Demystifying Cloud Security: The Fundamentals

On April 23, 2020 we hosted our "Demystifying Cloud Security: The Fundamentals" webinar, where our CTO Ralph Moonen and Senior Security Specialist Tom Tervoort discussed the basics of cloud security. The attendees asked some good questions, which we have summarized below in a Q&A. Should you still have any remaining questions, please contact info@secura.com.

Curious to our other webinars? Visit: https://www.secura.com/webinars

Q&A

Thank you for all your questions during the webinar, we have received quite a few! The ones that were not already answered in the webinar are answered below.

Should you still have any remaining questions, please contact info@secura.com.

Is it not true that for many organizations cloud solutions are more secure that companies do it themselves? (especially with regards to infrastructure)

In many cases this is true for the parts of an infrastructure the cloud service provider is fully responsible for, since especially the big provider have a lot of security expertise and huge teams available for protecting this infrastructure, probably more so than most organizations have themselves. Of course there are exceptions when companies have very specific security (or legal/privacy/availability) requirements that are not met even by parties like Google or Microsoft. Furthermore, in cases when secure configuration is the responsibility of the company itself the cloud is more of a double-edged sword: on one hand cloud services may make it easier or cheaper to take the right security measures, but on the other hand a misconfiguration can have a higher impact due to a higher level of internet exposure.

Are Azure, Google or AWS more or less secure? And similar for SaaS/Paas/IaaS?

There's no good answer to this question. When it comes to general security practices all three have a very good profile, and there is no clear winner. But it may be more interesting to know which provider's services are more prone to misconfigurations, have better security documentation or have better defaults. That's highly subjective, though, and I do not dare to claim one is better than the other.

When it comes to SaaS/PaaS/IaaS in general it can be said that the type of service that requires the least configuration or maintenance has the smallest chance of being vulnerable. Therefore it is often easier to secure SaaS than PaaS, and or to secure Paas than IaaS.

Shared responsibility: who is responsible for the privileged users / admins?

The big cloud service providers take no responsibility for the protection of user credentials, and the configuration of user roles and privileges. So organizing this is the complete responsibility of the company making use of the cloud service. The providers do however provide some documentation on some best practices regarding identity and access management, but leave its implementation to you.

Are there any specific legal aspects to be aware of?

When performing a security test in a cloud environment the cloud service provider is always an involved party that has to be considered. Luckily, big providers like AWS and Azure offer clear terms and conditions regarding pentesting, and there's no need for a representative of AWS/Microsoft to give explicit approval for every test. However, one should be aware what is and is not covered by these terms and conditions, and that these may be different for other cloud providers.

This question is regarding Security testing. If an environment is outsourced (including infrastructural components) to a cloud service provider, and the CSP has an ISO27001 certification and ISAE3402 TPM, do you still recommend performing security testing on the individual components within the environment?

In general I would not recommend testing the certified infrastructural components, as long as these components require no configuration or customizations specific to the user of the environment. In practice there is usually room for configuration, and due to the shared responsibility model of most providers these configurations are not covered by the certification, and are therefore probably valuable to have tested.

Looking at regulators like DNB within finance would it be considered mandatory performing cloud pentesting as part of a cloud risk assessment?

I am no expert on financial regulation, so unfortunately I will not be able to answer which testing techniques are mandatory. I do think that, in general, pentesting is a valuable addition to risk assessment, whether this concerns a cloud environment or not.

If you have any remaining questions, please contact us at info@secura.com