The Cloud – Security
A question I come across all the time in my field of work as a Managed Cloud Engineer is “Will my data be secure in the Cloud?” Whether it is for an on-premise to cloud migration project whereby a customer wants to lift and shift their current estate, or even just parts of it, into the cloud, or whether a customer is taking on a new project implementing a cloud native application, it’s a question that is at the back (or in a lot of cases, front!) of everyone’s mind.
It’s very easy for me to say that moving to the cloud is a great idea… it’s scalable, it’s cost efficient, you get to use the most innovative tools and technologies available, it’s highly available and reliable. All of which are huge benefits. But that still leaves the number one concern, and subsequently the reason why companies and Government departments do not wish to migrate to the cloud: security.
Of course security is, and should be, the number one non-functional concern for any development or migration project, whether it is hosted in your own company’s datacentre or hosted in the cloud. Surely hosting your own application in a proprietary datacentre under your own control and run by your own company is safer, right? This is not always the case and is a common misconception.
Security is the biggest operational challenge and it’s very important that it is baked into a solution from the start. In a recent report published by Kainos, “Bringing Cloud Clarity to Public Sector Organisations”, 53 per cent of respondents stated that getting security RIGHT was the biggest challenge they faced on their journey to adopting cloud technologies, and 8 per cent still think that the risks outweigh the benefits. There are a multitude of concerns to take into account when considering whether to place your data in the cloud for public access, especially for a UK Government department, and I want to touch on just a few.
Physical Security — You’d hope that wherever you decide to place your data or hosted service, the facility it’s hosted in is secure, right? Perhaps the datacentre that your company owns and manages is seen as being more secure. Cloud providers are continually fighting the stigma and perception that they are ‘not as secure’. Now let’s take Amazon AWS as an example: they usually incorporate 3 lines of defence when securing their datacentres. The first is an outer wall or fence designed to withstand a vehicle impact. The second is an inner zone which requires pin/swipe card authentication (this houses the generators and cooling equipment) and is equipped with CCTV that is monitored 24/7, along with trip lighting. The innermost security perimeter houses the physical servers, networking and storage equipment. Again, only pin and swipe card entry is permitted, by authorised staff. Many of the AWS Architects themselves are not allowed in and you’d be hard pressed to find the physical location of any of the datacentres themselves, other than the ‘region’ they belong to.
Security OF/IN the cloud — Most cloud hosting providers will make very clear the responsibilities they hold and what is expected of you. A provider will be responsible for security OF the cloud. Basically, this means that they will ensure that the physical location where your service is hosted is secure, along with securing the underlying infrastructure that runs your service. On the other hand, YOU are responsible for the data that is then hosted on that infrastructure, and you are also responsible for keeping that data safe by implementing the correct controls, such as data encryption (both in transit and at rest), web application firewalls, intrusion detection systems, integrity monitoring and threat management. It is another common misconception that deploying a service onto an accredited cloud hosting provider will ensure a level of security for your application, when this is just not the case. Most cloud providers are clear about this and Amazon have laid this out very clearly in their ‘shared responsibility model’.
Data Residency — The geographical location where your data resides can play a big part in whether or not you wish to place a service within a cloud platform. With the European Court of Justice overturning the EU Safe Harbour Privacy Principles in October 2015 and the introduction of the EU-US Privacy Shield (which is yet to be finalised at the time of this blog entry), it’s no surprise that companies or Government departments handling citizen data that is deemed to be “Official Sensitive” are concerned about where they are able to host public services. There are of course other alternatives to using cloud providers with a global footprint, i.e. using smaller providers that are based within your own locale. For example, Skyscape Cloud Services or Carrenza offer UK-only based Cloud services. Also, with post-referendum uncertainty, and the UK now set to leave the EU, the UK Government could develop their own new privacy laws which may further dictate information assurance decisions on where data can and will be hosted.
Compliance — It won’t take you long to find a wealth of information on how a chosen Cloud provider meets specific compliance requirements of the infrastructure underpinning their platform or service, such as ISO27001 for information security management, PCI DSS for taking payments or SOC1/2/3 for measuring the control of financial information. All of this is of course great, as it’s important to know that the cloud provider themselves is accredited to a specific standard; and I know I am quoting AWS again but I find their Cloud Compliance section very impressive. Microsoft Azure also address their own compliance requirements within their Trust Center. Note that both have a UK Gov G-Cloud offering up to OFFICIAL classification. That said, it is still the customer’s responsibility to ensure the service that is being run IN the cloud adheres to any specific compliance requirements depending on the type of service being offered, especially within UK Government where data classification will dictate the constraints around where data can be hosted and how it may be used.
Separation of customers — It’s not uncommon for cloud hosted services to share physical infrastructure or clusters of servers and back end storage platforms within a datacentre. This is a shared tenancy model which fits many use cases. However, if you require it, most if not all cloud providers will offer dedicated compute and storage upon request. Dedicated will be more expensive, so it’s worthwhile keeping this in mind, but more often than not the decision to use dedicated hardware will likely be driven by a compliance or regulatory requirement. However, bear in mind that there are adequate controls available to ensure that your data is secure in a shared tenancy model, e.g. data encryption in transit and at rest.
In summary, there are many topics that cover ‘Cloud Security’, and I have touched on only some considerations above. If you haven’t already, I would highly recommend reading our cloud report and Amazon AWS’s Security Whitepaper, which outlines Amazon’s physical and operational security practices as well as service specific security. I would also recommend reading and becoming familiar with Gov UK’s Cloud Service Security Principles. It shouldn’t have to be a daunting task, and feel free to contact Kainos to see how we may be able to assist you in your journey.