Cloud Computing Security
In recent years, there has been a trend towards the use of cloud computing, with companies increasingly preferring it when developing their information infrastructure.
According to open sources, in 2023, total spending on the Russian cloud services market increased by a third from 90.6 billion rubles to 121.4 billion rubles, and the growth dynamics were even higher the previous year, almost 50% per year.
The active growth of the Russian cloud services market is also facilitated by the geopolitical situation: the departure of foreign service providers, difficulties with the supply of foreign equipment and software necessary for infrastructure expansion, the strengthening of state policy in the field of import substitution, and regulatory requirements for the transition to Russian software.
The rapid increase in the cloud services sector also leads to an increase in the number of attacks on cloud resources. According to open sources, the number of cyberattacks on cloud resources is expected to increase by 30% by the end of 2024 compared to 2023. A successful attack on the infrastructure of a cloud provider can seriously affect its clients: deprive them of critical data or "leak" it to the public, stop business for an indefinite period, or significantly slow down business processes.
In this regard, information security issues of cloud computing remain among the most pressing when businesses make decisions about transferring part of their infrastructure or storing data in the cloud.
Terms and Definitions
Cloud computing – a model for providing on-demand network access to cloud resources, allocated regardless of the time of day or the channel of access to the computing network (draft GOST R "Information protection. Requirements for the protection of information processed using cloud computing technologies. General provisions").
Cloud resources – any types of computer resources distributed among consumers using cloud computing technologies (draft GOST).
Cloud service provider – a person or organization responsible for the operation of a cloud server (draft GOST).
Cloud service consumer – a person or organization that accesses one or more cloud services provided by cloud servers using one or more cloud clients (draft GOST).
Cloud Computing Deployment Models
There are various ways to organize cloud computing based on the management and sharing of physical and virtual resources.
Currently, there are three main deployment models:
1. Private cloud computing.
A model in which cloud computing services are used exclusively by one organization; it can be deployed on the organization's own servers or on rented ones.
2. Public cloud computing.
A model in which cloud computing services are used by multiple clients at once, with resources managed by the cloud service provider.
3. Hybrid cloud computing.
A model in which at least two different cloud computing deployment models are used, for example, a combination of a private cloud available from a company's local area network and a public cloud accessible via the Internet.
Cloud Computing Service Models
In any third-party cloud infrastructure, the cloud service provider manages the physical network, data storage, servers, and virtualization systems, and provides services as "modules" that make up the cloud environment.
The most common cloud computing service models are:
1. IaaS, Infrastructure as a Service.
A model that allows cloud service consumers to place all their computing resources in the cloud, up to the operating system. Such an IT infrastructure is a full copy of the physical environment.
Suitable for hosting online stores and corporate portals; it can also be used to organize storage or to deploy a CRM or ERP system, a terminal server, a mail server, etc.
The IaaS model has advantages and disadvantages.
2. PaaS, Platform as a Service.
A model that allows cloud service consumers to develop their applications, which run in their own "sandbox" on the cloud service provider's server.
Suitable for working with databases, as well as for software development.
The PaaS model has advantages and disadvantages.
3. SaaS, Software as a Service.
A model that allows cloud service consumers to access applications that are stored and run on the cloud service provider's servers.
It is widely used both in the corporate environment for implementing business processes (WordPress, SAP, SalesForce) and for home needs (Gmail, Dropbox).
The SaaS model has advantages and disadvantages.
Advantages of cloud computing from the perspective of information security
1. Cost savings.
Cost savings on information infrastructure are achieved because the cloud service consumer pays only for the amount of resources they consume, and they have the ability to opt out of excess resources since cloud services easily adapt to the consumer's needs.
2. The ratio of capital expenditures to operating expenses for information infrastructure.
The ratio of costs for information infrastructure becomes more balanced. Migration to cloud computing allows for the reduction of high capital expenditures and their replacement with lower operating expenses.
3. Reducing time to market.
The cloud infrastructure necessary for product development is deployed faster and costs less.
Disadvantages of cloud computing from the perspective of information security
1. Confidentiality of processed information and its storage.
The first thing most cloud service consumers will think about is unauthorized access to the processed information by cloud service providers or malicious actors. In fact, the data is stored by a third-party organization and ceases to be fully controlled by its owner.
In some cases, the territorial location of the cloud service providers' servers is critical, and their location outside the country imposes restrictions on the possibility of use, for example, for storing personal data of Russian citizens.
2. Integrity of applications and software.
In the context of using cloud services, it is extremely important to ensure the integrity of applications, from writing the source code to running that code on the production service. When external services are used, additional threats arise, such as unauthorized changes to built containers and the introduction of malicious code during the build process.
3. Service availability.
The availability and performance of cloud service consumer services depend on the cloud service provider. If the provider experiences an operational failure, this will also affect the operation of the consumer's systems.
Information security threats
When using cloud computing, information security threats arise from the cloud service consumer's lack of control over:
the hardware, combined with the difficulty of organizing secure interaction between consumers and cloud service providers and of integrating the information security tools used by consumers with those used by providers (IaaS);
the software and hardware used (SaaS);
the software and hardware used, as well as the specifics of cloud software development (PaaS).
In addition, information security threats include:
threats related to uncertainty in the distribution of responsibility;
threats related to loss of control;
threats related to loss of trust;
threats related to vendor lock-in;
threats related to unauthorized access by cloud service consumers;
threats related to lack of information or cloud resource management;
threats related to data loss and leakage.
The disadvantages of cloud computing and information security threats can be mitigated by the proper implementation of information security measures, which can significantly reduce the risks of their realization.
Security measures when using cloud computing
Cloud security consists of two components: security on the part of the cloud service provider and security on the part of the cloud service consumer. The principle of shared responsibility is relevant here.
In the responsibility zone of the cloud service provider are:
1. Physical security.
Includes access control at the levels of:
territory (e.g., fenced territory);
building (e.g., video surveillance inside and outside, 24/7 security and a contract with external security, access control system);
equipment racks and the equipment itself (access control and management system, access control to equipment).
2. Fault tolerance and redundancy.
Includes:
periodic backup of data on provided cloud services, as well as data belonging to cloud service consumers;
quality management of provided cloud services by monitoring current bandwidth, number of lost network packets, etc.;
timely detection of cloud infrastructure node failures;
reserving bandwidth for priority cloud services and the most important ones for their consumers.
3. Network security.
Includes network segmentation and protection against DDoS attacks.
4. Identity and Access Management.
Includes:
storage of authentication information and accounts;
security settings of accounts;
two-factor authentication when accessing cloud infrastructure management tools;
audit of passwords for privileged and user accounts.
5. Vulnerability Management.
Includes vulnerability scanning:
of the cloud and corporate infrastructure (monitoring the relevance of software versions, timely detection and elimination of vulnerabilities in the infrastructure);
of externally reachable IP addresses "from the outside" in black-box mode.
6. Event Logging and Monitoring.
Includes implementing in the cloud client a mechanism for collecting information about registered security events and transmitting it to the cloud server, so that the security events registered by the cloud client can be compared with those registered by the cloud server.
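An added illustration of that comparison, not part of the original article or of any standard it cites: the Python snippet below parses security events as registered by a cloud client and as received by the cloud server (constructed sample records in a hypothetical line format) and flags events missing on either side, altered fields, and delivery delays outside an expected window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (hypothetical line format, not a real product's):
# "<ISO timestamp> id=<event id> src=<host> type=<event type> user=<account>".
# The same events as registered on the cloud client and as received by the cloud server.
CLIENT_LOG = """\
2024-05-01T10:00:01Z id=101 src=vm-app-1 type=login user=alice
2024-05-01T10:00:07Z id=102 src=vm-app-1 type=sudo user=alice
2024-05-01T10:01:30Z id=103 src=vm-app-1 type=login_failed user=bob
2024-05-01T10:02:00Z id=104 src=vm-app-1 type=key_read user=svc-backup
"""
SERVER_LOG = """\
2024-05-01T10:00:03Z id=101 src=vm-app-1 type=login user=alice
2024-05-01T10:00:09Z id=102 src=vm-app-1 type=sudo user=alice
2024-05-01T10:02:02Z id=104 src=vm-app-1 type=key_read user=root
"""
LINE_RE = re.compile(r"^(\S+) id=(\d+) src=(\S+) type=(\S+) user=(\S+)$")

def parse_log(text):
    """Parse log lines into {event_id: {"ts", "src", "type", "user"}}; malformed lines are skipped."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, src, etype, user = m.groups()
        events[int(eid)] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            "src": src, "type": etype, "user": user}
    return events

def compare_events(client_text, server_text, max_delay=timedelta(seconds=30)):
    """Return (event_id, finding) pairs where the server-side record disagrees with the client-side one."""
    client, server = parse_log(client_text), parse_log(server_text)
    findings = []
    for eid, c in sorted(client.items()):
        s = server.get(eid)
        if s is None:
            findings.append((eid, "missing on server"))  # lost or suppressed in transit
            continue
        for field in ("src", "type", "user"):  # content altered between client and server
            if c[field] != s[field]:
                findings.append((eid, f"{field} mismatch: client={c[field]} server={s[field]}"))
        if not (timedelta(0) <= s["ts"] - c["ts"] <= max_delay):  # delayed or back-dated
            findings.append((eid, "delivery delay outside the expected window"))
    for eid in sorted(set(server) - set(client)):  # never registered by the client
        findings.append((eid, "present on server only"))
    return findings
```

On the sample data the failed login (id 103) never reached the server and the account on the key-read event (id 104) differs between the two sides, which is exactly the kind of discrepancy the comparison is meant to surface.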
7. Compliance with Legal Requirements.
Includes:
the presence of an approved Information Security Threat Model and its provision to the cloud service consumer upon request;
readiness to sign an order for the processing of personal data with the cloud service consumer;
the presence of segments certified for compliance with information security requirements;
the presence of conclusions (certificates) of compliance with the requirements of GOST 57580.1, PCI DSS, ISO 27001, etc. (if necessary).
In the responsibility zone of the service consumer are:
1. Choosing a reliable cloud service provider.
Important aspects to consider when choosing a cloud service provider are:
reputation of the provider in the service market;
the level of service that the provider can ensure (uptime and availability of services);
guarantees of data protection and confidentiality;
data on the territorial location of servers (in Russia or abroad);
data on compliance with information security standards and requirements (availability of certificates and attestations).
A Service Level Agreement (SLA) is concluded with the cloud service provider, which documents the services provided and agrees on their levels. The Service Level Agreement may be included in a contract or another type of documented agreement.
2. Identity and access management.
User authentication and authorization procedures, granting them appropriate access rights to resources, and controlling access usage (including privileged access) allow limiting access to processed information and reducing the risks of unauthorized access to data and their leakage.
In turn, authentication can be single-factor (e.g., password) or multi-factor (implies an additional authentication factor, such as a one-time code from SMS or a token).
3. Secure configuration of cloud resources.
Configuration is one of the key measures for information protection in the cloud. The configurations of the operating system, application software, and information security tools in use must meet the required level of security and not use "default" settings.
It is recommended to monitor:
that software, information security tools, and operating systems are updated and their versions are current;
that unused services, ports, and protocols are disabled or restricted;
the permission levels assigned to key files;
password policies.
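An added example (not from the article) of checking the items above automatically: a Python audit run over a constructed snapshot of one cloud VM and a hypothetical consumer baseline. The snapshot and baseline structures, package versions, ports and file modes are assumed for illustration and do not correspond to any provider's API.

```python
# Constructed snapshot of one cloud VM (hypothetical structure, not a provider API):
# what a consumer-side inventory agent might report about the host.
SNAPSHOT = {
    "packages": {"openssh-server": "9.2p1", "nginx": "1.22.1"},
    "listening_ports": [22, 80, 443, 3306, 5900],
    "key_files": {"/etc/shadow": 0o640, "/root/.ssh/id_ed25519": 0o644},
    "password_policy": {"min_length": 6, "lockout_threshold": 0},
    "default_settings": {"admin_password_changed": False, "snmp_community": "public"},
}
# Hypothetical consumer baseline for that host: current versions, expected ports,
# the most permissive acceptable mode per key file, and minimum policy values.
BASELINE = {
    "latest_versions": {"openssh-server": "9.2p1", "nginx": "1.24.0"},
    "allowed_ports": {22, 80, 443},
    "key_file_max_mode": {"/etc/shadow": 0o640, "/root/.ssh/id_ed25519": 0o600},
    "policy_min": {"min_length": 12, "lockout_threshold": 5},
}

def audit(snapshot, baseline):
    """Return (severity, message) findings for every deviation from the baseline."""
    findings = []
    # 1. Software and OS components at current versions.
    for pkg, ver in snapshot["packages"].items():
        latest = baseline["latest_versions"].get(pkg)
        if latest and ver != latest:
            findings.append(("medium", f"{pkg} {ver} is outdated (latest {latest})"))
    # 2. Unused services, ports and protocols disabled.
    for port in snapshot["listening_ports"]:
        if port not in baseline["allowed_ports"]:
            findings.append(("high", f"unexpected listening port {port}"))
    # 3. Permissions on key files: any bit set beyond the allowed mask is a finding.
    for path, mode in snapshot["key_files"].items():
        max_mode = baseline["key_file_max_mode"].get(path, 0o600)
        if mode & ~max_mode & 0o777:
            findings.append(("high", f"{path} mode {mode:04o} exceeds {max_mode:04o}"))
    # 4. Password policy meets the minimum values.
    policy = snapshot["password_policy"]
    for key, minimum in baseline["policy_min"].items():
        if policy.get(key, 0) < minimum:
            findings.append(("medium", f"password policy {key}={policy.get(key, 0)} below {minimum}"))
    # 5. No "default" settings left in place.
    if not snapshot["default_settings"].get("admin_password_changed", False):
        findings.append(("critical", "default administrator password still in use"))
    if snapshot["default_settings"].get("snmp_community") in ("public", "private"):
        findings.append(("medium", "SNMP community string left at default"))
    return findings
```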
4. Protection against malicious code.
The antivirus tools in use must be regularly updated and adapted to the cloud infrastructure, which has a number of specific features that make the use of classic antivirus tools difficult.
5. Backup.
Backups are important because, if the cloud service becomes unavailable or data is lost on the cloud service provider's side, the cloud service consumer can restore the information most critical to them.
6. Encryption.
Data encryption involves converting data into an encrypted format that can only be read by authorized users. The choice of encryption option directly depends on the needs of the cloud service consumer. This can be end-to-end encryption when transmitting confidential information or encryption of only certain categories of information stored in the cloud.
The highest level of security in the cloud environment is ensured by encrypting data at all stages of its transmission and storage: on the user side, during transmission from the user to the server, and when stored in the database.
7. Incident Response.
Detection, response, recovery, and analysis of incidents in the cloud infrastructure are part of the cloud service consumer's incident management. The response process should take into account the specifics of cloud computing and fit into the company's overall information security incident management strategy.
8. User Training.
The cloud service consumer's users are a weak point in the entire infrastructure: they are susceptible to social engineering, and many still open suspicious emails and click on phishing links.
Informing and training employees on security issues is an integral part of information protection in the cloud infrastructure. All employees with access to cloud services should have a basic understanding of information security rules.
9. Compliance with regulatory requirements and standards.
Responsibility for compliance with current legislation in the field of information protection lies with the cloud service consumer.
The cloud service consumer must ensure that the processes involving cloud computing comply with established legal requirements.
Thus, it is the consumer who must monitor relevant changes and discuss additional needs with the cloud service provider.
In conclusion, it can be said that cloud computing is a good alternative to physical information infrastructure. However, despite all its advantages, it is exposed not only to "classic" information security threats but also to threats associated with the specifics of cloud computing.
To neutralize them, it is necessary to build an information protection system with a clear understanding of how the areas of responsibility of the provider and the cloud service user are distributed, how the service provider protects information on its side, and what information security mechanisms are already technologically embedded in a particular provider.