Even as cloud computing becomes cheaper to adopt in practice, many people still have vague anxieties about its security. This article examines the security of the public cloud itself and the risks hidden in how users operate it, and explains the security strategy that should be considered when adopting the cloud. The safety and security of cloud services were a matter of debate when Software-as-a-Service and cloud computing first became a hot topic in the market. Today, however, many companies use public clouds such as AWS and Azure, and even major city banks run core business systems on public cloud infrastructure.
Cloud Security’s recent survey shows that more and more organizations are jumping on the cloud-computing bandwagon. It is now used by 59% of the surveyed firms, with most of their required apps and services (40%) now cloud-based. However, as the bandwagon continues to expand, doubts grow with it: 81% of the organizations surveyed are worried about their corporate security in connection with their chosen cloud infrastructure. As far as security is concerned, the cloud can be said to be safer than building an on-premises environment and maintaining and managing it on your own. In the days when cyber-attacks were not as sophisticated and diverse as they are now, a company could install hardware in its own server room, or use a data-center housing service, for its business systems, mail systems and web servers, and a certain level of security could be achieved with anti-virus software and firewalls.
To manage servers safely in-house today, however, much more is needed on top of those measures: security appliances and monitoring systems, traffic monitoring, management and retention of various logs, and control of entry to and exit from server rooms, among many other points of operational management. In addition, with business continuity (BCP) and system reliability in mind, earthquake-resistant buildings, fire prevention and fire-fighting equipment, air-conditioning equipment, power-failure countermeasures (UPS and emergency power supply), and system and data backup and redundancy are also required. Naturally, these measures cost resources: people, time and budget.
Using the cloud does not eliminate all of these measures, but many of them can be outsourced to the cloud provider. Moreover, cloud services such as AWS and Azure take advantage of their scale to raise the security and reliability of the whole system. Even for a typical large company, it is not practical to ensure the same level of security in an on-premises environment. A public cloud is, physically, a huge data center: in-house power generators, large-capacity standby power supplies, air-conditioning equipment, earthquake-proof construction, gas fire-extinguishing equipment (sprinklers and chemical fire fighting would also damage equipment that is not burning), a 24-hour operations center, strict entrance and exit management, and so on.
The cloud is secure, but with one caveat: recognizing and understanding the demarcation point. In AWS this is expressed as the “shared responsibility model,” and the user must understand up to which point the cloud operator guarantees security and service level. In other words, which resources and functions in the cloud environment are provided by the operator and cannot be configured or controlled by the user, and which resources and features the user can customize themselves. The former cannot be specified by the user, but their safety is generally secured at a sufficient level.
On the other hand, OS security patches, server and network settings, the middleware installed, and application security must be secured by the user. Many cloud providers offer security-related services such as access control, account and authentication functions, encryption services, and monitoring and auditing functions, and make them available to users; it is the user’s responsibility to configure and operate these functions correctly and safely. Take the information-leakage incident at the file transfer service mentioned earlier: even though AWS was used for the file transfer service, the system that was (probably) intruded upon had been installed and built by the file transfer service provider, the user company that contracted for and used AWS. It has also been pointed out that personal information was leaked and that there was a problem with how the password file was handled (stored in plain text without hashing). The cause was not an intrusion into AWS’s internal servers or systems, but an insecure system environment built by the user.
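As an added illustration of the user-side application responsibility described above (example code written for this article, not from the original text or from any named service): a password store kept in the plaintext form blamed in the incident, beside the salted-hash form that should replace it, using PBKDF2-HMAC-SHA256 from Python’s standard library. The user names and sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of the failure mode described above: a "password file"
# holding the secrets themselves. Anyone who reads the file has every password.
PLAINTEXT_STORE: Dict[str, str] = {"alice": "S3cret!", "bob": "hunter2"}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means identical passwords produce different
    records, so precomputed tables are useless against a stolen store.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_store(plaintext_store: Dict[str, str]) -> Dict[str, str]:
    """One-off migration: replace each plaintext secret with its hashed record."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


if __name__ == "__main__":
    hashed = migrate_store(PLAINTEXT_STORE)
    for user, record in hashed.items():
        print(user, record)
    print(verify_password("S3cret!", hashed["alice"]))  # True
```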
With the virtual servers provided by public clouds such as AWS and Azure, users can freely configure business servers on a general intranet, servers placed in a DMZ such as databases, web servers and mail servers, and external sites such as e-commerce (EC) sites, including their business servers and databases. Functions equivalent to firewalls, authentication servers (Active Directory and LDAP), load balancers, backup systems, DNS, routers and switches, and system orchestration (an integrated management environment) are provided as managed services on the cloud. Automatic backup, data encryption, log collection, traffic monitoring, vulnerability diagnosis and so on are also provided as cloud services.
The essence of security policies and countermeasure technologies does not change just because the platform is the cloud. The fundamental approach remains the same: identify the information assets to be protected and the risks to the company’s information systems and resources, and decide what countermeasures to take against them. Once this is decided, the necessary protection functions, countermeasure technology, network configuration, account management policy and so on follow naturally.
If there are rules or functions that cannot be moved to the cloud because of security policy or compliance requirements, and they cannot be realized with the functions the cloud service provider offers, there is no need to force them into the cloud. Server and network configuration, routing and access control are complex, and mistakes there are dangerous. Account management also has caveats. The administrator account for a public cloud holds all privileges (root privileges), including instance creation and network settings, and requires strict management. As with ordinary server accounts, an administrator account with root privileges should not be used for routine configuration and management tasks. Instead, create separate accounts with only the privileges needed for each administrative task, such as instance creation or security settings, and use those.
Accounts used for cloud management work should be protected with two-factor authentication in addition to an ID and password. The major cloud service providers offer two-factor authentication, so keep it enabled. If account information leaks, firewall settings in the cloud and access controls on servers and storage can be changed without authorization.
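An added example (written for this article, not taken from it or from AWS) of checking the account rules in the last two paragraphs on AWS: it reads an IAM credential report, the per-account CSV that AWS can generate, and flags root-account use, root access keys, and console users without MFA. The report excerpt is constructed and keeps only the columns used here; the account ID is a placeholder.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed excerpt in the column layout of an IAM credential report. The real
# report has more columns (key rotation dates, certificates, ...); only the ones
# used here are included. Account ID 111122223333 is a placeholder.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-02T09:14:00+00:00,false,true,false
ops-admin,arn:aws:iam::111122223333:user/ops-admin,true,2024-05-01T08:00:00+00:00,true,false,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,no_information,false,true,false
contractor,arn:aws:iam::111122223333:user/contractor,true,2024-04-28T12:30:00+00:00,false,false,false
"""

AS_OF = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "now" for the sample
ROOT_USE_WINDOW = timedelta(days=30)


def audit_credential_report(report_csv: str, now: datetime = AS_OF) -> List[str]:
    """Return one finding per violation of the account rules described above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        keys_active = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if user == "<root_account>":
            # Root holds every privilege: it must have MFA, no long-lived keys,
            # and must not be the account used for day-to-day work.
            if not mfa:
                findings.append("root: MFA not enabled")
            if keys_active:
                findings.append("root: access keys exist; root should have none")
            last_used = row["password_last_used"]
            if last_used not in ("N/A", "no_information"):
                if now - datetime.fromisoformat(last_used) <= ROOT_USE_WINDOW:
                    findings.append("root: console sign-in within the last 30 days")
        elif row["password_enabled"] == "true" and not mfa:
            # Console users can change firewall and access settings interactively,
            # so they need a second factor.
            findings.append(f"{user}: console password without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```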