First of all, it is important to know that cloud security differs considerably depending on the type of cloud and the way cloud services are consumed. Among these services, there are three main categories: SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).
Overall, the security of the cloud is quite distinct between the PaaS / IaaS part and the SaaS part. This is materialized by the principle of the shared responsibility model. When consuming a cloud service, the customer will have access to a certain perimeter with a certain number of data layers or infrastructure depending on the category of cloud service.
This model makes it possible to determine on which perimeter of the service the responsibility of the cloud provider or the customer is engaged. The security part will also be shared on the data layers for which the customer will have responsibility, so the customer must ensure the security of its perimeter.
In the context of SaaS, to give an example, Microsoft Office 365 is a service where the customer integrates its data and does not have access to all the lower layers of the service. Since the customer has little access to the configuration of the service and consequently to security, he can contractually demand a level of security from his supplier who will have control over the configuration of the service.
On the contrary, on PaaS or IaaS solutions, the customer will have access to the lower layers and will therefore be responsible for configuring them to ensure their security if they are not managed by the service provider. The customer can still require certain elements, but the customer will be responsible for a significant portion of the configuration and secure use of the cloud service.
The security of the cloud particularly raises a contractual issue since it is not the customer’s service itself but that of a third party. This raises security issues in its own right, and in particular the question of what the customer can demand of its supplier in terms of data security. These requirements are likely to change depending on the nationality of the supplier.
This security issue also leads to organizational changes. The consumption of cloud services must involve rethinking the organization of the IT department and the way it operates in the broadest sense, with security included in the new processes. In this agile approach, security must also be included with DevSecOps type practices.
Just a few years ago, customers were reluctant to move towards cloud solutions, but today, the subject has gained consensus and is becoming more and more important. One of the major factors in its development is the Office 365 solution from Microsoft Azure.
The market trend on the customer side is to launch large cloud migration programs in order to be supported in this process, whether they use a single provider or several. The topic of multi-sourcing is particularly important right now. Customers are also asking how they can organize their IT departments to adopt agile and DevOps principles and thus achieve their transformation in an intelligent way. The objective is not to “lift and shift”, i.e. to migrate an existing on-premise application directly into the cloud without making any changes or redesigning it.
Customers realize that managing their information system involves very high costs and that this does not correspond to their core business. The cloud offer allows companies with this expertise, the service providers, to carry out the migration of these cloud platforms. This allows the customer to focus on their business processes and reduce the time to market, the time it takes to realize an initial idea and deliver a finished product to consumers.
In terms of security, a trend for large programs is to support secure cloud migrations. This involves several elements:
- Support on the contractualization with the cloud provider regarding the shared responsibility model and what the customer can or cannot migrate;
- On the organization of the IT department so that it becomes DevSecOps, an approach that makes it possible to integrate security into the entire life cycle of projects, from development to implementation, using flexible methods and the DevOps approach;
- For more advanced customers who have already begun a migration and who already have a multicloud, the objective is to accompany them in the harmonization of these different cloud platforms and in particular in terms of security.
The trend among cloud security vendors is to offer multi-cloud solutions, but to separate the different types of cloud (IaaS, PaaS, SaaS) in order to offer specialized tools. The latest market trend is the so-called CSPM (Cloud Security Posture Management) tools that enable compliance checks on multi-cloud platforms. In terms of encryption, which is a sensitive issue for our customers, the dynamics of multicloud support are based on service offerings such as HSMaaS or KMSaaS, which enable the provisioning of keys belonging to the customer – of the BYOK type – that can be used from one cloud to another.
From a technological point of view, the basic trend remains serverless. This is a cloud development model that allows developers to build and run applications without having to manage servers. Containerization technologies such as Docker or Kubernetes are currently being deployed on a large scale by our customers, leading to major security issues.
Customers with a low level of maturity on the subject who are reluctant to migrate to the cloud are generally entities that process data with a very high level of confidentiality (e.g.: healthcare providers, military, etc.). They wonder how they can trust an American company. Currently, when we talk about the cloud, we are mainly talking about American players: Microsoft, Amazon and Google, which own almost the entire public cloud market.
To answer this question, we put forward that when you use a cloud provider, you have to have complete confidence in it. The objective is to define the cont… This can be done through a contractual guarantee, security controls, etc. Note that encryption will never prevent the provider from accessing the data, so it is important to ensure that the cloud is secured against real threats.
Of course, we accept a very small risk that the provider can access our data, since it is transmitted to him, but the risk is negligible compared to the risk, as a customer, of misconfiguring the cloud service. Thus, the main security incidents in the cloud concern the theft of data exposed publicly through storage services (S3 bucket, Azure storage, etc.). The provider is not responsible in these cases since it is up to the customer to guarantee the correct configuration of the PaaS services they use so that they are used in private and not exposed mode.
This obviously requires an effort on the skills to consume cloud services in an intelligent way while securing it.
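The storage-exposure incidents described above come down to a few configuration controls that the customer, not the provider, owns. The following is an added example (not code from the original article or from Wavestone) of a CSPM-style check that decides whether an S3 bucket is publicly exposed by combining the three AWS controls involved: the Public Access Block settings, the bucket policy and the bucket ACL. The bucket configurations in the block are constructed for illustration.

```python
"""Added example: decide whether an S3 bucket is publicly exposed.

Three controls decide exposure on AWS S3:
  - Public Access Block (account/bucket setting): RestrictPublicBuckets
    neutralises a public bucket policy, IgnorePublicAcls neutralises public
    ACL grants. (BlockPublicPolicy / BlockPublicAcls only prevent *new*
    public settings from being written, so they do not change current exposure.)
  - the bucket policy (IAM-style JSON document)
  - the bucket ACL (legacy grants to the AllUsers / AuthenticatedUsers groups)
All sample inputs below are constructed.
"""
from typing import Any, Dict, List

# Canned ACL grantee URIs that mean "anyone" / "any AWS account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

READ_ACTIONS = {"s3:GetObject", "s3:*", "*"}


def _principal_is_anonymous(principal: Any) -> bool:
    """True if a statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def policy_grants_public_read(policy: Dict[str, Any]) -> bool:
    """True if an Allow statement lets anonymous principals read objects and
    carries no Condition block that could narrow the grant."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition (e.g. a source-VPC endpoint) may restrict the grant;
            # this check treats it as "review manually", not as public.
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(a in READ_ACTIONS for a in actions):
            return True
    return False


def acl_grants_public(acl_grants: List[Dict[str, Any]]) -> bool:
    """True if any ACL grant targets one of the public grantee groups."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES
               for g in acl_grants)


def is_bucket_publicly_exposed(public_access_block: Dict[str, bool],
                               policy: Dict[str, Any],
                               acl_grants: List[Dict[str, Any]]) -> bool:
    """Combine the three controls; the Public Access Block settings win."""
    pab = public_access_block
    policy_exposed = (policy_grants_public_read(policy)
                      and not pab.get("RestrictPublicBuckets", False))
    acl_exposed = (acl_grants_public(acl_grants)
                   and not pab.get("IgnorePublicAcls", False))
    return policy_exposed or acl_exposed


# --- constructed sample configurations -------------------------------------
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}

PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]}

PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]}

PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": PUBLIC_ACL_GRANTEES and
                           "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]

if __name__ == "__main__":
    print("public policy, no PAB :", is_bucket_publicly_exposed(PAB_OFF, PUBLIC_POLICY, []))
    print("public policy, PAB on :", is_bucket_publicly_exposed(PAB_ON, PUBLIC_POLICY, []))
    print("private policy, ACL   :", is_bucket_publicly_exposed(PAB_OFF, PRIVATE_POLICY, PUBLIC_ACL))
```

In a real CSPM run the three inputs would come from the provider API for every bucket in every account; the decision logic stays the same, and the "condition present, review manually" branch is where most false negatives hide.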
For more advanced customers, vendor locking is a dominant topic. If tomorrow, the cloud provider with which the customer is collaborating stops its activity or is unavailable for a defined period of time, the customer loses access to its IS. This is why customers are turning to multi-cloud strategies.
At Wavestone, we believe that the cloud can be a facilitator for IS security. It’s a gateway to building an IS on a sound basis and relying on technologies that work. You can take advantage of this to put security in the right place from the start and one of the keys to doing this is automation.
Automation needs to be put in place in deployment, infrastructure but also security to get real value. If the customer sets the right security rules and these technical rules are translated into the integration and deployment chains (CI/CD), the customer will have the guarantee that the deployment of its resources and infrastructures will be secure as soon as they are deployed.
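The previous paragraph, together with the DevSecOps and BYOK points made earlier, describes security rules that are translated into the CI/CD chain so that resources are secure the moment they are deployed. The block below is an added example of such a policy-as-code gate, not code from the original article or from Wavestone. The plan format is a simplified stand-in for real IaC plan output, the resources are constructed, and the two rules (storage encrypted with a customer-managed key, no management ports open to the whole internet) are this example's own choice.

```python
"""Added example: a policy-as-code gate for a CI/CD pipeline.

Reads the resources a deployment is about to create (a simplified,
constructed plan format) and returns findings; the pipeline fails the build
when findings exist, so an insecure resource is never deployed.
"""
import ipaddress
import sys
from typing import Callable, Dict, List

MANAGEMENT_PORTS = {22, 3389}  # SSH and RDP


def rule_storage_encrypted_with_cmk(res: Dict) -> List[str]:
    """Storage must be encrypted at rest with a customer-managed (BYOK) key."""
    if res["type"] != "storage_bucket":
        return []
    enc = res.get("encryption") or {}
    if not enc.get("enabled"):
        return ["storage bucket without server-side encryption"]
    if not enc.get("customer_managed_key_id"):
        return ["storage bucket encrypted with a provider-managed key (no BYOK key)"]
    return []


def rule_no_management_ports_from_internet(res: Dict) -> List[str]:
    """No security-group ingress may expose SSH/RDP to 0.0.0.0/0 or ::/0."""
    if res["type"] != "security_group":
        return []
    findings = []
    for rule in res.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen != 0:
            continue  # only "anyone on the internet" ranges are in scope
        ports = set(range(rule["from_port"], rule["to_port"] + 1))
        exposed = sorted(ports & MANAGEMENT_PORTS)
        if exposed:
            findings.append(f"management port(s) {exposed} open to {rule['cidr']}")
    return findings


RULES: List[Callable[[Dict], List[str]]] = [
    rule_storage_encrypted_with_cmk,
    rule_no_management_ports_from_internet,
]


def evaluate_plan(plan: Dict) -> List[str]:
    """Run every rule over every resource; return human-readable findings."""
    findings = []
    for res in plan.get("resources", []):
        for rule in RULES:
            for msg in rule(res):
                findings.append(f"{res['name']}: {msg}")
    return findings


# --- constructed sample plan ------------------------------------------------
SAMPLE_PLAN = {"resources": [
    {"type": "storage_bucket", "name": "app-logs",
     "encryption": {"enabled": True, "customer_managed_key_id": "key-id-placeholder"}},
    {"type": "storage_bucket", "name": "app-uploads",
     "encryption": {"enabled": True}},                       # provider-managed key
    {"type": "security_group", "name": "web-sg",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"type": "security_group", "name": "bastion-sg",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                 {"cidr": "10.0.0.0/8", "from_port": 3389, "to_port": 3389}]},
]}

if __name__ == "__main__":
    results = evaluate_plan(SAMPLE_PLAN)
    for line in results:
        print("FAIL", line)
    # Non-zero exit status is what makes the pipeline stage block the deployment.
    sys.exit(1 if results else 0)
```

The value of this pattern is that the rule set is versioned next to the infrastructure code and reviewed like any other change, which is how the "right security rules" of the paragraph become a guarantee rather than a checklist.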
Wavestone also assists clients in contracting with cloud providers. We help our clients build landing zones, i.e. the basis of the security architecture that will be deployed in the cloud. Our teams are embedded in cloud centers of excellence at our customers’ sites and work every day to secure cloud infrastructures. We also have the capacity to help our customers in their agile transformation and especially on DevSecOps topics, in order to bring security closer to their projects.
The emerging trend of the moment is Zero Trust. This is a new security model that responds to the challenges of the cloud and current uses of mobility of people and data. The Zero Trust model aims at granting access on a need-to-know basis and thus putting security closer to the resources.
The objective is to put the user at the center with the guarantee of
The system is able to control access to a resource whenever someone expresses the need for it. This verification will be done regardless of its origin, even if it is an internal collaborator. Identity and authentication are central, as are the means of detection and control.
The definition of least privilege allocation algorithms and systematic verification for each new access request are vast topics around identity governance for our customers. Their technological translation, as with Azure AD to quote Microsoft’s technology, requires solid technical knowledge and change management to be able to identify and configure the right authentication means (MFA, temporary rights assignment, etc.) and controls (Conditional Access Policy, sign-in logs, etc.) available.
This model is particularly well suited for cloud use since most public cloud providers allow the use of more reliable and configurable technologies than on-premise to manage identities, authentication and detection.
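To make the Zero Trust principles of the preceding paragraphs concrete (verification of every request regardless of origin, least privilege, temporary rights assignment, and a sign-in record for detection), here is an added example of a minimal access decision. It is not code from the original article, from Wavestone, nor an implementation of Microsoft's Conditional Access; users, resources, grants and request contexts are constructed for illustration.

```python
"""Added example: a Zero Trust access decision evaluated on every request.

Design points the code enforces:
  - access exists only through an explicit need-to-know grant (standing,
    least-privilege permissions or a time-boxed just-in-time grant);
  - identity is verified with MFA on every request; where the request comes
    from (corporate network or internet) is never a reason to skip a check;
  - sensitive resources additionally require a compliant device;
  - every decision is written to a sign-in log so detection can run over it.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass
class AccessRequest:
    user: str
    resource: str
    action: str
    mfa_completed: bool
    device_compliant: bool
    source: str          # "corporate_network" or "internet"; recorded, not trusted
    at: datetime


@dataclass
class TemporaryGrant:
    """Just-in-time rights that expire on their own."""
    user: str
    resource: str
    actions: Set[str]
    expires_at: datetime


@dataclass
class Policy:
    standing: Dict[str, Dict[str, Set[str]]]   # user -> resource -> actions
    temporary: List[TemporaryGrant]
    sensitive_resources: Set[str]
    sign_in_log: List[Dict] = field(default_factory=list)


def permitted_actions(policy: Policy, user: str, resource: str, now: datetime) -> Set[str]:
    """Union of standing permissions and still-valid temporary grants."""
    actions = set(policy.standing.get(user, {}).get(resource, set()))
    for grant in policy.temporary:
        if grant.user == user and grant.resource == resource and grant.expires_at > now:
            actions |= grant.actions
    return actions


def decide(policy: Policy, req: AccessRequest) -> str:
    """Return 'allow', 'deny' or 'require_mfa' and record the decision."""
    if req.action not in permitted_actions(policy, req.user, req.resource, req.at):
        decision = "deny"            # no need-to-know grant (or it expired)
    elif not req.mfa_completed:
        decision = "require_mfa"     # same answer from inside or outside the network
    elif req.resource in policy.sensitive_resources and not req.device_compliant:
        decision = "deny"            # sensitive data only from a managed device
    else:
        decision = "allow"
    policy.sign_in_log.append({"at": req.at.isoformat(), "user": req.user,
                               "resource": req.resource, "action": req.action,
                               "source": req.source, "decision": decision})
    return decision


# --- constructed policy and requests ----------------------------------------
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def sample_policy() -> Policy:
    return Policy(
        standing={"alice": {"hr-payroll": {"read"}},
                  "bob": {"wiki": {"read", "write"}}},
        temporary=[TemporaryGrant("bob", "hr-payroll", {"read"}, T0 + timedelta(hours=1))],
        sensitive_resources={"hr-payroll"},
    )

def request(user, resource, action, mfa=True, compliant=True,
            source="internet", at=T0) -> AccessRequest:
    return AccessRequest(user, resource, action, mfa, compliant, source, at)

if __name__ == "__main__":
    pol = sample_policy()
    print(decide(pol, request("alice", "hr-payroll", "read")))                             # allow
    print(decide(pol, request("alice", "hr-payroll", "read", mfa=False, source="corporate_network")))  # require_mfa
    print(decide(pol, request("bob", "hr-payroll", "read", at=T0 + timedelta(hours=2))))   # deny (JIT expired)
    for entry in pol.sign_in_log:
        print(entry)
```

The second request in the usage section is the Zero Trust point in one line: an internal collaborator on the corporate network without MFA gets exactly the same answer as an external one, and the sign-in log keeps the evidence that detection tooling would work from.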
Continue reading: https://www.riskinsight-wavestone.com/2021/12/les-enjeux-et-les-tendances-de-la-securite-du-cloud-risk-insight/