
Cloud Security 101: What Executives Need to Know

Douglas Modena


Cloud services offer great flexibility to the user, allowing quick access to many resources and the ability to scale according to use. That is why many organizations build cloud-native applications and migrate legacy systems to a cloud provider as well. Cloud providers follow strict security practices to ensure the stability of the service, protect against attacks, and comply with a range of norms and quality standards.

To maintain a secure use of the services, we need to understand what steps providers take and which practices must be implemented by the user. In this article, we will review the categories of cloud services and the best methods to ensure cloud security while using each. 

Some examples below are based on two of the most popular cloud providers today, Amazon’s AWS and Microsoft Azure. While we will cover best practices, there is no way to discuss all cloud security requirements in one article. Therefore, contact your cloud provider to get the most up-to-date information possible.

Standards of Quality

Cloud providers use several security techniques and follow strict quality standards to meet international and industry-wide benchmarks. Some projects may demand compliance with certain norms, such as ISO or HIPAA. 

AWS has a portal called Artifact, where compliance information can be verified for the resources in use. Azure also offers some online documentation. Always check directly with your cloud provider for the latest information on which norms are covered for the different services you intend to use.


Shared Responsibility for Maintaining Systems

The alternative to the cloud is on-premises hosting, in which the company has total control over hardware and software. While absolute control sounds empowering, companies using on-prem solutions also carry complete responsibility for providing a safe and secure installation site, managing power and temperature, ensuring that the physical components work correctly, keeping the system updated, and more.

After migrating to the cloud, some of these responsibilities shift from users like you to the provider. The level of management varies according to the different categories of services. Let’s discover these different categories.

IaaS – Infrastructure as a Service

In this category of services, the provider supplies the infrastructure the user needs to run their own services and applications. This gives the user greater control over what is installed and how each application is configured, but it also places a greater share of the responsibility for securing those services on the user.

An example of a service that falls under IaaS is virtual machines (VMs), where the provider provisions a machine with the hardware profile and operating system the user selects at creation time and grants access to it. The user is then responsible for managing the system and setting up software according to their needs.

In contrast to physical machines, this service allows for quick scaling by replicating its contents in new machines (horizontal scalability) or adjusting the specs of the hardware, such as processing or memory (vertical scalability). These concepts of scalability do not apply only to VMs, but also to many other cloud services.


PaaS – Platform as a Service

In this service model, the provider offers the infrastructure, as seen before, and a platform for your services or applications controlled by the provider. One example is a managed database. 

In the previous model, the user would need to install a database application on a virtual machine. Here the database is offered directly by the provider, which is easier and quicker: the user does not need to install the software, and backups and updates are available as options of the service.

This service also needs one or more machines to work. However, this becomes the responsibility of the provider, which guarantees access to the database, ready for configuration and use.

SaaS – Software as a Service

In this model, the user interacts directly with the application they intend to use. The provider handles all responsibility for the system behind the scenes. An example of this category is email services. 

With email, the user directly sends and receives emails without worrying about the infrastructure under the hood. The user is responsible mainly for keeping and protecting access to their account, removing spam, and avoiding malicious links. The provider offers all the resources and is responsible for keeping the system working efficiently.


Everything Starts with Your Account

To access cloud services, the user first needs to register with a provider. The credentials, which usually consist of a username and password, must be kept safe since they provide direct access to your most important information. If credentials are stolen, an attacker can expose sensitive data and run up large, unwarranted costs.

AWS provides granular control of permissions with IAM – Identity and Access Management, which has its own best practices. Microsoft also provides recommendations for Azure account security.

Let’s see some tips to ensure higher safety of your account:

  • Use a strong, unique password, and do not share credentials with other users. Each user should have their own access credentials.
  • Make use of multi-factor authentication (MFA). With MFA, even if your username and password are compromised, the intruder cannot access your account unless they can also provide the second factor.
  • Manage the level of privilege for each user. Apply the principle of least privilege so that users can only access what they need to accomplish their tasks.
  • Use access tokens or keys rather than usernames and passwords for non-human identities, such as CLIs and API clients. Rotate these tokens regularly.

Virtual Machines (VMs)

In this type of service, the physical part (hardware) used to provide the VM is the responsibility of the provider. However, the user is still responsible for managing the resources and for installing, configuring, and controlling access to the software. This service is called Elastic Compute Cloud (EC2) on AWS and Virtual Machines on Azure.

Here are some quick tips:

  • Avoid running systems under administrator or superuser accounts. Create dedicated users with only the privileges needed to complete their tasks.
  • Review open network ports and who can reach the machine. Block every port that is not in use.
  • Restrict remote access, only allowing the necessary users and IP addresses.
  • Keep the operating system up to date with the latest security patches.
  • Monitor the use of memory and processing. Generate alerts to be informed of unusual usage.

Managed Database Services

There are many managed database options available on the cloud, be it SQL, non-relational, or graph. Managed databases provide many advantages: there is no need to maintain a machine to host the database, and there is no installation, only the setup. AWS offers its Relational Database Service, while Azure's service is named Azure SQL Database.

However, some security responsibilities still lie with the user. Here are some tips:

  • Do not share the superuser credentials. Be sure to store them safely.
  • Remove sample databases and other pre-created structures, since these are generated for testing only.
  • Users must only have restricted access based on what they need for their roles. Remove permission to delete structures and databases unless it is necessary.
  • Allow network access to the database only from the machines or systems that will use it.
  • Connection strings and credentials must be kept safe. Therefore, a cloud service for secure credential storage is recommended.

Object Storage

Cloud object storage can be useful in a variety of ways. One example is providing static files for Web systems. Since these files do not change, they can be stored, cached, and distributed easily using a cloud service and can even be served by a Content Delivery Network (CDN). This service is called Simple Storage Service (S3) on AWS and Blob storage on Azure. 

Let’s see some security tips for this service:

  • Objects are usually organized in containers with specified permissions. Therefore, review permissions to the containers and ensure that only files meant to be publicly accessed are added to public containers.
  • Review user permissions for creating, deleting, and viewing objects.
  • This type of service is usually charged by storage and transfer. Therefore, set up limits and alerts to avoid incurring excessive charges.
  • Periodically review and remove unused objects and containers.
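As an added illustration, not code from the article, AWS, or Azure, the following Python snippet turns two of the tips above into a check a practitioner can run: the least-privilege tip from the account section and the public-container tip for object storage. It reviews an AWS-style JSON policy document for any-principal grants and wildcard actions; the sample bucket policy, IAM policy, account ID, role name, and bucket names are all constructed for the example.

```python
import json

# Constructed sample policies (not from the article): an S3-style bucket policy with
# one world-readable statement and one scoped statement, and an IAM identity policy
# with a wildcard grant next to a narrowly scoped read-only grant.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-static-site/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-uploader"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-uploads/*"},
]})
IAM_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["rds:DescribeDBInstances"], "Resource": "*"},
]})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_any_principal(principal):
    """True when a statement applies to every caller: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def review_policy(document: str) -> list:
    """Return one finding per Allow statement that is wider than least privilege."""
    findings = []
    for i, stmt in enumerate(json.loads(document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", f"statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "Principal" in stmt and _is_any_principal(stmt["Principal"]):
            # A Condition (e.g. a source VPC) may narrow an any-principal grant,
            # so it is reported for review rather than silently accepted.
            scope = "scoped only by Condition" if "Condition" in stmt else "public, no Condition"
            findings.append(f"{sid}: grants access to any principal ({scope})")
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcards:
            where = "on all resources" if "*" in resources else "on listed resources"
            findings.append(f"{sid}: allows wildcard actions {wildcards} {where}")
    return findings
```

Run review_policy on policy documents exported from the provider's console or CLI; an empty list means no statement tripped either check, not that the policy is necessarily minimal.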

Email Services

We usually do not think of email as a cloud service, but it does fall into the SaaS category. The client is the system's end user, and all responsibility for maintaining, managing, and updating the service lies with the provider.

It is still necessary to be cautious and understand how to use the system safely. Despite not being part of the Azure portal, Microsoft offers its own email service called Outlook. 

Here are some recommendations:

  • Do not reuse your email password anywhere else. Keep the credentials safe, such as in a password manager.
  • If possible, use multi-factor authentication.
  • Do not share your credentials with anyone.
  • Always check the sender’s address, and do not open emails from suspicious domains.
  • Be careful when clicking links and downloading attachments. Always verify and evaluate the sender’s information and the body of the email.
  • Report any phishing attempts. These are fraudulent emails trying to gain undue access or steal credentials.
  • Remember to always log out of your account, especially when using public computers.

Other Services

There are several other categories and many other services from different cloud providers. It would not be viable to cover them all, but some of the tips above always apply, such as granting only the least privilege needed, using strong and unique passwords, and safely storing your credentials. To follow the best cloud security practices and check the latest information, consult the service documentation directly with your chosen provider.

Remember that when using cloud services, security is a shared responsibility between the user and provider. Therefore, always be sure to apply the best practices for full security on the cloud.


How Programmers Helps


Programmers helps companies across industries develop cloud-native applications and migrate their legacy systems to the cloud. We leverage the best agile methods to produce digital products that provide your organization and its customers with the most value possible. 

We also take a value-oriented approach to modernization with our Fast-Track service, which continuously boosts your bottom line every 90 days. Learn how we managed to help a company reduce the data upload time of one of their applications from one day to one hour by migrating it to the cloud.

Let us know how we can help you.
