understanding cloud security responsibilities and best

Understanding Cloud Security Responsibilities and Best Practices

Connect with us today. 1.800.268.7638 | www.softchoice.com

https://www.softchoice.com/

https://www.linkedin.com/company/softchoice/

https://www.facebook.com/softchoice

https://twitter.com/softchoice

Overview

The IaaS, PaaS and SaaS

Security Models, Explained

IaaS

PaaS

SaaS

What Cloud Security Issues Are Most

Frequently Overlooked?

How to Ensure More Secure Cloud Services

01

02

03

04

05

06

08

Table of Contents

Connect with us today. 1.800.268.7638 | www.softchoice.comUnderstanding Cloud Security Responsibilities and Best Practices





OverviewSecurity cannot be an afterthought in the cloud. Between the absence

of a traditional perimeter, the complexity of ensuring optimal security

configuration, the possibility of unsecured APIs and the movement of

workloads between multiple environments, there are many potential

vulnerabilities for sophisticated threats to exploit.

The 2019 breach of CapitalOne, which affected 106 million individuals

across the U.S. and Canada1, stemmed from unauthorized access to the

bank’s cloud-stored records through a misconfigured Web Application

Firewall. These types of incidents can be expensive to remediate and

recover from, with total costs often in the millions of dollars.2

An effective cloud security strategy mitigates such risks. Just as important,

it will not be one-size-fits-all, as many organizations now rely on a

diverse mix of IaaS, PaaS, and SaaS. Each divides security responsibilities

between cloud service provider (CSP) and the customer in its own way.

By understanding these different structures and responsibilities, cloud

customers can better protect sensitive data and avoid damage to their

reputations and bottom lines.

1 Connect with us today. 1.800.268.7638 | www.softchoice.comUnderstanding Cloud Security Responsibilities and Best Practices

1 www.capitalone.com/facts2019/2 www.ibm.com/security/data-breach

1O10O11000111000





The IaaS, PaaS and SaaS Security Models, ExplainedThe cloud security model of a service will determine what an organization

must do to secure it. Infrastructure as a service (IaaS) will require the most

customer management. Software as a service (SaaS) requires the least,

with platform as a service (PaaS) occupying the middle ground. Across all

models, the customer is responsible for client endpoints, accounts and

access management, while the cloud service provider (CSP) manages

physical hosts, networks and data centers.

Let’s look at all three in more detail, and explore the biggest security

risks with each.


Data Governance &Rights Management

Client Endpoints

Account Access & Management

Identity & DirectoryInfrastructure

Application

Responsibility SaaS

Network Control

Operating System

Physical Hosts

Physical Network

Physical Datacenter

PaaS IaaS On-Prem

Always Retained by Customers

Transfers to Cloud Provider

Varies by Service Type

CustomerCSPResposibility Zones





IaaSIn an IaaS model, the consumer is often responsible for managing

data, applications, runtimes and middleware. The rest of the stack,

including storage, servers, and virtualization, is delivered as a

service. A common analogy for this setup is a rental car:

Whereas traditional IT is like owning a vehicle, IaaS provides

similar freedom but without the need to maintain everything.

Some of the main security risks to IaaS include:

Misconfigurations that expose data.

Poor API implementation.

Insider threats on the provider side.

Attacks on shared resources.

Risks to Data






PaaSThe lines separating IaaS and PaaS have blurred somewhat over the years, but

the two still have distinctive use cases and capabilities. PaaS often supports

development frameworks, business intelligence and analytics, adding more

middleware and specialized tools to what’s already available through IaaS.

If IaaS is a rental car, PaaS is more like public transportation. The user doesn’t

need to manage as many components and details, but can still reach their

desired destination. In terms of security, the customer is often only responsible

for protecting applications and data. They may also share oversight of network

controls as well as identity and director management infrastructure.3

Some of the major PaaS-related risks include:

• Losing track of security keys and credentials.

• Lack of strong authentication.

• Unauthorized root access to the hypervisor.

• Unsecured internet access to virtual machines.

• Disaster Recovery/Business Continuity


3 docs.microsoft.com/en-us/azure/security/fundamentals/paas-deployments






SaaSSaaS requires the lowest level of technical involvement from the

customer, as the CSP takes care of the entire stack beyond basic client/

access management. This streamlined setup is a big part of the appeal

of SaaS, but it doesn’t mean that SaaS customers are immune to

security threats.

Phishing is a particular threat to SaaS end-users, who may receive emails

containing malicious PDF attachments or embedded links designed to

harvest their logins. A 2019 survey of businesses and charities by the

British government found that phishing emails were by far the most-cited

cybersecurity disruption.4

Data exfiltration is another overarching concern with SaaS. For example,

an employee might connect a personal email address to a company SaaS

application so that they can receive updates relating to sensitive assets.

An attack breaching that personal email account may, in turn, get access

to corporate data.

4 assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/813599/Cyber_Security_Breaches_Survey_2019_-_Main_Report.pdf

1O10O11000111000





What Cloud Security Issues Are Most Frequently Overlooked?Some of the risks outlined above, such as phishing and weak

authentication, are recognized and addressed through best practices,

security training and specific solutions like multi-factor authentication.

But many others don’t receive enough attention and end up surprising

cloud customers in the form of serious breaches.

Misconfigurations exemplify this latter category. While 90% of

respondents to a 2018 Fugue survey saw configuration errors as an issue,

only 30% performed continuous monitoring to keep tabs on them. Those

who did observed an average of 50+ misconfigurations every day.5

Many incidents of misconfigured IaaS buckets exposing documents

to the public internet have also made headlines in recent years. Even

large banks and content providers have suffered setbacks on this front,

underscoring significant blind spots in cloud management and security.

5 www.infoworld.com/article/3310841/cloud-misconfiguration-the-security-threat-too-often-overlooked.html


001010100010101010011001

010101001011110100111111

000010101011000100101110

000010101011000101011001





7 Roadmap to Multicloud Success: Why Architecture Matters Connect with us today. 1.800.268.7638 | www.softchoice.com

Along similar lines, poor visibility into cloud consumption raises the risk

of a surprise breach. Lack of clarity around ownership of a particular

workload or application erodes accountability. In turn, this leads to

virtual machine (VM) or SaaS sprawl and shadow IT as people across the

business assemble their own patchwork of products and solutions

Unapproved SaaS solutions, for instance, can cause considerable harm

even without malicious intent. Employees looking to streamline their

workflows may choose software that meets their needs but fails to

comply with IT’s security requirements.

With shadow IT, there’s no guarantee that standards for password

management, patching or any other security measures are honored or

enforced on a given application or workload. This opens the door to risks

such as data exfiltration and unauthorized access in the wake of a breach.





How to Ensure More Secure Cloud ServicesCloud security is a shared responsibility. As such, cloud customers must ensure

not only that they’re implementing the right practices and solutions, but also

selecting CSPs and partners with a demonstrated commitment to strong defenses.

The most important steps for ensuring safer IaaS, PaaS, and SaaS

consumption include:

Using a cloud management platformThese solutions help discover and monitor resources, enforce policies and run

reports on activities in the cloud, promoting better visibility. Organizations that

implement such tools see 33% fewer security failures.6 Comprehensive cloud

management also helps identify and decommission zombie workloads (those paid

for but not used) that may be security and financial liabilities.

Implementing security automationCreating and applying manual security rules is as time-consuming as it is error-

prone. Cloud security automation makes it safer and more practical to roll out

changes at scale. It can also simplify processes such as patching and identifying

devices requiring updates. Plus, automation helps with identity and access

management by flagging behaviors that deviate from baselines.7

6 www.gartner.com/smarterwithgartner/is-the-cloud-secure/7 www.softchoice.com/blogs/advisor/cloud/use-automation-modernize-cloud-security

8 Roadmap to Multicloud Success: Why Architecture Matters Connect with us today. 1.800.268.7638 | www.softchoice.com


Thinking about portability and diversificationWorking with multiple CSPs is becoming more common, often as a

way to take advantage of each one’s strengths while mitigating their

weaknesses. It’s also good security practice as it helps prevent vendor

lock-in. Technologies such as containerization are useful in this regard

as they support better workload portability. But these must be managed

with care. It’s also important to scrutinize any cloud SLA to see what

moving a workload might entail.

Partnering with a managed services providerWith no traditional perimeter and a very different business model than

traditional IT, cloud security requires a different approach. Making the

transition to a cloud-centric security strategy is easier with the assistance

of an experienced managed service providers that can make customized

recommendations and help with implementation.

Learn more by reaching out to the Softchoice team today.

9 Roadmap to Multicloud Success: Why Architecture Matters

understanding cloud security responsibilities and best

Documents