“Is the cloud secure?” – The most frequently asked question by anyone thinking of moving an on-premise application to the public cloud.
In much the same way an application like Thermo Scientific¢ Chromeleon¢ Chromatography Data System (CDS) can be configured and operated in a secure and compliant way, the cloud can be configured to provide security. Cloud service providers (CSP) operate a shared responsibilities model, making it clear who is responsible for the security of different parts of the cloud. Responsibilities also depend upon the cloud delivery model used.
Chromeleon¢ CDS can be deployed in the cloud using Infrastructure as a Service (IaaS), where the CSP is responsible for the security of the cloud and you are responsible for the security of everything inside the cloud. For example, user access, data, applications and network traffic.
However, CSPs are by no means washing their hands of you and your security. They offer best-practice advice, applications and services that can be used to manage identity and access controls, monitor activity and improve security.
Security of the cloud
Security of the cloud is like an onion or an ogre they all have layers.
When CSPs discuss security of the cloud they don’t just mean the efforts they make to protect the cloud from hackers, they include all measures taken to prevent system failure, so you don’t lose access to their services.
Perimeter security layer
This is all about protecting the physical server farms where the cloud is hosted. There are no public tours of cloud data centers and they are generally housed in non-descript buildings. Security guard- monitored CCTV provides an outer layer of protection. Site access is controlled and logged so only authorized personnel are allowed in, and there is a record of who accessed a data center and when.
Following the principle of least privilege, access to areas and information is restricted; individuals must have a legitimate business need to be granted specific privileges and physical access to server infrastructure.
Sound familiar? This is the equivalent of what you can do with Chromeleon¢ CDS administration. Defining roles and responsibilities giving the minimum privileges and access required to carry out legitimate tasks.
Environmental layer
Unlike Bond villains and criminal masterminds, CSPs don’t usually place their data centers inside active volcanoes. In fact, they try to select locations that mitigate environmental risks such as seismic activity, extreme weather, and flooding.
Applications can be deployed across multiple availability zones within a single region so, if the worst does happen, you can continue to use your application from a different data center in the same region. After all, being a CSP doesn’t make you immune to disaster.
Unsurprisingly CSPs have business continuity plans and regularly test these against what if scenarios.
“Everything fails all the time, so plan for failure and nothing fails.” — Werner Vogels, VP & CTO, Amazon.com |
Effective planning ensures that system failure is minimized and, if this does occur, then the means for quick recovery is possible.
Infrastructure layer
The infrastructure layer is a hardware life support system consisting of structural components like backup power, heating ventilation and air conditioning (HVAC) systems, and fire detection and suppression equipment.
Infrastructure systems are routinely monitored, and preventative maintenance performed, minimizing downtime of both server and support infrastructure.
Human resource layer
“Companies spend millions of dollars on firewalls and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems. — Kevin Mitnick, cyber security consultant |
People are the weakest link in the security of any system, whether this is accidental or malicious. This is true for any organization, including CSPs.
How many of us have received a phishing email? Did you recognize it and report it? Hopefully you don’t write your passwords down on a sticky note and place it on the bottom of your keyboard?
This layer of cloud security attempts to address the human weak link. Examples of human resource security measures include:
- Documented onboarding of personnel including background checks where applicable
- Code of conduct training to ensure that employees and contractors understand their responsibilities and are suitable for the roles
- Security awareness education and training (for example simulated phishing)
- Documented off-boarding and access removal procedures
Data layer
When using the IaaS model of cloud deployment, you are responsible for the security of your data, but CSPs must comply with rules surrounding data security. For example, any decommissioned storage media must be disposed of following the techniques detained in NIST800-88. These and other guidelines can be found at National Institute of Standards and Technology | NIST along with other cloud guidance and cyber security resources. The UK governments National Cyber Security Centre is also a useful resource and has a cloud specific section. https://www.ncsc.gov.uk/
Security auditing
CSPs are audited by third-party organizations to ensure they comply with security frameworks and guidelines, providing them with security certification. For example,
- SOC 2: Security, Availability and Confidentiality
- ISO 27001: Security Management Controls
- ISO 27017: Cloud Specific Controls
It is interesting to note that documented information security awareness, education and training is a requirement of the ISO27001 standard – Annex 7A Human Resource Security.
Details of each CSP’s security measures and certification can be found on their websites. For example:
- Cloud Security Amazon Web Services (AWS)
- Azure security – Microsoft Azure
- Security, Privacy, and Cloud Compliance- Google Cloud
You will be given access to audit report documentation as part of a contract with a CSP.
Summary
Is the cloud secure? From the third-party cloud security auditors’ point of view yes, it is.
The CSPs have their responsibilities covered. It is, after all, their business to provide computing infrastructure that is secure and always available for your application and data.
The security measures they implement are far above what many organizations could afford and provision for their own server rooms and information management systems. Would you pass an ISO27001 or SOC2 audit?
The third-party security audits and certification prove CSPs continually adhere to best practices and standards. The good news is you inherit this security when renting cloud infrastructure and services. I’m not saying things can’t possibly go wrong, but CSPs have the resources to recover quickly if they do.
Security of the cloud is one of the potential benefits of deploying Chromeleon¢ CDS in IaaS, the bad news is you are responsible for the security of what happens inside of your cloud.
How’s it working out for cloud customers? A survey of organizations around the world found:
Clearly there is room for improvement.
In my next post (don’t forget to subscribe), we will look at some of the key considerations, concepts and services than can be used to keep an application like Chromeleon¢ CDS secure inside the cloud.
Further reading
The Thermo Fisher Connect Platform provides cloud-based data storage, scientific apps and peer collaboration tools. The following white paper describe the security arrangement for the Connect Platform.
Thermo Fisher Scientific Connect Platform – Security Guide
If you enjoyed this post, you’re going to want to read: Cloud Security Part 2: Cloud Customers’ Responsibility