Cloud computing security

Cloud computing is the practice of using servers hosted on the internet to store, manage, and process data, rather than a local server or a personal computer.

Cloud computing can bring many economic and efficiency benefits for organisations. It also brings cyber security benefits and cyber security issues. Different types

Cloud computing is a very broad term. It can refer to lots of different ways of organising computers on the internet to do work.

Three broad service types for cloud computing are:

  • infrastructure as a service (IaaS)
  • platform as a service (PaaS)
  • software as a service (SaaS).

More information on cloud computing, including more details on these service types can be found at the following location: https://en.wikipedia.org/wiki/Cloud_computing

Cyber security in the cloud

The good news

Cloud computing offers organisations the opportunity to access scales of economy and efficiency that they cannot reach themselves. For cyber security this can mean that issues are managed more effectively than any single organisation can on their own.

For example, a public cloud service providing:

  • email will have more information about legitimate email flows. Using this data they can do a better job of filtering spam and malicious attachments.
  • SaaS applications (such as Salesforce or Google Docs) will take responsibility for patching their own servers and applications, helping them stay on top of vulnerabilities in that software.
  • data storage will have more comprehensive disaster recovery arrangements than a single organisation could hope to match.
  • a content distribution network will be more likely to withstand a distributed denial of service attack because of larger available bandwidth and its ability to automatically scale capacity when needed.

But there are new challenges too.

Understanding shared responsibility

It is a common misconception that cloud providers manage all aspects of cyber security for their service. However, much of the responsibility falls on the organisation using the service. For example, if you are using:

  • virtual machines in an IaaS model, then these servers are basically yours to look after—you need to keep them patched, review logs, restrict and manage access, etc.
  • SaaS, then your cloud provider will give you access to controls to manage who can access your information. If you don’t spend the time to correctly configure and monitor these then the service may give more access to your information than you wanted.

Make sure you review and understand the provider’s shared responsibility model so you can identify the cyber security gaps which your organisation will need to address.

Some cloud provider’s will also publish their own technical guidelines on how to securely use their service. Make sure you read these and follow their advice.

Strong authentication

Cloud systems are exposed to the internet, so strong authentication is particularly important. While cloud providers can implement sophisticated mechanisms to detect unauthorised access there is still a critical role to be played through good cyber hygiene.

Strong authentication mechanisms, including strong passwords and two-factor authentication, should be used where available. Privileged users in particular (such as systems administrators) should use two-factor authentication. Communications to and from the cloud

Information being transmitted to and from your cloud service should be encrypted. By default most cloud services make use of acceptable, commercial-grade encryption such as TLS. Ensure this encryption is enabled. The Australian Government Information Security Manual (ISM) provides guidance on specific cryptographic algorithms if you want to delve further into the details and are looking for a credible source for this information.

Always be skeptical of claims of proprietary or unique data encryption approaches. Your cloud provider should make use of widely available and credible encryptions algorithms and protocols. Remember that for many IaaS situations you will be entirely responsible for correctly configuring encryption on cloud resources.

Data sovereignty

Data sovereignty refers to the country in which data is stored and the issues that can flow from that.

Data stored in non-Australian jurisdictions will be subject to the laws of the other country. Offshore storage may limit the ability of Australian authorities to help if there are issues.

If the cloud service has the option, often storing your information in Australia is a straight-forward and reliable choice. If you must choose between other jurisdictions you should first consider those with strong rule of law, good cultural ties and similarities to Australia.

For some services you can’t choose where your data will be stored. If the nation where the data is being stored doesn’t seem appropriate then it might be worth considering competitors’ services, where data may be stored in locations you find more acceptable.

Privacy

The Privacy Act (1988) does allow organisations to store personal information with a cloud provider in another nation provided certain requirements are met.

Two parts of the Australian Privacy Principles (APP) apply:

  • APP 8: Cross border disclosure of personal information
  • APP 11: Security of personal information.

APP 8 mostly relates to intentional and accidental disclosure of personal information to overseas parties. It is likely to apply where an overseas party performs a business process for you (such as an overseas call centre). However, if you use a public cloud service to store, process and retrieve information, such as an online office or email tool, you are unlikely to be affected. Seek advice if you are unsure.

APP 11 relates to taking ‘reasonable steps’ to protect personal information. Guidance on ‘reasonable steps’ is available in the APP guide, but it does vary based on certain factors. For these purposes, using the cloud service providers’ security configuration guide, and aiming to achieve security at least equivalent to any local systems you have, is a good start. If you hold significant amounts of personal information you may need to seek advice.

Backups and access to data

Cloud services usually provide reliable data storage—in fact this reliability is often one of the benefits that makes cloud attractive.

But you may still need to do your own backups:

  • Ransomware attacks may affect your online file storage. Backups may still be required to restore data which is maliciously deleted.
  • The cloud provider may offer backup facilities, but you could need to explicitly activate them (potentially with additional charges).
  • You might lose access to your cloud service for some reason, in which case having your own copy of your information will be important.

Understand your cloud provider’s shared responsibility model, so you know when, and to what extent, you still need to manage data backups.

Choosing a cloud service provider

Cloud service providers can become an integral part of business processes. Choosing providers who will be reliable, long term partners is critical, as is ensuring that they implement adequate cyber security.

In the first instance the ACSC’s Certified Cloud Services List (CCSL) identifies cloud services who have been assessed against the Australian Government Information Security Manual.

Due to the size of the cloud segment many cloud service providers are unlikely to ever appear on the CCSL. In these cases, you should consider the reputation of the cloud provider, data sovereignty and industry cyber security certifications such as Cloud Security Alliance STAR, as well as other industry certifications such as SOC2 and ISO27000.