The Basics of Cloud Computing
Cloud computing is a service in which, instead of housing servers and databases internally, you have them hosted in a data center by a cloud provider. A cloud provider can deliver a completely managed service where almost every task is performed by the provider, or you can own your cloud infrastructure much as you would own your internal infrastructure, minus the physical access. With either a fully managed or a self-managed cloud infrastructure, you do not own any hardware or any of the underlying layers beneath the operating system, such as firmware or BIOS. You will never see a Dell splash screen on a system inside AWS.
This is different from a co-location, where you move your own hardware (servers, databases and so on) into a data center but still own it and remain responsible for it. With co-location the data center is essentially lending you a secure space and providing more reliable uptime through redundant internet connections and backup power. With cloud hosting it is the opposite: you do not own the hardware and are not responsible for it. Under both models, however, you are responsible for what runs on the hardware, such as your operating systems, applications, databases and other services.
Read below for a transcription of the webinar.
Cloud computing utilizes what is known as the Shared Responsibility Model. This model basically defines what the customer is responsible for versus the cloud provider.
Cloud Provider Responsibility
- Physical Security
- Hardware, firmware and everything else beneath the guest operating system
- Underlying network access to the internet/intranet
Client Responsibility
- Operating System
- Access Controls
- Data Protections
- Network Security
In a cloud computing infrastructure you remain responsible for the guest operating system. As with any computer, it must be configured securely: it needs patching, anti-virus or agent-based endpoint detection where appropriate, and configuration for its intended task. Recovering or restoring the host's operating system also falls to the client.
As in any on-premises environment, your cloud infrastructure should use a centralized identity and access management system. A directory such as LDAP or Active Directory lets IT staff assign user roles, and by assigning roles you can limit each user's access to what their job function requires.
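Least privilege is easy to state and hard to verify by eye. As an added example (not code from this article, from I.S. Partners/AWA, or from AWS), the script below reads IAM policy documents in their real JSON format and reports the statements that grant far more than one job function needs: wildcard actions, an Allow written with NotAction, or write actions on every resource. The three policies in it are constructed samples, the read-only verb list is a heuristic assumption, and the account ID is the AWS documentation placeholder.

```python
"""Audit IAM policy documents for statements wider than a job function needs.

Added example for this article, not code from the original page or from AWS.
It reads the real IAM policy-document format, but every policy below is a
constructed sample (123456789012 is the AWS documentation placeholder account).
Run it as-is for the samples, or pass a policy-document JSON file as argv[1].
"""
import json
import sys

# Actions starting with these verbs only read state. Heuristic, not an
# authoritative list: treat it as an assumption and tune it for your services.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Head", "Lookup")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """True for actions such as s3:GetObject or ec2:DescribeInstances."""
    verb = action.split(":", 1)[-1]  # drop the service prefix
    return verb.startswith(READ_ONLY_VERBS)


def find_overbroad_statements(policy):
    """Return one finding per Allow statement that breaks least privilege.

    A statement is flagged when it
      * uses Action "*" or "<service>:*" (every API of AWS, or of a service),
      * is an Allow written with NotAction (everything *except* a list), or
      * grants a mutating action on Resource "*" (write anywhere).
    Deny statements only narrow access and are skipped. Read-only actions on
    Resource "*" pass: some of them (s3:ListAllMyBuckets, most ec2:Describe*)
    cannot be scoped to a resource at all.
    """
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        reasons = []
        if "NotAction" in stmt:
            reasons.append("Allow with NotAction grants every action not listed")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                reasons.append(f"wildcard action {action!r}")
        if "*" in resources:
            mutating = [a for a in actions if not _is_read_only(a)]
            if mutating:
                reasons.append(f"Resource '*' with mutating actions {mutating}")
        if reasons:
            findings.append({"statement": index, "sid": stmt.get("Sid"),
                             "reasons": reasons})
    return findings


# Constructed sample policies: one scoped to a job function, two that are not.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadBillingReports", "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-billing-reports",
                     "arn:aws:s3:::example-billing-reports/*"],
    }],
}

ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAccess", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListOnly", "Effect": "Allow",              # fine: this action only takes "*"
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "AnyBucketWrite", "Effect": "Allow",        # writes to every bucket
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "*"},
        {"Sid": "EveryIamCall", "Effect": "Allow",          # scoped resource, wildcard action
         "Action": "iam:*", "Resource": "arn:aws:iam::123456789012:role/app-*"},
        {"Sid": "DenyTerminate", "Effect": "Deny",          # Deny only narrows; skipped
         "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policies = {sys.argv[1]: json.load(fh)}
    else:
        policies = {"least-privilege": LEAST_PRIVILEGE_POLICY,
                    "admin-like": ADMIN_LIKE_POLICY, "mixed": MIXED_POLICY}
    for name, policy in policies.items():
        print(name, json.dumps(find_overbroad_statements(policy), indent=2))
```

The checks are deliberately conservative: a statement can still be too broad without tripping any of them (for example `s3:GetObject` on `arn:aws:s3:::*`), so treat the output as a review queue for the access reviews described above, not as proof that a policy is tight.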
If you are using cloud infrastructure, your company almost certainly holds some type of sensitive data, and that data must be protected at all times. Cardholder data (CHD), protected health information (PHI) and controlled unclassified information (CUI) must be protected both at rest and in transit. Data at rest usually lives in a file share or a database, and any CHD, PHI or CUI stored there should be encrypted. Encryption adds a layer of defense; it does not replace access control, so sensitive files on a shared folder should also have their read/write/modify permissions limited to the least each user needs.
It is also likely that sensitive information has to be exchanged with parties outside the organization. If so, you must use a secure means of transport, because the data remains your responsibility while it is in transit. Many options exist today: encrypted email, SFTP and HTTPS all carry sensitive data in encrypted form.
One dangerous misconception about migrating to a cloud environment is that it is secure by default. That is only partially true. AWS, for example, creates a new security group with no inbound rules, so all inbound traffic is denied until you add a rule (outbound traffic, by contrast, is allowed by default). Default deny is the right starting point: every legitimate access path needs an explicit rule in the security group, which behaves like a stateful access control list (ACL), and that rule should define WHO can reach WHAT in the cloud resource. As a best practice, everything should be limited to the least access needed to perform the desired function. Rules whose source is 'any' (0.0.0.0/0 or ::/0) on anything other than a deliberately public port leave an open attack vector for a malicious hacker; the preferred method is to make each security group rule as specific as possible.
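The 'any' rule is easy to spot in a console with three security groups and easy to lose in an account with three hundred. The script below is an added example for this article (not AWS tooling): it walks security groups in the shape returned by `aws ec2 describe-security-groups` and reports every inbound rule that is open to the world on something other than an explicitly allowed public port, while leaving alone rules whose source is another security group or a specific CIDR. The groups, IDs and the allowed-port set are constructed assumptions.

```python
"""Flag security-group rules that admit 'any' source on ports that should not be public.

Added example for this article, not AWS code. Input follows the shape of
`aws ec2 describe-security-groups` output (the "SecurityGroups" list); the
groups below are constructed samples with made-up IDs.
"""
import ipaddress
import json
import sys

# Ports a deliberately public service may expose to the world. Assumption:
# adjust to what your environment actually publishes.
ALLOWED_PUBLIC_PORTS = {80, 443}


def is_world_cidr(cidr):
    """True for 0.0.0.0/0, ::/0 or any other prefix of length 0 (i.e. 'any')."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _world_open_sources(rule):
    """Return the IPv4/IPv6 CIDRs in this rule that mean 'anywhere'."""
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [cidr for cidr in sources if is_world_cidr(cidr)]


def _port_label(rule):
    """Human-readable port range; protocol -1 carries no ports at all."""
    if rule.get("IpProtocol") == "-1":
        return "all"
    low, high = rule.get("FromPort"), rule.get("ToPort")
    return str(low) if low == high else f"{low}-{high}"


def audit_security_groups(groups, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """One finding per inbound rule open to the world beyond the allowed ports.

    Rules whose source is another security group (UserIdGroupPairs) or a
    specific CIDR are the 'WHO can reach WHAT' rules the article asks for and
    are not reported.
    """
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):      # inbound rules only
            world = _world_open_sources(rule)
            if not world:
                continue
            protocol = rule.get("IpProtocol")
            if protocol == "-1":                         # every protocol, every port
                exposed = True
            elif protocol in ("tcp", "udp"):             # flag if any port in range is not allowed
                ports = range(rule["FromPort"], rule["ToPort"] + 1)
                exposed = any(p not in allowed_public_ports for p in ports)
            else:                                        # icmp etc.: nothing to allow-list
                exposed = True
            if exposed:
                findings.append({"group": group.get("GroupName"),
                                 "group_id": group.get("GroupId"),
                                 "protocol": protocol,
                                 "ports": _port_label(rule),
                                 "sources": world})
    return findings


# Constructed samples in the describe-security-groups shape (IDs are made up).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,            # public on purpose
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,          # only from web tier
         "IpRanges": [{"CidrIp": "10.0.1.0/24", "Description": "bastion subnet"}],
         "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "123456789012"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],      # the classic 'any/any'
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,              # SSH from the world
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,             # range hides 81-442
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. aws ec2 describe-security-groups > groups.json
        with open(sys.argv[1]) as fh:
            groups = json.load(fh)["SecurityGroups"]
    else:
        groups = SAMPLE_SECURITY_GROUPS
    for finding in audit_security_groups(groups):
        print(json.dumps(finding))
```

Note the third legacy rule: a port range of 80-443 reads like "web only" but also exposes 81 through 442, which is why the check tests every port in the range rather than the endpoints.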
Overview of the Benefits of the Cloud
Cloud environments make sense for businesses of all types. As the workforce becomes more agile, cloud resources provide capabilities that were often out of reach for small and medium businesses. By nature cloud resources are highly available and highly scalable, and they make disaster recovery and business continuity easier to implement.
In the past, for a smaller company to scale up to meet demand required a large up-front investment in new hardware, which then took time to set up and configure. With cloud hosting these operations have become much easier and are paid for on a more affordable subscription model instead of the previous up-front hardware and licensing costs.
Some situations will still require on-site equipment for compliance, legal or cost reasons. Those will be the exception; most businesses will benefit from the cost savings of cloud hosting, and most organizations can benefit from some aspect of it. Organizational needs and requirements should be the primary driver in deciding how your organization uses the cloud. The cloud is not a one-size-fits-all solution, and many variations can be combined to add capability, strengthen continuity and lower costs.
What Was Said During the “Cloud Basics – Overview” Webinar?
Introduction to I.S. Partners and the AWA International Division
“Good afternoon, everyone. I’m happy to present to you today on cloud basics. My name is Anthony Jones. I’m an MBA QSA, CIS and CISM. I’m a leading partner of AWA and I’ve been in the industry for 20 years. I put in 10 years at PwC and our business was started in 2005 by four former auditors in CPA-registered firms. For the most part we’re controls-related; we focus on controls-related audits like PCI DSS assessments, SOC 1, SOC 2, and SOC 3 audits, and HITRUST certifications.
“AWA International Group, which is a division of I.S. Partners, was born about five years ago. Our clients came to us and identified a need for more technical resources and capabilities. And we responded, by hiring individuals with more technical skill sets. In my opinion, we just created a better approach to controls and opened a whole segment of opportunities in the types of assessments that we perform, including PCI DSS assessments.
“We provide secure framework assessments, such as ISO 27001, NIST, and FISMA, which is a segment of NIST, which we all know is extremely important in this new technical environment. We also do penetration testing. That’s something that we started two years ago, and it has had tremendous success. It’s given our clients even a greater strength of security, as well as HIPAA assessments and security risk assessments, which are other things that we specialize in.
Meet the Webinar Speakers
“For this presentation, we have two of our lead technical guys ready to inform you about cloud basics. We have Mike Ciunci; he’s a QSA, CISA, and CISM. He’s a director with AWA International Group. He has 20 years of experience in technology, as well as auditing and security experience. So, he has a large depth of knowledge in security.
“We also have Josh Perri. He is a CISSP, a certified ethical hacker, and a CCNA security guy. He’s an AWA senior consultant with 11 years of experience. In the last four years, he’s focused solely on security, both as a security engineer and as an assessor.
“So, you know, the experience level here is high. I’m so excited to turn this over to Mike Ciunci, to go through cloud basics with you and give you some really good information.”
Goals of the Webinar & Main Topics
“As Anthony just said, we’re going to cover some cloud basic security features with a high-level overview. As you will hear, there are many, many aspects to cover when discussing the cloud. Today, we just wanted to provide a brief overview of some of the topics we feel strongly about.
“We’re going to cover variations of cloud environments, client responsibility, defense in layers, operating systems, access controls, data protection, network security, application development, native AWS services. We’re going to talk about some outside help you can get. And at the end, we’ll have some time for some questions and answers.
Advantages of Using the Cloud
“Some benefits of being in the cloud include the fact that the client is not responsible for any hardware. You do not have the upfront expense of having to purchase all your hardware. There are no support contracts to consider when cloud providers offer infrastructure as a service (IaaS). So, you only pay for what you actually need, at the current time.
“The client is not responsible for physical access to the data center either. The cloud provider is responsible for all physical access since they own the data centers. And this takes all the liability out of your hands in disaster recovery and business continuity capabilities. There are multiple ways you can utilize the cloud to help with your DR and BCP needs.
“You can use cloud backups to securely store your backup data in the cloud and restore as needed. You can use a hybrid approach and connect your on-premises network to your DR cloud environment and create replicas of your servers and infrastructure, and recover to the cloud during a disaster. If you are entirely in the cloud, you can take advantage of multiple regions and zones available to replicate your production environment accordingly. This can make the disaster recovery process much more streamlined.
“Also, being in the cloud, scalability is simplified. The benefits of cloud computing services include the ability to scale elastically; in ‘cloud speak’ this means you utilize the proper amount of resources and only when needed. This offers you the flexibility to adjust the amount of computing power, bandwidth, and storage. Scaling can help keep costs under control by only using the resources you need, when you actually need them, and turning them off when you don’t, thus keeping your costs and expenses in control.
Variations of Cloud Hosting
- Hosted
- Fully Managed
- Cloud Backup
Hosted Cloud Structure
“A hosted cloud environment will utilize the shared responsibility model. In a hosted shared responsibility model, the cloud service provider takes care of the physical requirements and compute power. However, it’s critical to understand that – as the client – you are responsible for protecting the data and who has access to your environment.
“Some things to think about when choosing between these three cloud hosting structures:
- Customer data – Does your customer data need to be encrypted?
- Identity management – This helps simplify security and can make access control easier for your IT folks to manage.
- Platform and application management – You want to keep in mind that, although your application is in a shared responsibility model, you are still responsible for the SDLC process.
- Firewall configuration – Firewall rules or security groups must be configured properly to prevent unauthorized access, especially from public-facing networks.
- Client-Side Security – You want to implement data integrity authentication.
- Server-Side Security – Determine if you need file-level and/or disk encryption.
- Network Traffic Protection – Implement an IDS/IPS solution. Make sure you are encrypting the network traffic. You also want to consider what VPN solution you will put in place.
Fully Managed Cloud Structure
“The fully managed cloud provider will be responsible for the hardware and operating systems, including all IT infrastructure. Even if you choose fully managed, as a client, you still need to:
- Follow best practices regarding application development.
- Implement a secure coding practice or use a scanning tool to check for vulnerabilities in your code.
- Follow the OWASP Top 10 Guidelines.
- Follow best-practice change management procedures.
- Don’t allow developers access to push code changes to production.
- User provisioning should grant access according to the principle of least privilege.
Cloud Backup Structure
“Cloud backup utilizes the redundancy of the cloud to store sensitive data. Oftentimes a company’s first step in moving to the cloud starts with backups.
“Some benefits of cloud backups are reliability, reduced costs, and file transfer security. There’s no need for tape or disk-to-disk backups. And it helps with data disaster recovery and meeting some compliance requirements.
Defense in Layers
“When thinking about securing your environment, you may want to use the “layered defense” approach. Securing your cloud environment could be a whole webinar in itself. In fact, we will dedicate a future webinar to this exact topic.
“One of the biggest things you need to understand when moving to the cloud, is that there are many security features and offerings, but most are not on by default. It’s up to you to turn them on and configure them as needed. And also make sure you’re monitoring as well.”
“The guest operating system is the responsibility of the client. And when I say the ‘guest operating system,’ that would be the operating system that lives on the instance, not the hardware, which is the responsibility of the cloud provider.
“The operating system gets installed on the specific instances or hosts that are running. Examples of the operating system are Windows Server 2020, Red Hat Linux, CentOS, and Ubuntu. And the basic hygiene of these systems must be maintained just as if they were on-premises.
“These maintenance processes include:
- Configuration of the device or service;
- System hardening, which may include removing applications that aren’t used and closing unused service ports on the system;
- Frequency of application and operating system patching;
- Threat detection;
- Backup and recovery processes.
“Organizations implement access controls to prevent unauthorized access. The goal should be to provide your employees with just enough access for them to perform their job responsibilities, and nothing else.
Centralized Identity & Access Management
“Best practices include utilizing a centralized identity management system, which helps with terminations, compliance, and operations for your IT staff. This is going to be a one-stop-shop when you need to change access or remove a user’s access.
Limit Access Based on Need
“If I am giving an employee access, I’m going to give them just enough to perform their job function and nothing else, so that if their credentials are phished, or a malicious actor got access to their system, the role the user has is limited based on needs.
“Additionally, adding some type of token authentication to any type of identity management system is going to really bolster your security by adding that second layer of authentication. Where a password just isn’t enough for access, you also need that additional token.
Secure Your Storage
“You just want to keep anything that’s private, private. And anything that is public, you fully understand it’s public.
Securing Data at Rest
“Basically, data must be protected when it’s stored. This could be achieved by utilizing some type of key management system or server-side encryption that makes sure your sensitive data is encrypted at rest.
“Additionally, we’re going to need to verify that data stored within a database is encrypted. This should always be checked for compliance reasons: if you have sensitive data in a database that is not encrypted, it might not meet your compliance needs.
“When you’re working with a cloud provider, don’t assume the cloud provider will always take responsibility for your sensitive data. There are going to be occasions when utilizing a business associate agreement (BAA) is required for use with a cloud provider to store your sensitive information.
Securing Data Transmission
“Now, we’re going to continue with data protection, but focus on a different element. We’re going to focus on the transmission. When data is transmitted, it can become susceptible to snooping. Utilizing secure and encrypted protocols will render that data unreadable and useless to any malicious attacker. You must implement security protocols for the exchange of data, such as encrypted email, HTTPS, SFTP or FTPS, along with any type of VPN for securing data during transmission.
“A strong security program will implement protections on the network to limit access and detect malicious traffic as it’s transmitted. When dealing with cloud security, a layered approach is still a viable option. This includes the things that we’ve always talked about…
- Utilize a deny-all policy – Only allow traffic that is required for business needs.
- Network segmentation – Separate your sensitive data from the other services. An example would be a database should not be in the same network as something that receives web traffic. That should be segmented so that they can communicate, with the communication severely limited to just what’s required.
- Centralized monitoring – A centralized location receives all the different logs, offering an easy solution for IT staff when looking at common metrics and helping discover possible errors in real-time. It’s just a best practice for utilizing monitoring.
- Network intrusion detection/prevention – Systems that are capable of monitoring network traffic for possible threats. There is a difference between an intrusion detection system – which detects threats and alerts you to the threats – and a prevention system – which can actually stop the threats in line on the network and prevent the traffic, in addition to alerting IT that it was detected.
“Now, this is going to be one situation in the cloud where everything is going to be the same practice as if they were on-premises. The application that you developed for your organization must be secure and follow secure coding guidelines, performing application-specific testing, such as static code analysis or dynamic code analysis, or performing application-based penetration testing.
“As Mike mentioned earlier, following the OWASP Top 10 and utilizing a web application firewall can go a long way to secure your application in the cloud.
Native AWS Services
“These can include managed databases, managed containers, single sign-on, and a plethora of other services, which can be intimidating to understand. Working with a consultant who understands and can suggest improvements is extremely valuable. Not only can you save time with automation, but money as well, through cost-effective use of the cloud.
- Managed Databases – This is probably the most common one we see with our clients. Instances of this would be Amazon RDS, DynamoDB, or Aurora. Google Cloud and Azure have similar offerings.
- CloudTrail and GuardDuty – Again, these are AWS-specific services that can monitor and gather logs. They essentially use the logs as threat intelligence to detect any malicious traffic on the network.
- Elastic load balancers – Services that will protect your servers, which run in front of your application server. They allow the application server to run properly and, based on performance and demand, the elastic load balancer will balance between different servers preventing the traffic from reaching a point where it’s detrimental to the service.
- Application firewall – This is extremely similar to a load balancer, but it has added functionality to allow or block traffic based on the defined criteria. An application firewall, otherwise known as a layer 7 firewall, is an added layer of security that enables extremely granular blocking of the traffic. You can block traffic based on the location or other similar criteria that you determine.
- DDoS shield – All AWS instances are protected by the DDoS shield, which protects against the distributed denial of service attack. This type of attack we see very commonly in the news, and the main goal is taking a service offline. So, utilizing a cloud will make you extremely resilient to any type of DDoS attack.
- Single sign-on – The last cloud-native service is single sign-on and we single out AWS for this service. However, Google and Azure have the same management systems for identity management to utilize a one-stop-shop for all identity in the cloud environment.
“When implementing, maintaining, or even choosing an information security management program, the task can seem daunting. One possible shortcut is to find a partner who can help relieve anxiety. Pick your vendors, contractors, and assessors wisely, as they’re not all created equal. One aspect that a third party can assist with is a compliance audit, such as PCI, HITRUST or ISO, and then additional security risk assessments.
“Third-Party Assistance Options:
- Compliance audits and security risk assessments.
- Penetration testing and vulnerability scanning.
- Independent security reviews – firewall rules, user permissions, privileged access, etc.
- Security Operations Center (SOC) services, firewall management, or SIEM management.
“Essentially, a third party could provide these services which add a lot of value to your organization.”
Questions from Webinar Participants
What are the biggest challenges to migrating to the cloud?
“One of the biggest concerns or challenges is having staff that’s not familiar with the cloud. We’ve seen this firsthand with clients who rush to get their services and databases in the cloud. They might have mistakenly left an S3 bucket open to the public, and that could lead to a data breach, which would be detrimental to your company.
“The other thing you want to keep in mind is cost. Like I said earlier in my presentation, you can slowly approach the cloud. You may want to just start with simply cloud backups. That’s one good, easy way to get into the cloud first. The other thing you want to keep in mind is the amount of assets you have and how you’re going to put them into the cloud.”
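The open S3 bucket mentioned in the answer above, and the "keep anything that's private, private" point from the storage section, can both be checked mechanically. The following is an added example for this page, not part of the webinar and not I.S. Partners', AWA's or AWS's code: it classifies a bucket policy as private, public-read or public-write using the same idea the S3 console applies, namely that an Allow statement for Principal "*" is public unless a condition pins down who the caller is. The four bucket policies are constructed samples, the set of restricting condition keys is an assumed subset, and the account and organization IDs are placeholders.

```python
"""Classify an S3 bucket policy as private, public-read or public-write.

Added example for this page, not the webinar's or AWS's code. A statement is
treated as public when it allows Principal "*" (or {"AWS": "*"}) without a
condition that narrows the caller. Bucket policies below are constructed
samples (123456789012 is the AWS placeholder account; o-exampleorgid is made up).
"""
import json

# Condition keys that scope a Principal "*" statement back to a known caller
# or network. Assumption: a subset of the keys AWS treats as non-public.
RESTRICTING_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn", "aws:sourceaccount",
    "aws:sourceip", "aws:userid",
}
WRITE_VERBS = ("Put", "Delete", "Create", "Restore", "Replicate", "Abort")


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """Principal "*" or {"AWS": "*"} (string or list form) means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _has_restricting_condition(condition):
    """True if some clause names a restricting key with a non-wildcard value."""
    for operator, clauses in (condition or {}).items():
        if operator.lower().startswith("null"):   # Null tests do not pin a caller
            continue
        for key, values in clauses.items():
            if key.lower() in RESTRICTING_KEYS:
                if any(v not in ("*", "0.0.0.0/0", "::/0") for v in _as_list(values)):
                    return True
    return False


def _is_write_action(action):
    verb = action.split(":", 1)[-1]
    return verb == "*" or verb.startswith(WRITE_VERBS)


def public_statements(policy):
    """Statements that grant access to anyone on the internet."""
    result = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":                     # Deny never opens access
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if _has_restricting_condition(stmt.get("Condition")):
            continue
        actions = _as_list(stmt.get("Action"))
        result.append({"statement": index, "sid": stmt.get("Sid"),
                       "actions": actions,
                       "write": any(_is_write_action(a) for a in actions)})
    return result


def classify_bucket_policy(policy):
    """'public-write' outranks 'public-read', which outranks 'private'."""
    public = public_statements(policy)
    if any(s["write"] for s in public):
        return "public-write"
    return "public-read" if public else "private"


BUCKET = "arn:aws:s3:::example-app-data"

# Constructed sample policies.
PRIVATE_APP_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
    {"Sid": "RequireTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],                       # Deny with "*" is fine
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
WEBSITE_BUCKET = {"Version": "2012-10-17", "Statement": [      # public on purpose
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-www/*"},
]}
LEAKY_BUCKET = {"Version": "2012-10-17", "Statement": [        # the accidental case
    {"Sid": "Oops", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
]}
ORG_ONLY_BUCKET = {"Version": "2012-10-17", "Statement": [     # "*" but pinned to one org
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
]}

if __name__ == "__main__":
    for name, policy in [("private-app", PRIVATE_APP_BUCKET), ("website", WEBSITE_BUCKET),
                         ("leaky", LEAKY_BUCKET), ("org-only", ORG_ONLY_BUCKET)]:
        print(f"{name:12s} {classify_bucket_policy(policy):13s}",
              json.dumps(public_statements(policy)))
```

A script like this is for reviewing policies that already exist; the preventive control is S3 Block Public Access, which when enabled at the account level rejects public bucket policies outright. Note also that the RequireTLS statement in the private policy uses Principal "*" with Effect Deny, which is the normal way to force HTTPS and is correctly not reported.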
If I am in the cloud, does that mean I’m secure?
“Nope, nothing in life is 100% sure. Right? I think that getting to the cloud is half the battle and then actually securing it to make sure that you’re safe is the second half. You have to implement measures to ensure that nobody malicious comes knocking or is able to find a way to get in. That’s why we recommend performing assessments, penetration testing, vulnerability scanning. It’s still necessary to have an active security program to ensure security.
“I advise organizations to get into the cloud. Then, once you get in, start building your controls against the threats that we’ve just discussed. Next, after each door to those things is closed, that’s when you can start measuring, monitoring, and reviewing the controls that are in place.
“Because it’s one thing to be secure, but it’s another thing to stay secure. I would say, natively nobody is secure in the cloud. You must achieve it.”
Will I still keep my compliance status if I migrate to the cloud?
“Based on our experience, this is another area of confusion for some of our clients. Now, you may be compliant right now. You move to the cloud and you think, ‘Well, AWS has PCI certification. AWS has SOC 1 and SOC 2; I’ve seen the reports. Therefore, I must also be compliant and I don’t have to do anything.’ That is a common mistake that we see happen repeatedly.
“Just because AWS or Google offers centralized monitoring, doesn’t mean you meet that requirement. You still have to set that up and you still have to proactively take those measures to make sure you’re actively monitoring. IDS/IPS is another thing. They both offer that service, but it’s not on by default. Even if it was, the client still needs to monitor it, configure it, set up alerts and take the actions necessary to meet compliance regulations.
“These are just two, brief examples. There are a lot of other things that you need to do to ensure you continue to be compliant.
“I know that both AWS and Google offer downloadable matrices that show their responsibility, your responsibility, and then what requirements could be a shared responsibility.”
How can I retrain my staff to operate in the cloud?
“This is a kind of a tough question because the cloud and DevOps are still fairly new and are changing every day. But the best approach, honestly, as with most things in the IT field, is self-study. There are plenty of online resources: AWS, Google, and Azure, Docker and Kubernetes, regarding DevOps and cloud features. There are also some very good courses you can take. I think self-teaching and hands-on experience are key. Have the IT staff set up their own little test labs in Azure, Google, or AWS.”
Trust AWA for Assistance with Cloud Security
Deciding whether to move to the cloud, and how best to use cloud resources, is not simple; many factors must be considered. One early decision is whether to migrate your current infrastructure into the cloud as it stands or to build a new environment from the ground up. Moving to the cloud can be an opportunity to start from scratch, follow best practices and set your organization up for long-term success. When making this decision, consider a trusted partner to help consult on and review the possible options and solutions for the new and exciting challenges ahead.
Contact AWA and I.S. Partners to help bridge the gap between compliance and security.