KuppingerCole Report
By Mike Small

Securing your IaaS Cloud

While the major CSPs (Cloud Service Providers) go to great lengths to secure the services that they provide, it is up to the client of the Cloud service provider to secure their use of these services. The responsibility for security and compliance is shared. This report describes the approach that clients (or in other words tenants) of Cloud infrastructure need to take to ensure that they use IaaS services in a way that is secure and compliant, including examples of how to realize this with Amazon Web Services. In our recent independent 2021 "KuppingerCole Market Compass report on Global IaaS Providers Tenant Security Controls", AWS was evaluated as an outstanding provider. This report also contains an extract of our evaluation of AWS from the Market Compass report.

1 Introduction / Executive Summary

The cloud has established itself as an important enabler of digital transformation. It has changed the way organizations do business and the events of 2020 have dramatically accelerated this digital transformation. Retailers had to increase their online presence, manufacturers had to reorganize their shop floors and employees worked remotely for large stretches of time to name just a few examples. This was only made possible by the way in which cloud services provide the ability to respond rapidly to changing business needs. The cloud has now become an integral part of business-critical operations where security and compliance are essential considerations.

The major CSPs (Cloud Service Providers) go to great lengths to secure the cloud infrastructure underneath the services that they provide, but it is up to the cloud clients (or Cloud Infrastructure tenants) to secure the way they use them. When companies use the cloud, they must ensure that they meet their responsibilities and verify that the CSP meets theirs. Many of the security related incidents around the use of cloud services that have been reported result from failures by the cloud client to meet these responsibilities.

This report describes common security related business risks that can arise from the use of cloud services and covers the approach that cloud clients should take to mitigate these risks. Some of the risks that can be mitigated with the right strategy include using backups to protect data, preventing public access to sensitive data, and removing well-known technical vulnerabilities that can be exploited in cyber-attacks. It also provides examples of the support and building blocks that Amazon Web Services offers to help their clients to achieve this. In our 2021 independent "Market Compass report for Global IaaS Providers Tenant Security Controls", KuppingerCole ranked AWS as an outstanding vendor for the range of the security capabilities it provides to help its clients run their cloud workloads. An excerpt of the AWS profile from the Market Compass report can be found at the end of the document.

Most organizations now have a hybrid IT environment. The best approach to meeting the security and compliance challenges of this is good governance with a consistent approach to the security of IT services regardless of how they are delivered. When using the Public Cloud, the responsibilities for security and compliance are shared between the cloud client and the CSP. The client does not manage or control the underlying cloud infrastructure but is responsible for managing everything above the service provided. The client is also responsible for compliance with laws and regulations governing the processing of data.

Governance sets measurable business-related objectives for IT services and monitors how well these objectives are being met. This approach allows the organization using the IT service to focus on their business and the service providers to focus on delivering the required service.

This governance-based approach to the use of a cloud service means that clients of the cloud must clearly set out their business, security, and compliance objectives for the service. This provides benefits that stretch beyond governance and compliance.

2 Highlights

  • This report focusses on the steps an organization needs to take to manage common business risks when using an IaaS cloud.

  • These risks includ ...


3 Why you need to Secure your use of Cloud

The Coronavirus epidemic forced organizations to change the way that they do business. Retailers have had to move online, manufacturers have had to re ...


4 Securing your Cloud

Good governance, with a consistent approach to the security of IT services regardless of how they are delivered, is the best approach to the hybrid IT environment that most organizations now have. This sets measurable business-related objectives for IT services and then monitors that these objectives are met. This approach allows the organization using the IT services to focus on their business and the service providers to focus on delivering the required service.

A governance-based approach to the use of a cloud service means that the client must clearly set out their business, security, and compliance objectives for the service.

Figure 1 illustrates the responsibilities of an IaaS tenant (or cloud client) within the context of an overall security governance fabric. This fabric should cover all of the elements that need to be secured to ensure a consistent and cost-effective approach. It should provide a common set of services that use appropriate tools to achieve the business defined security and compliance objectives.

There are several existing frameworks for the governance of and the best practices for IT security management. For example, the NIST Cybersecurity Framework (CSF) focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes. The ISO 27000 series of standards provides best practice recommendations for the management of information risks through security controls. There are also other industry-specific frameworks such as the PCI-DSS (Payment Card Industry Data Security Standard). Organizations should adopt the appropriate elements of these frameworks and apply them consistently across all of the IT services that they use. This report will revisit this topic later and includes examples for how AWS technology provides support for the areas shown in this illustration.

4.1 Understand your Responsibilities as a Cloud Client

Most of the reported cloud related cyber incidents have been due to errors by the cloud client (or in other words cloud tenant).

The CSP is responsi ...

For basic IaaS services, such as compute, network, and storage, the CSP is responsible for securing the infrastructure used to provide the service up ...


4.2 Identity and Access Governance

Your cloud administrative access rights are a prime target of cyber adversaries - make sure that you protect them.

The client is always responsible ...


4.3 Data Protection

Your business-critical data could be at risk from cyber-attacks, ransomware, and misuse as well as system failures. Make sure that you protect it.

T ...


4.4 Technical Vulnerability Management

Most cyber-attacks exploit well known technical vulnerabilities - implement automated processes to identify and remove common vulnerabilities.

There ...


4.5 Network Security Management

The network provides a route for cyber adversaries to attack your systems - take a zero-trust approach to network security.

Internet access could pr ...


4.6 Service Management

Adapt your existing service and security management processes to include your use of cloud services.

Managing and administering the cloud service is ...


4.7 Compliance Management

Make sure that the cloud is independently verified and use the capabilities provided to ensure that you use the service in a way that complies with yo ...


4.8 AI Support

Look for AI based support in the tools you use.

Machine Learning systems are ideally suited to the tasks of systems and security management where th ...


4.9 Security of the infrastructure

Trust but verify.

For IaaS, the CSP is responsible for the infrastructure and the managed services that their platform provides, and the client is r ...


5 Recommendations

Organizations need to take a business led approach to the use of cloud services. Will the use of a cloud service provide a better business outcome tha ...


6 Evaluation of AWS Tenant Security Controls

This is an excerpt from the 2021 Kuppinger Cole Market Compass report on Global IaaS Providers Tenant Security Controls.

The 2021 KuppingerCole Mark ...


6.1 Outstanding for Range of Tenant Security Capabilities: AWS

AWS provides a comprehensive range of capabilities out of the box for the tenant to use their service in a secure and compliant manner. Many of these ...

Figure 4: AWS Ratings


©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.