Keeping Your Sanity Securing IaaS, PaaS, and SaaS Cloud Services
In most organizations today, cloud services are a fact of life. Whether you’re deploying and managing servers in the cloud, building on top of a globally distributed platform, or consuming constantly updated services, the cloud is a fundamental part of your IT service delivery…whether you know it or not.
And why wouldn’t you move to the cloud? The business advantages are clear. You can greatly reduce the time to deploy new services, reduce your operational burden and costs, and rapidly iterate on new ideas.
There are security advantages as well.
While it may require a cultural shift in your organization to accept extending trust to your cloud service providers (CSPs), that trust is well placed. Top tier CSPs understand that they live and die on their reputation. It’s in their best interests to deliver a secure service to you.
Shared Responsibility
But that’s not to say that you don’t have responsibilities for security when using cloud services. All cloud services (regardless of SPI model: IaaS, PaaS, or SaaS) use this simple model.
Of the main areas of security, the CSP is always responsible for:
- physical
- infrastructure
- network
- virtualization
Depending on the service, you may be responsible for securing the:
- operating system
- application
And you are always responsible for:
- data
- service configuration
Put these areas together across all three SPI models and you get figure 1, “Shared Responsibility Model”.
Straightforward Strategy
Looking at cloud security in this manner brings clarity. You can take each type of service (IaaS, PaaS, SaaS) and apply reasonable security controls in order to fulfill your day-to-day responsibilities.
It’s important to note that we’re talking about day-to-day responsibilities here. You’re always responsible for the security of your deployments. However, you delegate some of the day-to-day work to your CSP. In these cases, you have to trust but verify the work your CSP is doing.
IaaS
When dealing with IaaS, most of the controls you are used to from the datacenter are still applicable. They’re just delivered in a different manner in order to optimize for the attributes of a cloud environment.
You see this with controls like intrusion prevention and filtering. Traditionally these were gateway controls; in the cloud it is now much more effective to deploy them directly on an instance or virtual machine. This maintains the scalability and flexibility of the cloud without sacrificing security.
PaaS
Platform deployments can be tricky to secure because of how intertwined your application is with the platform itself. This is a service type where secure design, a strong understanding of the CSP’s role, and programmable security controls are critical to a successful, secure deployment.
SaaS
Securing software delivered as a service is typically accomplished using a combination of a CASB (cloud access security broker) and configuring the native service controls in order to meet your security needs.
Not So Fast…Please?
While the plan for securing each service type is clear, the pace of change in this space is a major challenge.
Cloud services (of all types) are readily available. It’s never been easier to stand up a new application or service.
This rapid pace of innovation is a huge boon to business. IT is finally a consistent enabler within the organization.
The challenge is for security to keep pace.
Innovation is at an all-time high in the security space, but even with current levels of investment and effort, it’s difficult for security controls to keep pace with the new services being developed.
This rapid pace of change is leading to more and more security solutions being required to properly secure the vast number of services that each organization is using.
Putting It Together
The average organization uses a lot of services. Ok, I’m sure there’s an actual number but it’s hard to nail down. Depending on the source, the average is somewhere between 5 and 700. So let’s settle on “lots”.
Solid guidance exists on how best to secure each of these services according to your needs. The challenge is stitching the security of each of these services together into a cohesive whole.
The Roadmap
The industry (led by organizations like the Cloud Security Alliance, of which Trend Micro is a member) is working towards a common goal to help address this challenge.
The goal is to provide tools that organizations can easily get to work together (regardless of vendor) in order to provide a comprehensive security solution around cloud services.
The strategic vision and guidance is already in place with the Cloud Control Matrix (the CCM, a living document currently at version 3.0.1). This document lays out the types of controls that should be applied to various cloud services.
In addition to the CCM, there are a number of efforts in place to help organizations combine the right tools for their security needs. The Cloud Security Open API shows a lot of promise in helping make this a reality.
Separate from these efforts are the individual roadmaps for each cloud security tool. This is a very active and innovative space (yes, I realize I have a bit of bias here, but just look around at the number of cybersecurity startups and established companies’ efforts and I think you’ll agree).
But each of these efforts is a medium-term solution at best. What are organizations supposed to do now to address this problem?
3 Not So Easy Steps
When attempting to address this problem today there are 3 main areas where you should focus your efforts.
Reduce Your Exposure
First you want to try and reduce the organization’s overall exposure when it comes to using cloud services.
A solid first action is to attempt to inventory the number and type of services currently in use. To do this you should enlist a combination of technology and old-fashioned methods (a/k/a asking teams what they are using).
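One way to do the technology half of that inventory, as an added example that is not part of the original essay: walk a web proxy log, map destinations to a hand-maintained service catalogue, and keep the unknown destinations so they can be followed up with the teams using them. The log format, the hostnames and the catalogue are all constructed for this example.

```python
"""Inventory cloud services from proxy logs (added example, not the essay's code)."""
from collections import defaultdict

# Constructed catalogue: hostname -> (service name, SPI model). Real deployments
# would keep this in a CMDB or take it from a CASB's service directory.
SERVICE_CATALOGUE = {
    "storage.example-cloud.com": ("ExampleCloud Storage", "IaaS"),
    "api.example-paas.io": ("ExamplePaaS", "PaaS"),
    "app.example-crm.com": ("ExampleCRM", "SaaS"),
}

# Constructed sample log lines: timestamp, user, destination host, bytes sent.
SAMPLE_LOG = """\
2016-03-01T09:00:00Z alice storage.example-cloud.com 52428800
2016-03-01T09:05:00Z bob app.example-crm.com 1024
2016-03-01T09:07:00Z alice files.unknown-share.net 8388608
2016-03-01T10:00:00Z carol api.example-paas.io 4096
2016-03-01T10:30:00Z bob storage.example-cloud.com 104857600
"""

def classify_host(host):
    """Return (service, model) for a catalogued host (or a subdomain of one),
    otherwise ('UNKNOWN:<host>', 'unknown') so the gap is visible, not dropped."""
    for known, entry in SERVICE_CATALOGUE.items():
        if host == known or host.endswith("." + known):
            return entry
    return ("UNKNOWN:" + host, "unknown")

def inventory(log_text):
    """Aggregate distinct users and bytes sent per discovered service.
    Returns {service: {"model": str, "users": set, "bytes": int}}."""
    found = defaultdict(lambda: {"model": "", "users": set(), "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole inventory
        _ts, user, host, nbytes = parts
        service, model = classify_host(host)
        found[service]["model"] = model
        found[service]["users"].add(user)
        found[service]["bytes"] += int(nbytes)
    return dict(found)

if __name__ == "__main__":
    for svc, info in sorted(inventory(SAMPLE_LOG).items()):
        print(f"{svc:36} {info['model']:8} users={len(info['users'])} bytes={info['bytes']}")
```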
With a better idea of what you’re attempting to secure, you can then start working with the teams throughout the organization to ensure that they are aware of the risks and security challenges associated with the services they use.
An ongoing discussion and education campaign is a pillar of good security practice and critical to addressing the issue of multi-service use.
These discussions will also help inform your internal security policies. A strong, realistic policy will help establish a baseline for all stakeholders. It lays out the norms for your organization and acts as a standard to compare against for any new business initiatives.
Above all, the responsiveness of your internal IT services is instrumental in reducing your overall exposure. Many teams don’t want to go against policy or organizational standards but don’t have a choice when internal service delivery is unresponsive.
Centralized Monitoring
As exposure is inventoried and scaled back (hopefully), your next step should be to implement a robust monitoring practice.
This will require a lot of initial work with an ongoing effort.
The variety of services and security controls applied to those services creates a unique challenge for each organization.
In general, you want to start with the lowest common denominator for monitoring (access logs, basic API access, network traffic, etc.). Where possible these should be tied to business metrics and risk.
For example, knowing that a business unit’s use of a cloud storage service is increasing week over week is a good monitoring metric (GB used) tied to a business risk (the exposure of that data on a 3rd party service).
Due to the nature of the problem, your best approach is a lot of spit, glue, and hope. This step requires a lot of manual effort but is crucial to being able to answer the deceptively simple question, “where is the organization’s data stored and what’s its exposure?”.
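The storage example above, carried through as an added example that is not part of the original essay: take weekly GB-used figures per business unit, compute week-over-week growth, and weight the current footprint by data classification so the metric and the risk are reported side by side. The business units, the usage numbers, the classification weights and the 25% threshold are all constructed assumptions.

```python
"""Week-over-week cloud storage growth tied to exposure (added example, not the essay's code)."""

# Constructed weekly usage, as a CASB or provider usage API might report it:
# (business unit, service, data classification) -> GB stored per week, oldest first.
WEEKLY_GB = {
    ("finance", "ExampleCloud Storage", "confidential"): [120.0, 130.0, 170.0, 240.0],
    ("marketing", "ExampleCloud Storage", "public"): [50.0, 80.0, 120.0, 150.0],
    ("engineering", "ExampleCloud Storage", "internal"): [400.0, 405.0, 410.0, 402.0],
}

# Assumed weights: how much each GB of a classification matters if exposed on a 3rd party.
RISK_WEIGHT = {"public": 0.0, "internal": 1.0, "confidential": 5.0}

def wow_growth(series):
    """Fractional growth of the latest week over the previous one (0.0 if too little data)."""
    if len(series) < 2 or series[-2] <= 0:
        return 0.0
    return (series[-1] - series[-2]) / series[-2]

def sustained_growth(series, weeks=3):
    """True if usage rose in each of the last `weeks` week-to-week transitions."""
    tail = series[-(weeks + 1):]
    return len(tail) == weeks + 1 and all(b > a for a, b in zip(tail, tail[1:]))

def assess(usage, growth_threshold=0.25):
    """Turn the raw metric (GB used) into findings ranked by exposure.
    A finding is flagged on a sharp jump, or on sustained growth of non-public data."""
    findings = []
    for (unit, service, cls), series in usage.items():
        growth = wow_growth(series)
        exposure = series[-1] * RISK_WEIGHT.get(cls, 1.0)  # unknown classes count as internal
        flag = growth >= growth_threshold or (sustained_growth(series) and cls != "public")
        findings.append({
            "unit": unit, "service": service, "classification": cls,
            "gb": series[-1], "wow_growth": round(growth, 3),
            "exposure": exposure, "flag": flag,
        })
    return sorted(findings, key=lambda f: f["exposure"], reverse=True)

if __name__ == "__main__":
    for f in assess(WEEKLY_GB):
        mark = "REVIEW" if f["flag"] else "ok"
        print(f"{mark:6} {f['unit']:12} {f['classification']:12} {f['gb']:7.1f} GB "
              f"wow={f['wow_growth']:+.1%} exposure={f['exposure']:.0f}")
```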
Smart Service Choices
With time, your monitoring practice will mature and you’ll grow to have a better understanding of your business requirements.
The lessons you learn should be applied to selecting cloud services that align with your business needs as well as your security strategy and tactics.
The organization should select services that allow you to easily get data in and out, provide support for standard APIs (or at least logical and well supported APIs), and have a strong reputation for service and security.
Choosing a provider based on these attributes will go a long way to ensuring that you have a consistent approach to onboarding new cloud services.
Constant Learning and Improvement
Building a coherent security practice for organizations using multiple cloud services is a challenge today and will continue to be a challenge for the foreseeable future.
The most efficient way to address this challenge is to focus on:
- Reducing your overall exposure
- Centralizing your monitoring efforts
- Being smart about selecting your service providers
These three areas create a solid foundation for your security practice.
This will allow you to adapt and grow as the strategy for cloud security evolves, as more and more services support standard APIs, and as security technologies continue to provide innovative solutions that better address the new reality of modern IT service delivery.
This essay was built on a talk I presented at the CSA Summit during RSA 2016, “Defending The Whole. IaaS, PaaS, and SaaS”. It was originally posted in 2 parts on the Trend Micro blog (part 1, part 2). The slides are available on SlideShare.
For some additional thoughts and perspective on my talk, check out this piece by Rob Wright for TechTarget’s SearchCloudSecurity site.
Mark is a seasoned information security professional currently focused on researching & teaching cloud security and usable security systems at scale. Catch him on Twitter or at his site, markn.ca.