Companies considering adopting the cloud, and those that already leverage it, should know one thing when it comes to security: there is no single cloud security approach.
Collectively there are a small number of companies that are not yet ‘ready’ to adopt a ‘cloud first’ mindset, but having said that, 80% of them have plans to increase investment in cloud adoption within the next couple of years. I think it’s fair to say cloud is not going away. Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) are the two most used cloud service models, with Platform-as-a-Service (PaaS) the aspiration where possible.
Each cloud service model calls for a different security strategy. I work with many different clients, from public to private and health to finance sectors, and one of the most common daily challenges I come across is coming to terms with sharing your datacentre with the cloud provider (Microsoft, AWS, etc.), where you as the client now have a shared responsibility.
This is more of a shift in mindset, and it requires education as to what you are responsible for and what the cloud provider is responsible for. For the provider’s share, you typically must simply ‘trust’ that they are protecting your services accordingly. Of course, they do hold a number of international and industry-specific compliance standards.
For example, Microsoft Azure says:
“Azure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards, such as Australia IRAP, UK G-Cloud and Singapore MTCS. Rigorous third-party audits, such as by the British Standards Institute, verify Azure’s adherence to the strict security controls these standards mandate.”
and Amazon Web Services says:
“The infrastructure and services provided by AWS are approved to operate under several compliance standards and industry certifications. These certifications cover only the AWS side of the shared responsibility model; customers retain the responsibility for certifying and accrediting workloads that are deployed on top of the AWS-provided service. We demonstrate our compliance posture to help you verify compliance with industry and government requirements. We engage with external certifying bodies and independent auditors to provide you with considerable information regarding the policies, processes, and controls established and operated by us.”
Standards include: CJIS, CSA, HIPAA, FedRAMP, FIPS, SOC 1, SOC 2, SOC 3, ISO 27001, ISO 9001, IRAP, etc.
It’s important to evaluate the security capabilities of the cloud provider’s native tooling before you go to the marketplace in search of other products. Remember that the cloud provider is more likely to have broader coverage of its own product, and of any new features that come about, than any third-party tooling. As it stands, no one product covers both Azure and AWS in terms of security in their entirety, and believe me, I’ve looked. Therefore it’s important to establish appropriate skills within the security operations and the information and risk teams, so they know how to manage incidents and how to configure appropriate logging and monitoring alerts.