How to safely use cloud services?

2023-02-01

Using the cloud has already become the standard. If a company wants to create conditions for rapid development, support innovation and optimize costs, it decides to cooperate with a cloud service provider. The question then arises: which environment should we choose to gain the benefits of the cloud while keeping our organization's data safe?

According to the latest research conducted by EY, as many as 64% of Polish companies already use cloud solutions, while it is forecast that another 26% plan to do so in the coming year. The market of cloud service providers is developing and constantly improving, trying to react on an ongoing basis to changes and to errors encountered by users. For the vast majority of companies, multi-cloud (the use of multiple cloud computing and storage services) and hybrid solutions are becoming the norm.

Access to data is now taken so much for granted that, even when there is no sign of any threat to our data, every company should ask itself: how can we use cloud services safely?

Who is responsible for data security: the company or the supplier?

There is no solution in which the entire responsibility for what happens on the servers is taken over by an external company. The use of cloud services is always based on the shared responsibility model. To ensure the security of the IT system, a number of rules must be followed that are the responsibility of the user.

When working with cloud service providers, we are obliged to train employees in the safe use of the cloud, information and data processing, the use of mobile and stationary devices, verification of access to accounts and identity management.

Depending on the scope of services we choose in cooperation with the provider, the areas we supervise or share responsibility for may include additional elements, such as applications, network or operating system configuration. However, the security of the cloud infrastructure, i.e. servers, networks, databases, storage or network system, is always the responsibility of the service provider.

Simply put – cloud providers ensure the security of platforms, while users are responsible for securing communication channels, data and processes they carry out in the cloud.

What type of cloud computing services to choose?

The cloud can be divided into 3 types: public (publicly available, we gain access to resources via the Internet), private (created for the needs of one company) and hybrid (we store data in both public and private clouds).

Migration to the cloud is a gradual transfer of responsibilities from the client to the cloud service provider. The more advanced and complementary the service, the more responsibility the provider assumes.

Cloud service providers offer their own cooperation proposals, which differ in how much responsibility for data security they take over. Examples are the infrastructure service models, tailored to the requirements of a specific user.

There are several basic models of cooperation between the provider and the cloud consumer:

  • Infrastructure as a Service (IaaS) – the public cloud provider takes responsibility for the physical part of maintaining the IT environment (power supply, hardware, access control), i.e. it provides the data center. The user, on the other hand, takes care of the security of the operating system, databases, applications, account access verification and identity management, etc.
  • Platform as a Service (PaaS) – the public cloud provider takes responsibility for the physical part of maintaining the IT environment, the data center and the operating system. The user, on the other hand, takes care of the security of databases, applications (to be determined, there may be joint responsibility), verification of access to accounts and identity management, etc.
  • Software as a Service (SaaS) – the customer's responsibility begins with the application: taking care of the identity and permissions of users. Everything else is taken over by the cloud service provider.

Providers offer data backup, but it is never 100% secure, for example in situations where users make mistakes that compromise security, such as accidentally scanning/duplicating data or documents that will not appear in the cloud.

It should be remembered that the cloud consumer is always responsible for identity management in the public cloud, and their task is to create a model that ensures comfortable use of the system while maintaining security.

Cloud service providers

One of the largest global cloud service providers is AWS (Amazon Web Services), next to GCP (Google Cloud Platform) and Microsoft Azure.

Amazon Web Services provides details related to shared responsibility. The service provider, i.e. Amazon Web Services, introduces and supports measures related to the security of the cloud itself, and the client, when implementing various types of measures in the cloud, is obliged to ensure the appropriate selection of services, and more importantly, their correct configuration.

For example, the two most popular AWS services are Amazon EC2 (Amazon Elastic Compute Cloud) and Amazon S3 (Amazon Simple Storage Service). The first is infrastructure as a service (IaaS), where customers are required to manage the operating system, software and installed firewalls. With the second, Amazon S3, the customer is responsible for managing and securing their data by choosing the appropriate security policy and granting access according to who may see the data and to what extent.

Of course, there are already many smaller cloud service provider companies on the market, which in cooperation with available public clouds will help each company choose the right solution tailored to its needs.

How do cloud users neglect their own security?

The security of a system using cloud services depends to a large extent on cloud consumers. The vast majority of successful breaches of data security systems result from the negligence of companies, not service providers.

A good illustration of this statement is the Security 2020 State of Public Cloud Security Risks report published by Orca Security. It was created on the basis of data analysis carried out using the Orca SideScanning tool. The analysis covered Orca customers' assets, which were located in AWS, Azure and Google Cloud. It shows that almost 1/4 of companies do not use multi-factor authentication mechanisms for access to a cloud account by administrators with full rights, e.g. ZeroTrust. In addition, many companies have data resources connected to the Internet through unauthorized paths or use unsupported operating systems that are not constantly updated. There are also companies with data resources to which access is secured by means of weak or quite widely disclosed passwords.
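The missing-MFA finding can be audited from data the customer already has. The following is an added example, not part of the original article or the Orca report: it assumes AWS, reads an IAM credential report (CSV) and flags accounts that can sign in to the console without MFA. The report rows are constructed, and the `admins` set is a hypothetical input, because the credential report does not say which users hold full rights.

```python
import csv
import io

# Constructed credential-report excerpt (subset of columns, placeholder account ID).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true
"""

ROOT = "<root_account>"  # name the credential report uses for the root user

def console_accounts_without_mfa(report_csv, admins=frozenset()):
    """Return (user, severity) for console-capable accounts with no MFA device.

    admins: user names known to hold full rights (assumed to come from a
    separate policy review). Root and admins are 'critical', others 'high'.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        # Root can always sign in; IAM users only if a password is enabled.
        can_sign_in = is_root or row["password_enabled"] == "true"
        if can_sign_in and row["mfa_active"] != "true":
            severity = "critical" if is_root or user in admins else "high"
            findings.append((user, severity))
    return findings

if __name__ == "__main__":
    for user, severity in console_accounts_without_mfa(SAMPLE_REPORT, {"bob"}):
        print(f"{severity.upper()}: {user} can sign in without MFA")
```

Access-key-only users such as the constructed `ci-deploy` row are not flagged here, since MFA in the report applies to console sign-in; their keys need a separate rotation and scope review.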

When starting cooperation with a service provider, you should be aware of the possibilities described above and approach the subject of data security in your company consciously and responsibly.