Post on 07-Dec-2021


Cloud Security Fundamentals for Governments

We know how important it is for governments to gain and maintain trust and confidence in secure and resilient services. As a part of our continuous engagement, we have observed recurring topics that government agencies and policymakers often express interest in, as they first wade into the world of cloud. We cover some of the most frequently asked questions in this paper.

What is my responsibility in the Shared Responsibility Model?

When a customer moves to the cloud, they are now operating in an environment of shared responsibility, which is different from the traditional on-premises environment.

Shared responsibility means that for a cloud-based application to function as designed and as securely as possible, both the customer and the cloud provider need to chip in to take care of security. Simple as that.

This model determines the amount of configuration work the customer must perform as a part of their security responsibilities. Customers are responsible for security “in” the cloud (data, applications, etc.), while AWS manages security “of” the cloud (infrastructure).

The customer's responsibility is determined by the services that they select. For example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS), and, as such, requires the customer to perform all of the necessary security configuration and management tasks. This means the customer is responsible for managing the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS takes care of the infrastructure, the operating system, and platforms, and the customer accesses the endpoints to store and retrieve data.

Government agencies need to consider how the Shared Responsibility Model applies to their data classification practices and security standards.

[Figure: Shared Responsibility Model. Security “in” the cloud: customer data; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system and/or data). Security “of” the cloud: software (compute, storage, database, networking); hardware/AWS global infrastructure (regions, availability zones, edge locations).]


Will my data go out of the country?

Government agencies continue to have legitimate concerns about data sovereignty. In fact, in many cases, this is the first question many government agencies will ask.

There is no simple answer to it, because not all data is created the same.

Sensitive data, such as citizen information, usually needs to be processed and stored in-country. Some data may not be as sensitive, and can be sent out of the country.

Therefore, the first step in solving the data sovereignty issue is to classify the data you have.

Data classification is a fundamental step in cybersecurity risk management. It involves identifying the types of data owned and maintained by an organization. It also involves making a decision about the sensitivity of the data and the likely impact that would ensue should the data face compromise, loss, or misuse.

We encourage government agencies to assess their data classification approach and hone in on which data needs to stay within government data centers; which data can be moved to cloud within their country; and which data is public knowledge and can be hosted outside of the country.

For example, in 2014, the UK government simplified its data classification scheme by reducing the levels from six to three:

Official — Routine business operations and services, some of which could have damaging consequences if lost, stolen, or published in the media, but none of which is subject to a heightened threat profile.

Secret — Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors (e.g., compromise could significantly damage military capabilities, international relations, or the investigation of serious organized crime).

Top secret — Most sensitive information requiring the highest levels of protection from the most serious threats (e.g., compromise could cause widespread loss of life or could threaten the security or economic well-being of the country or friendly nations).


How should I approach security in the cloud?

Cloud security is an umbrella term that refers to a set of policies, controls, applications, and procedures that oversee the protection of cloud-based infrastructure. It can be further divided into different cloud services, such as protecting cloud instances, containers, network, serverless functions, applications, files, and more.

For governments making the move to the cloud, robust cloud security is imperative. Following are some of the major considerations.

How do I manage access in the cloud?

Access control is a method of guaranteeing that users are who they say they are and that they have appropriate access to resources.

The principle of least privilege access needs to be considered as a fundamental step in access control of government cloud resources; effective least privilege access enforcement requires a way to centrally manage access control.

This model must extend beyond human access: it must be applied to applications, systems, or connected devices that require privileges or permissions to perform a required task.
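One way to check least privilege across human and non-human identities, as an added example that is not part of the original paper: a Python audit that flags wildcard grants in IAM-style JSON policy documents. The principal names, the bucket name and both policies are constructed samples.

```python
import json

# Constructed IAM-style policy documents, one for a person and one for a workload,
# because least privilege applies to machine identities as much as to human ones.
POLICIES = {
    "user/analyst (human)": """{
      "Version": "2012-10-17",
      "Statement": [{"Effect": "Allow",
                     "Action": ["s3:GetObject"],
                     "Resource": "arn:aws:s3:::example-reports/*"}]}""",
    "role/batch-job (application)": """{
      "Version": "2012-10-17",
      "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}""",
}

def _as_list(value):
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def findings(policy_json):
    """Return human-readable least-privilege findings for one policy document."""
    out = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not findings here.
        if "NotAction" in stmt:
            out.append(f"statement {i}: Allow with NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                out.append(f"statement {i}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            out.append(f"statement {i}: applies to every resource")
    return out

def audit(policies):
    """Map each principal to its findings, omitting principals with none."""
    report = {name: findings(doc) for name, doc in policies.items()}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for principal, issues in audit(POLICIES).items():
        print(principal, "->", issues)
```

Running the audit centrally over every attached policy, rather than per team, is what makes the enforcement described above practical.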


With the perimeters gone, how do I protect my cloud network?

Cloud security architecture is fundamentally different from its on-premises counterpart. Whereas the data centre perimeter is protected by physical firewalls, cloud security challenges are met with a layered approach.

Most public cloud security has four layers of protection:


Security Groups: The first and most fundamental layer of cloud network security is provided by the cloud services provider, such as AWS, Microsoft Azure, or Google Cloud. The security group manages rules that allow traffic to your cloud instances, like EC2. Unlike traditional firewalls, there is no deny rule to deny traffic in the security group; the absence of an allow rule acts as the denial.

Network Access Control List (Network ACL): It provides perimeter-level security. It controls the traffic flow between subnets in the same virtual private cloud (VPC); from internet/on-premises to VPC; and from VPC to internet/on-premises. It has both allow and deny rules, and makes cloud security posture much stronger. Most cloud security compliance requires this layer.

Cloud services provider security solution: Most CSPs provide their own basic security solutions, such as AWS Network Firewall and Microsoft Azure Firewall. Implementation of these services is simple compared to third-party security solutions, but they may not have as many features or be as configurable.

Third-party cloud security solution: These security solutions are specially created for the cloud. They are typically provided by companies specializing in security and having years of experience managing on-premises and hybrid environment security. Such solutions stand between the public cloud and the outside world. Public sector customers must adopt this fourth layer to meet the ultimate hybrid cloud security challenges.
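The interplay of the first two layers, as an added example that is not part of the original paper: a small Python model of inbound filtering in which a network ACL evaluates numbered allow and deny rules (lowest number first, as AWS does) and a security group holds allow rules only. The rule sets and addresses are constructed, and the model ignores return traffic.

```python
import ipaddress

# Constructed sample rules; all CIDRs are documentation ranges (RFC 5737).
# Network ACL: numbered rules with allow AND deny, evaluated lowest number first.
NACL_INBOUND = [
    {"num": 90,  "action": "deny",  "cidr": "203.0.113.0/24",  "port": 443},
    {"num": 100, "action": "allow", "cidr": "0.0.0.0/0",       "port": 443},
    {"num": 110, "action": "allow", "cidr": "198.51.100.0/24", "port": 22},
    {"num": 120, "action": "allow", "cidr": "0.0.0.0/0",       "port": 8080},
]
# Security group: allow rules only; anything unmatched is dropped.
SG_INBOUND = [
    {"cidr": "0.0.0.0/0",       "port": 443},
    {"cidr": "198.51.100.0/24", "port": 22},
]

def _matches(rule, src, port):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["cidr"])
            and rule["port"] == port)

def nacl_verdict(rules, src, port):
    """First matching rule by number wins; no match means deny."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _matches(rule, src, port):
            return rule["action"]
    return "deny"

def sg_verdict(rules, src, port):
    """Any matching allow rule admits the packet; no match is the denial."""
    return "allow" if any(_matches(r, src, port) for r in rules) else "deny"

def inbound_verdict(src, port):
    """Traffic must pass the subnet-level ACL, then the instance-level group."""
    if nacl_verdict(NACL_INBOUND, src, port) == "deny":
        return "deny (network ACL)"
    if sg_verdict(SG_INBOUND, src, port) == "deny":
        return "deny (security group)"
    return "allow"

if __name__ == "__main__":
    for src, port in [("192.0.2.10", 443), ("203.0.113.7", 443),
                      ("198.51.100.5", 22), ("192.0.2.10", 8080)]:
        print(f"{src}:{port} -> {inbound_verdict(src, port)}")
```

The security group on its own would admit 203.0.113.7 on port 443, because it cannot express a deny; only the network ACL's rule 90 blocks that range.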

How do I protect my data in the cloud?

Data stored in a public cloud typically resides in a shared environment collocated with the data from other customers. Organizations placing sensitive and regulated data into public cloud, therefore, must account for the means by which access to the data is controlled and the data is kept secure. Similar concerns exist for data migrated within or between clouds.

Data can take many forms. For example, for cloud-based application development, it includes the application programs, scripts, and configuration settings, along with the development tools. For deployed applications, it includes records and other content created or used by the applications, including deallocated objects, as well as account information about the users of the applications.

Access control is one way to keep data away from unauthorized users; encryption is another. Without physical control over the storage of information, encryption is the only way to ensure that it is truly protected. Data must be secured while at rest, in transit, and in use, and access to the data must be controlled.


Why do I need to do continuous monitoring in the cloud?

In the cloud, things change rapidly. Instances can be spun up and scaled down any second. So collecting and analyzing available data about the state of the cloud should be done regularly and as often as needed by the organization, in order to manage security and privacy risks.

Continuous monitoring of information security requires maintaining ongoing awareness of security controls, vulnerabilities, and threats to support risk management decisions.

Transition to public cloud services entails a transfer of responsibility to the cloud provider for securing portions of the system on which the organization’s data and applications operate. To fulfil the obligations of continuous monitoring, the organization is dependent on the cloud provider, whose cooperation is essential, since aspects of the computing environment are under the cloud provider’s complete control.


How do I protect my cloud servers?


To secure the server, it is essential to first define threats that must be mitigated. Knowledge of potential threats is important for understanding and deciding on various baseline technical security practices.

Many threats are possible because of mistakes or bugs in the operating system and server software that create exploitable vulnerabilities, or because of human error made by end-users and administrators. Threats may involve intentional actors or unintentional actors. Threats can be local, such as a disgruntled employee, or remote, such as an attacker in another geographical area.

Organizations should conduct risk assessments to identify the specific threats against their servers and determine the effectiveness of existing security controls in counteracting the threats.

A number of steps are required to ensure the security of any server. As a prerequisite for taking any step, however, it is essential that the organization have a security policy in place. Taking the following steps for server security within the context of the organization's security policy should prove effective:

1. Patch and update the OS

2. Harden and configure the OS to address security adequately

3. Install and configure additional security controls:

   - Anti-malware software

   - Host-based intrusion detection and prevention system

   - Host-based firewall

   - Patch management and vulnerability management software

How do I protect my applications in the cloud?

Application security describes security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked. It encompasses the security considerations that happen during application development and design, but it also involves methods to protect the apps after they are deployed.

Security measures at the application level are typically built into the software, such as an application firewall that strictly defines which activities are allowed and prohibited.

Application security in the cloud poses some extra challenges, because the cloud environment is based on the shared responsibility model and the service being utilized for application hosting might have different security threats than traditional data centers.

Traditional perimeter-based protection of applications has proven to be insufficient in the cloud era, and runtime application security is needed to detect attacks in real time as well as get better insight into these attacks.

Make sure security controls are integrated into the application development lifecycle as well as at the runtime of the application. For example, by implementing runtime application self-protection (RASP), organizations can add two valuable capabilities to their security systems:

1. Runtime alert when an application vulnerability is exploited

2. Detailed application security threat intel
