Gradually, the cloud is changing the way we use computers. We hear more and more about hybrid deployments, scaling, data availability... Even if some of these aspects of IT already existed, the cloud is making them accessible to everyone.
However, not everything is rosy in the cloud universe. By changing the way IT is consumed, the cloud brings its share of new problems and concepts, notably related to security. So we will look together at the main security notions related to the use of the cloud, and at the services cloud providers offer to help you maintain an optimal level of security.
Cloud and Data Security
The term “data security” is used a lot nowadays, but do you really know what it means?
Generally, data security rests on 3 axes:
- The availability of the data,
- The integrity of the data,
- The confidentiality of the data.
Data security therefore applies to your data throughout its entire life cycle.
Take the example of the big cloud players, such as Microsoft, Amazon or Google: by their size, resources and expertise, these companies are able to offer a level of availability that few organizations could reach on their own.
When your data sits on your own internal servers, it is essential to back it up regularly. The cloud does not escape this rule. Loss of data is a significant risk for a company, and backups limit that risk: you are not immune to accidental deletion (more likely) or to a failure of your cloud provider (less likely), and the provider's replication will faithfully replicate a deletion. Wherever your data is, it is important to back it up, ideally to a location that the same credentials cannot wipe.
The cloud is not a miracle solution guaranteeing 100% availability. By using the cloud to store your data, you transfer the management of availability (servers, networks, systems) to specialized companies, within the limits of their service level agreement, so that you can concentrate on your core business.
Data integrity is the assurance that data is accurate and consistent throughout its life cycle: it must remain valid, and it must be modifiable only by authorized persons. Data is not static, however; it evolves and is transferred, so its integrity must be ensured continuously.
Today, a lot of data is exchanged over networks, whether private or public. It is therefore important to use communication protocols that ensure the data arrives exactly as it was sent:
- HTTPS (TLS) when accessing an online service or an API,
- VPN connections (IPsec, for example), etc.
Among other things, these protocols guarantee that the data will not be modified in transit: every message carries an authentication tag that the receiver checks, so any alteration is detected and the connection is dropped.
But what happens to the data when it is not in transit?
When the data is at rest, stored on a file system or in a database, there are generally technologies to ensure its integrity: journaling and transaction logs, checksums and hash calculation, etc. Note that a plain hash stored next to the data only detects accidental corruption: whoever can modify the data can recompute the hash, so the hash must be keyed (an HMAC) or kept somewhere the writer cannot reach. In case of corruption, it is always possible, thanks in particular to backups, to restore a known-good version of the data.
Data integrity is neither a new concept nor exclusive to the cloud. The same security principles apply whether data is stored internally or in the cloud.
Data confidentiality is a sensitive issue. It is not uncommon to hear about data leaks on the Internet, even from globally known companies. Confidentiality is therefore an essential aspect for any business.
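As an added example (not code from the original article), here is a small Python script that turns the “hash calculation” mentioned above into a keyed manifest over a set of objects and shows why the key matters. The objects are constructed in-memory data standing in for files in a bucket; the manifest key is assumed to live in a secrets store separate from the data it protects.

```python
"""Integrity of data at rest: a keyed manifest of per-object hashes.

Added example, not from the original article. The objects are an in-memory
dict standing in for files in a bucket or rows in a table; the manifest key is
assumed to be kept in a secrets store separate from the data it protects.
"""
import hashlib, hmac, json

def digest_all(objects: dict) -> dict:
    """Plain SHA-256 of each object; anyone who can write the data can redo this."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(objects.items())}

def build_manifest(objects: dict, key: bytes) -> dict:
    """Digests plus an HMAC over them, so the list itself cannot be silently rewritten."""
    digests = digest_all(objects)
    mac = hmac.new(key, json.dumps(digests, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}

def verify_manifest(objects: dict, manifest: dict, key: bytes) -> dict:
    """Report whether the manifest is authentic and the state of every object."""
    canon = json.dumps(manifest["digests"], sort_keys=True).encode()
    authentic = hmac.compare_digest(manifest["mac"], hmac.new(key, canon, hashlib.sha256).hexdigest())
    state = {}
    for name, expected in manifest["digests"].items():
        if name not in objects:
            state[name] = "missing"
        elif hmac.compare_digest(hashlib.sha256(objects[name]).hexdigest(), expected):
            state[name] = "ok"
        else:
            state[name] = "modified"
    for name in objects.keys() - manifest["digests"].keys():
        state[name] = "unexpected"  # written outside the controlled process
    return {"manifest_authentic": authentic, "objects": state}

def demo():
    """Three checks: clean data, a corrupted object, and a tamperer who
    rewrote the plain hashes but could not recompute the keyed MAC."""
    key = b"manifest-key-from-secrets-store"  # constructed for the example
    objects = {"invoices.csv": b"id,amount\n1,100\n", "config.json": b'{"debug": false}'}
    manifest = build_manifest(objects, key)
    clean = verify_manifest(objects, manifest, key)
    tampered = {**objects, "config.json": b'{"debug": true}'}
    corrupted = verify_manifest(tampered, manifest, key)
    # Attacker with write access refreshes the hashes next to the data but keeps the old MAC.
    rewritten = {"digests": digest_all(tampered), "mac": manifest["mac"]}
    evasion = verify_manifest(tampered, rewritten, key)
    return {"clean": clean, "corrupted": corrupted, "evasion": evasion}
```

In the third scenario every per-object hash matches, which is exactly what a plain hash file would report; only the keyed MAC over the manifest reveals that the list was rewritten, and that is the signal to restore from backup rather than trust the stored copy.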
One of the major concerns with the use of the cloud is the geographical location of the data. The big cloud players are mostly American companies, and American companies are subject to the Patriot Act. Simply put, this law allows US security agencies to consult data held by US individuals or companies without prior authorization and without informing them.
This kind of legislation is a real problem for data privacy. Unfortunately there is no perfect solution, other than hosting the data in a country that has no equivalent of the Patriot Act, and bearing in mind that a provider headquartered in the United States may remain subject to US law regardless of where its data centres are located.
Do not host data you consider too sensitive in the cloud. That said, industrial espionage by foreign powers (for example) is not a real concern for many companies that are not international in scope.
Another aspect of confidentiality is granting access to the data only to a predefined group of people. For this, authentication is generally used to verify the identity of the user, and access control lists to restrict access to the data in question.
Things get complicated when the data is stored in the cloud: the user account used internally is not available on the cloud platform, so an additional user account is needed for the cloud services...
Cloud and Identity Management
Identity management has become a major issue in the use of the cloud.
Suppose, for example, that each cloud service has one account per user. Each account has a password, which should ideally differ from all the others but in practice rarely does. For administrators, this also means more accounts to manage: password resets, account creation, assignment of rights. This approach does not scale and increases complexity at every level. Ideally, each user should have a single account that he or she uses on all services.
To achieve this, the simplest method to implement is the synchronization of user accounts. For example, Azure AD Connect can synchronize your internal user accounts to Azure AD, or plain Active Directory replication over a VPN connection can extend your directory to your private cloud. With these solutions, users use the same account to connect to the different services.
However, account synchronization has several disadvantages. The first is compatibility: not all services support synchronized user accounts. The second is that users must still identify themselves on each service: although there is only one account per user, the user enters the same “username / password” pair several times a day (logging on to the workstation, to the webmail, to Office 365, and so on). And finally, synchronizing user accounts also requires synchronizing the password, as a hash sent over a secure channel. In the case of Azure AD, a salted re-hash of your on-premises password hashes is stored on Microsoft's servers. If your security constraints prohibit this, or you are simply not comfortable with the idea, there is another solution: identity federation.
Federation of Identities
Identity federation uses your existing directory servers (for example, your internal Active Directory) to authenticate on-premises or mobile users on services both inside and outside the enterprise. For example, when a user logs on to Office 365, they are authenticated by your internal federation servers, which issue a token that Office 365 trusts, before they can access the services.
Although identity federation is not the simplest solution to implement, it brings several advantages:
By centralizing the authentication and authorization process, identity federation makes it possible to apply global security policies to all federated services. For example, it is possible to enforce two-factor authentication on federated services that do not support it natively, because the check happens on the identity provider before the service is ever reached.
In addition, identity federation enables Single Sign-On (SSO). SSO lets your users authenticate once to access all federated services. Concretely, the user authenticates a first time (usually at the start of the session). When that user then opens the webmail, the Identity Provider already knows them (they have already authenticated), so it authorizes the connection to the webmail, provided the user satisfies the security policies in place, without a second authentication.
Finally, identity federation centralizes the management of the authentication and authorization process. This also allows self-service tools to be offered to users, such as password reset and two-factor enrolment, and, through standardized protocols (SAML, OAuth 2.0 and OpenID Connect), it interfaces with a multitude of external applications (Office 365, Salesforce, SharePoint).
However, centralizing the authentication process turns your directory infrastructure (e.g. Active Directory, AD FS) into a critical service: if the authentication service stops working, users can no longer access any of the federated services. It is therefore necessary to deploy it as a highly available infrastructure, and to protect it accordingly, since whoever controls the identity provider controls access to every federated service.
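The following Python model ties together the points of this section: the central policy (two-factor authentication enforced by the identity provider even for a service that has no notion of it), single sign-on (one login, tokens for several services), and the checks a service provider must make before trusting a token. It is an added example, not code from the original article or from any real product: the user directory and the per-service policy are constructed in-memory data, and the tokens are signed with an HMAC key shared between the identity provider and each service provider, a simplification that keeps the example free of third-party libraries (SAML and OpenID Connect sign with the identity provider's private key and verify with its public key on the service side, so a service provider cannot mint tokens for itself).

```python
"""One identity provider (IdP) fronting several service providers (SPs).
Added example, not code from the original article or from any real product.
Assumes constructed in-memory users and policies, and tokens signed with an
HMAC key shared between the IdP and one SP (real SAML/OpenID Connect uses the
IdP's private key plus public-key verification, so an SP cannot forge tokens).
"""
import base64, hashlib, hmac, json, secrets

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed directory standing in for the on-premises Active Directory.
DIRECTORY = {"alice": {"salt": b"s1", "pw": _pw_hash("correct horse", b"s1"), "otp": "123456"}}

# Central policy on the IdP: office365 requires MFA even if the service itself
# has no notion of a second factor (the article's point about global policies).
SERVICE_POLICY = {
    "webmail": {"key": b"webmail-shared-secret", "require_mfa": False, "ttl": 3600},
    "office365": {"key": b"o365-shared-secret", "require_mfa": True, "ttl": 3600},
}

class IdentityProvider:
    def __init__(self, directory=DIRECTORY, policy=SERVICE_POLICY):
        self.directory, self.policy, self.sessions = directory, policy, {}

    def login(self, username, password, otp=None):
        """Authenticate once against the directory and open an SSO session."""
        user = self.directory.get(username)
        if user is None or not hmac.compare_digest(user["pw"], _pw_hash(password, user["salt"])):
            raise PermissionError("bad credentials")
        amr = ["pwd"]  # authentication methods used in this session
        if otp is not None:
            if not hmac.compare_digest(otp, user["otp"]):
                raise PermissionError("bad one-time code")
            amr.append("mfa")
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"sub": username, "amr": amr}
        return sid

    def issue_token(self, sid, service, now):
        """SSO: reuse the session, apply the per-service policy, sign the claims."""
        session, rule = self.sessions[sid], self.policy[service]
        if rule["require_mfa"] and "mfa" not in session["amr"]:
            raise PermissionError(f"{service} requires MFA")
        claims = {"sub": session["sub"], "aud": service, "amr": session["amr"],
                  "iat": now, "exp": now + rule["ttl"]}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + _b64(hmac.new(rule["key"], body.encode(), hashlib.sha256).digest())

class ServiceProvider:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def verify(self, token, now):
        """Check signature, audience and expiry before trusting any claim."""
        body, sig = token.split(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["aud"] != self.name:
            raise PermissionError("token issued for another service")
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        return claims

def _attempt(fn, *args):
    try:
        fn(*args)
        return "accepted"
    except PermissionError as err:
        return f"rejected: {err}"

def demo(now=1_700_000_000):
    """Run the scenarios from the text and return what each party decided."""
    idp = IdentityProvider()
    webmail = ServiceProvider("webmail", SERVICE_POLICY["webmail"]["key"])
    o365 = ServiceProvider("office365", SERVICE_POLICY["office365"]["key"])
    out = {}
    sid = idp.login("alice", "correct horse")  # password only
    out["webmail_pwd_only"] = _attempt(webmail.verify, idp.issue_token(sid, "webmail", now), now)
    out["o365_pwd_only"] = _attempt(idp.issue_token, sid, "office365", now)  # blocked by policy
    sid = idp.login("alice", "correct horse", "123456")  # one login with MFA ...
    tok_mail, tok_o365 = idp.issue_token(sid, "webmail", now), idp.issue_token(sid, "office365", now)
    out["webmail_mfa"] = _attempt(webmail.verify, tok_mail, now)  # ... serves both services
    out["o365_mfa"] = _attempt(o365.verify, tok_o365, now)
    out["wrong_audience"] = _attempt(o365.verify, tok_mail, now)  # webmail token replayed at o365
    body, sig = tok_o365.split(".")
    forged = _b64(json.dumps({**json.loads(_unb64(body)), "sub": "admin"}, sort_keys=True).encode())
    out["tampered"] = _attempt(o365.verify, forged + "." + sig, now)
    out["expired"] = _attempt(o365.verify, tok_o365, now + 7200)
    return out
```

Running `demo()` shows that a password-only session is accepted by the webmail but refused a token for Office 365 by the identity provider, that a single login with the one-time code then serves both services without a second prompt, and that a token replayed at another service, altered, or past its expiry is rejected. The `sessions` dictionary is also the dependency the paragraph above warns about: if the identity provider is down or compromised, every federated service is affected at once.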
Cloud and Threat Protection
Today, every company faces multiple threats: ransomware, phishing, data leakage and many others. To counter them, each company must put protection systems in place (antivirus, firewalls), secure its network connections, train its users and deploy procedures. These measures take a lot of time and investment to be effective, and they benefit only the company in question.
Although the cloud is also affected by these threats, the scope over which a security measure applies is much larger.
For example:
A security measure deployed on Azure potentially benefits all of its customers, so the ratio of time and investment to benefit is better.
In addition, cloud providers can use telemetry from their customers' usage to identify anomalies and threats quickly, which enhances security for everyone on the platform.
These cloud providers usually have teams of security experts working continuously to improve the quality and robustness of the services they offer, to the benefit of all users of their platforms.
Data security is a constantly evolving field, and the cloud has revolutionized usage and created new problems. With its many changes, however, the cloud has also brought new answers and solutions to these problems. We have now covered these new security issues. Our teams are at your disposal to answer your questions and to support you in your cloud projects.