Challenges around Information Security Management in the Public Cloud
Using Managed Security Service Providers in Multi-Cloud Environment
Julia YuZhou Chen Candidate nr.: 580775
Informatics: Programming and System Architecture Information Security
60 ECTS Master’s Thesis Department of Informatics
The Faculty of Mathematics and Natural Sciences
Spring 2021
1 Abstract
This thesis answers three research questions. The first is how cloud computing influences security management, the second is what possible strategies exist for organizations that want to leverage multi-cloud and Managed Security Service Providers, and the last is which challenges appear when combining multiple cloud providers and Managed Security Service Providers.
Based on a reading of existing literature and consultation with industry experts, it shows that cloud computing has forever changed the way security management is done by introducing cloud-native services as well as cloud providers who will always be part of security management.
An analytical investigation showed that in a multi-cloud environment it is possible to use the cloud providers themselves as the Managed Security Service Provider, to select a Managed Security Service Provider recommended by a cloud provider, or to choose an entirely different Managed Security Service Provider, as long as it fulfills the criteria and needs of the organization.
This thesis also analyzes the challenges which arise when utilizing cloud computing and when Managed Security Service Providers get involved. It takes into account the difficulty of gaining proper visibility, the multitude of compliance offerings that have to be followed, and the difficulty of choosing a proper Managed Security Service Provider.
2 Acknowledgment
I would firstly like to thank my loyal mug which has stayed with me during all my late nights and early mornings, and provided me with an endless supply of coffee and tea.
I would also like to thank my thesis advisor Professor Audun Jøsang of the Department of Informatics at University of Oslo. He has continuously guided me whenever I had questions or was struggling with my writing. He steered me in the right direction and helped me greatly these past years.
My co-advisor, manager, and domain expert, Morten Stange Bye, has provided me with resources and research papers, and has shown me full support in writing this thesis while working full-time.
In addition, I must express my gratitude to my parents and my partner for providing me with unfailing support and continuous encouragement. This accomplishment would not have been possible without them.
Finally, I would like to thank my two cats, Eevee and Mochi, for being excellent, yet slightly distracting, co-workers and study-partners during the COVID-19 lockdown. Seeing them makes me smile without fail.
Thank you.
Julia YuZhou Chen
Contents
1 Abstract
2 Acknowledgment
3 Background
3.1 The Cloud
3.1.1 Current Cloud Landscape
3.2 Strategies of Cloud Services Providers
3.2.1 Starting Point
3.2.2 Current Strategies
3.2.3 Trends
3.3 Security in the Cloud
3.3.1 Monitoring and logging
3.4 The influence of COVID-19
3.5 Research Questions and Method
3.5.1 Research Questions
3.5.2 Research Method
4 Information Security Management
4.1 Proactive Processes and Measures
4.1.1 Monitoring and Logging
4.1.2 Risk Assessment
4.1.3 Risk Management
4.1.4 Security Culture
4.2 Reactive processes and measures
4.2.1 Incident Response
4.2.2 Incident Management
4.3 Information Security Management System
4.4 Challenges
5 Information Security Challenges In The Cloud
5.1 Information Security Services
5.2 Compliance Offering
5.2.1 Global
5.2.2 Regional
5.2.3 Industry
5.3 Security Needs for Services in the Cloud
5.3.1 Visibility
5.3.2 Transparency
5.4 Other Security Challenges
6 Managed Security Services in the Cloud
6.1 Cloud Provider and MSSP is the same provider
6.1.1 Multi-Cloud Scenario
6.1.2 Can the Cloud Provider also be the MSSP?
6.2 Cloud Provider and MSSP is not the same provider
6.2.1 One MSSP and One Cloud Provider
6.2.2 One MSSP in multi-cloud environment
7 Discussion
7.1 Revisiting Research Questions
7.2 Limitations
8 Conclusion
References
3 Background
This section explains why the topic of transparency and openness of security services in the cloud is important for companies and organizations that leverage cloud services.
3.1 The Cloud
Cloud technology, or cloud computing, was popularized by Amazon Inc when they released their Elastic Compute Cloud (EC2) in 2006, but the term appeared as early as 1996 in an internal Compaq document. Cloud computing is the on-demand availability of computer resources such as storage, compute power, servers, network and software. This means that rather than needing to have the resources available locally, leveraging the cloud makes it possible to access such resources remotely.
There are different types of cloud and cloud computing, different models which offer different ways to deploy and access cloud services.
Public Cloud
Public clouds are owned by third-party cloud service providers such as Amazon, Microsoft, Google, IBM and Alibaba. These cloud service providers deliver their resources over the Internet, and all hardware, software and supporting infrastructure is owned and managed by the cloud providers. These services and resources are made available and accessed through an account,
Private Cloud
Private clouds provide cloud computing used exclusively by a single company, organization or business. Such private clouds can be located in the company's on-premise data-center, and some companies may also pay third-party service providers to host their private cloud. The services and infrastructure of a private cloud are managed and maintained on a private network.
3.1.1 Current Cloud Landscape
Cloud technology has increased in popularity over the last few years and will continue to grow steadily. As of 2019, roughly 94% of companies use cloud technology to some degree, with public cloud adoption at 91% and private cloud adoption at 72% [1]. This shows how widely cloud technology is used across industries and company sizes.
The demand for cloud computing varies between companies and organizations according to their requirements. Cloud computing is generally known to reduce or eliminate capital expenses, to scale elastically, to increase productivity and performance, to be reliable in terms of disaster recovery and business continuity, and to offer a broad set of security services. Innovation is also rapidly shifting to the cloud, with vendors adopting cloud-first approaches to product design and some technology innovations available only as cloud services, such as Internet of Things (IoT) and Artificial Intelligence (AI) [2].
In 2019 it was also estimated that 84% of companies have a multi-cloud strategy [1]. This is the deliberate use and combination of multiple public cloud providers and their services. Multi-cloud can lower the risk of cloud provider lock-in, makes it easier to specify functional requirements, and provides service resiliency and migration opportunities. It also provides agility and the potential for targeted cost optimization.
It is also estimated that 58% of companies have a hybrid cloud strategy [1]. This is the use of both private and public cloud, operating as separate entities but integrated with each other. Hybrid cloud can offer the cost optimization, flexibility, agility and elasticity that come with public cloud while also benefiting from the control, compliance, security and reliability of a private cloud.
Hybrid IT is another popular operational model for IT companies and organizations that act as brokers for a range of different services from external cloud providers. The model leverages different types of cloud computing, traditional computing and edge computing¹. Unlike hybrid cloud, which is a complex implementation and integration of multiple cloud services into one, hybrid IT adds value across multiple services from different providers as well as internal technology solutions.
¹ This is a concept where resources and compute power are brought closer to the location where they are needed in order to improve response time and save bandwidth. The increasing use of IoT devices at the edge of networks produces large amounts of data that need to be processed, pushing up network bandwidth requirements and lengthening response times. Edge Computing aims to move away from data-centers and do the computing at the network edge where it is needed, such as on boats.
It is also estimated that organizations which are already running applications in the cloud leverage on average almost 5 different clouds [1]. Companies are on average running applications on 3.4 public and private clouds and experimenting with 1.5 more, for a total of 4.9 clouds. Among those using public cloud services, companies are estimated to be currently using 2 public clouds and experimenting with 1.8 more.
3.2 Strategies of Cloud Services Providers
Cloud Computing has matured over the last few years, and the big Cloud Service Providers are competing with each other for market share. 2020 was also a defining year for the growth of these big cloud companies due to COVID-19. This section gives insight into the strategies of the biggest Cloud Providers and how they have reached their current position in terms of market share and status.
3.2.1 Starting Point
The idea of Cloud Computing started as early as the 1960s when DARPA (Defense Advanced Research Projects Agency) asked MIT to develop a technology which allowed two or more users to access a computer simultaneously, and thus Project MAC (Project on Mathematics and Computation) was established [3].
It was not until the 1970s that IBM developed and released an operating system called 'VM' that allowed its admin users to have multiple virtual systems, or 'Virtual Machines', on one single physical node [4]. This is where virtualization was introduced. This operating system took access sharing to the next level by allowing multiple compute environments to exist in the same physical environment.
Telecommunication companies were the first to utilize this technology. They changed from single point-to-point data connections to offering virtualized private network connections [4]. This led to the same quality of service at reduced cost, because they no longer needed to expand their physical infrastructure in order to provide each user with their own connection; instead they gave users shared access to the same physical infrastructure. This in turn allowed the telecommunication companies to shift their traffic when necessary and led to better network balance and more control over their bandwidth.
As the Internet became more accessible over the years, virtualization started to move online. The price of physical hardware was, and still is, a significant cost, and more and more people wanted to be online. Soon, servers were virtualized and used as shared hosting services. As the cost of servers slowly declined and more people were able to afford their own servers, a new realization came upon them: one single server was no longer enough to provide the resources they needed. It went from a "split up these servers because they are expensive" mindset to a "let's combine these servers because of lack of resources, plus they're cheap" mindset [4]. Thus the idea of online Cloud Computing was born.
Amazon Web Services
Amazon was the first company to scale Cloud Computing to Enterprise level, back in 2006 with Amazon Web Services (AWS). As an e-commerce company that struggled with scaling problems as it grew, Amazon also had monolithic software that grew increasingly complex. Amazon decided to split its data-sets into separate items and then into smaller units again. At the same time, it also started to offer computing resources and tools. This led to Amazon's customers being able to easily scale their use of resources. This flexibility gave Amazon an advantage over its competitors in terms of compute resources such as storage and network, and allowed it to introduce a pay-as-you-go payment basis for these resources.
This new investment was also timed with more companies looking into storing vast amounts of data and needing compute resources. Modern social media as we know it was born as Facebook opened its social network to the world. This led to an increasing number of users on a single site, with 12 million accounts at the end of 2006. This is also the year Google bought YouTube and started to invest in this video-sharing platform, which also hosted millions of users.
During 2006, Amazon released its Storage Service as well as EC2, an Infrastructure-as-a-Service (IaaS) offering. In the next two years Amazon improved and refined its offering as it expanded to Europe and broadened its portfolio.
Google Cloud Platform
Google announced Google App Engine in April 2008, a tool to run web applications on Google's infrastructure. This was a Platform-as-a-Service (PaaS) offering which launched in preview for a limited number of developers but soon opened up to the general public. It would be the first offering in the steadily growing portfolio of Google Cloud Platform (GCP).
Google, as a widely used search-engine company which had also acquired YouTube, had an advantage in terms of user base as well as years of experience in developing algorithms that best matched search results and in handling large amounts of data. This was a technology Google would invest more into, which also helped grow its Machine Learning offerings.
Microsoft Azure
Microsoft announced their Windows Azure Platform in October 2008 during their Professional Developers Conference, and the name changed to Microsoft Azure in 2014. Windows Azure Platform was positioned and marketed as an alternative to Amazon EC2 and Google App Engine. Building upon their strong offerings and tools for development, Microsoft released Windows Azure as a PaaS offering.
Microsoft had a different edge than the other two Cloud Providers in terms of already having a significant foot into most companies and organizations.
Having the operating system Windows, productivity offerings such as the Office packages, and existing server offerings such as Microsoft SQL Server, Microsoft had existing ties they could work on. However, Microsoft was
income came from, and switching to pay-as-you-go basis required a switch in mindset.
3.2.2 Current Strategies
With Cloud Computing becoming increasingly popular, and the big Public Cloud Providers also expanding their offerings and reach, this section takes a look into where they are positioned now and their strategies for the future.
Amazon Web Services
Amazon was the first and earliest Public Cloud Provider with its strong lead in IaaS offering and has 45% of the IaaS market share in 2019 [5] and has 33% market share across IaaS, PaaS and Private Cloud Services. Amazon has created its own compute stack and branched out and become a central player when it comes to Artificial Intelligence, Machine Learning, databases and Serverless offerings.
In 2018, Amazon released multiple new offerings in AI such as Amazon Textract², Amazon Personalize³, Amazon Forecast⁴ and Amazon DeepLens⁵. In late 2019, Amazon focused more on hybrid cloud solutions with the release of AWS Outposts, a solution that brings the same AWS infrastructure and services to virtually any data center, co-location space, or on-premises facility [6]. This is the biggest hybrid solution that AWS offers, in addition to supporting Kubernetes⁶ and the partnership with VMware, where AWS is the preferred public-cloud provider for vSphere-based workloads.
² A service that automatically extracts text and data from scanned documents.
³ An ML service that makes it easy for developers to create individualized recommendations for customers using their applications.
⁴ A fully managed service that uses machine learning to deliver highly accurate forecasts.
⁵ A wireless camera onto which customers can deploy their own deep learning models for computer vision.
Google Cloud Platform
AI and Machine Learning have always been a strong selling point for GCP, with BigQuery and PredictAPI⁷ being released in 2010. The investment in AI and ML has only expanded with the acquisition of Kaggle in 2017, the world's largest community of data scientists and machine learning enthusiasts, which serves as a place to search and analyze public data-sets and build machine learning models.
Google has also invested in the hybrid and multi-cloud market with the release of Stackdriver in 2016. It has since been renamed Operations and serves as a monitoring, logging and troubleshooting application which can also be used in hybrid and multi-cloud environments. The release of Anthos in 2019 was a more strategic and targeted approach to the hybrid and multi-cloud market. It is a platform based on Kubernetes that lets users run applications on-premises or in the public cloud, using only GCP or in a multi-cloud setup. Anthos also includes capabilities to help automate policy and security at scale across deployments. The multi-cloud reach of Anthos increased as Google announced in 2020 that it could consolidate operations on AWS.
⁶ Kubernetes is open source software that allows you to deploy and manage containerized applications. First developed by Google engineers in early 2014, it is now independent. It manages a cluster of compute instances and can schedule containers to run based on the resources available and required.
⁷ A serverless and multi-cloud data warehouse with built-in machine learning which helps predict business outcomes.
Microsoft Azure
Microsoft Azure has an advantage with its SaaS offerings and its established footprint in Enterprise solutions. Second to Amazon, Microsoft Azure had 17.9% of the IaaS market share in 2019 [5] and 18% market share across cloud infrastructure services.
Microsoft started to invest heavily in cloud towards the end of the Steve Ballmer era, and Satya Nadella took over and announced a cloud-first strategy in 2014. This was also the year Microsoft Azure became the new name of Windows Azure Platform: a re-branding and a new focus on cloud and on expanding cloud offerings. Through collaboration and strategic partnerships with Red Hat, Oracle and SUSE, Azure became a highly sought-after place to run Linux.
Microsoft has also invested in hybrid and multi-cloud solutions with Azure Stack, which was first announced in 2015 and released to the public in 2017. It serves as an on-premise version of the public cloud. Azure Stack is Microsoft software that runs on hardware from a select group of certified partners and is designed to look and feel like the Azure public cloud. It also provides a common management platform between the public and private cloud.
Microsoft's additional investment in hybrid solutions is Azure Arc, announced in 2019: a control plane that extends from Azure onto on-premises, multi-cloud and edge environments. Azure Arc also lets customers have a central and unified governance and management service across their environments.
3.2.3 Trends
The acceptance of Kubernetes in the data center and multi-cloud investments have been a growing trend in the IT industry and among enterprises. This reflects the strategies of the leading public cloud providers, with AWS Outposts, Google Anthos and Microsoft Azure Arc all announced in 2019 as a way to grab their share of the hybrid and multi-cloud market.
Multi-cloud strategies have only been growing, as they can lower the risk of provider lock-in and provide an exit strategy in case a particular cloud decision does not work out as planned. In addition, they can provide service resiliency and agility. Hybrid strategies also cover a huge market, as virtually all enterprises are hybrid: no company can afford to do everything by itself or put everything it runs in a public cloud [7].
3.3 Security in the Cloud
The cloud is sometimes perceived as less secure. To date, however, there have been fewer security breaches in public clouds, and most breaches involve on-premises data-centers or environments [2]. It is also important to understand that leveraging public cloud services is a shared responsibility, and to understand which security tasks are handled by the cloud provider and which by the organization itself. The amount of responsibility varies depending on whether the workload is hosted on Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), or in an on-premise data-center.
Figure 1: Security responsibilities as a function of cloud service types [8]
The challenge exists not in the security of the public cloud itself, but in technologies and policies for security and controls of such technologies [2].
Cloud computing does not mean a reduction of the overall security scope, and it does require customers to manage some of the stack in a shared-responsibility model. The cloud requires a different approach to security: it is not as simple as moving on-premises workloads to the cloud. The customer should leverage the visibility and control features offered by cloud providers as well as cloud-aware tools to improve visibility.
Public clouds, when used according to their intended usage, are highly resistant to attack and in the majority of circumstances can offer stronger security than a traditional in-house or on-premise implementation. However, the organization has the responsibility to exert control over the cloud. Secure and compliant usage of public clouds means, for example, that enterprises are required to enforce and implement clear policies, responsibilities, and risk acceptance processes.
3.3.1 Monitoring and logging
Managing security incidents effectively once they occur involves detective and corrective controls designed to recognize and respond to such events, minimize impact, restore a damaged service as quickly as possible, gather forensic evidence and prompt improvements. This also means sophisticated monitoring of services and APIs, as well as monitoring and leveraging log files. Log management, audit logging, security logs from operating systems, configuring log storage, and monitoring and analyzing these log files are all important security controls that should be thoroughly evaluated and implemented. Such monitoring can help identify issues before they have an impact, in addition to expediting the incident identification and resolution phase.
With the popularity of cloud computing and the widely used hybrid cloud and multi-cloud strategies, it is in the best interest of both the cloud providers and their customers to have services which integrate easily and communicate seamlessly with one another. However, different cloud providers are competing against each other, as well as against other third-party technologies offering competing services.
Questions regarding security arise as the competition between cloud providers increases. Monitoring and logging in a multi-cloud or hybrid scenario are vital, as customers may choose different service providers for security services such as monitoring or logging than for their other cloud services. A customer's workloads and applications may use services from different cloud providers or other third-party tools, and customers commonly prefer one centralized monitoring service which gives them an overview of the health of their systems, enforced policies, anomalies and logs. This raises the question of transparency, visibility and accountability, as well as the pros and cons of using the same cloud provider, different cloud service providers, or entirely different third-party providers for their security services.
Another important aspect to consider is privacy and the handling of data across multi-cloud environments. This again touches upon topics such as transparency and accountability, as customers should have insight into which service from which cloud provider is storing, accessing, handling and processing which data.
3.4 The influence of COVID-19
As the COVID-19 pandemic hit the world in March 2020 and many countries started to encourage or even mandate working from home, we saw an unexpected but significant rise in offerings and solutions for remote work and video conferencing. Microsoft Teams and Google Meet became central in many Enterprises and were used as the main tools of communication and collaboration.
Having remote workers also causes a rise in demand and a need for increased capacity in terms of network, storage and services, not only for organizations and their internal employees, but also for organizations holding digital events and for streaming service providers. Operations teams face challenges maintaining availability and performance while also having to work remotely with reduced staffing. This in turn leads companies and organizations to see the cloud as a means of digital transformation and a critical component of business continuity.
Customer adoption of public cloud and of collaboration platforms, with their possibility of sharing documents, videos and files across geographical areas, has increased significantly. Examples of such platforms are Microsoft Teams and Google Meet, which rely on their respective public cloud platforms. This emphasizes the importance of security, privacy and incident management in this hybrid and multi-cloud world.
3.5 Research Questions and Method
This section presents my research questions and the methods I used to answer them. It also explains what I wish them to accomplish.
3.5.1 Research Questions
The following research questions have provided guidance for the present master project.
1. How does cloud computing influence security management?
2. What are possible strategies for organizations who want to leverage multi-cloud and Managed Security Service Providers?
3. Which challenges appear when combining multiple cloud providers and Managed Security Service providers?
These research questions aim to give organizations and companies an understanding of the current landscape, and of how and why it has evolved and will keep evolving. They will also help them choose how to start or continue their multi-cloud journey in terms of leveraging Managed Security Service Providers. In addition, they will present the challenges cloud computing faces, and how those are reflected in the challenges an organization may face when.
3.5.2 Research Method
This project has been based on the following methodology.
1. Reading literature
2. Consulting domain and industry experts, in particular from Microsoft.
3. Analytical investigation around practical solutions based on the state of the art of cloud computing and managed security services.
By reading existing literature and research papers on these topics, I will gain insight into others' perspectives and understandings. By consulting experts, I aim to gain more knowledge about the cloud domain as well as their point of view on their clouds. I will also perform analytical investigations which will help me find solutions, as well as the challenges which arise during an organization's multi-cloud journey.
4 Information Security Management
The main goal of information security is to ensure the security goals of information resources, such as confidentiality, integrity and availability. This also implies other aspects such as privacy, anonymity and verifiability. Security Management is a continuous proactive process of governance and management of information security objectives and measures to prevent loss of information or information being accessed by unauthorized entities or people, as well as having a reactive plan in case security incidents occur.
4.1 Proactive Processes and Measures
Proactive processes and measures means actively preventing security incidents from occurring. This includes having proper monitoring on networks and systems, having a security mindset when designing and utilizing applications, having a proper logging system, and having done risk assessment on assets and risk management on possible risks.
Having a security mindset has to be adopted throughout the entire organization or company, and having a well-manned and trained Security Operations Center can help implement and enforce security measures.
4.1.1 Monitoring and Logging
Monitoring is mainly considered and used as a way to ensure that application and services are available, are responding within a threshold, and how much compute resources such as CPU, memory and network bandwidth is being utilized. However, it is also an important security measure if configured to do so. Network monitoring can help monitor ports and who has access to certain IP addresses, it can also help identify unusual patterns.
Monitoring can also be done on authentication and access control, as well as on how access authorizations are being managed. A typical security problem in organizations is that staff accumulate more and more access authorizations which they do not need for their job functions. While keypads and card scanning handle physical access control, it is also important to monitor and secure devices and information shared across and within an organization, especially now that employees are encouraged to work from home, or even while traveling. Access control monitoring consists of, but is not limited to, ensuring that access is not granted to unauthorized personnel, and that alerts are triggered when an entrance is forced or fraudulent in some way.
Logging means managing all the log data produced by applications and infrastructure. This includes log aggregation⁸, log storage, controlling log quality, ensuring the privacy and security of such logs, log enrichment⁹ and log analysis. The amount of logs that can be collected will vary depending on the complexity of the infrastructure, how widely distributed the infrastructure is, and which data are available.
⁸ The process of collecting log data from separate sources and moving them to a central location.
⁹ The process of adding context to certain log data.
Logging and monitoring are closely related, since without effective logging, it is difficult to do effective monitoring. Having both in place will also provide an easier and quicker response to data breaches and other security incidents as well as ensuring that policies, regulations and audits are enforced and compliant.
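The following is an added example (not code from the thesis) illustrating the log aggregation, enrichment and analysis steps described above, together with the multi-cloud monitoring concerns raised in section 3.3.1 and the access-authorization accumulation problem from section 4.1.1. Two constructed log sources with different, hypothetical field layouts are normalised into one schema, enriched with an owner lookup, and then two defensive checks are run over the unified records: a burst of failed logins and an identity accumulating roles across providers. All field names, log lines and the owner table are constructed for illustration and do not copy any real provider's log format.

```python
"""Centralised log aggregation, enrichment and two security checks over
constructed records from two cloud providers (added example, not from the thesis)."""
from collections import defaultdict
from datetime import datetime
import json

# Constructed sample records. Provider A and provider B use different,
# hypothetical field names, as real providers do.
PROVIDER_A_LOGS = [
    '{"ts": "2021-03-01T08:00:00Z", "principal": "alice", "action": "Login", "outcome": "FAIL", "src": "198.51.100.7"}',
    '{"ts": "2021-03-01T08:00:05Z", "principal": "alice", "action": "Login", "outcome": "FAIL", "src": "198.51.100.7"}',
    '{"ts": "2021-03-01T08:00:09Z", "principal": "alice", "action": "Login", "outcome": "FAIL", "src": "198.51.100.7"}',
    '{"ts": "2021-03-01T08:00:12Z", "principal": "alice", "action": "Login", "outcome": "FAIL", "src": "198.51.100.7"}',
    '{"ts": "2021-03-01T09:10:00Z", "principal": "bob", "action": "GrantRole", "outcome": "OK", "role": "storage-admin"}',
]
PROVIDER_B_LOGS = [
    '{"time": "2021-03-01T09:12:00Z", "user": "bob", "operation": "RoleAssignment", "status": "Succeeded", "roleName": "db-admin"}',
    '{"time": "2021-03-01T09:15:00Z", "user": "bob", "operation": "RoleAssignment", "status": "Succeeded", "roleName": "network-admin"}',
    '{"time": "2021-03-01T09:20:00Z", "user": "carol", "operation": "SignIn", "status": "Succeeded", "callerIp": "203.0.113.9"}',
]

# Constructed enrichment source: which team owns each identity.
ASSET_OWNERS = {"alice": "finance", "bob": "platform", "carol": "sales"}


def _ts(value):
    """Parse an ISO-8601 'Z' timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalise_a(line):
    """Map a provider-A record onto the common schema."""
    r = json.loads(line)
    return {"time": _ts(r["ts"]), "provider": "A", "user": r["principal"],
            "event": {"Login": "login", "GrantRole": "role_grant"}[r["action"]],
            "success": r["outcome"] == "OK",
            "detail": r.get("role") or r.get("src")}


def normalise_b(line):
    """Map a provider-B record onto the same common schema."""
    r = json.loads(line)
    return {"time": _ts(r["time"]), "provider": "B", "user": r["user"],
            "event": {"SignIn": "login", "RoleAssignment": "role_grant"}[r["operation"]],
            "success": r["status"] == "Succeeded",
            "detail": r.get("roleName") or r.get("callerIp")}


def aggregate(a_lines=PROVIDER_A_LOGS, b_lines=PROVIDER_B_LOGS):
    """Log aggregation: pull both sources into one time-ordered list,
    then log enrichment: attach the owning team to every record."""
    records = [normalise_a(l) for l in a_lines] + [normalise_b(l) for l in b_lines]
    records.sort(key=lambda r: r["time"])
    for r in records:
        r["owner"] = ASSET_OWNERS.get(r["user"], "unknown")
    return records


def failed_login_bursts(records, threshold=3, window_s=60):
    """Return users with at least `threshold` failed logins inside `window_s` seconds."""
    per_user = defaultdict(list)
    for r in records:
        if r["event"] == "login" and not r["success"]:
            per_user[r["user"]].append(r["time"])
    flagged = []
    for user, times in per_user.items():          # times are already sorted
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.append(user)
                break
    return flagged


def role_accumulation(records, max_roles=2):
    """Return identities that hold more than `max_roles` distinct roles,
    counted across all providers (access-authorization creep)."""
    roles = defaultdict(set)
    for r in records:
        if r["event"] == "role_grant" and r["success"]:
            roles[r["user"]].add((r["provider"], r["detail"]))
    return {u: sorted(s) for u, s in roles.items() if len(s) > max_roles}


def run_checks():
    """Run both checks over the aggregated records and return the findings."""
    recs = aggregate()
    return {"bursts": failed_login_bursts(recs), "role_creep": role_accumulation(recs)}


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2, default=str))
```

The point of the normalisation step is that neither check has to know which provider produced a record; the role-accumulation check in particular only works when grants from every provider land in one place, which is the centralized monitoring the text describes.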
4.1.2 Risk Assessment
Risk assessment is the joint process of risk analysis and risk evaluation [9]. Risk identification is the process of mapping relevant combinations of threats and vulnerabilities which can lead to a security incident. Risk analysis estimates the levels of the identified risks based on relevant threats and vulnerabilities. Risk evaluation is the process of judging the different risks based on the risk analysis and how tolerable they are, while also considering socioeconomic and environmental factors.
Risk Analysis
There are three main steps that should be carried out for each risk in a risk analysis [9].
1. Identification. The hazard and possible threats are identified, along with the relevant vulnerabilities that can be exploited by each threat.
2. Frequency analysis. A deductive analysis of the frequency with which such a security incident might occur, based on past events and/or professional judgement.
3. Consequence analysis. An inductive analysis to identify all potential consequences and end outcomes of such a security incident, as well as the probability of each of them occurring.
A risk analysis can be either qualitative or quantitative, depending on the object being assessed.
Risk Evaluation
A risk evaluation typically includes comparing the results of the risk analysis against the organization's risk acceptance criteria. It is therefore important that there is clear communication between those who perform the risk analysis and those who perform the risk evaluation, so that the estimates are understood in the same way on both sides.
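To make the analysis and evaluation steps concrete, the following Python example (added here, not part of the thesis) scores a small constructed risk register both qualitatively, on an assumed 5x5 frequency and consequence scale, and quantitatively as expected annual loss, and then compares each risk with assumed acceptance criteria. The third risk shows why the two views should be reported together: a rare but very costly event is rated low on the matrix yet exceeds the quantitative loss cap.

```python
"""Risk analysis and evaluation against acceptance criteria.

Added example, not from the thesis. The 5x5 scales, the risk matrix and the
acceptance thresholds are assumptions chosen for illustration; an
organization defines its own. Each risk from identification is scored
qualitatively (frequency class x consequence class) and, where estimates
exist, quantitatively as expected annual loss; both are compared with the
acceptance criteria in the evaluation step.
"""

# Qualitative scales (assumed): 1 = lowest, 5 = highest.
FREQUENCY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed acceptance criteria: which matrix levels are tolerable, and a cap
# on expected annual loss in currency units.
ACCEPTABLE_LEVELS = {"low"}
MAX_EXPECTED_ANNUAL_LOSS = 50_000


def risk_level(freq_cls, cons_cls):
    """Assumed matrix: product of the class numbers mapped to a level."""
    score = FREQUENCY[freq_cls] * CONSEQUENCE[cons_cls]
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def expected_annual_loss(events_per_year, loss_per_event):
    """Quantitative estimate: frequency times consequence."""
    return events_per_year * loss_per_event


def evaluate(risk):
    """Compare one analysed risk with the acceptance criteria.

    risk: dict with threat, vulnerability, frequency, consequence and,
    optionally, events_per_year and loss_per_event.
    Returns (level, expected_annual_loss_or_None, needs_treatment).
    """
    level = risk_level(risk["frequency"], risk["consequence"])
    eal = None
    if "events_per_year" in risk and "loss_per_event" in risk:
        eal = expected_annual_loss(risk["events_per_year"], risk["loss_per_event"])
    needs_treatment = level not in ACCEPTABLE_LEVELS
    if eal is not None and eal > MAX_EXPECTED_ANNUAL_LOSS:
        needs_treatment = True   # the quantitative cap overrides a "low" rating
    return level, eal, needs_treatment


# Constructed sample register: threat/vulnerability pairs from identification.
RISKS = [
    {"threat": "credential phishing", "vulnerability": "no MFA on cloud console",
     "frequency": "likely", "consequence": "major",
     "events_per_year": 2, "loss_per_event": 40_000},
    {"threat": "lost laptop", "vulnerability": "disk not encrypted",
     "frequency": "possible", "consequence": "minor",
     "events_per_year": 1, "loss_per_event": 5_000},
    {"threat": "log tampering", "vulnerability": "logs writable by admins",
     "frequency": "rare", "consequence": "moderate",
     "events_per_year": 0.2, "loss_per_event": 400_000},
]

if __name__ == "__main__":
    for r in RISKS:
        level, eal, treat = evaluate(r)
        print(f"{r['threat']:<22} level={level:<6} EAL={eal} treatment={treat}")
```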
4.1.3 Risk Management
Risk management is a broader concept which includes risk assessment, risk treatment (the selection and implementation of controls to reduce the risks to an acceptable level) and risk monitoring (tracking how the risks change over time). It is a continuous management process with the goal of identifying and addressing risks and threats, as well as identifying and implementing risk controls and measures to eliminate or reduce harm to the identified assets.
Figure 2: Risk assessment in the context of risk management [9]
4.1.4 Security Culture
Having a good security culture means adopting a culture in the entire company or organization where security is always prioritized and present. This means including security and privacy requirements early in development cycles, and enforcing policies that protect employees, especially remote employees, from security attacks. In the current situation where many employees work from home or remotely, or companies allow employees to bring and use their own devices for work, it is increasingly difficult, but still important, to secure these devices and to ensure proper access control on information shared internally. It also means training employees to recognize possible threats and risks, and to properly classify documents and materials.
Zero Trust
Zero trust is a strategy and a change in mindset. Instead of traditional measures such as locking devices down behind a firewall and trusting whatever sits inside it, every device and every request is treated as untrusted until verified. This means always authenticating and performing access control at every data point, using the user identity together with context data such as location, device health10, data classification and detected anomalies. It also means a least-privilege approach to user access, including just-in-time and just-enough-access policies, so that elevated rights are granted only when needed and only for as long as needed. In addition, it means always assuming breach. This includes segmenting access by devices, users and network to minimize the blast radius, and always verifying that sessions are end-to-end encrypted.
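As an added example of such a policy decision (written for this edit, not taken from the thesis), the Python code below evaluates an access request against identity, device health, location, data classification and an anomaly flag, and only honours a just-in-time grant that is still within its window. The roles, classification levels, posture checks and allowed countries are assumptions chosen for illustration.

```python
"""Zero trust access decision: identity plus context, with just-in-time grants.

Added example, not from the thesis. The policy tables, the device-posture
checks and the allowed countries are assumptions. Every request is checked
against identity, device health, anomaly signals, data classification and
location; nothing is trusted because of where it comes from. Privileged
access is not standing: it needs a short-lived just-in-time grant, and the
decision lists every check that failed so the denial can be explained.
"""
from datetime import datetime, timedelta

CLASS_ORDER = ["public", "internal", "confidential"]
# Assumed: the highest classification each role may reach.
ROLE_MAX_CLASS = {"ops": "internal", "dba": "confidential", "admin": "confidential"}
# Assumed minimum device posture (cf. footnote 10 on device health).
REQUIRED_POSTURE = {"disk_encrypted": True, "patched": True, "edr_running": True}
# Assumed: from this classification upwards MFA and a JIT grant are required.
MFA_AND_JIT_FROM = "confidential"
ALLOWED_COUNTRIES = {"NO", "SE", "DK"}   # assumed geo policy


class JitGrants:
    """Just-in-time elevation: short-lived grants instead of standing rights."""

    def __init__(self):
        self._grants = {}   # (user, resource) -> expiry time

    def grant(self, user, resource, now, minutes=30):
        self._grants[(user, resource)] = now + timedelta(minutes=minutes)

    def active(self, user, resource, now):
        exp = self._grants.get((user, resource))
        return exp is not None and now < exp


def decide(req, jit, now):
    """Return (allowed, reasons); reasons names every failed check."""
    reasons = []
    if not req["authenticated"]:
        reasons.append("not-authenticated")
    unhealthy = [k for k, v in REQUIRED_POSTURE.items() if req["device"].get(k) != v]
    if unhealthy:
        reasons.append("device-posture:" + ",".join(unhealthy))
    if req.get("anomaly"):
        reasons.append("anomaly:" + req["anomaly"])
    needed = CLASS_ORDER.index(req["classification"])
    role_max = CLASS_ORDER.index(ROLE_MAX_CLASS.get(req["role"], "public"))
    if needed > role_max:
        reasons.append("classification-above-role")
    if needed >= CLASS_ORDER.index(MFA_AND_JIT_FROM):
        if not req["mfa"]:
            reasons.append("mfa-required")
        if not jit.active(req["user"], req["resource"], now):
            reasons.append("no-active-jit-grant")
    if req["location"] not in ALLOWED_COUNTRIES:
        reasons.append("location:" + req["location"])
    return (not reasons, reasons)


def run_samples():
    """Constructed requests: allowed, expired JIT, bad posture, anomaly."""
    now = datetime(2021, 3, 1, 9, 0)
    jit = JitGrants()
    jit.grant("dana", "prod-db", now - timedelta(minutes=10))   # still active
    jit.grant("erik", "prod-db", now - timedelta(minutes=60))   # expired
    healthy = {"disk_encrypted": True, "patched": True, "edr_running": True}
    base = {"authenticated": True, "mfa": True, "device": healthy, "location": "NO"}
    reqs = {
        "dana": {**base, "user": "dana", "role": "dba", "resource": "prod-db",
                 "classification": "confidential"},
        "erik": {**base, "user": "erik", "role": "dba", "resource": "prod-db",
                 "classification": "confidential"},
        "finn": {**base, "user": "finn", "role": "ops", "resource": "wiki",
                 "classification": "internal", "device": {**healthy, "patched": False}},
        "gro": {**base, "user": "gro", "role": "ops", "resource": "prod-db",
                "classification": "confidential", "anomaly": "impossible-travel"},
    }
    return {u: decide(r, jit, now) for u, r in reqs.items()}


if __name__ == "__main__":
    for user, (allowed, reasons) in run_samples().items():
        print(user, "ALLOW" if allowed else "DENY", reasons)
```

Note that Erik is denied with exactly the same identity, device and location as Dana: the only difference is that his elevation window has expired, which is the point of just-in-time access.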
4.2 Reactive processes and measures
Reactive processes and measures means having plans for minimizing losses and impact when a security incident occurs. This includes having an incident response plan and team, and having incident management in place. A Security Operations Center can also help to respond and to minimize impact when an incident does occur.
10This usually means whether a device follows all the security settings and measures set by an organization; e.g. requiring sign-on with a password of a minimum length, having the latest security patches installed, or having a network monitoring agent running in the background.
4.2.1 Incident Response
Incident response is the process by which an organization handles a security incident, such as a data breach or another cyberattack. The goal is to manage the incident effectively so that the breach is contained, the damage is minimized, and the recovery time and cost are kept to a minimum.
Organizations should have an incident response plan which defines what an incident is, and provides guidelines and processes on how to proceed when an incident occurs. It should also specify what roles and responsibilities the various team members have in terms of taking action and managing the response.
Incident Response Team
An incident response team, or Computer Security Incident Response Team (CSIRT), is typically the team within an organization that is primarily responsible for responding to security breaches, viruses and malware, and other incidents that companies face. A CSIRT should have security and IT staff, technical specialists, and members from the human resources, legal and public relations departments. The Security Operations Center, which oversees almost all security-related processes and measures, may guide the CSIRT when an incident happens and help provide the information they need.
In order to have an effective incident response, there are six steps that should be followed [10].
1. Preparation. This phase prepares the organization to respond to an incident or a security breach. Preparation means giving proper training to all employees, and having policies and the response plan ready. It should also include documentation and contact information for all CSIRT members. Proper preparation means that the CSIRT will be able to respond more effectively and efficiently.
2. Identification. This phase is the process of detecting a deviation or an anomaly, and determining that it is in fact an incident. This step requires gathering data and information from different sources such as log files or error messages, or from other systems such as intrusion detection systems and firewalls. The incident should also be communicated and reported as soon as possible, so that the CSIRT can start preparing for the coming phases. Communication, coordination and cooperation between the members will be crucial, and everything that is done should be documented and traceable.
3. Containment. The main purpose of this phase is to limit and minimize the damage that has been done. The first step is short-term containment. This means limiting the damage as soon as possible, and can be as straightforward as isolating a network segment and routing traffic to a backup or fail-over server. This is not a long-term solution and is only intended to stop the incident or breach from getting worse.
The second step is to take a system backup so that evidence is preserved in case of a criminal act. This should be done with a proper forensic toolkit to capture the affected systems as they were during the infection or incident, before they are cleaned or rebuilt.
The last step is long-term containment, where the goal is to make sure that the contaminated part of the infrastructure has been cleaned and can be put back into production. This could mean removing backdoors left by attackers and/or installing security patches on all devices, while allowing normal business to continue as far as possible.
4. Eradication. This phase is the actual removal of the malicious content and the restoration of the affected infrastructure or systems. It is important to make sure that proper procedures and processes are followed during the removal, and to ensure that the affected systems are thoroughly cleaned. This phase should also give insight into where the defense failed and how it can be improved.
5. Recovery. In this phase the infected and affected infrastructure and systems are brought back into the production environment. It is important that this is done carefully so as not to cause another incident, and that monitoring and testing are in place. In addition to bringing the systems back, the main goal is to prevent the same incident from occurring again.
6. Lessons learned. This is the most important phase, as it entails finishing the documentation of everything that happened in the previous steps and learning from the incident how to improve and prevent a similar attack in the future.
4.2.2 Incident Management
Incident Management is the process of having a CSIRT and a proper response plan in place. It means that all the roles and responsibilities needed during an incident response are filled, and that the organization is prepared to respond as quickly and efficiently as possible once an incident occurs. It also means having tools for incident tracking, documentation, communication and cooperation, as well as forensic tools.
4.3 Information Security Management System
An Information Security Management System (ISMS) is a framework which functions as a structured and systematic guideline and approach to everything related to information security in an organization.
ISMS Frameworks
ISO 27001 is the most popular and widely used standard and is regarded as the leading standard in information security. It outlines and recommends security controls for different security domains; everything from physical security to access control, incident management and cryptography. Being ISO 27001 certified means that an organization's ISMS has been audited against the standard's requirements and follows the recommendations and best practices described.
Other popular frameworks are ITIL and COBIT. ITIL (Information Technology Infrastructure Library) is a set of practices for IT Service Management (ITSM), but it also contains a section called Information Security Management whose main goal is to align IT and business security so that information security is managed throughout all activities. COBIT (Control Objectives for Information and Related Technologies) is another IT-focused framework that details the importance of asset management and configuration management.
4.4 Challenges
ISMS frameworks aim to provide a thorough and detailed description of how to properly handle security-related processes and incidents. However, implementing and operating all these controls requires considerable resources which an organization may not have. With the increasing popularity of cloud computing and hybrid or multi-cloud adoption, efficient security management becomes an even greater challenge.
Managed Security Service Provider
When an organization is unable to manage its own security, it usually turns to a Managed Security Service Provider (MSSP). An MSSP can help with different security services that may include monitoring, hosting, log retention, and providing intrusion detection systems. A customer or an organization may have different MSSPs for different services, as MSSPs may have their own specializations. This already adds complexity to monitoring and logging, as well as more dependencies when creating an incident response plan.
Managed Security Service Provider and Public Cloud Provider
Centralized and effective security management is usually desired, in order to have monitoring in one place and to be able to access logs and data as quickly as possible when needed. There are many different scenarios where this can be challenging11.
• The entire organization is built on one cloud provider in a cloud-native solution.
• The entire organization is built on multiple cloud providers in a cloud-native solution.
• Having own security services while leveraging one cloud provider in a hybrid solution.
• Having own security services while leveraging multiple cloud providers in a hybrid and multi-cloud solution.
• Having one Security Service Provider while leveraging one cloud provider in a hybrid solution.
• Having one Security Service Provider while leveraging multiple cloud providers in a hybrid and multi-cloud solution.
• Having multiple Security Service Providers while leveraging one cloud provider.
• Having multiple Security Service Providers while leveraging multiple cloud providers.
• Having own security services while also having one Security Service Provider and leveraging one cloud provider.
• Having own security services while also having multiple Security Service Providers and leveraging one cloud provider.
• Having own security services while also having multiple Security Service Providers and leveraging multiple cloud providers.
11This list excludes the scenario of an organization that only uses its own security services, as this paper aims to focus on the complexity and challenges of hybrid and multi-cloud solutions.
This list increases in complexity both in terms of infrastructure and architecture. Logs are dispersed across different platforms, and each platform may have its own monitoring system. How easy will it be to create an incident response plan around this type of infrastructure, and will the customers or Security Service Providers have access to the required logs, data and information? Will there be a risk of vendor lock-in if a customer chooses a Cloud Service Provider as their Security Service Provider? How do cloud providers ensure that logs and data can be accessed by other cloud providers or other security service providers?
5 Information Security Challenges In The Cloud
Managing information security in the cloud can be very different from, yet similar to, traditional information security management as described in the previous section. Large enterprises have an advantage over SMBs (Small and Midsize Businesses) because they are usually already somewhat familiar with information security, and may already have systems, services, applications and plans in place. They also have the competence and resources to manage something similar in a public cloud. However, in 2019 it was still reported that 77% of companies listed cloud security among their top five challenges, of which 26% said it was a significant challenge; among enterprises the percentage was 81% [1].
When it comes to information security, it is easy to think about technical requirements and challenges such as firewalls, networks, access control and intrusion detection systems. However, it is also important to remember the non-technical aspects such as privacy, transparency and visibility. The complexity and dependencies of all these challenges may also grow as more actors and service providers enter the picture.
Technical challenges are important and are a major part of what comes to mind for most people when talking about information security challenges on-premises and in the cloud. Technical security requirements, such as having a properly configured firewall that communicates and integrates with a company's existing or new systems, are crucial for network security. These types of requirements are normally easier to implement, as they are something the IT team can implement themselves as part of the system.
Non-technical challenges are just as important as technical challenges for information security: having proper privacy in place, and having proper visibility and transparency into the systems, applications and flow of data, is vital. However, these requirements can be more challenging to implement than a technical strategy; they have to be part of a company's culture, and implemented consciously into every part and aspect of the company.
This section primarily focuses on the non-technical aspects of information security in the cloud, and it is important to remember that leveraging public cloud is a shared responsibility, as shown in Figure 1. As a company moves from on-premises to IaaS, PaaS or SaaS, it is in charge of fewer requirements and responsibilities; broadly speaking, it is the technical challenges that the cloud provider takes on more responsibility for. This section will not look into physical security controls and infrastructure.
5.1 Information Security Services
Different companies have different requirements for service providers and cloud providers based on their needs and use cases. It is nevertheless important to evaluate each provider on its security services and on how well it is able to fulfill the relevant requirements.
Governance and Compliance
Most organizations have different requirements and policies they need to follow, such as security, privacy and compliance policies. These are in place to protect IP (intellectual property), data and assets. Cloud providers should have tools and controls in place to enforce these policies in the cloud, as well as in hybrid and multi-cloud scenarios.
It is also important to outline and establish a proper governance framework for the company, stating who has which responsibilities and authority and how they communicate. In a company that utilizes cloud, this means that more people and more responsibilities have to be included.
Identity and Access Control
A cloud provider should also have a service that manages people, roles and identities, in order to provide proper access control to different services and resources. Using cloud means that the cloud provider will hold some access to the customer's systems in addition to internal staff. The IT staff might want and need access to different parts of the test and production environments, while management staff might want access to view operational costs and service availability.
The cloud provider must allow its customers to assign, create and manage roles and levels of authorization for their users. The provider should also have a service in place that allows on-premises identities and users to access the cloud, or another cloud provider's resources, in a user-friendly manner.
They also need an access-management tool to more easily have overview of
Data Security
Data is, for many companies, a major asset that needs to be protected. This means that data at rest, in processing and in transit should always be secure, and that a cloud provider should provide controls and services with which customers can configure and implement these requirements.
It also means that data travelling between on-premises and cloud, to other security service providers, and even to other cloud providers, should always be secured and encrypted. Data security further means having frequent backups and data recovery tools, as well as fail-over tools, in case of an attack or accident at the cloud provider's data center.
Network Security
Network security is a key aspect of information security: it must allow legitimate network traffic and block malicious traffic, and these rules should be configurable by the customers. There should also be intrusion detection tools to help detect and prevent an attack, whether from an active malicious entity trying to, for example, perform a DDoS (Distributed Denial of Service) attack, or from an employee receiving a malicious spam email which redirects to a suspicious website.
In addition, there should be VPN (Virtual Private Network) options, especially nowadays when employees can work wherever they want, and also for connecting on-premises services to the cloud.
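As an added example of the kind of check a customer should run over its own rules (not code from the thesis), the Python script below audits a constructed list of security group rules and flags any ingress rule that exposes an administrative port, or every port, to the whole internet, and shows the corrected form with the source restricted to an assumed VPN range. The rule format and the list of administrative ports are assumptions.

```python
"""Audit of customer-configured ingress rules for over-permissive entries.

Added example, not from the thesis. The rule format is an assumed,
provider-neutral shape (direction, protocol, port range, source CIDR); the
administrative port list and the VPN range are also assumptions. The check
flags rules that expose administrative ports, or every port, to the whole
internet, and harden() shows the corrected rule with a restricted source.
"""
from ipaddress import ip_network

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}  # assumed
VPN_RANGE = "203.0.113.0/24"   # assumed VPN egress range (documentation prefix)


def covers_internet(cidr):
    """True if the source CIDR admits every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr).prefixlen == 0


def audit(rules):
    """Return (rule name, finding) for each ingress rule open to the internet
    on an administrative port or on all ports."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or not covers_internet(r["source"]):
            continue
        lo, hi = r["port_range"]
        if r["protocol"] == "all" or (lo, hi) == (0, 65535):
            findings.append((r["name"], "all-ports-open-to-internet"))
            continue
        exposed = [f"{p}/{n}" for p, n in ADMIN_PORTS.items() if lo <= p <= hi]
        if exposed:
            findings.append((r["name"], "admin-port-open-to-internet:" + ",".join(exposed)))
    return findings


def harden(rule, source=VPN_RANGE):
    """Return a copy of an offending rule with the source restricted."""
    return {**rule, "source": source}


# Constructed sample security group rules.
RULES = [
    {"name": "web-https", "direction": "ingress", "protocol": "tcp",
     "port_range": (443, 443), "source": "0.0.0.0/0"},         # public web: acceptable
    {"name": "ssh-anywhere", "direction": "ingress", "protocol": "tcp",
     "port_range": (22, 22), "source": "0.0.0.0/0"},           # weak setting
    {"name": "db-wide-open", "direction": "ingress", "protocol": "all",
     "port_range": (0, 65535), "source": "0.0.0.0/0"},         # weak setting
    {"name": "ssh-from-vpn", "direction": "ingress", "protocol": "tcp",
     "port_range": (22, 22), "source": VPN_RANGE},              # corrected form
    {"name": "egress-all", "direction": "egress", "protocol": "all",
     "port_range": (0, 65535), "source": "0.0.0.0/0"},         # not an ingress rule
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
    print("hardened:", harden(RULES[1]))
```

The same check applies unchanged to IPv6 rules, since `::/0` also has prefix length zero.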
Monitoring
As mentioned before, having a centralized monitoring system is essential for a cloud provider in terms of information security. In order to quickly and easily understand and react to an attack, it is important to be able to get an overview of the situation quickly. Being able to track what happened, where it happened and how it happened as quickly as possible requires a tool that has access to all the necessary logs and behaviors of the systems and applications of interest. This includes infrastructure that may not lie within the domain of the cloud provider itself; and if monitoring is done by a different cloud or service provider, the cloud provider should still be able to communicate and integrate well with that system.
5.2 Compliance Offering
Being able to tick all the boxes and fulfill the requirements mentioned above is a challenge for cloud providers, especially when it comes to communicating with third-party security service providers or other public cloud providers.
In addition to providing the different security services, it is also important that all of these services are compliant with security and privacy laws and policies, which may differ from country to country.
Security and privacy laws go hand in hand in this section, as they are often addressed together. When a public cloud provider has a service which can enforce policies such that every resource created and used by a customer has to follow a certain standard, such as a minimum length for every password created, it is also important that the provider's own services fulfill, and can help customers enforce and follow, the different information security laws, policies and standards, such as the GDPR (General Data Protection Regulation).
The list below is not exhaustive, but shows the magnitude and abundance of the different policies and laws in place across the globe. For a cloud provider that wants to grow its market share as widely as possible, following as many of these as possible is not only crucial in order to be able to operate in certain regions or industries, but also a way to gain trust and credibility.
5.2.1 Global
There are many global frameworks and standards which are widely followed and used, as mentioned in Section 4.3. These are well-regarded frameworks that the public cloud providers should also implement and follow, as well as being able to help their customers follow them easily.
The Cloud Security Alliance is an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, and it has also published a security control framework for cloud computing called the CSA Cloud Controls Matrix (CCM).
5.2.2 Regional
In addition to frameworks and standards that can be applied to every company across the world, there are some standards and laws which need to be followed in certain regions of the world if a company wishes to operate in that geographical area.
European Union
The GDPR is a privacy law which states rules that must be followed by companies that wish to operate and offer services to people in the European Union (EU), or that collect, process and analyze personal data belonging to EU residents. The GDPR requires that data controllers (such as a public cloud customer) only use data processors (such as a cloud provider) that provide sufficient guarantees to meet the key requirements of the GDPR [11].
The European Union Model Clauses are a set of standard contractual clauses under EU data protection law which regulate the transfer of EU personal data to countries outside the European Economic Area (EEA). The EU Model Clauses are used in agreements between service providers and their customers to ensure that any personal data leaving the EEA is transferred in compliance with EU data protection law.
Some individual countries within the EU also have their own laws and regulations, such as C5 in Germany. C5 (Cloud Computing Compliance Controls Catalogue) is an audited standard that lays down a mandatory minimum baseline for cloud security and for the adoption of public cloud by German government agencies and companies that work with the government. It is based on internationally recognized IT security standards such as the ISO/IEC standards and the Cloud Security Alliance Cloud Controls Matrix. C5 has also been increasingly adopted and followed by the private sector in Germany.
The United Kingdom also has multiple laws and standards that are enforced, such as UK Cyber Essentials PLUS, a UK government-backed standard that helps organizations assess and mitigate information security risks and identify security controls for a company.
United States
The US National Institute of Standards and Technology (NIST) maintains a set of standards and guidelines to help protect the information and information systems of federal agencies. They include policies on how federal information should be accessed, transmitted and stored in non-federal information systems and organizations.
The US Federal Risk and Authorization Management Program (FedRAMP) also provides a standard for assessing, monitoring, and authorizing cloud computing services under the Federal Information Security Management Act (FISMA), and to help increase and accelerate the adoption of secure cloud solutions by federal agencies.
Asia
The Korean government introduced the Korea Information Security Management System (K-ISMS), which is an ISMS framework that defines control requirements to help ensure that organizations in Korea consistently and securely protect their information assets. The K-ISMS framework is built on information security strategies and policies, as well as security countermeasures and threat response procedures, to minimize the impact of any security breach.
In order to operate in mainland China, there are also sets of standards that must be followed, such as the Information System Classified Security Protection (DJCP), which states different requirements in terms of information security protection classification. There is also the Trusted Cloud Service Certification, a cloud service quality evaluation system which aims to help accelerate the Chinese public cloud service market and increase users' confidence in cloud services by evaluating domains such as data management, service quality and rights protection.
In Singapore, the Personal Data Protection Act (PDPA) states that private sector organizations in Singapore are not allowed to collect, use or disclose certain personal information of residents, such as their national identity card numbers.
5.2.3 Industry
The laws and standards mentioned above are required on a national level or by governments; however, there are also many different policies in place for different industries, especially healthcare and financial services, which handle sensitive personal information.
Healthcare
The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law which sets requirements for the use, disclosure and safeguarding of individually identifiable health information. It covers the privacy of patients' confidential information and the security measures for protecting that information.
In France, in order to host health data, the Hébergeurs de Données de Santé certification is required. This certificate is for entities such as cloud service providers that host personal health data governed by French law and collected for delivering preventive, diagnostic and other health services.
Financial Services
The European Banking Authority (EBA) has outlined a recommended approach to the use of cloud computing by financial institutions in the EU. The recommendations specify when utilizing the cloud is permitted, and specify an approach to measuring risk from a technology-neutral perspective.
The Australian Prudential Regulation Authority (APRA) oversees banks, credit unions, insurance companies and other financial services institutions in Australia, and has defined a considered cloud-adoption strategy with governance, risk assessment and assurance processes. All entities that want to utilize cloud in the Australian finance industry must comply with APRA's requirements.
5.3 Security Needs for Services in the Cloud
In order to fulfill the many security service requirements and the many policies, a set of security goals needs to be in place for public cloud providers. These are also a challenge, however, considering the growing complexity of a company's IT infrastructure and the competitive cloud market.
5.3.1 Visibility
Not fully understanding the cloud services or managed security services provided means that a company is unable to fully determine the safety or risk of the services it utilizes, which leads to restricted visibility into cloud usage. Cloud services can often be accessed outside the corporate network and from devices not managed by internal IT. This means that the IT team needs the ability to see into the cloud service itself in order to have full visibility over the data, as opposed to the traditional means of monitoring network traffic.
In order to fully gain visibility into the cloud, there are some general baseline questions that should be answered.
• What data is stored?
• Where is the data located?
• Who has access to the data?
• From where is the data being accessed?
• Which services and companies utilize this data?
Being able to answer these questions will give a company proper understanding of and visibility into the cloud provider and its services, and will also help when this type of information is needed in the event of an attack. It also means that cloud providers and their services should be able to help answer these questions truthfully and make it easy for their customers to gather this information.
5.3.2 Transparency
Transparency for a service provider or cloud provider means being able to declare clear service thresholds such as system availability, response time and uptime. It also includes policies and pricing; everything needs to be transparent and conveyed without any fine print or subtext.
Transparency can be customer-facing and public-facing, and would in turn also help customers perform information security management more efficiently, as well as making the provider appear more trustworthy in the public eye. Similarly to visibility, this is an aspect which can be challenging for cloud providers in terms of market competition and the wish to protect company secrets. Customers can sign non-disclosure agreements with their cloud providers to help protect their IP; however, it is also important to have transparency towards the public so that the provider can be seen as trustworthy. The challenge then occurs when customers are utilizing multiple public clouds, or when the information given to provide transparency can be used by competitors.
Most companies provide transparency in terms of a breakdown of earnings and revenue, but the same should be provided for their cloud services. A breakdown and analysis of the charges related to the back-end infrastructure would provide transparency into the data-center infrastructure, and can help customers better compare different vendors.
Having more transparency will not only benefit the customers and buyers, but will also increase adoption, as the market sees a cloud provider that promises transparency and delivers it as more trustworthy. Customers should be able to ask for compliance audit reports or breach policies. Higher transparency will improve the level of trust between vendors and buyers, and can eventually shape the future of the cloud.
5.4 Other Security Challenges
There are also other sets of security issues that should be addressed by cloud providers who want a presence in different countries, regions, industries and markets.
One such challenge that should be considered is related to corruption; this can concern government instability in certain regions, as well as corruption inside an organization itself. This again ties back to visibility when it comes to who can gain access to the data, and to how a cloud service can help prevent such events by having controls and policies in place that can spot irregularities and discrepancies in the system.
Another issue to consider is in which situations a cloud provider has to give up information if a government requests it. Even when it concerns a criminal investigation, it is important to know what type of information a provider has to give up, and whether the investigation must fulfill certain requirements first. If a cloud provider is a US company and is utilized by a company in the EU, it is vital to know what demands the local government and the US government can make when it comes to handing over information, and how much information. This again ties back to the transparency of the provider.
6 Managed Security Services in the Cloud
It is also important to distinguish between security of the cloud, which is entirely managed by the cloud provider, and security in the cloud, which is managed, to a degree, by the customer. In this case we are looking at security in the cloud.
Managed Security Service Providers, MSSPs, should offer a wide range of services in terms of Information Security Management, ranging from Monitoring to Risk Assessment to Incident Response. They may also have their own specializations within one specific service. When a company wants to leverage one or more MSSPs while also leveraging the Cloud, there are some other important factors, which we have looked at throughout this paper, that the MSSPs should support.
Requirements for MSSPs in the cloud are:
• Support multi-cloud environments
• Support hybrid environments
• Wide range of compliance offerings
• Uphold security needs for services in the Cloud
These are minimum requirements for an easier integration and collaboration between the service providers. However, it is also getting harder to distinguish between MSSPs and Cloud Providers, as the large Cloud Vendors are also becoming leading security service providers, with a wide range of partnerships as well as their own security technology being developed.
There are different scenarios which can occur when a company chooses Cloud Service Providers and MSSPs, and this section will go more in-depth on each scenario and explore their pros and cons.
6.1 Cloud Provider and MSSP are the same provider
Leveraging one Cloud Provider that also acts as the MSSP means that the provider will have access to all the data needed in terms of monitoring and logging. This would also mean a more centralized solution, as the company would have an overview in one platform. All larger cloud providers have security solutions for hybrid environments, meaning infrastructure that sits on-premise and in the cloud, as well as for cloud-native solutions that are entirely developed in the cloud. This means that Cloud Providers can monitor different types of environments while still giving the customers insight from one platform. However, it is important to note that it is nearly impossible for a cloud provider to also act as MSSP for a customer's own services, that is, the part that falls under the customer's responsibility in the shared responsibility model.
Having everything in one place means less complexity in terms of architectural design and fewer contact people to keep updated when a security incident occurs. These Cloud Service Providers also have well-trained Security Personnel working 24/7 who are available when something happens. These teams have deep technical knowledge of their own solutions and experience in handling security incidents. However, in order to get the support needed, customers will have to buy different tiers of support plans.
It is also important to note that not all Cloud Providers may provide the exact security service that a customer wants. This means that the customer may have to re-architect their current infrastructure in order to utilize what is available to them, or find a different approach to their needs. This would require human and monetary resources that not all companies have, or find it feasible to acquire. In addition, if it is a new technology that the employees are unfamiliar with, it would also require upskilling of the current employees or hiring new people with the required knowledge.
It is also important to recognize the possibility of technology or vendor lock-in. This means that the customer is dependent on the vendor for products and services. It would also be harder to try out or utilize other services from other providers, even if they may be better suited to the company's needs and budget, because switching would incur a cost and may bring the company out of their comfort zone.
Amazon Web Services
The responsibility for security is shared between AWS and the customer in a shared responsibility model. This means that AWS will manage and provide security of the physical data-centers, and depending on whether a customer is using an IaaS, PaaS or SaaS model, the share of responsibilities held by the customer and by AWS increases and decreases accordingly [12].