The cloud has been central to the business workings of organisations. Reliance on the cloud as a central storage tool highlights the importance of security. With important data and documents and sensitive information stored away on the cloud, there is too much at stake. Intense effort and investment needs to be put into making sure cloud providers are providing these five main security features:
Standards based integration with identity management providers
Forming an integrated identity is crucial as it has become a key enabler, both to provision and de-provision access to company resources and data. Having an identity solution for their management tools that allows fast and easy integration with existing processes used by the customer helps facilitate this. This is done through a standards-based mechanism such as Security Assertion Markup Language (SAML) 2.0, OAuth 2.0 with OpenID Connect.
Another benefit is the complete control over password complexity rules, expiration and the ability to require various forms of multi-factor authentication. In addition to standards-based integration, the service should also provide an easy-to-use, stand-alone multi-factor authentication (MFA) mechanism for those customers who don’t already have an existing identity management solution. This encourages the customer to implement strong authentication measures which can help prevent malicious actors from being able to take over control of their accounts.
Securing specific API cells
Allowing for the integration flexibility is something business users have come to expect from cloud providers, and many cloud providers regularly provide application programming interfaces (APIs) that allow customers to integrate management of their cloud service into 3rd party management platforms or their own internally built applications.
This flexibility enables business customers to mould cloud services around their unique business needs, customising workflows or integrating cloud automations into their existing corporate or customer-facing applications. This enhances business agility, and competitive advantage, as well as provides valuable business capabilities for customers.
However, this also opens businesses up to risk as it introduces additional attack surface that must be properly protected. To safeguard against possible attacks, service providers should give customers API authentication mechanisms that are resistant to replay or man-in-the middle attacks and can be used to provide cryptographic validation of the API messages being sent. These authentication mechanisms should ensure that API commands can only be issued by properly authenticated endpoints, and that each message is authentic and hasn’t been tampered with using cryptographically sound techniques.
Multi-tier user management and billing
As businesses become increasingly complex, their needs become increasingly intricate as well. Cloud providers need to constantly evolve their services to match the expectations of their customers, especially in providing a flexible account structure that allows easy rollup of billing and usage information at the top level. All this while enforcing complete segregation of networks and hosts at the sub-account level.
The most important thing though is customer control – the customer should have complete control over which sub-accounts must be completely isolated, even from the parent account, and which sub-accounts are allowed to exchange data freely. This allows the segregation of production and development/QA, or perhaps meets a regulatory requirement that two different business units are prohibited from being able to share data between their systems.
Logging and reporting
Intricate services and functionalities are typically the focus of many cloud providers, and often, in their haste to meet customer expectation, they marginalise seemingly mundane tasks like collecting logging from the cloud environment and reporting.
While not a main focus of cloud providers, at a minimum, service providers should be able to provide detailed logging of all management actions performed through the provider’s user interface or through API calls. Access to this logging data should be provided both in the user interface as a reporting function, and in a real-time publish/subscribe method so it can easily be consumed by the customer’s existing log management system.
For those customers who don’t already have a well-developed log management and alerting mechanism, it would be ideal for the service to have an integrated add-on capability to perform log management and alerting within the customer’s cloud environment.
Staying relevant with patches is extremely important for service providers, and they typically update their templates used to create new machines to stay up to speed.
Once a virtual machine is launched, however, the responsibility to patch the system falls to the customer. This creates a gap in expertise, where customers fail to take the cloud environment into consideration for their patch management tools, creating a window of opportunity for attackers.
To mitigate against this potential risk, customers should look for a cloud service provider that offers an easy, integrated option that provides patch and vulnerability management for the customer environment. This would include regular (monthly) OS and application patching, along with vulnerability scans run at a frequency as required by the customer, and a dashboard where the customer can view up-to-date statistics on security vulnerabilities while trending the environment over time.