Controlling the Cloud

Author: Dustin Brewer, Senior Director, Emerging Technology and Innovation, ISACA
Date Published: 27 July 2020

The cloud has been and continues to be an important enabling technology for many, both professionally and socially, during the COVID-19 pandemic. We have built a virtual world and now we are putting it to the ultimate test. But let us drop the “patter” of cloud computing and take a look at what it looks like behind the shroud.

Of course, cloud computing can be reductively described as the ability to use “on-demand” computer services such as storage and processing power. We could take an extremely deep approach and discuss the different hypervisors, containerization and hardware that are running in the background, but in most cloud computing use cases, the customer has little to no access to these components. Let us start with the most likely components that, as customers, we can control.

Operating System (OS) Security
There are a few studies that suggest that close to 90 percent of the cloud is made up of instances where Linux is running as the underlying OS. That seems like a logical place to start as far as training or skillsets go. We need people (cyber professionals, admins and IT auditors) who understand Linux. I am not suggesting that every professional in this field needs to be able to compile a custom kernel for a system or write device drivers, but an understanding of the configuration and hardening of the OS would be useful in securing Linux cloud instances, especially the built-in and third-party OS firewall capabilities.

If Windows is being used as an underlying OS, the same rules apply. It is important to know PowerShell and basic Windows hardening techniques, and use best practices for OS configuration and use.

Firewall/Security Devices
Most big cloud providers (Amazon Web Services [AWS], Azure and Google Cloud) will have custom dashboards that provide firewall-like capabilities. The best way to know how to control these from vendor to vendor is to understand how firewalls work in general. Terminology and some functionalities change between vendors, but the overall working knowledge of these security devices remains constant. This type of knowledge will also, of course, come in handy for any systems that may be intermediaries between cloud services and on-premises functionalities.

DevOps
If you are using platform-as-a-service (PaaS) cloud services to provide proprietary software services to your customers, then secure development is a must. Static and dynamic software analysis and security-conscious programmers are essential to this process. This can be exceptionally challenging when using multiple programming languages and frameworks, such as Django or Ruby on Rails, where the programmer is using multiple prebuilt functionalities and libraries. Therefore, testing of software and code review must be a priority before pushing the code to production environments.

Business and Contracts
We do not always have access to system components at this granular level. The last line of protection for our cloud services and components is usually a service-level agreement or other agreement with the vendor. Who is responsible for security in a cloud agreement? If there is an incident, who conducts incident response? If we cannot run vulnerability scans and conduct audits, can the vendor provide up-to-date reports and attestations for compliance? These are just some of the lines of thought you need to have while in the process of finding a vendor to suit your security and compliance needs.

At ISACA, we constantly ask our members for feedback on what type of training would be most valuable, and the cloud is one of the most prevalent subjects requested, specifically cloud security. Taking the simplest definition of the cloud and pairing it with a request for training on cloud security, one could assume that what is being asked for is training on the security of on-demand computer resources. It, of course, comes with its own challenges, but while working with these emerging technologies, it is extremely easy to get lost in the vastness of what is being accomplished and forget that some fundamental skillsets and critical thinking skills most certainly apply.

These ideas are repeated ad nauseam in cyber professional circles and trainings. And yet breaches still occur, and the cyber skills gap grows every year. As technology stacks skyrocket in complexity, maybe the best approach is to simplify. Find professionals with these simple skillsets, work from the ground up to provide defense in depth, and understand that continuing education and learning are never finished in this industry.

Editor’s note: For further insights on this topic, read Dustin Brewer’s recent Journal article, “Nothing But Blue Skies,” ISACA Journal, volume 4, 2020.