Waf Charm

Blog

AWS for beginners

Fundamentals of Cloud Security

【Table of contents】

  1. Similar points as on-premises
  2. Differences from on-premises
  3. Points to be aware of
  4. Conclusion
  • 1. Similar points as on-premises

    Here are the basics of cloud security and how it is similar to on-premises security.

    • a) Confidentiality, Integrity and Availability

      Information security is said to be about "protecting confidentiality, integrity and availability," and this is a fundamental idea that is no different whether you are on-premises or in the cloud. Confidentiality, integrity and availability are defined as follows.
      ・ Confidentiality: Information must not be leaked to unauthorized persons.
      ・ Integrity: Information should always be accurate and not be destroyed or altered.
      ・ Availability: The information must be accessible to authorized persons at all times.

      The following is a simple analogy using a home.
      ・ Confidentiality: The inside of the house must not be intruded upon or peeked into without permission.
      ・ Integrity: The house and furniture must be intact.
      ・ Availability: You can stay at home anytime if you are a family member.

      Therefore, "protecting confidentiality, integrity, and availability" is a fundamental idea that remains the same whether you're at home, on-premises, or in the cloud.

    • b) Flow of security measures

      In cloud security, the flow of security measures is the same as on-premises, and the international standard for information security called ISO27001 states that security measures should be taken in steps (1) to (4) below.
       (1) Determine the scope of application of security measures.
       (2) Think about the risks in the event of a security incident.
       (3) Consider and implement security measures.
       (4) Conduct audits and make improvements.

  • 2. Differences from on-premises

    Here are the basics of cloud security and how it differs from on-premises security. It's a cloud security-specific mindset, and one that you should pay particular attention to.

    • a) Understand the scope of your responsibilities

      As a fundamental part of cloud security, the scope of responsibility for security measures is different between cloud service providers and users. Most cloud services specify the scope of the service provider's responsibility and the scope of the user's responsibility. For example, AWS, the largest cloud service provider, has published a "shared responsibility model※" that clarifies the scope of responsibility. Below is an example of the scope of responsibility.

      | Layer       | IaaS              | PaaS              | SaaS              |
      |-------------|-------------------|-------------------|-------------------|
      | Application | Users             | Users             | Users             |
      | Middleware  | Users             | Users             | Service Providers |
      | OS          | Users             | Service Providers | Service Providers |
      | Network     | Service Providers | Service Providers | Service Providers |
      | Hardware    | Users             | Service Providers | Service Providers |
      | Data Center | Service Providers | Service Providers | Service Providers |

      Generally, the responsibility is divided as above, but please contact the cloud service provider you use for details. As a user, it is important to understand exactly which parts fall within your responsibility and to develop appropriate measures for them.

      ※Shared responsibility model in AWS
      https://aws.amazon.com/compliance/shared-responsibility-model/

    • b) Understand the characteristics of the data

      Putting data in the cloud means an increased risk of data leakage. Therefore, it is necessary to categorize the data you place in the cloud and correctly estimate the risk of data leakage. The greater the importance of the data, the greater the number of measures required to prevent data leakage and alteration. You also need to consider the option of not placing the data in the cloud if the data is at high risk of being leaked. For example, you can organize the following:

      | Types of data | Importance of data | Risks in the event of a leak | Necessary measures |
      |---|---|---|---|
      | Publicly disclosed information, such as company office locations, etc. | Low | Small | Tampering prevention is necessary. |
      | Company documents, etc., that are not disclosed to the public. | Medium | Medium | It is necessary to prevent tampering, encrypt, and limit access rights. |
      | Confidential information, such as customer credit card numbers, etc. | High | Big | Strict measures, such as PCI DSS, set by industry organizations and laws, are necessary. In some cases, it may be necessary to undergo a security audit. |


    • c) Select a trustworthy service provider

      Unlike on-premises, the cloud is contracted with a service provider such as AWS to use the service. You need to make sure that the service provider is operating the data center properly. Service providers, such as AWS, are required to obtain the following certifications from external public authorities to prove to users that they are operating their data centers properly. It is necessary to check beforehand what kind of certification the service provider has obtained.

      Examples:
      ・ ISO27001 (International certification for information security)
      ・ ISO27017 (International certification for cloud security)
      ・ PCI DSS (International certification for the security of credit card information)
      ・ NIST (Security approval by National Institute of Standards and Technology)

    • d) Checking the law

      If you operate on-premises in Japan, Japanese law applies, and if you suffer a cyber-attack, you can take your case to a Japanese court of law. However, this is not always the case in the cloud. It is necessary to find out which country's laws apply, if possible. In addition, some service providers may change the applicable laws.

  • 3. Points to be aware of

    Here are some points to be aware of when actually using the cloud.

    • a) Access routes

      When you connect to IaaS, for example a server, you go over the Internet. Therefore, you need to make sure that the access route is protected by a secure protocol such as SSL or SSH, and know how to configure that protection.

    • b) Destination of data

      When storing data in external storage in the cloud, you need to make sure that the data you're storing is encrypted, or that you're using a protocol, such as SSL, that can't be eavesdropped on. It is also important to be able to rotate the encryption keys used by the storage where the data is placed. In addition, consider the integrity and availability of the data and verify that the data can be backed up and restored properly.

    • c) Operation authority

      When you use the cloud, you will usually log in through a browser by entering your user ID and password. At that point, it is important not only to be able to enable one-time passwords and two-step authentication, but also to keep operation authority from leaking, and to configure things so that even leaked operation authority cannot be used to operate the environment. Also, if permissions can be set for each logged-in user, grant the minimum necessary permissions.

      Incidentally, there are bot programs running on the Internet that search for leaked authentication information. If authentication information is leaked and two-step authentication is not set up, unauthorized access can occur in as little as 30 minutes.
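      As an added illustration of the two points above (least-privilege permissions and not letting leaked authority be usable), not code from the Waf Charm post, here is a small Python audit of an AWS IAM policy document. The two policies are constructed samples; `aws:MultiFactorAuthPresent` is the real IAM condition key used to require MFA.

```python
import json

MFA_KEY = "aws:MultiFactorAuthPresent"  # real IAM condition key

def _as_list(value):
    # IAM accepts a string or a list in Action/Resource fields
    return value if isinstance(value, list) else [value]

def _denies_without_mfa(statement):
    """True if the statement is a Deny that applies when MFA is absent."""
    if statement.get("Effect") != "Deny":
        return False
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get(MFA_KEY, "")).lower() == "false":
            return True
    return False

def audit_policy(policy_json):
    """Return a list of findings; an empty list means no issues found."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, st in enumerate(statements):
        if st.get("Effect") == "Allow":
            if "*" in _as_list(st.get("Action", [])):
                findings.append(f"statement {i}: Allow with Action '*'")
            if "*" in _as_list(st.get("Resource", [])):
                findings.append(f"statement {i}: Allow on Resource '*'")
    if not any(_denies_without_mfa(st) for st in statements):
        findings.append("no Deny statement enforces MFA")
    return findings

# Constructed sample: an over-broad policy with no MFA requirement.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: least-privilege read access to one bucket, plus a
# Deny on everything unless the session was authenticated with MFA.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {MFA_KEY: "false"}}},
    ],
})
```

      Running `audit_policy` on the weak policy reports three findings; on the hardened one it reports none, because leaked credentials without an MFA-authenticated session are denied every action.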

  • 4. Conclusion

    The basics of cloud security are much the same as on-premises. However, there are some additional considerations on top of those. It's important to choose a secure cloud provider and to use it with consideration for the characteristics and access path of the data you place in the cloud.