Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

Cloud Security Best Practice in 2022

For our last instalment for Cyber Security Awareness Month in October, we’ve got a blog on Cloud Security Best Practices.

The cloud offers huge benefits in terms of flexibility, scale and functionality and, if they haven’t already, many organizations are in the process of moving towards cloud computing, either wholesale or according to a hybrid model. But, as the saying goes (by Spiderman’s Uncle Ben I’m told), with great power comes great responsibility. Due to the fact that cloud computing is by definition available via the Internet, it comes with its own share of information security risks.

Computer with cloud security icon

What is cloud security?

Because of the different ways in which the cloud can be used by an organization, cloud security can cover a wide variety of areas. The commonly accepted forms of cloud computing are as follows:

  • Software as a Service (SaaS) – this is where an application log on screen is presented to the user via the Internet and all of the supporting infrastructure is taken care of by the vendor. Examples are Salesforce.com, HubSpot and Slack.
  • Platform as a Services (PaaS) – in this model, the cloud service provider (CSP) allows the user to choose specific pre-defined configurations, such as Windows servers, and then install their own software onto them. The major providers are Amazon Web Services (AWS), Microsoft Azure and Google Cloud.
  • Infrastructure as a Service (IaaS) – at a lower level, IaaS consists of making what is effectively just the virtual hardware available, and the user is responsible for installing and configuring operating software, such as Windows, and the application software on top of that. Common providers are the same as for PaaS.

For each of these types of cloud computing, the security duties that fall to the cloud service customer (CSC) vary according to what is generally known as the shared responsibility model. In simple terms, this means that the CSC has to do more in security as they move down the above list from SaaS to IaaS.

A very useful description of how this works is given in the ISO/IEC 27017 standard (Code of practice for information security controls based on ISO/IEC 27002 for cloud services) which covers the application of the Annex A controls from the ISO/IEC 27001 standard specifically to cloud services. Well worth a look.

Let’s look at the security considerations for each type of cloud computing in more detail.

Software as a Service

If you’re making use of an application that is hosted in the cloud, then you’re using SaaS. The great thing from an ICT point of view is that the CSP looks after all the difficult aspects of security such as patching, firewalls and networking. That’s a huge help to getting up and running with a new system but it doesn’t let the customer off the hook completely when it comes to security. Some of the key security issues to address when you’re using SaaS are as follows:

  • Beware shadow IT – because SaaS applications are so easy to sign up to and access, you may find that employees have done exactly that, and not told you. Before you know it, you have a range of unauthorised systems in use, with sensitive data spread across the cloud. Your main defence is policy and awareness, with a solid disciplinary process to enforce it.
  • Due diligence – you have a responsibility to check out the CSP before you sign up with them and start to input your data. Where are they based? Who owns the company? What security controls do they have in place? Which certifications do they hold?
  • Where’s your data? – particularly if you’re storing PII (personally identifiable information), you’ll need to know in which country (or countries) your data is located. Otherwise, you could be looking at a transfer of data between countries which could lead to fines under privacy legislation such as the GDPR.
  • User setup – One of the areas you’ll have complete control over is the creation of users, and the areas of the SaaS application they have access to. You’ll need to restrict admin access and have clear procedures for setting up and changing user permissions.
  • Access control – because it’s accessible from the Internet, an attacker on the other side of the world can try to log in as one of your users. Currently, the best way to prevent this (as well as strong password controls) is to enable multifactor authentication (MFA) in the form of a text message (good), smartphone app (better) or secure key (better still).
  • Application configuration – your SaaS system will allow you to set various parameters to achieve the results you want.
  • Incident management – if the SaaS provider gets hacked, then it’s possible that all of its customers are too, so you need to be clear about when and how they will tell you, and who will do what if it happens.
  • Endpoint security – although the SaaS provider looks after the infrastructure, you still have responsibility for the endpoints (laptops, tablets etc.) so don’t forget to implement good controls at your end too.

Platform as a Service

If you’re using the cloud to host your own applications, then in addition to the security considerations for SaaS, you’ll also typically need to address the following:

  • Application security – the configuration of the application is now down to you, so you’ll need to choose your settings carefully. If it’s a bespoke system you’re hosting, then this will include the design and coding of security features.
  • Application patching – you’ll need to download and apply relevant patches to the application you’ve installed, prioritising security updates where possible.

There may be more considerations if you’re making use of some of the more unique aspects of cloud services, such as serverless computing and containers.

Infrastructure as a Service

You may have requirements where you need to control everything about your cloud environment, from the operating system upwards, in which case the issues which may now fall to you to address could include:

  • Network security – configuring access control lists to segment your network in the cloud.
  • Firewalls – configuring rule sets to protect your virtual environment from intruders.
  • Operating system patching – ensuring your servers stay up to date with patches released by vendors such as Microsoft.
  • Database management – maintaining the health of your databases, including table sizes and performance.
  • Infrastructure as code (IaC) – the writing and testing of routines to automatically create virtual resources such as servers and network components.

5 Tips for cloud security when starting out

Finally, however you decide to exploit the potential of cloud services, here are a few tips to guide you on the way.

Tip #1 – Think carefully before deciding which model is for you

As explained above, each of the models of cloud services come with their own responsibilities. If there is a SaaS application that meets your needs, this may save you a significant amount of effort over the more DIY approach that PaaS and IaaS involve. The depth and amount of technical resource you have available will be a big factor in this decision.

Tip #2 – Be sure which model you are employing

Once you’ve chosen which way to go, make sure it’s clear what the relative responsibilities are between you and the CSP. Read the contractual information and ensure your part in the deal is enshrined in procedures and training as part of the implementation. Don’t allow anything to fall between the cracks.

Tip #3 – Make use of automation where you can

There are a significant number of excellent software tools available for jobs such as patching and the creation of virtual components (infrastructure as code). Used wisely, these can save a lot of time and reduce errors across all three cloud models.

Tip #4 – Secure your admin access very tightly

In a cloud environment your admin user accounts are very powerful and, if compromised, can be very dangerous. Ensure strong, unique passwords are in place and MFA is used.

Tip #5 – Invest in your cloud knowledge

Cloud services are incredibly powerful and can revolutionise your organization’s approach to ICT. Particularly if using PaaS and IaaS, invest in training and recruitment to ensure that the people managing your virtual environment know what they are doing and can maximise that potential.

Last words

The cloud can be a game changer for many organizations and the breadth and quality of services available from it are truly impressive (you want to rent time on a quantum computer? – no problem!). But moving to the cloud can be a risk if not managed carefully. Hopefully these tips may help.


More ISO27001 Resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

It was like having your hand held through the whole confusing and frustrating process of getting GDPR compliant, making it much more bearable.

EBY Design
UK

View all Testimonials