Cloud computing security is the technology, policies, controls, and services that protect your cloud data, applications, and infrastructure from hackers, malware and ransomware, data leaks, and other cyber threats. Another common term for it is cloud security. Whatever you call it, the true meaning of cloud security and who is responsible for it are not always widely understood. So, when the question is whether cloud security ensures your applications, including mobile applications, are safe, the answer is, “It’s complicated.”
In this blog post, I lift the fog around cloud security so that you have a clearer understanding of just what it protects, where you are on your own, and what you can do with it.
What Are the Common Cloud Computing Security Issues?
In 2018, hackers accessed Tesla’s AWS environment to steal data and computing power, and they did it through Kubernetes, a cloud framework for managing containers (learn more about containers here). This is just one example of cloud computing security issues and challenges that organizations can face. Here are some other examples.
A Bigger Attack Surface
An attack surface is all the points in software that are vulnerable to cyber threats. The public cloud environment is complex, and that complexity increases the attack surface: hackers can exploit places in your network where data enters (“ingress ports” in security lingo) to access and disrupt workloads and data in the cloud. Malware, zero-days, account takeover, and many other malicious threats are a painful daily reality.
Workload Ups and Downs
One of the major benefits of the cloud is also one of its weaknesses. The ability to meet workload demands also means dynamically provisioning and decommissioning your cloud assets, at scale and at velocity. These ever-changing and ephemeral workloads can leave your organization exposed. Consider the case of Capital One, where a hacker used a misconfigured workload to access AWS computing resources for cryptomining, which requires massive compute power not available to the average hacker.
Vulnerable DevOps Pipelines
DevOps promotes a culture where pipelines are used for continuous integration and continuous deployment (CI/CD). When pipelines are delivered as cloud services, hackers can use them for nefarious purposes. The now-famous SolarWinds hack is an example. The hackers compromised the servers that take source code and build executable software, and injected their own malicious code into the SolarWinds software directly at the source.
Loose Privilege and Key Management
Organizations often configure cloud user roles loosely, giving them more privileges than they really need. For example, untrained users or users with no need to add or delete database assets often have permissions to do one or both. At the application level, improperly configured keys and privileges can expose sessions to security risks. In 2020, Google had to patch a privilege vulnerability in its OS Config service.
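One way to check for the over-privileged roles described above, as an added example that is not from the original post: a short Python audit of AWS-style IAM policy documents that reports delete-type database actions a role is granted but does not need, plus wildcard resources. The sample policies, the `NEEDED` set, and the `DESTRUCTIVE` watch list are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Delete-type database actions to watch for (real AWS action names; a short
# list chosen for this example, not an exhaustive catalogue).
DESTRUCTIVE = ["dynamodb:DeleteItem", "dynamodb:DeleteTable",
               "rds:DeleteDBCluster", "rds:DeleteDBInstance"]

# Constructed sample policies for a hypothetical read-only reporting role.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["rds:DescribeDBInstances", "rds:DeleteDBInstance"]},
]}
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/reports"},
]}
NEEDED = {"dynamodb:GetItem", "dynamodb:Query"}  # what the role really uses


def _as_list(value):
    """IAM accepts a single item or a list for Statement, Action, Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def audit(policy, needed):
    """Return (statement index, issue, detail) for each excess grant.
    Only Allow statements are inspected; Deny, NotAction and Condition
    are not evaluated here."""
    needed_lc = {a.lower() for a in needed}
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may contain * and ?.
            for action in DESTRUCTIVE:
                if (action.lower() not in needed_lc
                        and fnmatchcase(action.lower(), pattern.lower())):
                    findings.append((i, "unneeded-delete", action))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "wildcard-resource", "*"))
    return findings


if __name__ == "__main__":
    for finding in audit(LOOSE_POLICY, NEEDED):
        print(finding)
```

Run against the loose policy, the audit reports the delete actions hidden behind `dynamodb:*` as well as the explicit `rds:DeleteDBInstance` grant; the tight policy produces no findings.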
Many organizations and enterprises must comply with government and other regulations or risk significant fines. For example, in 2020, British Airways was fined $26,000,000 after the UK’s data protection authority discovered that a data breach that affected 400,000 customers was a result of insufficient security measures. Although this isn’t a threat per se, it can be an issue. In these cases, you must know where your data is, who has access to it, how you process it, and how you protect it.
Other regulations require that cloud providers hold certain compliance credentials. Even if your on-premises infrastructure meets these requirements, your cloud infrastructure might not unless you are using a platform-as-a-service (PaaS) that adds compliance to its arsenal, like this.
Cloud security addresses compliance and all the other issues that can put your organization at risk.
What Is Cloud Security Really All About?
Cloud computing security is an umbrella term for the procedures and technology required to secure the different varieties of cloud computing provided by a third party such as Amazon, Microsoft, and Google:
- Public cloud services, such as software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS), are delivered by a public cloud provider.
- Private cloud services are provided to one customer by a public cloud provider and operated by a third party.
- Hybrid cloud services combine private and public cloud computing configurations to host workloads and data. Generally, your organization manages them, although there is an option to use third-party providers.
- Multi-cloud services consist of SaaS, PaaS, and IaaS from more than one provider, such as when an organization uses Amazon Web Services (AWS) for unstructured data storage and Microsoft Dynamics 365 for customer relationship management.
“Third party” and “public” are the operative words here. They change the game and separate cloud security from traditional IT security and a private cloud managed internally. In the latter instances, security is solely the responsibility of your organization. But make a move to the public cloud, and suddenly you are sharing the responsibility for securing your cloud. Although this is one of the benefits of cloud security, it can also be the most confusing.
What Is Security Management in Cloud Computing? Who Is Responsible for What?
Security management in cloud computing is the more specific term for safeguarding and protecting all elements of a cloud implementation from cyber attack. A common misconception about cloud security management is that it is the sole responsibility of cloud providers. It’s true that providers do have certain cloud security management responsibilities. However, you also have certain responsibilities.
Simply put, if you are running anything on a cloud that is not your own private cloud, both your provider and you share the responsibility for cloud security. Your provider secures the cloud itself and you secure what you put on the cloud. So, what does that mean in terms of what you will have to secure yourself? This chart breaks it down better than the extra 1000 words it would take me to go into more detail.
You might be thinking that this responsibility all just boils down to network security vs. application security, where the provider secures the network and you secure applications. Not so fast. The middle tier in the chart shows that the cloud provider is not responsible for local networking for IaaS implementations; that is the responsibility of the customer. For these reasons, network security and cloud security are not synonymous. Now that this distinction is all cleared up, let’s look at application security and how even that can get tricky.
Application Security: What You Own and What You Don’t
If you are developing your applications on the cloud and you’re using PaaS, your provider secures the development platform itself. For example, more than 200 (and growing) risk and security controls are built into the OutSystems platform. Those points cover application protection, continuity, and availability, data protection, infrastructure protection, policies, and procedures. In other words, you are developing applications in a secure environment and until they are on a customer’s device, they are protected. You can even reinforce them with OutSystems Sentry.
Once your applications are in the wild, you own their security. As you saw in the chart, you need to put controls in place to prevent unauthorized access and keep hackers away from the data assets, logic, and code specific to the application.
What About Mobile Application Security?
Cybercriminals now target B2C mobile applications more aggressively, leading to downtime, data exposure, intellectual property theft, and damage to brand reputation, not to mention those hefty fines for the industries and regions that must meet data security regulations. Mobile apps also have unique characteristics, such as rooting and jailbreaking, that can leave data and code exposed because these techniques separate mobile applications from the phone operating systems.
Like web applications built and delivered from the cloud, your PaaS provider only protects your mobile applications while they are in development. Once they are on a device, you are on your own. There are no open-source solutions, and seeking out third-party solutions can get expensive when you realize that they charge by the application. Fortunately, OutSystems is not your ordinary PaaS provider. You can learn more about how we can add mobile application protection to your services in this brief.