The New World - Cloud Computing

By: Moran Geva - Pen Tester, Cyber security consultant | Updated: 9/19/2022

Until recent years, clouds to us were the ones we see in the skies. They bring rain and occasionally block out the sun. But, in the modern technological age, the word "cloud" got an addition, "Computing" - which, as the name suggests, is far away, up in the air. But is it really so? What is cloud computing, how does it differ from what we know today, and how can we handle the changes and innovations it brings?

 

The U.S. National Institute of Standards and Technology (NIST) defines cloud computing as:

"A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Cloud computing is the same old computation we know, but with a new exterior. Five main components make it cloud computing - independent self-service, unlimited network access, an address pool, component flexibility, and metered service.

 

To understand the changes and risks that cloud computing entails, we must first understand the different functions cloud computing fulfills. Think of any component in your organization as-a-service, and you can provide that through the cloud - workstations as-a-service, platform as-a-service, infrastructure as-a-service, e-mail as-a-service, etc.

There are three common categories for cloud services:

  • Infrastructure as a service - the infrastructure is the product. Access to an environment is given for infrastructure setup, and the service provider provides customer support.
  • Platform as a service - the product is the platform. Access is given to a provided/built environment, managed and supported by the service provider.
  • Application as a service - software is the product. Access is given to an application provided and supported by the service provider.

 

Now that we understand the different types of cloud services, let's try to understand the changes that come along with them:

Computing components - split into four main categories

  • Security - so far, firewalls, access-control lists (ACLs) and network administrators have been used for security. With cloud computing, those three components are replaced by security groups, which limit the access users have to various cloud components; NACLs (network ACLs), which act as a firewall on the network level; and Identity and Access Management (IAM), which is responsible for managing the identities of users in the various cloud components.
  • Network - routers and switches are replaced with virtual components that mimic their functions - Virtual Private Cloud and Load Balancer are responsible for network traffic and delimiting the network.
  • Servers - some companies keep physical server farms on-premises. In cloud computing, all the servers are virtual and can be set up from scratch according to specifications or loaded from a preexisting image of a server.
  • Storage and databases - many storage methods like DAS, SAN, NAS and others are replaced in the transition to cloud computing with the S3, EBS, RDS and EFS storage types.

Access - with local computing, having a computer/server or any network resource means buying, installing and configuring it. Servers need to be kept in protected locations, properly installed, cooled, etc. Access to many of these systems is only possible from a specific location. In cloud computing, one can connect to the systems from anywhere, to any component, as long as they have an internet connection and the needed permissions.

Costs and resources - if we were to expand the network's capabilities, we'd need to approach purchasing and ask for a purchase order for hardware that might end up being obsolete in a few years, leading to more new or additional costs in the future as the system grows. As another example, let's consider a ticket-selling company that sees traffic spikes at predictable times. Should they keep servers whose sole use is for those specific dates? Cloud computing allows companies to spin up servers and shut them down when they are no longer needed. In fact, cloud computing eliminates reliance on physical resources, eases the purchase of new servers and shifts perception from CapEx to OpEx - from paying in advance for all of it, to paying just for what's needed according to usage.

 

So it sounds like moving to the cloud is the ideal solution for many challenges, but we must address the challenges cloud computing brings with it in terms of cloud, information and asset security.

  • Multitenancy - when several entities operate on one server using shared network resources, but are separated on a logical level. When switching to cloud infrastructure, it is important to understand how the provider protects our information and creates a separation so that two entities sharing the server cannot access each other's information.
  • Loss of data - data leaks are a concern for most organizations. When switching to cloud infrastructure, we lose some control to the provider, meaning if the provider is experiencing a breach or attack, some of the organization's data might be leaked, and the organization will be held responsible for damages incurred by its clients.
  • Regulations - up until now, it was the organization's responsibility to modify its policy to comply with regulations. In the cloud, the questions start with where information is stored and what standards are enforced. If our company is required to comply with the GDPR standard, does our cloud provider store information in accordance with the standard? For example, if we as a company allow making purchases with credit cards on our site, we are obligated to comply with the PCI standard. Does the system we purchase as a service store the credit card information in accordance with the standard?
  • Limited access to network resource management - when switching to a cloud computing configuration, depending on how the system is deployed, many organizations will lose a certain degree of control and visibility of their assets and data. The reason is that part of the system maintenance becomes the provider's responsibility. For example, if an organization needs a particular application, there is a scale of implementation. With infrastructure as a service, a company will have a very high level of control - from setting up and managing the servers, monitoring and managing the environment, developing and managing the app, and storing data. On the other end of the scale, application as a service gives the lowest degree of control. Infrastructure, app development and management are all under the provider's responsibility, and the company manages users and how information is stored. 
  • Monitoring - currently, monitoring is an internal organizational procedure. A company could determine the types of logs it will collect, where they will be stored, and how long they'll be available in cases like investigating a security incident. Today, our ability to monitor the network resources also varies due to our varying degrees of control over the different cloud configurations. For example, not all logs will be accessible to the company; the vendor may not keep logs for as long as the organization's policies dictate. Another problem with monitoring is our ability to synchronize logs with the company's monitoring systems.

 

So how can we still deal with these changes and risks?

 

Risk management - consider which assets we are interested in switching to the cloud, understanding scenarios and which cloud configuration meets our needs. Issues to be considered in risk management:

  • Organization's ability to monitor and access logs.
  • User management responsibility.
  • How data is stored.
  • Access to the organization's systems and resources.
  • What happens in the event of downtime?
  • What happens in the event of an information leak?

User access controls - many of the risks cloud computing poses can be managed by controlling user access. A common concept in cloud computing is zero trust - assuming that no one has access to a particular network/system resource except those who have been given access to the specific functions required to perform their job.
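As an added example (not part of the original article), the sketch below applies that idea to an access policy written in AWS IAM's JSON policy syntax: it flags Allow statements that grant more than named functions, and evaluates requests with default deny. The sample policy, the bucket name and the function names are constructed for illustration, and the evaluation is simplified (one policy, no conditions or principals).

```python
import fnmatch

# Constructed sample policy in AWS IAM JSON policy syntax (not from the article).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "NoDeletes", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def _statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts

def overbroad_allows(policy):
    """Return (sid, reason) for Allow statements wider than specific functions."""
    findings = []
    for st in _statements(policy):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        if "NotAction" in st:
            findings.append((sid, "Allow with NotAction grants everything else"))
        for action in _as_list(st.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        if "*" in _as_list(st.get("Resource")):
            findings.append((sid, "applies to every resource"))
    return findings

def is_allowed(policy, action, resource):
    """Simplified evaluation: default deny, and an explicit Deny beats any Allow."""
    decision = False
    for st in _statements(policy):
        # Action names are case-insensitive; resource ARNs are matched as written.
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st.get("Action")))
               and any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(st.get("Resource"))))
        if hit and st.get("Effect") == "Deny":
            return False
        decision = decision or (hit and st.get("Effect") == "Allow")
    return decision
```

Removing the `TooBroad` statement leaves a policy in which only reading the report objects is permitted and every other request falls through to the default deny.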

Cloud provider testing - similar to working with a third-party vendor, a thorough review of the provider is required to ensure that the scope of work for switching successfully and efficiently to the cloud is clear. There are several tools that can be used here:

  • Going over the contract with the supplier - the contract must outline the scope of the responsibilities, both ours as an organization and the cloud provider as the service provider. It's important to understand the SLA times in the event of a malfunction or resource downtime. Go over financial matters like pricing and additional costs.
  • Performing penetration tests and security assessments - there are several possible tests and assessments that can evaluate the level of security the supplier provides to protect our company's information and data as customers.
  • CSA STAR - a free web tool that provides a table of security controls and standards that can be implemented, and makes accessible to us the controls that the cloud provider has applied.

Training - As in any new field, we must ensure our staff is ready for new technology and new procedures. This can be achieved in several ways:

  • Hold training and exercises for teams and employees whose work is going to focus on cloud computing.
  • Recruit new employees with knowledge of cloud computing.
  • Implement Secure Software Development Lifecycle procedures.

 

The cloud may seem like something far and distant, out of our control, but in the end, everything boils down to preparation, understanding the path ahead of us, understanding changes and adapting to them.
