Accelerate your cloud migration without compromising security.

Companies of all sizes are transitioning their processes and presence to the cloud faster than ever before. Managing cybersecurity risk during times of such accelerated change is complex but critical. We can help.

Shared responsibility
How you use the cloud determines who secures it.

Cloud Service Providers (CSPs) generally refer to the model of securing the cloud as one of ‘Shared Responsibility.’ As AWS puts it, the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. Which aspect of security an organization is responsible for depends on which of the three cloud deployment models an organization utilizes.

Organizations commonly utilize services such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) to offload the procurement and maintenance of infrastructure such as servers, networks and databases. More and more companies are abandoning on-premise data centers in favor of third-party IaaS offerings.

In such circumstances the cloud customer has the highest level of responsibility, including securing virtual machine (guest) operating systems (including updates and security patches), containers, customer-installed/developed applications, and network access (firewall configuration).
Platform-as-a-Service sits between IaaS and SaaS, and includes platforms such as Google App Engine, Amazon Elastic Beanstalk and Force.com. PaaS includes the infrastructure components (compute, storage, network) delivered with IaaS, and adds to this additional components such as middleware, analytics, database management systems, and development environments/tools. The cloud customer here is responsible for securing the applications and services they develop, including application data.

SaaS-model cloud implementations (also sometimes referred to as Application-as-a-Service, or AaaS) include web-delivered software services such as Amazon S3 and Amazon DynamoDB, or web applications such as Salesforce or Office 365. In this scenario the CSP is responsible for securing everything from the physical hardware and network which hosts the application all the way up to the security of the application itself. The customer, for its part, is responsible for correctly configuring and implementing Identity and Access Management, as well as ensuring correct classification of assets and proper data management (for example, encryption options and policies).

Compliance in the Cloud

The cloud offers unparalleled advantages in terms of elasticity, scalability and cost optimization, through outsourcing responsibilities that were traditionally handled within on-premise data centers. The same factors that make cloud adoption attractive and almost inevitable also introduce unique compliance challenges. Your data is no longer exclusively under your control – but the requirement for legal and regulatory compliance is yours. 

We’ll help you assess compliance requirements and ensure that compliance is built into your cloud implementation.

Asset Auditing

Compliance starts with keeping track of where a company's assets are located, and categorising and labelling sensitive categories of data. Not owning the infrastructure can limit a company's auditing capabilities, but enterprise-grade cloud services also provide tools of their own to help.

Data Security

Standards such as PCI-DSS, HIPAA and SOX include security requirements regarding the gathering and processing of data, such as encryption, monitoring and access controls.

Privacy

Legislation such as the GDPR and CCPA increasingly regulates the processing, storage and uses of personal data that companies collect for various purposes. Ensuring the privacy of data in the public cloud is more complex since custodianship of the data is shared with the cloud provider.

Visibility is the foundation

Cloud Security Monitoring

The fact that an organization’s infrastructure and workstations are in the cloud does not mean security is somebody else’s responsibility. Under the Shared Responsibility models of the major Infrastructure-as-a-Service (IaaS) cloud providers (AWS, Azure and Google Cloud), certain aspects of security fall within the provider's domain, such as the physical security of the hardware upon which the cloud service is deployed. But securing the virtual machines, containers, and their operating systems, the applications, databases and associated networks (firewall configuration) remains largely the responsibility of the cloud customer.

BrothersKeep’s security monitoring services include 24/7/365 monitoring of your (multi)cloud deployment, giving you critical visibility into suspicious or anomalous activity in your distributed infrastructure.

Amazon Web Services

AWS provides robust security logging capabilities which integrate with our security intelligence correlation and analysis platform. These logging capabilities include Amazon CloudTrail, CloudWatch, GuardDuty, and Security Hub. Collecting and correlating these logs with logs from other organizational infrastructure - cloud or otherwise - provides a more complete security perspective.

Microsoft Azure

Microsoft Azure provides multiple security logging options. Services such as Azure Security Center or Azure Sentinel can be utilized to collect and analyze compute, storage (Blob), Active Directory logs and more. For a more comprehensive perspective, Azure logs can be sent to our security intelligence platform for correlation with other corporate logs, through the Graph Security API or Azure Event Hubs.

Google Cloud

GCP's Security Command Center provides customers with visibility through log analysis and various threat detection capabilities. Utilizing the Security Command Center REST API allows this data to be easily exported to our security intelligence platform for comprehensive correlation and analysis, providing you with holistic organizational visibility instead of a partial perspective.

The same but different

Pentesting the Cloud

The accelerated adoption of cloud computing, a relatively new frontier for many IT departments, invariably leads to new kinds of vulnerabilities and risks. Security testing geared specifically toward a cloud environment will help ensure you are aware of and can mitigate your risk.

Configuration

As a new frontier, cloud deployments are more prone to misconfigurations, some of which can have significant security ramifications. For example, misconfigurations of publicly accessible storage (S3, Blob) and databases have resulted in embarrassing data breaches and compromised sensitive data.

Identity and Access

Authentication in the cloud means that access points into an organization - which were once behind firewalls - are now publicly exposed, presenting new challenges for defenders.

Hybrid Environments

Cloud deployments are often connected to an organization's on-prem (office) assets either directly or indirectly, creating opportunities for attackers to move laterally from cloud servers and services to the on-prem environment.

Secure your Cloud

Let us help fill the gaps in your corporate security posture.
Or call us to speak to an expert now:

+1 212 643 1850