With majority of the work today being done over the internet, the data is prone to attacks. Data being the top most priorities for the companies today needs to be handled with better security. Inspite of companies moving to the clouds for better protection and better options, the data still remains vulnerable to attacks.
One of the major incidents that happened in cloud segment was of cloud-based file sharing giant Dropbox in 2012. Hackers were able to access more than 60 million accounts which were sold into the dark web marketplace at the then cost of about $1,000. However, this issue was tackled by site-wide password reset from the user base.
The need for security can be well understood by the statistics below:
- The Department of Homeland Security requested a budget of $1.919 billion for the financial year 2020 for its entire cybersecurity operations.
- Cybersecurity budget of the United States for the year 2020 is 17.43 billion U.S. dollar
- The average total cost of data breach amounted to $3.92 million in 2019.
It’s mandatory and in the best interest of the organization to be in compliance with the security standards that are approved by the legal bodies.
The main goal of such statutory regulations is to secure the organizations from getting into any unlawful activities and also safeguard the interest of the users. Various statutory regulations have been ensured by the legal bodies for the same and are as below:
• ISO/IEC 38500 – IT Governance
• ISO/IEC 20000
• SSAE 16
• National Institute of Standards and Technology (NIST) Cyber security Framework (CSF)
• Cloud Security Alliance (CSA) Cloud Controls Matrix
• FIPS Publication 200
• NIST SP 800-53 R4
• EU-US Privacy Shield
• EU NIS Directive
Many a time customers have the audit requirements regarding their IT systems. The necessity for the same can be on the customer because of the legal environments they might be in or it can be from the cloud service provider because of the policies adopted by them.
While opting for the audit it should be taken into consideration by the customer that the cloud service providers are open to the third party periodic audits. The need for the same is required, so that the customers have the visibility on the documented results for any verification and to point out the certain issues that might need to be worked upon by the cloud service providers.
Some of the standards that are used in this process are as below:
• SOC 1 , SOC 2 , SOC 3 reports
• NIST SP 800-92, Guide to Computer Security Log Management
• HL7 Fast Healthcare Interoperability Resources (FHIR)
In the cloud platform while performing certain tasks data is taken care by a lot of people and it’s in the best interest of the customer to ensure whether the person has been authorized to do so or not.
The main task of this security standard is as to give access to data only to the ones who have been authorized to execute a specific task.
For the one who is providing the services to the customer, needs to ensure that proper security measures are taken while allowing its employees to have appropriate access to the customer’s data. Information security management standards like ISO/IEC 27002 and ISO/IEC 27017 describe the controls for providers. Moreover it also needs to be made sure by the customer that the service provider is certified to these standards.
For people performing roles for the customers it needs to be made sure that they have to identify as well as authenticate themselves while using cloud services and the rights for the same are granted to them for that particular task. Such people need to have specific Identity and Access management (IAM)
While we are talking about cloud security standards the most vulnerable to security hacks is data.
The proper approach to safeguarding the data is the approach of Data governance. Opting for the data governance approach helps organizations in managing, protecting and leveraging information which in turn helps organizations to gain confidence in business decision and its approaches
Majority of standards are taken into considerations while opting for the security of the data
• ISO/IEC 27000 series
• ISO/IEC 27002
• ISO/IEC 27040:2015
• VPN using IPSec or SSL
• Transport Layer Security (TLS)
Protecting the personal information is termed as the privacy. It relates to the collection, storage and using personal identifiable information (PII).
To counter the breaches related to the private data many countries have brought upon the laws such as the General Data Protection Regulation (GDPR) by EU.
While working on the cloud platform many a time’s personal information is asked for, to execute a certain task. Every individual who’s putting up any of his/her on a cloud channel must take into account the seriousness of that data.
Any hack of that cloud channel can on occasions, lead to some loss for that individual.
For the protection of personal information certain standards have been adopted and are as below:
• ISO/IEC 27018 certification
• ISO/IEC 29100
• ISO/IEC 29151
• Cloud Security Alliance Privacy Level Agreement
Applications are installed at all the levels of cloud. If any application gets compromised it not only brings down the reputation of that cloud platform but also compromises a lot of data of the customers too.
Policies related to the security of applications at this point provide a lot of help in safeguarding security related to deployment and provisioning of the application. Application policies help in its deployment, encryption and integrity requirements.
Various techniques to consider in cloud applications are
• Denying services to publically exposed endpoints
What type of traffic needs to be allowed and which one needs to be dropped off should be checked or attempted by the cloud service provider. Tradition network controls should be dropped by the service providers as certain firewalls like corporate firewall sometimes gives a fake sense of security as hacking into the corporate perimeter is easy for the hackers.
Various network standards are to be taken into consideration for the same:
• ISO/IEC 27033-1
• ISO/IEC 27033-2
• ISO/IEC 27033-3:201
In many cases the infrastructure and facilities are provided by the cloud service providers. Customers need to assure themselves from the providers that properly security measures are taken by them.
It’s in the better interest of the customer to always opt for that particular service provider who is in compliance with ISO/IEC 27002 standard for physical and environmental security. Some of the security measures in ISO/IEC 27002 include:
• Physical Infrastructure and facilities should be held in secure areas
• Protection against external and environmental threats
• Equipment security controls
• Control security of cabling
• Secure disposal or re-use of equipment
The involvement of two parties in cloud computing makes it necessary to make sure the responsibilities are properly understood and delegated accordingly.
Some key features to keep in consideration are:
• Roles and responsibility
• Security obligation
• Data protection and residency
While the agreement ends with the service providers or when the services of a particular cloud service provider is ended it needs to be made sure that the exit process is properly followed which include the achieving of “The right to be forgotten”, which means that the service provider has to ensure that none of the information is kept with the service provider.
The customer also needs to ensure that the data is extracted in a secure way. It’s always appreciable if the cloud service provider provides the written confirmation to the customer that the exit process is complete.
It’s really important to know as to what is the security parameter of the service provider. It should also be considered as to how much secured, it is from the firewalls as well as to that of the virtual machines.
Having an identification and authorization framework is needed for a cloud solution so that only proper people should be having access to the technology.
Data is the soul of any organization. It needs to be protected, right from the very beginning of its creation to its destruction when you move it off from services.
An organization should work in compliance with the standards that have been set by the regulatory authorities. This not only safeguards it from legal but also saves it from becoming a victim of any unethical activity.
You may also like to read: