CYBER SECURITY

Stay well equipped to protect your networks, devices, programs and data from attacks

Data in transit protection

User data transiting networks must be safeguarded from intruders. Data in transit is protected between:

• End user device(s) and the service

• Internally within the service

• Between the service and other services

Identity and authentication

All access to service interfaces has to be limited to authenticated and authorized users. Moreover, authentication should occur over secure channels.

• Email, HTTP or telephone are vulnerable to interception and social engineering attacks.

• Make sure that identity and authentication controls ensure users have access to specific interfaces.

Separation between users

An unauthorized user of the service should not be able to affect the service or data of another. Factors affecting user separation include:

• Where the separation controls are implemented – this is heavily influenced by the service model (e.g. IaaS, PaaS, SaaS)

• Who you are sharing the service with – this is dictated by the deployment model (e.g. public, private or community cloud)

Secure development

To recognize and mitigate threats to their security, there is a need to design and develop services.

• Threats must be constantly addressed and the service must be improved

• Development must be carried as per the requirements of the industry

Governance framework

Effective governance framework ensures that procedure, personnel, physical and technical controls continue to work through the lifetime of a service. It also responds to changes in the service, technological developments and the appearance of a new threat. Intact governance will surely provide:

• An authorized person who will be solemnly responsible for the security of the cloud service.

• It can be someone with the title ‘Chief Security Officer’, ‘Chief Information Officer’ or ‘Chief Technical Officer’.

• Board would be kept informed of security and information risk.

Asset protection and resilience

Storing or processing of user data must be secured so that no loss or damage of assets occurs. The aspects to be contemplated are:

Physical location and legal jurisdiction: You need to know countries where your data will be stored, processed and managed. You should be aware of the effects of compliance with relevant legislation.

• Data centre security

• Data at rest protection

• Data sanitisation

• Equipment disposal

Secure service administration

Highly privileged access is given to Systems used for administration of a cloud service. Their carelessness would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.

• You should possess the knowledge of the service administration model being used by the service provider to manage the service.

• Be content with any risks the service administration model in use brings to your data or use of the service.

Personnel security

Generally, service providers have access to your data and systems so you need to have an utmost conviction on them. Proper screening, supported by adequate training, reduces the possibilities of unauthorized access.

• Service providers need to specify the policies regarding screening and managing of users information.

• Make sure very few people have access to your information.

Supply chain security

It is the responsibility of the service provider to make sure that the supply chain perfectly supports the security principles that are to be implemented by the service.
The reliance on Cloud services on third party products and services is a well-known fact. Consequently, if this principle is not implemented, supply chain compromise can undermine the security of the service and affect the implementation of other security principles. For this, the following components are to be learnt

• The way of sharing information

• The access granted to third party suppliers

• Security risk management by service providers

Operational security

Operational security comes into play wherein you need to securely operate and manage services in order to prevent intrusion and attacks. A decent operational security must not involve complicated, bureaucratic, time consuming or expensive processes. One should focus on the following elements:

• Configuration and change management

• Vulnerability management

• Protective monitoring

• Incident management

Secure user management

It is the responsibility of the service provider to make the tools available for you to securely use the service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.

• The facets to be considered are

• Authentication of users to management interfaces and support channels.

• Separation and access control within management interfaces.

External interface protection

All external or suspicious interfaces of the service should be recognized and safeguarded. If some of the interfaces exposed are private then the impact of tampering may be more significant.

• You can use different models to connect to cloud services which expose your enterprise systems to varying levels of risk.

• Understand what physical and logical interfaces your information is available from, and how access to your data is controlled

Audit information for users

Audit records should be available so that you can monitor access to your service and the data held within it. The type of audit information available to you will have a direct impact on your ability to detect and respond to inappropriate or malicious activity within reasonable timescales.

• Be aware of the audit information

• That will be provided to you, how and when it will be made available, the format of the data, and the retention period associated with it

• Available will meet your needs for investigating misuse or incidents

Secure use of the service

It becomes mandatory for you to use the service properly or else the security of cloud services and the data held within them will be at risk.

• Understand any service configuration options available to you and the security implications of your choices.

• Understand the security requirements of your use of the service.

• Educate your staff using and managing the service in how to do so safely and securely.

Above mentioned design principles will certainly help you to strengthen cloud security.

Services