The cloud has now entered the daily vocabulary of everyone (or almost). Still, few go beyond the general concept of “data managed via the internet,” and even fewer know its security implications. In fact, the cloud does not mean only storage but also computational capacity.
The textbook definition says: “the provision of IT resources on demand, starting from a set of pre-existing resources available remotely.” Thanks to this type of service, users can therefore use physical servers worldwide, potentially drawing on “infinite” resources and spaces, with maximum flexibility, both to scale up and down.
Types of cloud
Over time, four main types of cloud have evolved, all sharing the abstraction of the scalable resources of the computing environment, their organization, and network sharing (= internet). Here is how the cloud has evolved in the four types highlighted:
- private cloud: in the beginning, it was “virtualization”; that is to say that starting from a physical server, it was possible to virtually multiply it, generating a growing number of “virtual servers” inside it thanks to the increasing performance of the microprocessors. The private cloud was initially physically located only in the company’s local data center, then evolved into “hosting” at a third-party service provider, but only for the company’s exclusive use.
- public cloud: these are environments based on an IT infrastructure that does not belong to the end user. The main public cloud providers in Italy include TIM or Aruba (to give a couple of examples, I don’t want the other providers) or global players such as Amazon Web Services (AWS), Google Cloud, IBM Cloud, and Microsoft Azure.
- hybrid cloud: a mix of the first two, where cloud computing resources are combined between the local infrastructure, or a private cloud, together with a public cloud. Hybrid clouds allow you to move data, software, and applications between the two environments.
- multi-cloud: the latter type is the evolution of the previous ones; in fact, it is the aggregate of several cloud services, which can be both public and private in nature but offered by multiple different suppliers simultaneously.
Who manages the security?
Cloud security is the natural need to defend virtual applications, data, and infrastructures from attacks or breaches that could affect their availability, integrity, and confidentiality. It is intuitive to understand how a complex environment such as multi-cloud, in addition to the enormous potential and advantages, presents the downside of an attack surface to be protected and monitored much wider. In general, for cloud services, the person responsible for the protection of the underlying infrastructure is the service provider (therefore, the providers such as TIM, Amazon, etc.), while the customer is responsible for protecting the software, applications, and data that use the provider’s infrastructure.
What are the main risks?
- Loss of Visibility: One of the benefits of cloud services is being able to access them from anywhere and from multiple devices, but without well-defined processes, you could lose complete visibility of who has access to the service or our data.
- Internal Threats: linked to the lack of visibility for unfaithful employees or inadequate training that exposes you to the risk of ransomware through phishing or incorrect use of the tools available.
- Incorrect configuration of the Cloud Services: if the services are not configured correctly, public exposure of the data can be generated, their manipulation, or in extreme cases, their cancellation.
So, where to start for proper Cloud security management?
ISO 27017 certification
Within the ISO 27000 family, there is a specific vertical for the cloud, ISO 27017. The standard introduces the security requirements for cloud services by integrating it with the guidelines proposed in the ISO27002 standard. Obtaining this certification is aimed at companies offering cloud services, so relying on provider companies that include clouding security-specific certifications is certainly the first guarantee for an infrastructure built in the correct way, but it is not enough.
It is important to follow the best practices, possibly partially according to our specific characteristics, also for the private cloud component within the company perimeter, without forgetting to set organizational processes and procedures in line with specific risks, train staff, and analyze and configure applications and software correctly on a regular basis! Always remember that the measure of safety is given by the weakest link in the chain, so all of them must be analyzed.
Also Read : Logistics And Security: Watch Out For Cyber Risk