Module 5 - Technical Security Controls
This Course defines the different types of malware and outlines the impact that each one can have on an organisation’s computer systems. It also details the different methods through which networks can be accessed, and how the related security risks can be controlled. Finally, it defines what cloud computing is and explains the different deployment models, before looking at the security requirements of an organisation’s IT infrastructure and the documentation required to support this.
The objectives of this Course are to provide you with an understanding of:
- The different types of malware and the impact each one can have on an organisation’s computer systems
- Methods of accessing networks and how related security risks can be controlled
- The security issues related to networking services, including mobile computing, instant messaging and voice over IP
- Cloud computing deployment models and the security implications of cloud services
- The security requirements of an organisation’s IT infrastructure and the documentation required to support this
This Course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific pre-requisites to study this Course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at firstname.lastname@example.org if you are unsure about where to start or if you would like help getting started.
Welcome to this video on cloud computing.
Organizations are increasingly using cloud computing services which are provided online and consumed as a commodity.
This approach has many advantages, like service scalability, ease of deployment and reduced capital costs for IT equipment. However, there are also risks relating to the security arrangements and the ongoing reliance on a third-party organization for a critical service.
This video will define what cloud computing is and explain the different deployment models.
It will then explore the security implications of cloud services and identify the steps that can be taken to mitigate these.
Let’s start by looking at the characteristics of cloud computing which, according to the National Institute of Standards and Technology, are:
· That it’s an on-demand, self-service. The fact that an IT service is being provided online by a supplier doesn’t make it a cloud service; the customer’s ability to fire up and close down services on demand is an essential feature;
· It has broad network access; services should be accessible over the network using standard protocols;
· The cloud provider’s resources are pooled; particularly through the use of virtualization technologies, and made available to multiple clients in a multi-tenant environment;
· Services can be provisioned and released rapidly, either manually or automatically; and
· It can provide a measured service; resources can be monitored, controlled and reported to provide transparency to customer and supplier.
In a cloud service, a subscriber consumes services provided by a cloud provider. A subscriber can take many forms, including:
· A user working at a PC; and
· A server within the subscriber’s IT infrastructure, for example an organization might outsource their messaging infrastructure to a cloud provider.
A cloud can have a single tenant, known as a private cloud, or multiple tenants, either as a community cloud or a public cloud.
Cloud services are usually grouped into different logical layers in the service stack. These service models are:
· Software as a Service, or SaaS, which is the provision of software over a network rather than being loaded directly onto a local computer. In this case, applications are exposed as a service running on cloud infrastructure. The consumer doesn’t manage or control the underlying cloud infrastructure; this is entirely handled by the provider and includes the network, servers, operating systems, storage, and individual application capabilities. Examples of SaaS applications include SalesForce CRM, Google Apps and Microsoft Office 365;
· Platform as a Service, or PaaS, which is the provision of computing platforms that create the environment for a subscriber to develop and deploy their own network applications; and
· Infrastructure as a Service, or IaaS, which provides access to a virtual computer infrastructure, such as data storage or computing power over a network to complement local platform resources.
The consumer using the service doesn’t manage or control the underlying infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of selected networking components. An example is Amazon Elastic Compute Cloud (EC2).
The physical data centre where the hardware resides sits at the bottom of the stack. The level of abstraction and level of control changes as the services move up or down the stack.
These service models can be deployed in four different ways:
· Through the public cloud where access to the cloud computing service isn’t restricted to any particular entity or community of entities and is generally available to the public. It may be owned, managed and operated by any organization, exists on the premises of the cloud provider and could be hosted anywhere in the world;
· Through a private cloud where the infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers, business units, departments or teams. It may be owned, managed and operated by the organization or a third-party, and it could exist on or off premises;
· Through a community cloud where access is available for a community of entities. For example, a government-wide cloud providing for many different subscriber agencies. It may be owned, managed, and operated by one or more of the organizations in the community or a third-party, and could exist on or off premises; and
· Through a hybrid cloud where more than one of the other models operate together to provide a level of interactivity between the clouds that isn’t available in any other way.
The control that the service consumer has varies between the deployment models, with the private cloud giving the most control and the public cloud the least control.
Public and community clouds generally share the following characteristics:
· Low or zero up-front capital costs;
· Little operational responsibility for the organization. For example, if a hard disk fails, the subscriber doesn’t need to fix it;
· No requirement to know where the data is being stored or where applications are run from;
· Substantial scalability; if more or less processing power is required, levels can be adjusted quickly; and
· Leveraged economies of scale; the cloud provider runs data centres with tens of thousands of computers which is less expensive per computer than running a small machine room with a few systems.
If an organization has a private cloud, the costs are higher.
The control model changes for the different service and deployment models. With an IaaS service model deployed in a private cloud, the subscriber would have the most control. A public cloud with a SaaS service model provides the subscriber with the least control over the underlying systems.
In this context, control means:
· The ability to configure the service: in the SaaS model, the consumer has little ability to configure the service;
· Responsibility for security: in a private cloud, the provider is responsible for ensuring the service is secure and meets regulatory compliance requirements; and
· The location of the data: in a public cloud, the data could be located anywhere in the world. However, most providers allow customers to specify geographical regions where their data is stored and processed.
In a private cloud environment, the organization running the cloud is fully responsible and accountable for information security. However, in a community or public cloud, this responsibility depends on the service model selected.
As you can see, there are different degrees of responsibility for the subscriber and the provider. With the SaaS model, the provider is primarily responsible for security, whereas with the IaaS model, this changes to the subscriber.
The SaaS model is based on a high degree of integrated functionality with minimal customer control or extensibility. In contrast, the PaaS model offers greater extensibility and greater customer control, but fewer high-level features. Hence, with the SaaS model, the cloud provider is responsible for most aspects of security, compliance and liability.
Cloud computing should still be considered a form of outsourcing, so an organization needs to trust the suppliers contracted to deliver the service. To gain the trust of organizations, cloud providers must deliver security and privacy expectations that meet or exceed those available in traditional IT environments.
Now, let’s look at some of the legal implications of cloud provision, starting from the perspective of confidentiality, integrity and availability:
· Appropriate contractual measures must be in place to ensure personal information is protected, regardless of where the provider or its subcontractors are based. When contracting offshore, organizations need to ensure they can enforce the clauses of a contract.
Protecting privacy in a cloud environment is further complicated by the distributed nature of the systems and the possible lack of subscriber awareness of where data is stored.
· An organization may have contractual or regulatory obligations to keep certain information confidential which needs to be passed on to the cloud provider. The contract must also state that the provider should not sell, license or disclose subscriber information, except in response to legal requests.
· Both the service and the data should be constantly available and resilient.
Cloud providers also define a range of subscriber obligations. The primary one is an Acceptable Use Policy. This will be written in the cloud provider’s terms and conditions and will typically prohibit the following:
· Publishing or sharing of materials that are unlawfully pornographic or indecent, or that advocate bigotry, religious, racial or ethnic hatred;
· Sending spam;
· Conducting security scans, such as denial of service attempts and hacking;
· Distributing any sort of malware or spyware;
· Intrusive monitoring; and
· Attempting to subvert the cloud provider’s system infrastructure.
We’ll now move on to look at the security considerations when selecting a cloud provider.
The deployment model needs to fit with the organization’s requirements. In many respects, this is the most important decision because it will drive many of the other security considerations.
The next consideration is whether the cloud provider has any form of security certification for its services. For instance, have they been audited against ISO 27001? Also consider whether they’re a member of the Cloud Security Alliance and do they participate in the Security, Trust & Assurance Registry (STAR) scheme?
The organization’s data mustn’t be shared with any other tenant of the cloud service so the provider will need to provide a level of assurance that their data separation procedures and techniques are adequate. If the organization’s data is highly sensitive and separation is vital, especially in a multi-tenanted cloud, encryption should be used to protect the ‘information in transit’ on the network and ‘information at rest’ on the cloud-based virtual disks.
The service provider should also confirm that they can support the organization’s exit strategy from their service and give assurances that the data has been securely deleted.
One of the ways cloud providers keep their costs competitive is by locating their data centres in countries where labour, electricity and other overheads are low. So, the services could be delivered from anywhere in the world, and the organization’s data could be stored outside their national border.
Some cloud providers have a distributed network where data could be located in all their geographically separated data centres. If they provide resilience in the service, multiple copies of the data could exist in each of their data centres and they may not even be able to disclose where each copy is.
The organization will also need to establish whether the provider has a layered supply chain and ensure that all locations the equipment and physical assets are stored in meet the security requirements.
As data controller, the organization is liable if anything goes wrong. So, a Data Protection Impact Assessment should be completed, especially if some of the data centres are outside the organization’s national border.
The organization needs to establish the availability it requires and confirm that the cloud provider can meet that level. If it’s a business-critical service, alternative arrangements should be established. For example, it might be possible to switch to another cloud provider and quickly provision the services to their platform. That should be built into the cost model.
Most cloud providers use distributed and replicated file systems which ensure hardware failures or loss of a data centre doesn’t result in permanent service or data loss. However, there may be value in continuing to carry out traditional offsite backups of critical business data just in case.
Most organizations who run their own IT systems are careful who they use for critical or sensitive roles; in particular, system administrators and network engineers who have high levels of access to systems and information.
This is also the case in outsourced environments, where the organization maintains accountability for the people doing the work. Government departments insist that their outsourced service providers have a level of security clearance commensurate with the data they have access to.
If a cloud provider has a careless or untrustworthy system administrator working in their operations centre, the integrity and privacy of data will be at risk. Therefore, cloud providers should be able to satisfactorily confirm:
· Employee background and ongoing checks are performed;
· Administrative privileges are promptly removed when employees leave or change role;
· Training is provided to staff in critical and sensitive roles;
· The certifications and accreditations held by the company and individuals;
· The results of the latest external audit;
· Processes and procedures are documented for critical operations; and
· Administrator actions are tracked and audited.
Many of these questions are the same as those asked of a traditional IT managed service provider.
Finally, the organization should be entitled to audit the cloud provider. This is unlikely to include rights of access to the provider’s premises where relevant records and data are held, but will be provided by an independent auditor.
If forensic examinations are required, the organization should consider:
· Working with the cloud provider to produce a Forensic Readiness Plan; and
· Establishing the auditing requirements with the cloud provider, including defining what events are collected and how access to appropriate logs would be provided. This is critical if they need to support the incident management process.
Having seen some of the security considerations, let’s now look at some of the risks of cloud services compared to traditional IT services:
· In a traditional system, the availability of the service is dependent on how much money the organization invests in the infrastructure for things like resilient servers and networks. In most cloud environments, the availability of the service should be superior. This is especially true for community and public clouds. However, the subscribing organization must still address their networking availability, i.e. their access to the cloud service;
· For a traditional IT environment, the viability of the service is in the hands of the organization. However, with many new entrants into the cloud market, the long-term viability of the provider would need to be established;
· In a traditional environment, disaster recovery and business continuity management are owned by the organization. In a cloud environment the organization will still need to do some business continuity management planning for their buildings and business functions. The subscriber should understand the cloud provider’s capabilities in this area and have a backup plan in case the service catastrophically fails;
· Most organizations have a security incident team that interacts with the IT department. In a cloud environment the team needs to deal with the cloud provider’s response team;
· The key legislation and regulations to consider are ones related to privacy, like the Data Protection Act in the UK. In a traditional environment, compliance is within the organization’s control, whereas in a cloud environment the organization has lost some of the control and this requires appropriate contractual cover.
Although cloud services rely on virtualization, networking and other IT technologies, they’re essentially a different way to deliver IT services. So, it’s not surprising that some of the most serious risks in moving to the cloud are related to the organization’s business model.
For example, when an organization moves to the cloud to provide services to its own customers, its expenditure moves from capital expenditure (CAPEX) to operational expenditure (OPEX). This is often attractive in the short term as large amounts of capital don’t need to be provided up-front when launching a new service.
However, OPEX can be variable and sometimes hard to predict as it will depend on the demand for cloud resources. If there’s a mismatch between the income generated by the new service and the cost of the cloud resources consumed, then cash flow can be adversely affected.
There’s also a more fundamental problem. As an organization comes to rely on a cloud provider’s services, it will gradually lose the in-house resources and skills to provide those services. This will make it hard to move away from the cloud provider in future – which results in the problem of vendor lock-in.
This problem is made worse by the likelihood that, to make efficient use of the cloud provider’s services over time, the organization will increasingly integrate its business applications with the application programming interfaces, or APIs, of the provider. This will make it harder to migrate services from one provider to another. Therefore, perhaps the most important thing for an organization to have in place before moving to the cloud is an exit strategy.
That’s the end of this video on cloud computing.
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.