Understanding Cloud Security Responsibilities and Best Practices
Connect with us today. 1.800.268.7638 | www.softchoice.com
Table of Contents
Overview
The IaaS, PaaS and SaaS Security Models, Explained
IaaS
PaaS
SaaS
What Cloud Security Issues Are Most Frequently Overlooked?
How to Ensure More Secure Cloud Services
Overview
Security cannot be an afterthought in the cloud. Between the absence
of a traditional perimeter, the complexity of ensuring optimal security
configuration, the possibility of unsecured APIs and the movement of
workloads between multiple environments, there are many potential
vulnerabilities for sophisticated threats to exploit.
The 2019 breach of Capital One, which affected 106 million individuals
across the U.S. and Canada[1], stemmed from unauthorized access to the
bank’s cloud-stored records through a misconfigured Web Application
Firewall. These types of incidents can be expensive to remediate and
recover from, with total costs often in the millions of dollars.[2]
An effective cloud security strategy mitigates such risks. Just as important,
it will not be one-size-fits-all, as many organizations now rely on a
diverse mix of IaaS, PaaS, and SaaS. Each divides security responsibilities
between cloud service provider (CSP) and the customer in its own way.
By understanding these different structures and responsibilities, cloud
customers can better protect sensitive data and avoid damage to their
reputations and bottom lines.
[1] www.capitalone.com/facts2019/
[2] www.ibm.com/security/data-breach
The IaaS, PaaS and SaaS Security Models, Explained
The cloud security model of a service will determine what an organization
must do to secure it. Infrastructure as a service (IaaS) will require the most
customer management. Software as a service (SaaS) requires the least,
with platform as a service (PaaS) occupying the middle ground. Across all
models, the customer is responsible for client endpoints, accounts and
access management, while the cloud service provider (CSP) manages
physical hosts, networks and data centers.
Let’s look at all three in more detail, and explore the biggest security
risks with each.
[Figure: Responsibility Zones. Division of responsibility between Customer and CSP across SaaS, PaaS, IaaS and On-Prem for each of the following: Data Governance & Rights Management; Client Endpoints; Account Access & Management; Identity & Directory Infrastructure; Application; Network Control; Operating System; Physical Hosts; Physical Network; Physical Datacenter. Legend: Always Retained by Customers; Transfers to Cloud Provider; Varies by Service Type.]
IaaS
In an IaaS model, the consumer is often responsible for managing
data, applications, runtimes and middleware. The rest of the stack,
including storage, servers, and virtualization, is delivered as a
service. A common analogy for this setup is a rental car:
Whereas traditional IT is like owning a vehicle, IaaS provides
similar freedom but without the need to maintain everything.
Some of the main security risks to IaaS include:
• Misconfigurations that expose data.
• Poor API implementation.
• Insider threats on the provider side.
• Attacks on shared resources.
• Risks to Data
PaaS
The lines separating IaaS and PaaS have blurred somewhat over the years, but
the two still have distinctive use cases and capabilities. PaaS often supports
development frameworks, business intelligence and analytics, adding more
middleware and specialized tools to what’s already available through IaaS.
If IaaS is a rental car, PaaS is more like public transportation. The user doesn’t
need to manage as many components and details, but can still reach their
desired destination. In terms of security, the customer is often only responsible
for protecting applications and data. They may also share oversight of network
controls as well as identity and directory management infrastructure.[3]
Some of the major PaaS-related risks include:
• Losing track of security keys and credentials.
• Lack of strong authentication.
• Unauthorized root access to the hypervisor.
• Unsecured internet access to virtual machines.
• Disaster Recovery/Business Continuity
[3] docs.microsoft.com/en-us/azure/security/fundamentals/paas-deployments
SaaS
SaaS requires the lowest level of technical involvement from the
customer, as the CSP takes care of the entire stack beyond basic client/
access management. This streamlined setup is a big part of the appeal
of SaaS, but it doesn’t mean that SaaS customers are immune to
security threats.
Phishing is a particular threat to SaaS end-users, who may receive emails
containing malicious PDF attachments or embedded links designed to
harvest their logins. A 2019 survey of businesses and charities by the
British government found that phishing emails were by far the most-cited
cybersecurity disruption.[4]
Data exfiltration is another overarching concern with SaaS. For example,
an employee might connect a personal email address to a company SaaS
application so that they can receive updates relating to sensitive assets.
An attacker breaching that personal email account may, in turn, gain access
to corporate data.
[4] assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/813599/Cyber_Security_Breaches_Survey_2019_-_Main_Report.pdf
What Cloud Security Issues Are Most Frequently Overlooked?
Some of the risks outlined above, such as phishing and weak
authentication, are recognized and addressed through best practices,
security training and specific solutions like multi-factor authentication.
But many others don’t receive enough attention and end up surprising
cloud customers in the form of serious breaches.
Misconfigurations exemplify this latter category. While 90% of
respondents to a 2018 Fugue survey saw configuration errors as an issue,
only 30% performed continuous monitoring to keep tabs on them. Those
who did observed an average of 50+ misconfigurations every day.[5]
Many incidents of misconfigured IaaS buckets exposing documents
to the public internet have also made headlines in recent years. Even
large banks and content providers have suffered setbacks on this front,
underscoring significant blind spots in cloud management and security.
[5] www.infoworld.com/article/3310841/cloud-misconfiguration-the-security-threat-too-often-overlooked.html
Along similar lines, poor visibility into cloud consumption raises the risk
of a surprise breach. Lack of clarity around ownership of a particular
workload or application erodes accountability. In turn, this leads to
virtual machine (VM) or SaaS sprawl and shadow IT as people across the
business assemble their own patchwork of products and solutions.
Unapproved SaaS solutions, for instance, can cause considerable harm
even without malicious intent. Employees looking to streamline their
workflows may choose software that meets their needs but fails to
comply with IT’s security requirements.
With shadow IT, there’s no guarantee that standards for password
management, patching or any other security measures are honored or
enforced on a given application or workload. This opens the door to risks
such as data exfiltration and unauthorized access in the wake of a breach.
How to Ensure More Secure Cloud Services
Cloud security is a shared responsibility. As such, cloud customers must ensure
not only that they’re implementing the right practices and solutions, but also
selecting CSPs and partners with a demonstrated commitment to strong defenses.
The most important steps for ensuring safer IaaS, PaaS, and SaaS
consumption include:
Using a cloud management platform
These solutions help discover and monitor resources, enforce policies and run
reports on activities in the cloud, promoting better visibility. Organizations that
implement such tools see 33% fewer security failures.[6] Comprehensive cloud
management also helps identify and decommission zombie workloads (those paid
for but not used) that may be security and financial liabilities.
Implementing security automation
Creating and applying manual security rules is as time-consuming as it is error-prone.
Cloud security automation makes it safer and more practical to roll out
changes at scale. It can also simplify processes such as patching and identifying
devices requiring updates. Plus, automation helps with identity and access
management by flagging behaviors that deviate from baselines.[7]
[6] www.gartner.com/smarterwithgartner/is-the-cloud-secure/
[7] www.softchoice.com/blogs/advisor/cloud/use-automation-modernize-cloud-security
Thinking about portability and diversification
Working with multiple CSPs is becoming more common, often as a
way to take advantage of each one’s strengths while mitigating their
weaknesses. It’s also good security practice as it helps prevent vendor
lock-in. Technologies such as containerization are useful in this regard
as they support better workload portability. But these must be managed
with care. It’s also important to scrutinize any cloud SLA to see what
moving a workload might entail.
Partnering with a managed services provider
With no traditional perimeter and a very different business model than
traditional IT, cloud security requires a different approach. Making the
transition to a cloud-centric security strategy is easier with the assistance
of an experienced managed services provider that can make customized
recommendations and help with implementation.
Learn more by reaching out to the Softchoice team today.