Vincent, can you tell us about the cloud and the challenges of securing it?
First of all, it is important to know that cloud security is particularly different depending on the type of cloud and the way cloud services are consumed. Among these services, there are three main categories: SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).
Overall, cloud security is quite distinct between the PaaS / IaaS part and the SaaS part. This is materialized by the principle of the shared responsibility model. When consuming a cloud service, the customer will have access to a certain perimeter with a certain number of data layers or infrastructure depending on the category of cloud service.
This model makes it possible to determine on which perimeter of the service the responsibility of the cloud provider or that of the customer is engaged. The security part will also be shared on the layers of data on which the customer will have the responsibility; it thus requires the customer to ensure the security of its perimeter.
In the context of SaaS, to give an example, Microsoft Office 365 is a service where the customer integrates his data and does not have access to all the lower layers of the service. The customer has little access to the configuration of the service and therefore to its security; they can contractually require a level of security from the provider, who will have control over the configuration of the service.
On the contrary, on PaaS or IaaS solutions, the customer will have access to the lower layers and will therefore be responsible for configuring them to ensure their security if they are not managed by the service provider. The customer can still require certain elements but the customer will be responsible for a significant part of the configuration and secure use of the cloud service.
The security of the cloud raises a particularly contractual issue since it is not the customer’s service itself but that of a third party. This raises security issues, and in particular the question of what the customer can demand of its supplier in terms of data security. These requirements are likely to change depending on the nationality of the supplier.
This security issue also leads to organizational changes. The consumption of cloud services must involve rethinking the organization of the IT department and the way it operates in the broadest sense, with security included in the new processes. In this agile approach, security must also be included with DevSecOps-type practices.
What are the market trends?
Just a few years ago, customers were reluctant to move towards cloud solutions, but today, the subject has gained consensus and is becoming more and more important. One of the major factors in its development is the Office 365 solution from Microsoft Azure.
The market trend on the customer side is to launch large cloud migration programs in order to be supported in this process, especially if they have to use single or multiple providers. The topic of multi-sourcing is particularly important at the moment. Customers are also asking how to organize their IT departments to adopt agile and DevOps principles to achieve their transformation in an intelligent way. The goal is not to “lift and shift” an existing on-premise application without making any changes or redesigns by integrating it directly into the cloud.
Customers are realizing that managing their information systems involves very high costs and that this does not correspond to their core business. The cloud offer allows companies with this expertise, the service providers, to carry out the migration of these cloud platforms. This allows the customer to focus on their business processes and reduce the time to market, the time it takes to realize an initial idea and deliver a finished product to consumers.
In terms of security, a trend for large programs is to accompany cloud migrations in a secure manner. This involves several elements:
- Support in contracting with the cloud provider regarding the shared responsibility model and what the customer can or cannot migrate;
- On the organization of the IT department to become DevSecOps, an approach that allows the integration of security in the entire life cycle of projects, from development to implementation, using flexible methods and the DevOps approach;
- For more advanced customers who have already started a migration and who already have a multicloud, the objective is to accompany them in the harmonization of these different cloud platforms, in particular security.
The trend among cloud security vendors is to offer multi-cloud solutions, but at the same time to compartmentalize the different types of cloud (IaaS, PaaS, SaaS) in order to offer specialized tools. The latest trend in the market is the so-called CSPM (Cloud Security Posture Management) tools, which enable compliance checks to be carried out on multi-cloud platforms. In terms of encryption, which is a sensitive issue for our customers, the dynamics of multicloud support are based on service offers such as HSMaaS or KMSaaS. These enable the provisioning of keys belonging to the customer – of the BYOK type – that can be used from one cloud to another.
From a technological point of view, the underlying trend remains serverless. This is a cloud development model that allows developers to create and run applications without having to manage servers. Containerization and Docker or Kubernetes technologies are currently being deployed on a large scale by our customers, leading to major security issues.
What are the difficulties our clients encounter on the topics covered? How is this a real challenge?
Customers with low maturity on the subject who are reluctant to migrate to the cloud are generally entities that handle data with a very high level of confidentiality (e.g. healthcare providers, military, etc.). They wonder how they can trust an American company. Currently, when we talk about the cloud, we are mainly talking about American players: Microsoft, Amazon and Google, which own almost the entire public cloud market.
To answer this question, we emphasize that when you use a cloud provider, you must have total confidence in it. The objective is to define the contractual part upstream of the customer’s migration to ensure total confidence in the supplier. This can be regarding access to the data that will be transmitted. This can be done through a contractual guarantee, security controls, etc. Note that encryption will never prevent the provider from accessing the data, so it is important to ensure that the cloud is secured against real threats.
Of course, there is a very small risk that the provider can access your data, since it is transmitted to them, but the risk is negligible compared to the risk as a customer of misconfiguring the cloud service. Thus, the main security incidents in the Cloud concern the theft of data exposed publicly through storage services (S3 bucket, Azure storage, etc.). The provider’s responsibility is not engaged in these cases since it is up to the customer to guarantee the correct configuration of the PaaS services he uses so that they are used in private and not exposed mode.
This obviously requires an effort on skills to consume cloud services in an intelligent way while securing it.
For more advanced customers, vendor lock-in is a dominant issue. If the cloud provider with which the customer is collaborating goes out of business or is unavailable for a certain period of time, the customer loses access to its IS. This is why customers are turning to multi-cloud strategies.
How can we address these issues and how can Wavestone help?
At Wavestone, we believe that the cloud can be a facilitator for IS security: a gateway to build an IS on a sound foundation and rely on technologies that work. You can take advantage of this to put security in the right place from the start, and one of the keys to achieving this is automation.
Automation must be implemented in deployment, infrastructure and security to achieve true value. If the customer sets the right security rules and these technical rules are translated into the integration and deployment chains (CI/CD), the customer will have the guarantee that the deployment of its resources and infrastructures will be secure as soon as they are deployed.
Wavestone also assists clients in contracting with cloud providers. We help our clients build landing zones, i.e. the basis of the security architects that will be deployed in the cloud. Our teams are embedded in cloud centers of excellence at our customers’ sites and work every day to secure cloud infrastructures. We also have the capacity to help our customers in their agile transformation, particularly on DevSecOps issues, in order to bring security closer to their projects.
The future of cloud security
The emerging trend of the moment is Zero Trust. This is a new security model that responds to the current challenges of cloud and mobility of people and data. The Zero Trust model aims at granting access on a need-to-know basis and thus putting security closer to the resources.
The objective is to put the user back at the center with the guarantee of the least privilege and to control access to a resource each time someone expresses the need for it. This verification will be done regardless of its origin even if it is an internal collaborator. Identity and authentication are at the center, as are the means of detection and control.
The definition of least privilege allocation algorithms and the systematic verification of each new entry request are vast topics around identity governance for our customers. Their technological translation, as with Azure AD to quote Microsoft’s technology, requires solid technical knowledge and change management support to be able to identify and configure the right authentication means (MFA, temporary rights allocation, etc.) and controls (Conditional Access Policy, sign-in logs, etc.) available.
This model is particularly well suited for cloud use since most public cloud providers allow the use of more reliable and configurable technologies than on-premise to manage identities, authentication and detection.