Applying the five controls to cloud services

What are cloud services?

Different components of computing are available to users remotely over the internet, payable on demand or by subscription. Cloud services is the collective name for these externally managed services. Examples are Microsoft 365, Dropbox, Google Drive, AWS and Citrix Workspace.
Most organisations use a great many cloud services; they allow flexible and collaborative use of a resource without the large outlay for ever-changing technology. During the Covid pandemic, organisations were able to adapt and survive by allowing workers to access and share company information from any location and to deliver their services online. Cloud services were often used to achieve this. This revolutionised working models, yet also raised significant security concerns: if workers can access an organisation’s information from anywhere, then criminals can too. It is important that these services are set up correctly and have the essential security controls in place.

What is the difference between public, private and hybrid cloud?

Public cloud services are the most widespread and commonly used cloud computing model. All the resources needed to run the infrastructure (servers, storage, networking components and supporting software) are owned and managed by the third-party provider, and accessed by users within organisations over the Internet via a web browser. In a public cloud, companies share the infrastructure with other organisations, but data and workloads are usually kept isolated from each other in a secure virtual space. Rather than having to own and operate the hardware, organisations pay only for the services they actually use.
A private cloud service is a computing infrastructure devoted to use by a single organisation. It can be housed in a privately owned data centre facility or at that of a third-party service provider. The defining characteristic is that the IT resources are run and maintained on a private network for one user organisation only; consequently, the security controls are under that organisation’s full management.
Hybrid cloud is any environment that uses both public and private cloud.

For the purpose of this guidance, we are talking about public cloud services.

The three main categories of cloud computing

There are three major cloud service models. The aaS letters stand for ‘as a service’ which means organisations can rent facilities that are physically elsewhere for a range of different purposes. (See guidance about virtualisation.)

Infrastructure as a Service (IaaS)
An IaaS cloud service provider hosts the infrastructure components that typically exist in an on-premises data centre including servers, storage and networking hardware as well as the hypervisor or virtualisation layer. A company might use IaaS if they need to develop bespoke applications and programmes but are not equipped to handle the infrastructure that this requires. The user organisation would access, configure and manage the resources using a dashboard or Application Programming Interface (API).

Besides program development and testing, IaaS is also used for disaster recovery and backup, hosting complex websites, high-performance computing and big data analysis.

In the IaaS model, the cloud service provider only provides the hardware; all of the security and backing up is the user organisation’s responsibility.
Examples of IaaS include Rackspace, Google Compute Engine, or Amazon EC2.

Platform as a Service (PaaS)
Platform as a service offers developers a platform for software development and deployment over the internet, enabling them to access up-to-date tools. A person or company might use PaaS if they needed a collaborative development and deployment environment to create and manage custom applications, without the need to build and maintain the underlying infrastructure themselves.
Examples of PaaS include Azure Web Apps and Amazon Web Services Lambda.

Software as a Service (SaaS)
SaaS cloud service providers host the applications and make them available to users over the internet. With SaaS, organisations do not have to download any software to their existing IT infrastructure.

SaaS is used by most organisations for everyday tasks such as creating and sharing files, signing and sending contracts, and project management. The tools and applications are highly scalable and easy to access remotely, which is particularly helpful for distributed global teams who do not work in close proximity.
Examples of SaaS include Microsoft 365, Jira, Dropbox, Gmail.

What are the security risks with cloud services?

Most data breaches in the cloud occur when criminals are able to gain access through badly configured accounts and interfaces to locate valuable data. This is usually due to weak user access control and misconfiguration and is the responsibility of the cloud service customer.

According to research by Microsoft, there are over 300 million fraudulent sign-in attempts to their cloud services every day. Most data breaches involve weak, default or stolen passwords, which highlights the need for a comprehensive password policy and strong authentication. It is estimated that 99.9% of attacks can be blocked with Multi-Factor Authentication (MFA).

Another threat to data stored with cloud services comes from employees, whether through unintentional mistakes or malicious intent; this is known as the ‘insider threat’. A rogue employee can use their knowledge and access to company information to steal data or commit fraud.

Access to sensitive resources needs to be limited to employees that require that information to perform their job. Administrator accounts usually give the most access to the system and it is essential that they are protected with MFA. Privileged accounts, such as these, need to be created, restricted and controlled with a comprehensive policy.

Who implements the five core controls to the cloud services?

Most cloud providers attempt to create a secure cloud for customers and aim to prevent breaches and maintain public trust. Most invest a significant amount of resources to keep their services secure; however, they cannot control how their customers use the service, what data they add to it, and who has access. It is worth bearing in mind that not all cloud service providers understand or value security. It is essential that the user organisation researches the security controls used by the cloud service provider before entrusting organisational data to that service.

When talking about security, cloud service providers often reference a ‘shared responsibility model’. This means that for some security controls, it is the cloud service that is responsible for implementation whereas for other features, it is the user organisation. Who implements which controls will vary depending on the design of the cloud service being subscribed to.

Working with a cloud provider can be unfamiliar and new for some organisations, and it is helpful to outline from the start where the line is between the cloud provider’s security responsibilities and those of the user organisation. Each provider and each service will have different security models, different tools for ensuring security, different configuration parameters, different dashboards and different contact points. Putting all these details together and creating a coherent multi-cloud security strategy is a vital process. It is a good idea to have security in mind when researching a cloud service product in the first place, and to document a named point of contact to help and support your organisation if there are difficulties.

Although the potential cost saving, flexibility and scalability attracts many modern businesses to cloud computing, it also represents a paradigm shift for business owners and their staff who need to understand new services, tools and processes. When using cloud services, it is necessary to set up separate policies on each individual service and ensure that all access is controlled. It may be necessary to update staff about the functions and responsibilities in the cloud with training and information courses on each chosen cloud service.

The business owner or IT manager should reference their service-level agreements, and clear up any confusion with the provider when necessary to ensure a successful security strategy.

Google, AWS and Microsoft all offer a range of certifications and cloud computing training programs for their platforms. The goal is to get companies that aren’t as familiar with cloud to be comfortable with modern techniques and practices.

For Infrastructure as a Service, the user organisation is responsible for maintaining their operating system, data use and applications and are therefore in control of the implementation of all 5 Cyber Essentials controls.

With Platform as a Service, the cloud service provider manages the security of the underlying infrastructure and operating system, and the user manages their data use and applications. This means the user needs to control the secure configuration, user access control and security update management.

For Software as a Service, the user organisation is usually only responsible for secure configuration and access control, and the cloud service provider usually takes care of the malware protection, firewalls and security update management.
Where the cloud provider implements a control, the user organisation must satisfy themselves that this has been done to the required standard. Details of implementation of these controls can usually be found in the terms and conditions of the service. Look within contractual clauses or in documents referenced by contract, such as security statements or privacy statements. Cloud providers will often explain how they implement security in documents published in their trust centres.
The security arrangements of a cloud provider are sometimes explicitly documented; for example, Microsoft Azure and AWS document shared responsibilities and whether the provider or the customer is responsible for aspects of security operations and management. With smaller providers or SaaS products, however, these details may be less explicit, but they will still need to be accounted for.

Understanding your security responsibility is essential to keeping your data safe in the cloud.

The five core controls

Secure configuration
The responsibility of the user organisation for all cloud services
An ‘out-of-the-box’ set-up can often include an administrative account with a standard, publicly known default password, one or more unnecessary user accounts enabled (sometimes with special access privileges) and pre-installed but unnecessary applications or services. All of these present security risks. Where you are able to do so, remove or disable all the software that you do not use on your cloud services.

* Check your cloud services and disable any services that are not required for day-to-day use.
* Ensure that all your cloud services only contain necessary user accounts that are regularly used in the course of your business.
* Remove or disable any user accounts that are not needed in day-to-day use on cloud services.

User access control
The responsibility of the user organisation for all cloud services
User accounts with special access privileges (e.g. administrative accounts) typically have the greatest level of access to information, applications and computers. When attackers gain control of these privileged accounts they can cause the most damage, because they can usually perform actions such as installing malicious software and making configuration changes. Special access includes privileges over and above those of normal users.

Privileged access — Identify all possible forms of access that privileged accounts may have to your data and applications, and put in place controls to mitigate exposure. It is not acceptable to work on a day-to-day basis in a privileged “administrator” mode.

(See guidance about accounts.)

Enable multi-factor authentication (MFA) on all user accounts and all administrator accounts on all of your cloud services.
(See guidance on applying MFA to access cloud services.)
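The secure configuration checks above (unused and unnecessary accounts, default administrative accounts) and the user access control requirement (MFA on every account, above all privileged ones) can be run against an account export from a cloud service's admin console. The script below is an added example, not part of the original guidance or any provider's tooling; the export format, the account names and the "as of" date are constructed for the example, and the 90-day threshold for an unused account is an assumption.

```python
from datetime import date

# Constructed sample export of a cloud tenant's user accounts (hypothetical
# format; a real export from the provider's admin console would be mapped to it).
ACCOUNTS = [
    {"user": "admin", "privileged": True, "mfa": False, "enabled": True, "last_sign_in": "2024-01-03"},
    {"user": "alice", "privileged": False, "mfa": True, "enabled": True, "last_sign_in": "2024-05-20"},
    {"user": "contractor-old", "privileged": False, "mfa": False, "enabled": True, "last_sign_in": "2023-10-01"},
    {"user": "bob-admin", "privileged": True, "mfa": True, "enabled": True, "last_sign_in": "2024-05-25"},
    {"user": "svc-legacy", "privileged": True, "mfa": False, "enabled": False, "last_sign_in": None},
]
AS_OF = date(2024, 6, 1)  # constructed "today" so the run is reproducible
DEFAULT_NAMES = {"admin", "administrator", "guest", "root"}  # typical vendor default account names


def audit_accounts(accounts, today=AS_OF, stale_days=90):
    """Return (user, severity, issue) findings against the Cyber Essentials checks:
    MFA on every account, no unused accounts, no default accounts left enabled.
    The 90-day "unused" threshold is an assumption, not a figure from the guidance."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # a disabled account cannot be signed into; nothing to report
        if user.lower() in DEFAULT_NAMES:
            findings.append((user, "high", "default account still enabled; rename or disable it"))
        if not acct["mfa"]:
            if acct["privileged"]:
                findings.append((user, "high", "no MFA on privileged account"))
            else:
                findings.append((user, "medium", "no MFA on user account"))
        last = acct["last_sign_in"]
        if last is None or (today - date.fromisoformat(last)).days > stale_days:
            findings.append((user, "medium", f"no sign-in in the last {stale_days} days; remove or disable"))
    # Privileged accounts without MFA are the guidance's top concern, so list "high" first
    return sorted(findings, key=lambda f: (f[1] != "high", f[0]))


if __name__ == "__main__":
    for user, severity, issue in audit_accounts(ACCOUNTS):
        print(f"{severity:6} {user:15} {issue}")
```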

Security update management
The responsibility of the user organisation for IaaS and PaaS cloud services.
To protect your organisation, you should ensure that all your software is always up-to-date with the latest security updates.
(See guidance about software.)

Malware protection
The responsibility of the user organisation for IaaS and PaaS cloud services
Malware (such as computer viruses) is generally used to steal or damage information. Malware is often used in conjunction with other kinds of attack such as ‘phishing’ (obtaining information by confidence trickery) and social network sites (which can be mined for information useful to a hacker) to provide a focused attack on an organisation. Anti-malware solutions (including anti-virus) are available from commercial suppliers, some free, but usually as complete software and support packages. Malware is continually evolving, so it is important that the supplier includes both malware signatures and heuristic detection facilities which are updated as frequently as possible. Anti-malware products can also help confirm whether websites you visit are malicious.

Prevent malware from entering cloud services using techniques such as file-scanning, application whitelisting, machine learning-based malware detection, and network traffic analysis.
(See guidance about malware.)

Firewalls
The responsibility of the user organisation for IaaS.
(See guidance about firewalls.)