Cloud Computing Security: Provider & Consumer Responsibilities

Posted on: 31 August '17
Arunvignesh Venkatesh
Technical Architect, Mindtree

Cloud Computing growth in recent years

I would be surprised to come across any techie who does not mention “Cloud” in the course of a conversation today. That is how far cloud computing has grown in the market. Here is another classic example: Google searches for the term ‘Cloud Computing’ have increased drastically, from 20% in 2009 to around 95% in 2015.

Not only techies but global industries too are turning to Cloud, given its inherent advantages: no CapEx, a pay-as-you-go pricing model, no need to manage IT infrastructure, and options like ‘Cloud as a service’.

Not surprisingly, given enterprise interest in Cloud, leading technology vendors like Oracle, Redhat, Windows and Symantec have also migrated their products to the Cloud Model, which works on a subscription basis instead of the traditional license model.

Recent attacks on Cloud Computing

It is a known fact that the number of attacks on Cloud environments has increased in recent years.

To cite a few examples, the Cloud environments of Home Depot (HD), JPMorgan Chase (JPM) and even the White House were breached in 2015. Reconnaissance increased significantly in 2014; some of the most common scans we detected included ZmEu, Morfeus, VNCScan and Nessus scans, as well as multiple generic scans.

According to the Health Information Trust Alliance (HITRUST), the number of security breaches involving healthcare data alone has been immense:

  • Total Breaches: 495
  • Total Records: 21.12 million
  • Total Cost: $4.1 billion
  • Average Size: 42,659 records
  • Average Cost: $8.27 million
  • Average Time to Identify: 84.78 days
  • Average Time to Notify: 68.31 days

The Cloud Security Alliance Report cites insider attacks as the sixth biggest threat in cloud computing.

Securing Cloud

Cloud security always follows a Shared Responsibility model between the service provider (for example Amazon, Azure, Google) and the customers using the service.

Provider’s Security measures:

The first step Cloud Service Providers take is to secure the Data Center where they host the IT hardware (Compute, Network and Storage) for the Cloud. This protects the DC against unauthorized access, interference, theft, fires, floods and so on. The Data Center is also secured to ensure redundancy in essential supplies (for example power backup and air conditioning) to minimize the possibility of service disruption. In most cases, Providers offer Cloud applications from ‘world-class’ data centers.

The Cloud Provider ensures that its Infrastructure and Services comply with critical protection laws and standards such as data protection laws, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), Criminal Justice Information Services (CJIS), the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA) and so on.

Along with Data Security, in order to ensure business continuity and data recovery, Providers also maintain a resilient Recovery Time Objective (RTO), Recovery Time Point (RTP) and Failover in the Tier 3 or Tier 4 Data Centers which host their Cloud Services. In addition, continuous log audits keep them aware of all the activities under their radar.

[Figure: Secured Cloud Design]

Consumer’s Security measures:

The key player in Cloud Security is the Solution Architect. While the Solution Architect makes sure the security measures on the Customer’s Cloud Space are met, the Cloud Service Provider is responsible for ensuring that adequate security measures have been taken on its own premises.

Security measures focus on securing End user access and end-to-end protection of the enterprise’s Cloud environment.

1) Identity Management:

Organizations prefer all-in-one authentication that can be extended to Identity Federation. Identity Federation combines Identity and Access Management (IAM) with single sign-on (SSO) and a centralized AD account for secure management.

Multi-Factor Authentication (MFA) is enabled for the Cloud root account and for the individual users created under that account, and it is also used to control access to Cloud service APIs. The best option is to go for either a virtual MFA application or a hardware device.
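As an added example (not code from the post or from Mindtree), the following Python script audits an AWS IAM credential report for the MFA posture described above: it flags the root account and any console or API user without MFA. The CSV is a constructed, trimmed sample using the real report's column names; the account id and user names are placeholders.

```python
"""Audit an AWS IAM credential report for the MFA posture the post calls for.
Assumption (constructed, not from the post): SAMPLE_REPORT is a trimmed,
hand-written report using the column names `aws iam get-credential-report`
returns; real reports carry more columns, which DictReader simply ignores.
"""
import csv
import io

# Constructed sample: the root account plus three users (placeholder ids).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,false
"""

def _truthy(value: str) -> bool:
    return value.strip().lower() == "true"

def audit_credential_report(report_csv: str) -> list:
    """Return one finding per identity that violates the post's MFA guidance.

    Checklist (defender's view of the post's points):
      * root must have MFA and should hold no long-lived access keys;
      * any user with a console password must have MFA;
      * users with active access keys but no MFA are flagged so their API
        access can be moved behind an MFA condition or an assumed role.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        mfa = _truthy(row["mfa_active"])
        console = _truthy(row["password_enabled"])
        keys = _truthy(row["access_key_1_active"]) or _truthy(row["access_key_2_active"])
        if name == "<root_account>":
            if not mfa:
                findings.append({"user": name, "issue": "root without MFA"})
            if keys:
                findings.append({"user": name, "issue": "root has active access keys"})
            continue
        if console and not mfa:
            findings.append({"user": name, "issue": "console user without MFA"})
        if keys and not mfa:
            findings.append({"user": name, "issue": "API keys not protected by MFA"})
    return findings

if __name__ == "__main__":
    for f in audit_credential_report(SAMPLE_REPORT):
        print(f"{f['user']}: {f['issue']}")
```

On the sample this reports five findings: two for root, two for bob and one for deploy-bot, while alice (console plus MFA, no keys) is clean.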

2) Data Encryption:

Encryption translates data into a secret code and is the most effective way to achieve data security. To read an encrypted file, you must have access to the secret key or password that decrypts it. Unencrypted data is called plaintext, while encrypted data is referred to as ciphertext.

Volume encryption: native volumes provided by the Cloud Provider have an option to encrypt the volume, securing the data residing at the first level. The following types of data can be encrypted:

  • Data at rest inside the volume
  • All snapshots created from the volume
  • All disk Input/Output

The encryption occurs on the servers that host the Virtual Machines (VMs), so the data in transit between the VMs and the volumes is encrypted as well.
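As an added example (not the post's or Mindtree's code), this Python check covers the three items listed above against constructed records shaped like the `Volumes` and `Snapshots` lists that boto3's `describe_volumes()` and `describe_snapshots()` return; the volume, snapshot and instance ids are placeholders.

```python
"""Check the three items the post lists under volume encryption: data at
rest, snapshots taken from the volume, and VM-to-volume disk I/O.
Assumptions: VOLUMES and SNAPSHOTS are constructed samples shaped like the
lists boto3's describe_volumes() / describe_snapshots() return; ids are
placeholders. This is not the post's own code.
"""

# Constructed sample API output (placeholder ids, not real resources).
VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "Attachments": [{"InstanceId": "i-0web1"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False, "Attachments": [{"InstanceId": "i-0db1"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False, "Attachments": []},
]
SNAPSHOTS = [
    {"SnapshotId": "snap-001", "VolumeId": "vol-0aaa", "Encrypted": True},
    {"SnapshotId": "snap-002", "VolumeId": "vol-0bbb", "Encrypted": False},
    # An encrypted copy made from the unencrypted vol-0bbb snapshot.
    {"SnapshotId": "snap-003", "VolumeId": "vol-0bbb", "Encrypted": True},
]

def find_encryption_gaps(volumes, snapshots):
    """Return findings for unencrypted volumes and snapshots.
    Attached unencrypted volumes are "high" (data at rest and VM<->volume I/O
    both in the clear, since host-side encryption applies only to encrypted
    volumes); detached ones are "medium". An existing encrypted snapshot copy
    shortens the remediation path for its source volume."""
    encrypted_copies = {s["VolumeId"] for s in snapshots if s.get("Encrypted")}
    findings = []
    for v in volumes:
        if v.get("Encrypted"):
            continue
        vid = v["VolumeId"]
        findings.append({
            "resource": vid,
            "issue": "volume not encrypted: data at rest and disk I/O exposed",
            "severity": "high" if v.get("Attachments") else "medium",
            "remediation": ("recreate volume from its encrypted snapshot"
                            if vid in encrypted_copies
                            else "snapshot, copy with encryption, recreate volume"),
        })
    for s in snapshots:
        if not s.get("Encrypted"):
            findings.append({"resource": s["SnapshotId"], "severity": "high",
                             "issue": f"snapshot of {s['VolumeId']} not encrypted",
                             "remediation": "copy with encryption, then delete original"})
    return findings

if __name__ == "__main__":
    for f in find_encryption_gaps(VOLUMES, SNAPSHOTS):
        print(f"[{f['severity']}] {f['resource']}: {f['issue']} -> {f['remediation']}")
```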

3) Network Protection:

Though the Cloud Providers ensure network-level protection as part of their native Cloud services (for example AWS’s Security Groups and NACLs, or Azure’s Endpoints and NSGs), it is highly recommended that customers add an additional layer of network protection with WAF and firewall solutions from vendors such as Palo Alto or Barracuda.

4) Secured Solution Design:

The first question asked by any Enterprise Customer is “How secure are my servers in the Cloud set-up?”. The answer lies in the Model Cloud Solution Design given below, which is also aligned with industry best practices. We, as Architects, make sure the servers and services are kept in their respective layers: Management, Public, Private and DMZ.

[Figure: Model Cloud Solution Design on Amazon Web Services]

Conclusion

Though there have been many incidents of data breach, it cannot be denied that cloud computing adoption is gradually rising in the global market. Enterprises need to bear in mind just two points to avoid unwanted security issues in Cloud:

  • The customer should undertake detailed due diligence before moving to a Cloud environment.
  • The Solution Architect is the ultimate guide for the customer in terms of Security, Compatibility and Performance, and in making the Cloud journey successful.

Only if both aspects are kept in mind can Enterprises truly enjoy the benefits of Cloud Computing without fear of security violations.

For more information on Mindtree Cloud Services, please write to Ims.Consultants@mindtree.com

Arunvignesh is a Technical Architect at Mindtree. He has the vision, architectural skills and experience to elevate any application, computing platform infrastructure or data operation to the Cloud.