to the end user), it has already been tested in working network environments. However, some newly released code is actually still being tested. On modern cloud platforms, new code and old code can coexist in what are called A/B deployments, with some customers operating the newer code. The performance of both classes is compared, and if the new code passes, the old code is phased out.
What this means in terms of security is that the behavior of cloud-based systems is always changing. Therefore, whether or not an organization's on-premises assets are subject to the same amount of change, these assets must be as aggressively monitored as any cloud-based environment, to the extent that they interoperate with the public cloud.
Azure, AWS, and Google Cloud voluntarily follow a policy framework called the Shared Responsibility Model (SRM). Though the model specifies different delegations of responsibility for various classes of services, its formative principle is this: The service provider pledges responsibility for security of the cloud, while the customer is deemed responsible for security in the cloud. Think of a hotelier that pledges physical security for its guests but expects those guests to behave themselves while in their rooms.
Figure 1: The Shared Responsibility Model for Azure. [Courtesy Microsoft]
Figure 1 shows how Microsoft represents this model to Azure customers. It depicts the degree to which responsibility for security is delegated to the service provider with each progressive service tier. For example, with respect to an IaaS platform that hosts Web servers on behalf of customers, the following table shows the responsibility assumed by the cloud service provider (CSP) and by the customer:
|Domain||CSP’s responsibility||Customer’s responsibility|
|Data classification and accountability||
|Client and endpoint protection||
|Identity and access management||
One important question that may come up after a thorough examination of the SRM: Who is responsible for privacy? This is a complex question, because from the perspective of the customers' own users and clients, any misuse of their personal information, however it may have been obtained, may be a violation of their privacy. If someone infiltrates the CSP's network, or if data is exposed through a flaw in the software or an opening in the firewalls, or if someone busts through the walls of the CSP's data center and steals its hard drives, personal information is at risk. Someone's privacy is breached, and end users don't care about how. They care about why, and about the damage that could result.
This is one more justification for the FAIR risk-management model. It takes account of the multiple factors that jointly comprise privacy and calculates how adjustments to roles and responsibilities for these factors may have a direct impact upon customer privacy. Loss of trust may be the greatest loss an organization can incur.
As it presently stands, the SRM does omit one important option: Cloud providers may also function as managed services providers (MSP), giving customers the option of outsourcing responsibility (and by extension, risk) for low-level assets such as infrastructure. When an organization builds a cloud platform on its own premises, as is possible with OpenStack, recent editions of VMware vSphere, and AWS Outposts, an MSP contract gives an outside source responsibility for supporting and maintaining the customer's infrastructure.
McCumber, John, et al (2018). The (ISC)2 Cybersecurity Lexicon. https://blog.isc2.org/isc2_blog/2018/02/welcome-to-the-lexicon-project.html.
(ISC)2. CISSP Training Course Outline. https://www.isc2.org/Training/Courses/cissp-training-course.