In my previous blog post, we looked at cloud service providers’ (CSP) responsibilities regarding cloud security. Major CSPs use a shared responsibilities model to define who does what with regard to security.
Probably, but have you configured your security properly, is it monitored, and do you patch operating systems with security updates? To have a secure cloud you must have a clear and detailed understanding of your responsibilities.
CSPs are responsible for the security of the cloud. Their business model is to provide secure and available computing infrastructure for organizations to operate applications and store data. Cloud customers are responsible for security inside their cloud, including security of data in transit and access and identity management.
We live in a world where cyber attacks have become an everyday occurrence and pose a risk to individuals and business around the world. If data is of value to your organization, it has potential value to hackers.
Running applications in the cloud has many benefits, but delegating all responsibility is not one of them. An IT department is still required to provide and implement cloud security policies and procedures and to monitor and act upon security issues. Organizations can implement IT security standards such as ISO 27001 or NIST security frameworks to ensure both on-premise and cloud applications are operated to best security practices.
Cloud customers also need layers of security. We have come back to onions and ogres - Cloud Security Part 1: What are Cloud Service Providers' responsibilities?
I concluded part 1 of the blog with the following statistics to highlight some common cloud security failings:
66% of those breached -- access was gained through security misconfigurations
91% had overprivileged identity and access management roles
98% had disabled multi-factor authentication (MFA) for cloud provider accounts
-- Source: Sophos, The State of Cloud Security 2020
How can these issues be addressed?
CSPs will help you configure your security to meet your requirements. They provide security dashboards, which flag areas of concern and indicate how to correct any issues, but your organization must still have some cloud and security expertise. CSPs can help you get that expertise by providing security training courses to help you implement best practices.
When you set up a cloud, CSPs give you a root user account. This is like the "cmadmin" account when you first install Thermo Scientific™ Chromeleon™ CDS — it has access to everything. The root user account can be used to set up cloud infrastructure and configure the user's identity and access management, but it could also be used to shut down or delete your entire system.
A key security measure is to apply the principle of least privilege. Users should only be given the minimum privileges and access they need to carry out their day-to-day jobs. Higher-level access should be provided and used only when needed, reducing the exposure and potential risk that those accounts could be compromised. If hackers gain control of high-level accounts, they have the keys to your cloud (or on-premise) kingdom; they will have total control and could steal data or erase the entire system.
Multi-factor authentication (MFA) is used to ensure that digital users are who they say they are by requiring at least two pieces of evidence to prove their identity. You may have experienced this when using online banking, where a single-use code is texted or emailed to you and is required for access. The use of authenticator apps is another common method of MFA. Hackers would require access to both account password and MFA code, making it more unlikely your login detail will be stolen.
CSPs provide cloud access accounts that use MFA, but it can be disabled. This is potentially a disastrous decision as, if the root access account or other high-level access account becomes compromised, your application and data are at risk of being destroyed. Cloud security dashboards will highlight if MFA is disabled and CSPs recommend it is used for at least the most critical accounts.
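The two failings just described, over-privileged roles and MFA switched off for the most powerful accounts, are the kind of thing a short audit script can catch before the dashboard does. The following is an added example, not code from the original post or from any CSP: it runs over a constructed, in-memory inventory whose shapes resemble cloud IAM policy documents and a credential report (account names, policy names and resource ARNs are all made up), flags policy statements that grant every action or write-class actions on every resource, and lists privileged accounts that have MFA disabled. Against a real tenant the inventory would come from the provider's IAM API; the checking logic is the same.

```python
from typing import Dict, List

# Constructed sample inventory for this example (names and values are made up).
ACCOUNTS = [
    {"user": "<root_account>", "privileged": True, "mfa_active": False},
    {"user": "alice-admin", "privileged": True, "mfa_active": True},
    {"user": "bob-analyst", "privileged": False, "mfa_active": False},
]

POLICIES = {
    # The root-style "everything" policy that least privilege says nobody should hold.
    "AdminEverything": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    # Destructive actions without a resource scope.
    "BucketOperator": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:DeleteBucket", "s3:PutObject"],
         "Resource": "*"}]},
    # Read-only on one named bucket: a least-privilege policy.
    "ReadOneBucket": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-results-bucket/*"}]},
}

# Action verbs treated as write-class; extend for the services you actually use.
WRITE_PREFIXES = ("Delete", "Put", "Create", "Update", "Terminate", "Attach", "Detach")


def _as_list(value) -> List[str]:
    """IAM documents allow a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(name: str, doc: Dict) -> List[str]:
    """Return human-readable findings for one policy document."""
    findings = []
    for idx, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"{name}#{idx}: allows every action")
            continue
        service_wild = [a for a in actions if a.endswith(":*")]
        if service_wild:
            findings.append(f"{name}#{idx}: allows every action in {service_wild}")
        writes = [a for a in actions if a.split(":")[-1].startswith(WRITE_PREFIXES)]
        if writes and "*" in resources:
            findings.append(f"{name}#{idx}: write actions {writes} on every resource")
    return findings


def audit_policies(policies: Dict[str, Dict]) -> List[str]:
    """Findings across all policies; an empty list means nothing was flagged."""
    out = []
    for name, doc in policies.items():
        out.extend(policy_findings(name, doc))
    return out


def mfa_gaps(accounts: List[Dict]) -> List[str]:
    """Privileged accounts (root included) that have MFA switched off."""
    return [a["user"] for a in accounts if a["privileged"] and not a["mfa_active"]]


if __name__ == "__main__":
    for line in audit_policies(POLICIES):
        print("POLICY:", line)
    for user in mfa_gaps(ACCOUNTS):
        print("MFA DISABLED on privileged account:", user)
```

A policy can be flagged more than once when it has several problems; the point is that "ReadOneBucket" produces no finding at all, which is what a least-privilege grant looks like to an audit. Checks like these are worth running on a schedule, since a policy that was tight on day one tends to widen with every support ticket.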
Whether you are a CSP, a cloud user or 100 percent on premise, all organizations need a human resource layer for cyber security. Most of us receive cyber security training from our organizations, providing awareness and best practice guidance. This is part of the human resource layer.
People are the weakest link in any system and criminals exploit weakness with techniques such as social engineering, phishing, vishing or smishing — all with the aim of infecting your systems with malware or ransomware, gaining access to your system and data.
Do you know how to spot a phishing email or a suspicious link? I’m still hoping you don’t write your passwords down on a sticky note and place it on the bottom of your keyboard or keep them in a document on your computer’s desktop.
Cyber security is everyone’s responsibility, as everyone is a potential target. The Cyber Kill Chain was developed by Lockheed Martin to model the steps hackers must complete to achieve their objectives, illustrating how an attack could potentially be stopped.
One way to break the "kill chain" is to stop the "weaponized bundle" from being delivered. As individuals, we can break the chain. Pay attention to the awareness training, report suspicious emails, don't open unexpected attachments or click on random links, and if you find a USB pen drive/USB stick, don't plug it in.
Cyber security is a continual process: Criminals continually exploit weaknesses and develop their attacks. Everyone has their part to play in cyber security wherever the application is hosted.
"I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again."
-- Robert Nueller III, FBI Director 2001-2013
Cloud customers must understand exactly what services are supplied and where responsibilities lie. This information should be included in a detailed service level agreement (SLA) or contract.
Running applications in the cloud has many benefits, but delegating all responsibility is not one of them. You still need an IT department that has roles and responsibilities for cloud deployments, such as providing properly configured firewalls to secure data in transit from your site to the cloud, configuring and maintaining user identity and access for cloud applications, and carrying out ongoing maintenance and monitoring.
Is the cloud secure? Yes, but we all must work at it.
The Thermo Fisher Connect Platform provides cloud-based data storage, scientific apps and peer collaboration tools. The following white paper describes the security arrangement for the Connect Platform.
CSPs provide security resources and training, which can be found on their websites. For example,
Cyber security resources and guidelines are available at National Institute of Standards and Technology | NIST.
The National Cyber Security Centre is also a useful resource and has a cloud-specific section. https://www.ncsc.gov.uk/.