The shared responsibility model for cloud security exists because, in spite of the convenience, cost savings, and even the centralization of IT expertise in the cloud, data breaches in and from the cloud are real.
But why do breaches in the cloud happen? The causes are several, and largely preventable:
- Human error can still occur, perhaps exacerbated by self-service and varying security controls across different IaaS/PaaS and SaaS providers. Multi-cloud means learning new policies and cloud- and identity-security solutions.
- Vulnerabilities happen in software, hardware, and firmware, whether on-premises or in the cloud. A breach of customer data from a cloud data store in 2019 was caused, in part, by a bug identified in 2015 and not patched in the cloud.
- Insiders include both cloud infrastructure administrators and your own administrators with elevated privileges in the cloud. In IaaS, OS root users have too much visibility, and admin credentials are targeted and compromised – sometimes the same passwords are used in the cloud as on-premises. And with certain types of encryption, privileged users can see data in the clear for all users.
- Even with encryption, there remains the risk of poor practices for encryption keys, which truly require enhanced control and separation between encrypted data in the cloud and the keys.
- These factors were confirmed in analyst research: an IDC study found that 61% of cloud data breach victims indicated that the breach was the result of a cloud or cloud infrastructure-related vulnerability or misconfiguration.
Data in transit protection should be achieved through a combination of:
- Encryption – denying your attacker the ability to read or modify data
Data encryption protects data confidentiality by converting it to encoded information, called ciphertext, that can only be decoded with a unique decryption key, generated either at the time of encryption or beforehand. Data encryption can be used during data storage or transmission and is typically used in conjunction with authentication services to ensure that keys are only provided to or used by authorized users.
Encryption is usually implemented to provide additional confidentiality and integrity of data over and above what network layer protections provide. All approaches should include encryption between endpoints and components of the cloud service.
- Network protection – denying your attacker the ability to intercept data
Public cloud providers are accessible directly over the internet. You should ensure that all data flows between clients and the cloud service are encrypted as described above.
Your data will usually need to flow across the cloud provider’s network between different cloud service components, and between physical servers. Cloud platforms typically allow you to create virtual networks, which use dynamic routing rules on the underlying network to ensure that packets can only flow between your hosted resources. You can often also apply data flow rules at the application layer (usually called an Application Layer Network). You should ensure that you understand how these controls are enforced and how to use them, so that your data flows cannot be accessed or tampered with by another customer of the service.
- Authentication – denying your attacker the ability to impersonate the service
All accesses made to your cloud service should be authenticated. Most public cloud providers are accessible directly over the Internet; when you connect this way, you should ensure that all data flows are authenticated and encrypted as described above. Both parties should be authenticated, but you don’t have to use the same method for both cases.
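The encryption and authentication requirements above map directly onto how a TLS client is configured. The following added example (not code from the original text or from any cloud provider) shows a hardened client context, a deliberately weak one that encrypts but never authenticates the service, and an audit function that flags the gap; the certificate and key paths are assumed placeholders.

```python
import ssl


def make_client_context(ca_bundle=None, client_cert=None, client_key=None):
    """Build a TLS client context that encrypts AND authenticates.

    ca_bundle: CA certificates used to authenticate the cloud service
               (None = the platform's default trust store).
    client_cert/client_key: optional client certificate and key for mutual
               TLS, so the service can authenticate this client as well.
    All paths are assumptions for illustration.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    ctx.verify_mode = ssl.CERT_REQUIRED           # service must present a trusted cert
    ctx.check_hostname = True                     # and it must match the hostname
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def weak_context():
    """Constructed example of a context that encrypts the channel but does not
    authenticate the service: an attacker who intercepts the connection can
    present any certificate and read the 'encrypted' traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return findings describing how the context fails the data-in-transit
    properties discussed above (empty list = encrypts and authenticates)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require the service certificate")
    if not ctx.check_hostname:
        findings.append("does not match the certificate to the hostname")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()))
    print("weak:", audit_context(weak_context()))
```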