Cloud Security Fundamentals for Governments
We know how important it is for governments to gain and
maintain trust and confidence in secure and resilient
services. As a part of our continuous engagement, we have
observed recurring topics that government agencies and
policymakers often express interest in, as they first wade into
the world of cloud. We cover some of the most frequently
asked questions in this paper.
What is my responsibility in the Shared Responsibility Model?
When a customer moves to the cloud, they are now operating in an environment of shared
responsibility, which is different from the traditional on-premises environment.
Shared responsibility means that for a cloud-based application to function as designed and as securely as
possible, both the customer and the cloud provider need to chip in to take care of security. Simple as that.
This model determines the amount of configuration work the customer must perform as a part of their
security responsibilities. Customers are responsible for security “in” the cloud (data, applications, etc.),
while AWS manages security “of” the cloud (infrastructure).
The customer's responsibility is determined by the services that they select. For example, a service such as
Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS), and, as
such, requires the customer to perform all of the necessary security configuration and management tasks.
This means the customer is responsible for managing the guest operating system (including updates and
security patches), any application software or utilities installed by the customer on the instances, and the
configuration of the AWS-provided firewall (called a security group) on each instance.
For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS takes care of the infrastructure,
the operating system, and platforms, and the customer accesses the endpoints to store and retrieve data.
Government agencies need to consider how the Shared Responsibility Model applies to their
data classification practices and security standards.
[Figure: Shared Responsibility Model.
Responsibility for security 'in' the cloud (customer): customer data; platform, applications, identity & access
management; operating system, network & firewall configuration; client-side data encryption & data integrity
authentication; server-side encryption (file system and/or data).
Responsibility for security 'of' the cloud: software (compute, storage, database, networking);
hardware/AWS global infrastructure (regions, availability zones, edge locations).]
Will my data go out of the country?
Government agencies continue to have legitimate concerns about data sovereignty. In fact,
in many cases, this is the first question many government agencies will ask.
There is no simple answer to it, because not all data is created the same.
Sensitive data, such as citizen information, usually needs to be processed and stored
in-country. Some data may not be as sensitive, and can be sent out of the country.
Therefore, the first step in solving the data sovereignty issue is to classify the data you have.
Data classification is a fundamental step in cybersecurity risk management. It involves
identifying the types of data owned and maintained by an organization. It also involves
making a decision about the sensitivity of the data and the likely impact that would ensue
should the data face compromise, loss, or misuse.
We encourage government agencies to assess their data classification approach and hone
in on which data needs to stay within government data centers; which data can be moved
to cloud within their country; and which data is public knowledge and can be hosted
outside of the country.
For example, in 2014, the UK government simplified its data classification scheme by
reducing the levels from six to three:
Official — Routine business operations and services, some of which could have
damaging consequences if lost, stolen, or published in the media, but none of which
is subject to a heightened threat profile.
Secret — Very sensitive information that justifies heightened protective measures to
defend against determined and highly capable threat actors (e.g., compromise could
significantly damage military capabilities, international relations, or the investigation
of serious organized crime).
Top secret — Most sensitive information requiring the highest levels of protection
from the most serious threats (e.g., compromise could cause widespread loss of life
or could threaten the security or economic well-being of the country or friendly
nations).
How should I approach security in the cloud?
Cloud security is an umbrella term that refers to a set
of policies, controls, applications, and procedures
that oversee the protection of cloud-based
infrastructure. It can be further divided into different
cloud services, such as protecting cloud instances,
containers, network, serverless functions,
applications, files, and more.
For governments making the move to the cloud,
robust cloud security is imperative. Following are
some of the major considerations.
How do I manage access in the cloud?
Access control is a method of guaranteeing that users
are who they say they are and that they have
appropriate access to resources.
The principle of least privilege access needs to be
considered as a fundamental step in access control of
government cloud resources; effective least privilege
access enforcement requires a way to centrally
manage access control.
This model must extend beyond human access: it
must be applied to applications, systems, or
connected devices that require privileges or
permissions to perform a required task.
With the perimeters gone, how do I protect my cloud network?
Cloud security architecture is fundamentally different from its on-premises counterpart.
Whereas the data centre perimeter is protected by physical firewalls, cloud security
challenges are met with a layered approach.
Most public cloud security has four layers of protection:
Security Groups: The first and most fundamental layer of cloud network security is
provided by the cloud services provider, such as AWS, Microsoft Azure, or Google
Cloud. The security group manages rules that allow traffic to your cloud instances,
like EC2. Unlike traditional firewalls, there is no deny rule to deny traffic in the
security group; the absence of an allow rule acts as the denial.
Network Access Control List (Network ACL): It provides perimeter-level security. It
controls the traffic flow between subnets in the same virtual private cloud (VPC);
from internet/on-premises to VPC; from VPC to internet/on-premises. It has both
allow and deny rules, and makes cloud security posture much stronger. Most
cloud security compliance requires this layer.
Cloud services provider security solution: Most CSPs provide their own basic security
solutions, such as AWS Network Firewall and Microsoft Azure Firewall.
Implementation of these services is simple compared to third-party security solutions,
but they may not have as many features or be as configurable.
Third-party cloud security solution: These security solutions are specially created for
the cloud. They are typically provided by companies specializing in security and
having years of experience managing on-premises and hybrid environment
security. Such solutions stand between the public cloud and the outside world. Public
sector customers must adopt this fourth layer to address the ultimate hybrid cloud security
challenges.
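The difference between the first two layers, as an added example that is not part of the original paper: a simplified Python model of an allow-only security group rule list and a numbered allow/deny network ACL. The rule values are constructed; lowest-rule-number-first evaluation is how AWS network ACLs order their rules, and protocol, egress and connection state are left out as simplifying assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    cidr: str               # source range the rule matches
    port_from: int
    port_to: int
    action: str = "allow"   # a security group rule is always "allow"
    number: int = 0         # evaluation order, used by network ACLs only

    def matches(self, src: str, port: int) -> bool:
        in_range = ip_address(src) in ip_network(self.cidr)
        return in_range and self.port_from <= port <= self.port_to


def security_group_allows(rules, src, port):
    # Allow-only list: any match admits the traffic, no match means denied.
    return any(r.matches(src, port) for r in rules)


def network_acl_allows(rules, src, port):
    # Numbered allow/deny list: the lowest-numbered match decides.
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src, port):
            return rule.action == "allow"
    return False  # nothing matched: denied


def inbound_allowed(nacl, sg, src, port):
    # Inbound traffic must pass the subnet's ACL, then the instance's group.
    return network_acl_allows(nacl, src, port) and security_group_allows(sg, src, port)


# Constructed sample rules (addresses are documentation/private ranges).
SG = [Rule("0.0.0.0/0", 443, 443), Rule("10.0.0.0/8", 22, 22)]
NACL = [
    Rule("203.0.113.0/24", 0, 65535, "deny", 100),   # block one range outright
    Rule("0.0.0.0/0", 0, 65535, "allow", 200),
]

if __name__ == "__main__":
    for src, port in [("198.51.100.7", 443), ("198.51.100.7", 22),
                      ("10.1.2.3", 22), ("203.0.113.9", 443)]:
        print(f"{src}:{port} allowed={inbound_allowed(NACL, SG, src, port)}")
```

The last sample address passes the security group but is stopped by the network ACL's deny rule, which an allow-only rule list cannot express.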
How do I protect my data in the cloud?
Data stored in a public cloud typically resides in a
shared environment collocated with the data from
other customers. Organizations placing sensitive
and regulated data into public cloud, therefore,
must account for the means by which access to the
data is controlled and the data is kept secure.
Similar concerns exist for data migrated within or
between clouds.
Data can take many forms. For example, for cloud-based
application development, it includes the
application programs, scripts, and configuration
settings, along with the development tools.
For deployed applications, it includes records and
other content created or used by the applications,
including deallocated objects, as well as account
information about the users of the applications.
Access control is one way to keep data away from
unauthorized users; encryption is another. Without
physical control over the storage of information,
encryption is the only way to ensure that it is truly
protected. Data must be secured while at rest, in
transit, and in use, and access to the data must be
controlled.
Why do I need to do continuous monitoring in the cloud?
In the cloud, things change rapidly. Instances can be
spun up and scaled down any second. So collecting
and analyzing available data about the state of the
cloud should be done regularly and as often as
needed by the organization, in order to manage
security and privacy risks.
Continuous monitoring of information security
requires maintaining ongoing awareness of security
controls, vulnerabilities, and threats to support risk
management decisions.
Transition to public cloud services entails a transfer of
responsibility to the cloud provider for securing
portions of the system on which the organization’s
data and applications operate. To fulfil the obligations
of continuous monitoring, the organization is
dependent on the cloud provider, whose cooperation
is essential, since aspects of the computing
environment are under the cloud provider’s
complete control.
How do I protect my cloud servers?
To secure the server, it is essential to first define threats that must be mitigated.
Knowledge of potential threats is important in understanding and making decisions about
various baseline technical security practices.
Many threats are possible because of mistakes or bugs in the operating system and server
software that create exploitable vulnerabilities, or because of human error made by end-users and
administrators. Threats may involve intentional actors or unintentional actors. Threats can
be local, such as a disgruntled employee, or remote, such as an attacker in another
geographical area.
Organizations should conduct risk assessments to identify the specific threats against their
servers and determine the effectiveness of existing security controls in counteracting the
threats.
A number of steps are required to ensure the security of any server. As a prerequisite for
taking any step, however, it is essential that the organization have a security policy in
place. Taking the following steps for server security within the context of the
organization's security policy should prove effective:
1. Patch and update the OS
2. Harden and configure the OS to address security adequately
3. Install and configure additional security controls:
   - Anti-malware software
   - Host-based intrusion detection and prevention system
   - Host-based firewall
   - Patch management and vulnerability management software
How do I protect my applications in the cloud?
Application security describes security measures at the application level that aim to prevent data or code
within the app from being stolen or hijacked. It encompasses the security considerations that happen
during application development and design, but it also involves methods to protect the apps after they
are deployed.
Security measures at the application level are typically built into the software, such as an application firewall
that strictly defines what activities are allowed and prohibited.
Application security in the cloud poses some extra challenges, because the cloud environment is based on
the shared responsibility model and the service being utilized for application hosting might have different
security threats than traditional data centers.
Traditional perimeter-based protection of applications has proven to be insufficient in the cloud era, and
runtime application security is needed to detect attacks in real time as well as get better insight into these
attacks.
Make sure security controls are integrated into the application development lifecycle as well as at the
runtime of the application. For example, by implementing runtime application self-protection (RASP),
organizations can gain two valuable capabilities for their security systems:
1. Runtime alert when an application vulnerability is exploited
2. Detailed application security threat intel