CYBER SECURITY MUST KNOWS FOR CLOUD SERVICE PROVIDERS
WHAT IS CLOUD COMPUTING?
The Information Technology world is emerging and with fast pace, new innovative ideas are changing the scenarios constantly and cloud computing was one of those ideas which has changed the perspective of IT services.
Cloud Computing is a network of remote servers which are used to store, manage and process data via internet, instead of local servers or hard drives.
With ease of use and flexibility, it has become most usable IT services nowadays.
SECURITY RISKS ASSOCIATED WITH CLOUD COMPUTING?
Cloud computing transformed the way organizations store, use, and share data, applications, infrastructure and workloads. Cloud computing also provides a flexible model for simplified IT management, remote access, mobility, and cost-efficiency. With so much ease of access and flexibility most of the organisations are availing cloud services, however as more mission-critical applications migrate to the cloud, data privacy and software security are growing concerns. With so much data going into the cloud including critical data like PII and PHI —these resources become natural targets for hackers.
Availing IaaS or Moving web applications to the cloud does not make organisations inherently more secure. Organization nowadays might be ready to adopt the benefits of the cloud infrastructure. But you must also ensure you address all the potential security risks in cloud computing, especially public clouds.
WHAT IS CLOUD COMPUTING SECURITY?
Cloud computing security is the combination of guidelines and technologies controls, which are helpful to manage information security compliance and provides instructions for securing data applications and infrastructure identify with cloud computing use.
Cloud computing has many advantages, such as Ease of use for customer, speed and efficiency. But there are also many potential threats in cloud computing. These threats include human errors, misconfigurations, data breaches, insider attacks, account hijacking, and DDoS attacks. According to studies, businesses which are using cloud computing services are more prone to data breach and cyber-attacks in comparison of others.
CLOUD SECURITY: CHALLENGES AND SOLUTIONS
Below is the list of most critical cyber security challenges faced by Cloud Service providers.
1. Data Breaches:
A data breach is a result of infrastructure or application vulnerabilities, human error, poor security practices such as weak password, inadequate access control etc. Data breach is one of the top most security challenges, mostly public cloud because of different requirements by different customers. Solution to this problem is that organizations should always secure their databases which contains sensitive data like user credentials, by hashing and salting and implement proper logging and behavior anomaly analysis.
2. Human Error:
Human errors like clicking on malicious links, sharing data with unauthorised person, using weak passwords and not having maker checker procedures etc. are challenges in Cloud security. These errors are often at customer’s end. Training and awareness pertaining to Cyber Security, imposing strong password policy and segregation of duties can really resolve this issue. Proper monitoring is also necessary.
3. Insufficient Identity, Access and Key Management:
Hackers can act as legitimate users, developers, or operators can read, manipulate, and delete data; snoop on data in transit or release malicious software that appears to originate from a genuine source. Any unwanted service running on the server can allow access without authentication. Solution to this problem is implementation of preventative controls across all perimeters, and that organizations scan managed, shared and public environments for vulnerabilities.
4. Data Loss:
Data loss can be because of an accidental deletion by the cloud service provider, or a disaster like a fire or earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer .takes adequate measures to back up data, Solution to this problem is having a full proved Business Continuity and Disaster Recovery plan in place, performing data backups & testing regularly and conducting DR drills at regular intervals.
5. Insecure application programming interfaces (APIs):
APIs are exposed to public and so too attackers, an API is likely to be the initial entry point for attackers. Hackers exploit vulnerabilities of insecure APIs to get access to servers. Performing security assessment prior to deployment and after any significant change can help to identify the existing weaknesses and patching it.
6. Advanced persistent threats (APT):
APT uses sophisticated and continuous attack techniques to get access in Cloud infrastructure and monitor the Cloud provider’s activity and steal the data rather damaging the networks. In this the attacker gain access and remain undetected for long. Monitoring network on regular basis for abnormal behaviour, update latest antivirus signatures and scanning networks on regular basis can resolve this issue.
7. Insider Attacks/ Malicious Insider:
A malicious insider can be performed by any employee or any privileged user who has access to potentially sensitive information, and critical systems which contains critical data. Organisations which are doesn’t have their own IT security mechanism and solely dependent on cloud service providers are at higher risk. A Data Loss Prevention (DLP) solution along with event logging and monitoring is a solution for this challenge. A Confidentiality Agreement signed with employees will act as deterrence.
8. Distributed Denial of Service (DDOS) Attacks:
DDOS attack is a crafted malicious attack to disrupt normal traffic and prevent users of a service from being able to access their data or applications. Attacker can cause a system slowdown and leave all legitimate service users without access to services by forcing the targeted cloud service to consume inordinate amounts of finite system resources such as network bandwidth, processor power, memory or disk space. Implementing adequate network security measures like IDS, IPS, and Load Balancers and monitoring networks for anomalies. Having a robust Business Continuity plan will definitely help.
9. System Vulnerabilities:
System vulnerabilities are the weaknesses or loopholes in any application and network, which can be exploited by any malicious user to intrude into a system to steal or manipulate data, taking control of the system or disrupting service operations. Vulnerabilities within the components of the application and operating system put the security of all services and data at significant risk. In case of public cloud, application or systems from various organizations are sharing memory and resources, creating a new attack surface. Regular patch management, bug fixing and vulnerability management is the best solution for this issue.
10. Spectre and Meltdown:
Last but not the least, Spectre and Meltdown which are considered as the most catastrophic vulnerabilities where hackers can exploit Meltdown to view data on virtual servers hosted on the same hardware, potentially disastrous for cloud service providers. Spectre is worse –it is hard to exploit and even harder to fix.
In a nutshell the security solution is very crucial for any Cloud Service provider for their business .Compliance related to cyber security protect the organisation from unauthorized access, data breaches and other threats and also provide assurance and confidence to clients.
INFORMATION TECHNOLOGY (IT) RISK MANAGEMENT
What is Risk?
Risk is any unwanted event which impact organisation’s objectives to attain business goal.
There are various type of business risk exists in any organisation
- Strategic Risk
- Operational Risk
- Financial Risk
- Compliance Risk
Risk Management is a process of Identifying, analysis and evaluating the organisations risks and then providing appropriate controls in order to mitigate the risk.
What is IT Risk?
In this digital age most of the businesses are using Information Technology. Hence IT is playing very pivotal role in many businesses.
If any organisation use IT to manage their business, it is very important to understand and identify risk related to their information systems and data, then to manage and reduce the risk, and develop a response plan in the case of any IT crisis.
Nowadays business have regulatory and legal compliance obligations in relation to data privacy, electronics transitions and staff training which are the factors which can influence IT Risk Management strategies.
Main IT risks include software and hardware failure, malicious and virus attacks, humanerrors, misconfigurations as well as natural disaster like flood,fire earthquake and cyclones.
General IT Risk
These Risk can be subcategorised further:
- Hardware and software failure – Abuse of rights and Corruption of data ,Electromagnetic radiation ,loss of power supply
- Malware – malicious software designed to disrupt computer operation
- Viruses – computer code that can copy itself and spread from one computer to another, often disrupting computer operations
- Spam, scams and phishing – unsolicited email that seeks to fool people into revealing personal details or buying fraudulent goods
- Human error–error in data processing, data disposal errors, or accidental opening of infected email attachments.
Natural Disasters such as fire, earthquake, cyclone and floods also acts as risk to IT infrastructure. In absence of business continuity plan, it may lead to data loss, corruption in data records and unavailability of IT services to the customers.
How to Manage Information Security Risk?
Management of IT risk involves a series of activities in this chronological order:
- Risk Identification
- Risk Assessment
- Risk Mitigation
- Development of Response Plan
- Review of Risk Management procedures
How to reduce Information Technology Risk?
There are lots of risks and threats on business which can impact IT Operations. Applying appropriate measures will protect the IT system through unauthorised access.
Few steps to improve IT Security
- Proper access control to computer, servers, networks and Wi-Fi.
- Using strong password
- Encryption of critical data
- Using firewall. IDS ,IPS on the network
- Update software and antivirus with latest patches.
- Data backup for all the critical data
- Information security training and awareness to the staff
- Using secure software developments processes.
- Implementing SSL for secure online communication.
- Last but not the least having Cyber Security Insurance.
Few famous standards and frameworks which can help organisations to mitigate IT risks are:
- ISO 31000
- NIST Risk Management Framework
- ISO 27001
- ISO 27005
For any organisation risk identification is the first step for risk mitigation. An undetected risk is the most dangerous thing, a treatment methodology can be only be implemented once the risk is identified. Organisation need a right approach and skilled workforce to this job.Step by Step risk management process will help organisation’s to mitigate IT related risk and get an effective and efficient IT system to achieve business goals.
ISO 27001: ISO 27001 is a standard that is folloVendord for the Information Security Management System (ISMS) of an organization in which, the said company’s compliance status is checked, based on which new policies are created and applied. It’s a mandate in many sectors such as companies involved in the Cyber Security domain.ISMS includes the 3 major elements of cyber security: Confidentiality, Integrity, Availability (CIA).
To ensure compliance to the CIA in terms of ISO 27k1 the companies need to
- Assess the risks
- Formulate policies
- Implement policies
- Continuous monitoring & Updates
The departments/processes that go through the above mentioned process are both, IT & Non IT Infrastructure of a company, but the audit of ISO 27k1 is mainly focused on the IT Infrastructure of a company.
ISO 27001 Certification:
Being ISO 27001 Certified means, the certification body that you choose for this process (PECB or IRCA), gives you an attested confirmation that your organization is compliant to all the guidelines of ISO 27k1.
Now there are two types of certifications in ISO: Individual / Organization
The process for an Individual certified professional is completely different from that of a Certified Organization, these certified professionals then move on to performing the process of certifying the organization.
Types of ISO certified Professionals
- Lead Auditor
- Lead Implementer
A lead auditor is the one who is responsible for leading the audit team in an organization. He or she prepares the audit plan, delivers meetings and submits audit report at the end of quarter or year. Conducting audits is the main responsibility of a lead auditor and that needs to be done on a daily basis.
A Lead implementer is the one responsible for bringing the Lead auditor plan into action and makes sure all the policies are implemented and properly controlled.
Process of getting certified
According to PECB, the process for getting ISO 27k1 LA/LI certified is nearly not as lengthy for individuals as it is for the organizations.
- Previous experience: minimum 4 years of job experience in IT is crucial, out of which at least 2 years has to be in cyber security.
- Training & Examination: After attending 5 days of training in ISO 27k1 LA/LI, in the course outline guided by the certification body of your choice/requirement, you have to submitted a certain examination fee to the certification body, after which, an invoice in your name along with your exam question papers are prepared & sent to the authorized training center for you to attempt the exam.
- Certification process: After attempting the certification exam, the candidate fills the certification forms in which they put in the required information, In the back-end the certification body verifies the information given by the candidates and if the compliance is there, the certificate is issued.