As the digital transformation of businesses accelerates, driven in particular by the increased need for online services during the pandemic, the public cloud remains the main option of choice for digitally transforming business operations. However, outsourcing in the cloud does not work on any sort of “click and forget” basis: customers need to remain alert and take on several safety responsibilities, or else serious incidents may occur.
With an average cost of three million dollars incurred by corporate victims of malware and 51% of companies having been attacked, cybercrime is alive and well.
One of the reasons is the widespread migration of companies to the cloud as a result of the health crisis. For example, between 2019 and 2020 in France, the market for cloud computing services recorded an increase of 17%, while IaaS and PaaS – popular for providing online video conferencing, collaboration, e-commerce and streaming solutions – increased by 25% over the period. But as they move data and applications to the cloud, organizations are also creating a much larger attack surface for criminals.
This is why, at a time when cybersecurity needs to stay one step ahead of cybercriminals, security must not be viewed as the poor relation in the company’s cloud approach.
In the cloud, security is an issue at every level
Like it or not, the cloud does not offer the option of completely outsourcing the security of migrated IT assets. The customer will always have some responsibility. To ignore this fact is to put security under the rug and expose yourself to many security incidents and attacks – data theft or loss, confidentiality breaches, disrupted operations, to name but a few.
For Matthieu Bonenfant,
“The trust that we bring to our cloud environment must operate at all levels, from outsourced service providers to security applications and solutions managed directly by the customer. ANSSI’s qualification sytems for cloud computing service providers (SecNumCloud) or security products help develop this trust.”
First of all, it is important to understand that security in the cloud calls for protective measures at all infrastructure levels:
- Physical infrastructure underlying the cloud: servers, storage arrays, switches, monitoring systems;
- Virtual infrastructure: compute instances, storage, VPC, virtual networks;
- Applications and micro-services that run in the cloud;
- Identities of users and administrators whose profiles and access accounts must be managed to use applications and data;
- Data stored in the cloud infrastructure, whether unstructured or structured in a database.
Customer/supplier: who secures what in the cloud?
There is no single one-size-fits-all answer for every case. It all depends on the model offered by the cloud provider. This is why the company needs to understand what its supplier is responsible for in terms of security, and what it is required to secure itself. Starting with the following key principles:
With IaaS, the cloud provider is responsible only for the physical infrastructure underlying the cloud, and its security. This leaves the customer in charge of security at all other levels. PaaS adds virtual infrastructure security to the responsibilities of the provider, while the customer takes care of identities and data. Finally, in a SaaS model, the bulk of the responsibility for security rests with the supplier; however, the customer must always keep control over identities and their own data.
In summary, customers will always be responsible for their own data, user and administrator accounts and identities, at the very least. They must check with each supplier what other security responsibilities the contract requires them to take. And all the more so if the company follows a hybrid cloud and/or multi-cloud strategy, possibly in connection with edge-computing, and involving several providers and types of cloud.
Best security practices for the cloud
The main point you need to keep in mind: the customer remains primarily responsible for security in the clouds that they use, and must be proactive in this area. At all levels of cloud security, the company must ensure that it maintains as much insight as possible into what is happening, Edouard Camoin explains:
“It must collect and exploit tracking information such as activity and access logs, and operating information for applications. With such a holistic overview, the company retains control and, where appropriate, ensures that security in the cloud is reversible.”
Another good practice: to think in terms of “Security by design” – in other words, to bake security into your cloud project from the start. This means thinking ahead and being organized, which involves establishing security criteria to specify what applications and data are eligible for the cloud, deciding who does what in terms of security and at what point to include them, planning the resources to be allocated, and setting up backups and continuity and recovery plans that make full use of the security features of the clouds used by the company. This will prevent the need to shore up subsequent breaches at great cost – and more importantly, will avoid crises. All without overlooking training and awareness, because, Camoin says,
“Too many operators are still choosing their cloud technology, setting it up in-house, and thinking about security at the last moment: the worst approach to cloud security!”
When choosing its cloud providers and setting up a reliable environment, the company must factor the concept of trust into its selection criteria. Working with SecNumCloud-qualified cloud providers and ANSSI-qualified security technologies is a step in the right direction. In addition, supplier assessment requires particular attention to the security scope that is actually covered behind a displayed certification: the company must ensure that security commitments are clearly set out in contract clauses.
Because customer proactivity is essential for cloud security, the business must be prepared to take the lead in order to cover themselves from a security point of view, even in cases where the supplier takes responsibility, recommends Bonenfant:
“For example, retaining the encryption key for your own data, and even not letting the supplier perform encryption operations. And in cases where security is the customer’s own direct responsibility, they must make maximum use of third-party protection technologies, compatible with various cloud environments, over which they have full control.”
In doing so, the company ensures the consistency of security policies across its entire information system (including hybrid cloud or multi-cloud) and makes it easier to reverse security in the event of a change of cloud provider.
Businesses hold a share of responsibility when it comes to security in the cloud: their data and their sovereignty in the cloud are not issues that can be put off!