Let’s Face the Fact: Cloud is More Secure Than On-premise
In early 2015 the Swedish Transportation Agency decided to outsource some of its operations to IBM’s public cloud. This included, for example, driver’s license registry data with pictures of the license holders.
The common misconception about public cloud computing is that after moving to the cloud, organizations must give up their role in securing their own data as cloud service providers take over the compliance responsibilities.
This is not true. Cloud service providers will be responsible for the physical infrastructure of their data centers and customers’ network architectures per their mutual contract. Defining the compliance policies and identifying and labelling the classified data has been, and will remain, the customer’s responsibility.
Back to Case Sweden...
In May 2015, the Head of the Transportation Agency decided to deviate from several Swedish laws, as well as from the Agency’s own information security requirements, that would have protected the sensitive data the Agency holds.
During the investigation in July 2017 it emerged that neither Säkerhetspolisen (Sweden’s Security Service) nor the Transportation Agency had control over the people who handled information that could damage the security of the country.
If we disregard all illegalities performed by decision makers in influential positions as outliers, how can you as an organization prepare yourself for a successful cloud implementation in terms of security and compliance?
Public cloud vs. On-premise
First of all, security in the computing industry can be said to consist of both physical and virtual security. Neither of those is anything to take lightly.
The end result is not the same when you host a data center on your company’s premises and develop the virtual security framework without outside assistance as when you purchase the computing power as a service from a vendor. Such a vendor specializes in making its data centers as hard to breach as modern military bases, and its virtual security policies help guide legislation after years of experience and development at a scale that individual companies cannot match.
As hinted above, this blog post doesn’t leave room for discussion of whether on-premise computing comes close to public cloud in terms of security. Instead, it focuses on the risks at hand with cloud and explains how cloud service providers approach security issues.
According to Gartner, there are currently (August 2017) two major players dominating the cloud analytics market, and this blog post will use Microsoft’s policies as an example to explain how the big players approach security issues.
Shared responsibilities – Microsoft’s view
The chart below depicts Microsoft’s view on shared responsibilities in different cloud models. Depending on the cloud model, the responsibilities of the two parties differ. The seven sections in the shared responsibility model are among the most important factors every organization should focus on.
- With on-premise solutions, the customer is responsible for both physical and virtual layers (all aspects) of security.
- With IaaS solutions, all physical elements of security are managed by the cloud service provider. The customer, on the other hand, is fully responsible for, or shares responsibility with the vendor for, network configuration, the application layer, host infrastructure, data classification, clients, and access management.
- PaaS solutions build on the groundwork of an IaaS-type deployment, but unlike with IaaS solutions, the cloud service provider shares responsibility for access management and the application layer and is fully responsible for securing the network controls.
- With SaaS solutions, the cloud provider’s responsibilities grow at the application level, but the cloud customer still remains fully accountable for identifying and classifying the sensitive data.
Frequently asked questions:
1 - Does Microsoft have any security certificates to show for its policies?
Yes. Microsoft was the first major cloud service provider to adopt the first international code of practice for cloud privacy, ISO 27018, an addendum to the ISO 27000 family of Information Security Management Standards.
This new standard requires that...
- Cloud provider’s customers know where their data is stored
- They have a right to refuse the use of their data in marketing or advertising
- They know what’s happening with their Personally Identifiable Information i.e. return, transfer and secure disposal of personal information within a reasonable time
- The cloud provider will comply only with legally binding requests for disclosure of customer data i.e. in case of a criminal investigation, the cloud provider will always notify the customer unless it’s prohibited by law from doing so
2 - Who can access my data?
You can access it at all times.
Microsoft has the following guidelines when it comes to data access management. They restrict access not only by the customer’s unauthorized people but also by Microsoft’s own personnel and subcontractors.
Access to customer data essentially falls into two categories: physical and logical. Datacenters and their perimeters are protected by multiple layers of industry-standard security best practices, ranging from perimeter fencing to integrated alarm systems, around-the-clock video surveillance, multi-factor access controls and locked server racks.
Virtual access to customer data follows the principle of business need, applied through role-based access control, multi-factor authentication, and other controls.
3 - What about Microsoft personnel? Can they access my data?
No. Microsoft’s personnel don’t have default access to customer’s data. They are granted access only when it’s required, working under management oversight. In situations like these, they will only use customer data to provide you the contracted services e.g. troubleshooting issues.
4 - How about government?
No. Microsoft does not release customer data to government officials unless instructed by the customer or required by law.
All reports from requests made by government officials are visible at the Microsoft Transparency Hub to enforce Microsoft’s commitment to transparency.
5 - What are the biggest risks when operating with cloud platforms?
There are multiple risks and different reasons for their realization. Examples include data leaks, data losses, data corruption, cloud account theft and SLA issues.
The total risk factor is evaluated based on a risk’s impact and probability, i.e. high-impact, high-probability risks are the ones to prioritize when analyzing the security policies.
6 - What are the reasons then?
The main reasons for risk realization associated with the use of cloud platforms are typically human error, negligence or poor architectural choices. An example of these may be excessive or unreasonable use of open source solutions and their different versions, which can lead to difficult maintenance and/or inadequate service provision.