User:Shawndouglas/sandbox/sublevel1

From LIMSWiki
Jump to navigationJump to search
Virtual data room.png

For any organization, managing security is a challenging yet necessary part of operations. This includes deciding on and implementing physical controls like locks, alarms, and security staff, as well as IT controls like passwords, role-based access control, and firewalls. Much of this security is governed by standards, regulations, and common business practices. Yet while those standards, regulations, and practices also play a pivotal role in how cloud services should be rendered and managed, it would be foolish to forget the human element of cloud security. Employees, contractors, and other users who misconfigure cloud resources, fail to implement robust cloud security architecture, fail to practice proper identity and access management, fall for phishing and other account exploitation attacks, poorly design application programming interfaces (APIs), or maliciously access and sabotage resources all pose potential risk to the security of cloud-based system.[1]

While these and other security concerns of CSPs are valid, concerns are beginning to shift more towards how the decisions of an organization’s senior management affect the human element within the organization using and managing cloud services.[1] Fortunately, the traditional management-driven business approaches towards on-premises computing projects—getting management buy-in; developing goals, scope, and responsibility documentation; identifying computing requirements and objectives; identifying risk; documenting and training on processes and procedures; monitoring performance; and employing corrective action[2]—still largely apply to cloud implementation and migration projects.[3][4]

Yet cloud security should be viewed more holistically, as a combination of standards, technologies, policies, and people influencing the end results. This sentiment is reflected in Kaspersky Lab's definition of cloud security, as "the whole bundle of technology, protocols, and best practices that protect cloud computing environments, applications running in the cloud, and data held in the cloud."[5] And as was suggested prior, addressing cloud security requires more than a narrow local networking-based cybersecurity approach. Maurer and Hinck noted in 2020 that "cloud security risks are different from other types of cybersecurity risks because cloud security is networked, concentrated, and shared."[6] The networking is often spread across multiple locations and services; those services are concentrated with only a few major CSPs, with security disruptions having a much broader effect for many customers; and security is a shared responsibility for those services, spread across at least two parties, requiring clear delineation of responsibility for security.[6] With the increased popularity of hybrid and multicloud, these networking challenges also increase complexity, which means more attention to security is required by not only the CSP but also the customer. Adopting security strategies such as the "zero trust" model, which assumes an attempted connection is untrustworthy until proven as trusted, increasingly make sense in these complex cloud environments. Requiring every user and device to verify first "helps security teams protect the enterprise against both sanctioned cloud deployments and shadow IT as well as cloud providers whose own embedded security isn’t as robust as the organization requires."[7]

Additionally, through its recent work on the challenges of conducting digital forensics in the cloud, NIST also highlights data replication, location transparency, and multi-tenancy as "somewhat unique" challenges to cloud computing, and by extension digital forensics in the cloud. Though digital forensics isn't the primary topic of this guide, it's useful to mention because the process of cloud computing forensic science includes determinations of chain of custody, data integrity, and confidentiality status of cloud computing data[8], all critical considerations of using, storing, and transferring regulated, protected data in the cloud, especially for laboratories.

This all leads to the questions of responsibility: who is ultimately responsible for the security of any given cloud service? From a shallow point of view, it may be easy, as a customer, to consider a CSP and say "their service, their responsibility." However, it's more complicated than that. This brings us to the topic of the shared responsibility model.

References

  1. 1.0 1.1 Cloud Security Alliance (2020). "Top Threats to Cloud Computing: The Egregious 11" (PDF). https://cloudsecurityalliance.org/download/artifacts/top-threats-to-cloud-computing-egregious-eleven/. Retrieved 21 August 2021. 
  2. Douglas, S. (July 2020). "Comprehensive Guide to Developing and Implementing a Cybersecurity Plan". LIMSwiki. https://www.limswiki.org/index.php/LII:Comprehensive_Guide_to_Developing_and_Implementing_a_Cybersecurity_Plan. Retrieved 21 August 2021. 
  3. Kearns, D.K. (December 2017). "Planning & Management Methods for Migration to a Cloud Environment". The MITRE Corporation. https://www.mitre.org/publications/technical-papers/planning-management-methods-for-migration-to-a-cloud-environment. Retrieved 21 August 2021. 
  4. Sheppard, D. (28 May 2015). "Managing a cloud computing project". IT World Canada. https://www.itworldcanada.com/blog/managing-a-cloud-computing-project/374832. Retrieved 21 August 2021. 
  5. "What is Cloud Security?". Resource Center. AO Kaspersky Lab. 2021. https://usa.kaspersky.com/resource-center/definitions/what-is-cloud-security. Retrieved 21 August 2021. 
  6. 6.0 6.1 Maurer, T.; Hinck, G. (31 August 2020). "Cloud Security: A Primer for Policymakers". Carnegie Endowment for International Peace. https://carnegieendowment.org/2020/08/31/cloud-security-primer-for-policymakers-pub-82597. Retrieved 21 August 2021. 
  7. Pratt, M.K. (14 December 2020). "Building stronger multicloud security: 3 key elements". CSO. https://www.csoonline.com/article/3584735/building-stronger-multicloud-security-3-key-elements.html. Retrieved 21 August 2021. 
  8. Herman, M.; Iorga, M.; Salim, A.M. et al. (August 2020). "NISTIR 8006 NIST Cloud Computing Forensic Science Challenges". NIST. https://csrc.nist.gov/publications/detail/nistir/8006/final. Retrieved 21 August 2021.