Information security is a critical part of your IT operations. Cyberattacks and carelessness can harm the operations and reputation of your business, possibly threatening its survival. Via your systems and data, attackers can also do damage to your customers and business partners. On the other hand, good information security can help you maintain the right levels of Confidentiality, Integrity, and Availability (the “CIA” of security) of your data, your applications, and your systems, to optimize both protection and productivity.
Attackers exploit holes and vulnerabilities in security to penetrate IT systems and steal, misuse, and sabotage assets. As the complexity of software and systems increases, so does the challenge of information security. With the constant evolution of IT, new gaps and weaknesses appear frequently. From early attacker targets of programming errors and unexpected corner cases, today’s opportunities for hackers include system setups, operational practices, and careless or naïve end-users and IT administrators.
Effective information security, whether in the cloud or on-premise, is a matter of understanding the interaction between an IT solution and the following environments:
Key principles of information security inside and outside the cloud include:
- “Security in depth”, an approach in which you accept the failure sooner or later of primary security controls but implement back-up controls to contain risk and damage if a primary control fails.
- “Zero Trust”, meaning that you never take security assurances for granted and always validate them before allowing access to an IT resource.
Cloud architectures may help a business manage its information security more easily and more effectively. This depends on cloud provider security specialist resources and proper implementation of shared responsibilities between the business and provider.
Cloud providers must protect their own installations to at least IT regulatory requirements. Economies of scale mean that a cloud provider can invest in levels of security management that exceed the possibilities of many individual customers, especially smaller businesses. A cloud security team can achieve greater specialization and effectiveness in common elements like physical security and system patching. This team can then provide an improved security posture at a lower cost per customer for multiple customers.
However, it would be a mistake to think that your business no longer had any security responsibilities of its own when using a cloud solution. While cloud architectures mean that some aspects of information security are built into the cloud solution, others must be correctly managed by both you as the customer and your cloud provider, and yet others remain clearly your sole responsibility as the customer.
- The cloud provider typically manages the security of physical hosts, networks, and datacenters. Note that as a customer, you should still verify this security.
- Operating systems, network controls, applications, and identity management may be shared responsibilities. Providers may do all or most of the security for these items for Software as a Service (SaaS) solutions. They may do some of the security for Platform as a Service (PaaS) solutions. They usually do not offer security for these items for Infrastructure as a Service (IaaS) solutions.
- Customer data, devices used for access, accounts, and identities remain your responsibility as a customer in all cases.
Security trade-offs and strategies
If your information security is too lax, it can leave your organization vulnerable to attack. But if it is too tight, it can make it difficult for the employees of your organization to get their work done. Other factors that may need to be considered in parallel include scalability as workloads change, security costs, and ease of operations. Note that while some balancing between these items may be appropriate, you should not systematically trade off information security to benefit other areas.
In general, there are 3 fundamental cloud security strategies for every organization:
- Establish a suitable security perimeter – Traditional gateway strategies are no longer suitable, because they do not allow for cloud computing situations. Instead of traffic-centric network firewalls, consider identity management to protect individual IT resources.
- Leverage the appropriate technology – For example, software-defined cloud resources, like those of Azure, allow easy and efficient discovery of all servers, compared to traditional datacenters where administrators must work with records of physical systems.
- Verify each cloud provider that you work with – For security elements controlled by the cloud provider, you should check that provider’s security operations and regulatory compliance satisfy the requirements of your organization.
In the following chapters and as part of the Azure architecture framework, we discuss in more detail the information security topics below.
Security design principles
By adhering to these principles, you can improve the confidentiality, integrity, and availability of your systems in the cloud, on your premises, or both at the same time.
Resistance and resilience against attacks
Information security must protect systems against attacks and enable rapid recovery from interference to restore secure, productive operations.
Information security is a continual process, not a one-time project. As risks change or multiply, information security must adapt.
To help businesses to establish suitable information security and prevent carelessness, governments and other entities publish information on proper security practices and standards.
Risks relating to your business information must be assessed and requirements for security controls identified for your business. Your information security must be defined, tracked, audited, and reported across the organization, while making sure that your business objectives and cyber defense are optimally aligned with one another.
Identity and access management (IAM)
Proper authentication (identity) and authorization (access privileges) are a major part of successful information security.
Security paradigms may change with cloud computing. Information security must consider the cloud environment and new needs for defense mechanisms like data encryption and identity management.
Whether at rest (storage), in transit (network), or in processing (application), the data for which your business is responsible must be adequately protected to ensure correct levels of confidentiality, integrity, and availability.
Applications and services
Increasingly, business operations and services are driven by software. Applications and data, including those located in the cloud, represent ever higher levels of value for businesses. Protection must be reinforced accordingly.
While operating, monitoring, and maintaining IT systems all contribute to providing the level of service needed by your business, these administration activities have their own special risks because of the privileged access associated with them.
Detect, respond, and recover are three pillars of security operations. Attackers never sleep, so security operations must be continual, as well as effective.
Confidentiality, integrity, and availability are three key dimensions of information security. They must be balanced by adhering to the right principles to optimize both protection and productivity.
Cloud architectures can offer security advantages to a business, offering greater protection more cost-effectively. However, businesses must still accept their share of responsibilities for the overall security of the cloud solutions that they use.
About the Author:
Jason is a 1st Vice President, Cloud Solutions Architect at City National Bank of Florida headquartered in Miami, Florida. Jason has been working with computers ever since he bought his first, a Timex/Sinclair 1000 in 6th grade and taught himself BASIC programming. Jason was educated at the University of Cincinnati and the Massachusetts Institute of Technology – Sloan School of Management. He is a Microsoft Azure MVP (2010-present), a young adult author, and a cellist.
Milgram, J. (2020). Overview of the Security Principle for Success in Azure. Available at: https://www.linkedin.com/pulse/overview-security-principle-success-azure-jason-milgram/. [Accessed: 20th May 2020].
Check out more great Azure content here