KuppingerCole Report
Advisory Note
By Mike Small

Cloud Services and Security

This report provides a review of the major security risks from the use of cloud services, how responsibility for security is divided between Cloud Service Provider and customer and the key controls that an organization should implement to manage these risks.
By Mike Small, sm@kuppingercole.com

1 Executive Summary

This report is one of a series of documents around the use of cloud services. It identifies the information security risks associated with their use ...

2 Highlights

The report identifies security risks associated with the use of cloud services and defines a set of controls that organizations using cloud services sh ...

3 Cloud Governance

KuppingerCole recommends taking a good governance approach to all IT services and this approach is fundamental to securely embracing the cloud service ...

The governance process starts from business objectives and defines a policy for the IT services to deliver on those objectives. This leads to the pro ...

4 Risk and Responsibility for Cloud Services

How the responsibility for security is shared between the CSP and the cloud customer depends upon the cloud service model and the risks depend upon th ...

4.1 Cloud Service Models

There are several different kinds of service that can be delivered through the cloud. These can be described in terms of layers each providing more b ...

A commonly used definition of cloud computing is provided by the US standards body NIST.

The NIST document describes the 5 essential characte ...

4.2 Shared Responsibility

The responsibility for security and compliance when using cloud services is shared between the cloud customer and the CSP. How responsibility is sh ...

For IaaS services the CSP has no control over how the service is being used by the customer and is only responsible for securing the infrastructure us ...

4.3 Deployment Models

The level of security risk associated with the use of cloud services depends upon how the service is deployed.

Public cloud services are available for anyone to subscribe to and use and data is processed in a shared infrastructure.

The key benefit of a Pu ...

5 Security and Cloud Services

Organizations need to take an information-centric approach to the security of cloud services.

Organizations depend upon information to operate, thri ...

6 Cloud Security Risks and Controls

This chapter describes the most important security risks around the use of cloud services and recommends the controls that an organization should impl ...

6.1 Overview of Risks and their Inherent Impact

The following table summarizes the inherent risks and their potential impact unless the recommended controls are implemented. (Note that this does no ...

6.2 Loss of Governance

Impact on – business continuity, compliance, data security, cyber security

In the absence of good governance cloud services may be used inappropriat ...

6.3 Lock-in / Return of Data

Impact on – business continuity

Lack of general cloud standards can make it extremely difficult for a customer to migrate from one cloud provider to ...

6.4 Non-Compliant processing of data

Impact on – compliance

Using a cloud-based service may put compliance of the organization with laws and industry regulations at risk. The data proc ...

6.5 Ineffective Identity and Access Management

Impact on – compliance, cyber security

The need to identify users, control access and audit activities is even more important when using cloud servi ...

6.6 Support for Privacy Laws or Regulations

Impact on – compliance

An important risk is the failure to comply with privacy laws and regulations. There are many privacy laws that apply depende ...

6.7 Cloud Service Termination, Acquisition and Supply Chain Failures

Impact on – business continuity, compliance.

Competitive pressure, change of business strategy, lack of financial support, and other similar causes ...

6.8 Natural Disasters / Business Continuity

Impact on – business continuity.

A key objective of IT services is that systems, data, and applications are available to authorized users when and w ...

6.9 Denial of Service / Malware

Impact on – business continuity, compliance, data security, cyber security.

The scale of cloud services and their use of the Internet make them a ...

6.10 Isolation Failure / Service Platform Vulnerabilities

Impact on – business continuity, compliance, data security, cyber security.

The cloud service platform sits above the physical hardware resources a ...

6.11 Insider Abuse of Privilege

Impact on – business continuity, compliance, data security, cyber security.

The infrastructure upon which the cloud service is built needs to be ma ...

6.12 Management Interface Compromise

Impact on – business continuity, compliance, data security, cyber security.

The internet facing customer management interfaces of public cloud prov ...

6.13 Interception of data in transit

Impact on – compliance, data security, cyber security.

The distributed nature of cloud computing inherently involves more data in transit over publ ...

6.14 Ineffective data deletion

Impact on – compliance, data security.

Deleting data held on storage media in a cloud service may not result in the data being unrecoverable and bac ...

6.15 Loss of storage media / data breach

Impact on – compliance, data security, cyber security.

The storage media containing customer data may be lost or the customer data that it contains ...

6.16 Loss of cryptographic keys / passwords

Impact on – compliance, data security, cyber security.

The use of a cloud service involves data that must be kept secret if security is to be main ...

6.17 Data Backup and Recovery

Impact on – business continuity.

The business data processed in the service needs to be backed up to enable the service to be restored in the event ...

6.18 Compromise of Log or Journal Files

Impact on – compliance, data security, cyber security.

Log and journal files may be written as part of the normal operation of the cloud service. T ...

7 Recommendations

Organizations need to take a risk-based approach to the security challenges from the use of cloud services. This should be part of a consistent gover ...

7.1 Implement Good Governance

Avoid the risks that arise from poor governance and organizational structures.

There are several existing frameworks for the best practices around ...

7.2 Managing Compliance Risks

These are risks where the use of a cloud service could lead to a failure to comply with laws or regulations that apply to the organization.

In add ...

7.3 Managing Business Continuity Risks

These are risks which could result in a loss of the capacity to perform business processes.

Although cloud services claim to be more resilient than ...

7.4 Managing Data Security Risks

These are the risks that could result in the loss, leakage, or unauthorized access to the applications or data processed in a cloud service.

Imple ...

7.5 Managing Cyber Security Risks

These are the risks that could result in exposure to the activities of malicious external or internal threat actors.

They exploit vulnerabilities an ...

Copyright

©2019 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com.