Cloud migration brings many benefits: cost optimization, architectural elasticity, process automation and ease of use.
Contrary to popular belief, the cloud also offers a high level of security.
What level of trust can you place in cloud platforms? What are the main security features they provide? How can you make sure that your most sensitive data is well protected? We will try to answer these questions.
How to make sure your sensitive data is protected
To determine which data and elements to protect, a risk assessment is a prerequisite. It is a matter of deciding the level of risk the company is willing to accept, asking what it needs to protect against, and then putting the most appropriate response in place. The company must establish a classification or categorization of its information assets, and in particular their degree of criticality with respect to the business activity.
This preliminary step is carried out according to the four information security objectives known as A.I.C.T.:
1. Availability: the quality of a computing resource of being usable on demand. Availability implies eliminating any breakdown, or installing fallbacks in case of breakdown: PCA (Business Continuity Plan) and DRP (Disaster Recovery Plan).
2. Integrity: the quality of a computing resource of resisting alteration or destruction, whether accidental or malicious. This is the assurance that the data has not been changed in transit or in the original file.
3. Confidentiality: the quality of a computing resource of being known only to authorized people.
4. Traceability: it is important to add the notion of proof (or traceability), which makes it possible to establish, with sufficient confidence, the circumstances in which the asset has changed over time.
Against these security objectives, the value of the data can be defined, as well as the level of security to be implemented.
Cloud computing, synonymous with trust?
Cloud providers consider data protection a high priority in all their implementation processes. A company can place trust in the security of a cloud provider because providers hold many certifications.
A cloud provider can be a member of the CSA (Cloud Security Alliance), which defines best practices for ensuring a secure cloud computing environment, and can even be CSA STAR certified.
The cloud provider can also hold the following certifications:
- ISO 27017 (Cloud-Specific Controls) provides guidelines for information security controls applicable to the provision and use of cloud computing services.
- ISO 27001 (Security Management Controls) defines the requirements for setting up an Information Security Management System (ISMS).
- ISO 27018 (Personal Data Protection) establishes control objectives for the implementation of personal data protection measures in the cloud.
- PCI-DSS (Payment Card Standards) makes it possible to verify that the control points are properly implemented and effective for the protection of bank card data.
- SOC 1, SOC 2 and SOC 3 are independent reports on the security, availability and privacy of the cloud provider.
- ISO 9001 (Global Quality Standard) is based on a number of quality management principles, including a strong customer focus, a process approach and continuous improvement.
All these certifications are a relevant sign of confidence because they ensure that the cloud provider is regularly audited by an independent body that verifies its compliance with those standards.
Beyond certifications, other elements must be considered when choosing a provider, to make sure it meets the business requirements: location of the hosting, services offered in terms of availability, reversibility, guarantees offered …
The security levels provided by the cloud provider
These giants of automation natively deliver several layers of security:
– Infrastructure security
24/7 video surveillance; admission to server areas requires several forms of authentication, including biometric controls …
In terms of security, public cloud providers have strong experience and know-how, and spend billions of euros building strong defenses to protect their infrastructure and that of their customers.
– Network security
At the network level, most cloud providers also offer the following services: anti-DDoS protection, VPN, and a network-level firewall.
– Application security
Application security is at the center of new threats and recent intrusions: 75% of attacks target applications directly (source: Gartner). Security teams, often focused on infrastructure protection, are frequently too far removed from application issues.
As a result, cloud providers also offer a native Web Application Firewall (WAF) and anti-DDoS protection.
– Operational security
Backup infrastructure is provided, and data is protected with encryption (AWS: Key Management Service; Azure: Storage Service Encryption).
– Security of services
Finally, at the management and monitoring level, the cloud provider (AWS: Trusted Advisor / Azure: Advisor / Google: Cloud Platform Security) also offers log management and analysis. Data is also duplicated to support a business continuity plan, which is a determining factor in native protection (automatic protection and disaster recovery).
The cloud provider thus makes many security elements available to its customers: redundancy, confidentiality, encryption. Even in the event of an infrastructure failure, the integrity of the data must be guaranteed and the system must be able to return to operation quickly (resilience).
Do not forget the perimeters under your responsibility
It is important to remember that a cloud provider offers important security guarantees, but the extent of the cloud service provider's responsibility depends on the service model chosen – IaaS, PaaS or SaaS.
For example, identity and access management (IAM) and data security are always the responsibility of the customer. It is up to the company to define who can do what. You must also protect data at rest with application-level encryption and use VPN- or TLS-protected access. To effectively manage the risks associated with storing sensitive data in the cloud, it is imperative that the organization has full visibility of this data, both in transit and at rest. To improve this visibility, it is advisable to focus on fundamental governance and technology measures.
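As an added example (not code from the original article or from any provider), here is a small Python evaluator for AWS-style IAM policy documents: it applies the default-deny and explicit-deny-wins rules when answering "who can do what", and flags Allow statements that grant wildcard actions or resources, the least-privilege check a team should run on its own policies. The identities, policy statements and account ID are constructed samples.

```python
import fnmatch

# Constructed sample policies in the AWS-style document shape (Effect / Action / Resource).
# Assumption: this simplified evaluator ignores Principal and Condition elements.
POLICIES = {
    "analyst": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::*"},
        # Explicit deny on the HR bucket wins over the broad Allow above.
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::hr-payroll/*"},
    ],
    "legacy-admin": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def is_allowed(statements, action, resource):
    """Default deny; any matching Deny statement overrides every Allow."""
    decision = False
    for st in statements:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision

def overly_broad(statements):
    """Least-privilege check: Allow statements with a bare '*' action or resource."""
    findings = []
    for i, st in enumerate(statements):
        if st["Effect"] != "Allow":
            continue
        if "*" in _as_list(st["Action"]):
            findings.append((i, "wildcard action"))
        if "*" in _as_list(st["Resource"]):
            findings.append((i, "wildcard resource"))
    return findings

if __name__ == "__main__":
    print(is_allowed(POLICIES["analyst"], "s3:GetObject", "arn:aws:s3:::reports/q1.csv"))
    print(is_allowed(POLICIES["analyst"], "s3:GetObject", "arn:aws:s3:::hr-payroll/salaries.csv"))
    print(overly_broad(POLICIES["legacy-admin"]))
```

The same check can be run over exported policy documents to find identities whose rights exceed what the data classification from the risk assessment justifies.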
Among the relevant solutions, a Cloud Access Security Broker (CASB) will meet this need for visibility in SaaS applications and will offer data loss prevention features. A Web Application Firewall from a pure-player security vendor will offer stronger security guarantees with more comprehensive features.
It is difficult to protect yourself effectively without the help of a third-party company that can advise you on the types of solution to put in place and define the appropriate technology.
Before embarking on the migration of its infrastructure to the cloud, a company must therefore ask the right questions and have a clear view of the security of its information system (IS). In this context, LINKBYNET can assist you with the migration of your resources to the cloud, with an ISS diagnosis and a risk assessment, for better visibility of your level of security maturity.