10

The Cloud

There is no cloud; it’s just someone else’s computer.

Of course, the preceding sentence is a sort of nerdy joke but isn’t really far from the truth.

In the previous chapter, we delved into social engineering and examined various aspects of it; now it is time to understand how the cloud works, focusing on cloud security and privacy.

In this chapter, we will cover the following topics:

  • How did the cloud emerge?
  • The seven pain points of cloud computing
  • Cloud and GDPR concerns
  • The GDPR code of conduct for Cloud Service Providers (CSPs), that is, the companies offering services such as storage over the internet

How did the cloud emerge?

Due to the proliferation of gadgets such as smartphones, tablets, and laptops, we can now access the internet from almost anywhere, with all the advantages and disadvantages that this may involve. Occasionally, you may create a file on your home computer but forget to bring it with you to the office the following day. Sometimes, though, you may find yourself with many copies of the same file and be unable to determine which copy is required. In a worst-case scenario, you may lose your smartphone, tablet, or laptop with all of your information, or even worse, your preferred gadget could suddenly cease to function. So, collaboration is the keyword here.

What exactly is the cloud? How does it work?

To solve these and other similar issues, the cloud was created. The cloud is nothing more than a personal storage space, sometimes referred to as cloud storage, which is accessible from any location with an internet connection. It should be noted, however, that in addition to cloud storage, the word cloud can also apply to various services provided by cloud computing.

From a compliance perspective, NIST defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” The German government, meanwhile, adheres to an attestation scheme (also roughly adopted in France) from the Federal Office for Information Security (BSI), named the Cloud Computing Compliance Controls Catalogue (C5), which states that “Cloud computing is a new paradigm in ICT (information and communication technology). It consists of IT services being adjusted dynamically to the customer’s needs and made available through a network in a billable manner.” New associations have also appeared to support the cloud experience (in Europe at least), such as the Cloud Security Alliance (CSA) (https://cloudsecurityalliance.org/) and, more recently, the European Cloud User Coalition (ECUC) (https://ecuc.group/), which, at no cost, “aims to promote a structured dialog between cloud users, providers, and other parties.”

Cloud storage simply synchronizes all of your favorite data in a single location, providing the benefit of re-downloading, altering, deleting, and/or upgrading it without the need to carry external hard disks, a USB drive, or any other item that is generally susceptible to loss or forgetfulness. In addition, with cloud storage, you will have the option of creating backup copies and sharing all of your favorite files with anyone you want, for as long as you want, with undeniable benefits in terms of time and convenience. Of course, where there are benefits, there are also hassles; let’s go into a bit more detail now.

What is cloud security?

Cloud security refers to the set of technologies, protocols, and best practices that allow you to protect data and information in a cloud architecture.

Cloud security is a shared responsibility. On the one hand, cloud service providers must guarantee an adequate and protected infrastructure. On the other hand, users must also use it correctly and implement adequate measures, as they too are responsible for protecting the applications and data managed.

Cloud security can differ depending on the type of cloud service and the deployment model. Let’s clarify this right away with an overview of the main ones.

Types of cloud services

Cloud services consist of infrastructures, platforms, or software hosted by external providers, and the various services are made available to the user via the internet. The types of cloud computing can be mainly divided into three categories:

  • Infrastructure as a Service (IaaS): The service provider manages the infrastructure (i.e., the physical servers, networks, virtual machines, data storage, and operating systems) on behalf of the customer, via an internet connection. It is up to the customer to secure what is added to the operating system and to manage the access, devices, and networks of end users.
  • Platform as a Service (PaaS): This is designed for developers and programmers. With this service, a host is provided to customers who can create and host their own applications, without having to create and manage the infrastructure of servers, storage, networks, and databases.
  • Software as a Service (SaaS): Here, the customer is provided with access to software applications managed by the cloud service provider, without having to run their own servers. The customer can use the services online (without necessarily installing an app on the computers of individual users), controlling the software configuration but without managing the infrastructure (examples of SaaS include Microsoft Office 365, Dropbox, iCloud, and apps by Google).

Distribution models

In addition to the type of cloud service, the cloud computing distribution model is then defined. In this case, the main distribution methods are as follows:

  • Public model: Cloud services are made available by an external provider and are available to anyone, free or paid. Some examples include Microsoft Azure and Amazon Web Services.
  • Private model: Cloud services are made available for access by a single organization, via the internet or a private internal network. The private cloud can be managed by an external provider or even internally by the company itself.
  • Hybrid model: Cloud services are provided by combining private clouds (third-party or in-house) with public clouds as needed, taking advantage of the best of both infrastructures.
  • Other models: These include community cloud, multi-cloud, poly cloud, and HPC cloud. Without going into detail, suffice it to say that – in addition to the aforementioned – there are also other less popular solutions that can be used as needed.

Cloud security – examples of measures that can prevent risks

Cloud security, as anticipated, concerns a set of strategies aimed at achieving multiple objectives. These include protecting storage and networks against cyberattacks, recovering any lost or stolen data, and generally reducing the impact of compromised systems or personal data breaches.

Too often, migrations to the cloud are carried out without first evaluating which data and processes to move and without having defined cybersecurity measures suitable for your specific case.

Everything must start, therefore, from an awareness of how data has been secured up until now, of the infrastructures used, and of the weak points on which it is necessary to intervene. Therefore, take a snapshot of the current situation to evaluate which cloud service offers adequate levels of security and to plan an adequate migration strategy.

Depending on the case and the needs, there are different tools that a company can implement for solid cloud security. Here are some examples:

  • An Identity and Access Management (IAM) system, to control which identities may access which resources
  • Micro-segmentation, thanks to which the cloud deployment is divided into distinct segments, down to the level of a single workload, limiting the damage a successful attacker can do
  • Next-generation firewalls – compared to traditional ones, they add advanced features, such as application-aware filters, deep packet inspection, and intrusion prevention systems
  • Encryption, so that data can only be decrypted by the holder of a specific key
  • Threat intelligence, monitoring, and prevention, that is, features aimed at analyzing traffic to identify, block, or at least mitigate a malware attack

The seven pain points of cloud computing

Security is an issue for all firms, regardless of whether they operate in the cloud. You will be exposed to threats such as denial of service, malware, SQL injection, data breaches, and data loss – all of which may severely affect your company’s reputation and financials.

Moving to the cloud introduces a new set of hazards and modifies the nature of others. This does not imply that cloud computing is insecure. In reality, many cloud service providers provide access to very advanced security technologies and resources that you would not have otherwise.

It simply implies that you must be aware of changing hazards in order to manage them. Consequently, let’s examine the particular security vulnerabilities of cloud computing.

Reduced visibility

The majority of businesses will access a variety of cloud services through numerous devices, departments, and geographic locations. Without the proper tools, this level of complexity in a cloud computing arrangement might lead you to lose awareness of access to your infrastructure.

Without the proper procedures in place, it is possible to lose track of who is using your cloud services, including the information they access, post, and download.

Just remember, an asset in the cloud may not be visible. And if it is not visible, it cannot be protected, increasing the likelihood of data loss and data breaches.

Of course, the same or similar controls that apply on premises should also be applied to the cloud.

Compliance violations

With the expansion of regulatory oversight, you must comply with a variety of strict compliance criteria. If you are not cautious, migrating to the cloud might expose you to compliance issues.

Many of these frameworks require your organization to be aware of the location of your data, who has access to it, how it is handled, and how it is safeguarded. Other requirements may say that your cloud service provider needs to possess certain compliance certifications.

Transferring data inattentively to the cloud or migrating to the wrong provider might place your firm in a position of non-compliance, introducing the possibility of severe legal and financial consequences (we already discussed data transfers and the Schrems II rulings in Chapter 4, Data Processing).

Absence of a strategy and architecture for cloud security

You can easily avoid this cloud security risk, yet many do not. In their rush to shift systems and data to the cloud, many firms become operational before the security mechanisms and plans to defend the infrastructure are in place.

Ensure that you create a cloud-specific security policy and architecture before deploying your systems and data to the cloud.

Internal threats

Your most trusted workers, contractors, and business partners may pose the greatest security threats. These internal risks may bring harm to your organization, even without malice. In truth, the majority of insider occurrences are the result of inadequate training or carelessness.

Although you already face this difficulty on premises, switching to the cloud changes the danger. When you hand over management of your data to your cloud service provider, you add a new layer of insider risk: the provider’s own personnel.

Contractual violations

Any contractual relationships you have will have constraints on the use, storage, and allowed access of any shared data. Inadvertently transferring limited data to a cloud provider without authorization might constitute a contract violation and result in legal action.

Make sure you read the terms and conditions of your cloud provider. Even if you have permission to transfer data to the cloud, several service providers reserve the right to share any data uploaded to their infrastructure. You may accidentally violate a non-disclosure agreement due to ignorance.

Unprotected interfaces (APIs)

When running systems on a cloud infrastructure, you can implement control via an API. Any API included in your web or mobile apps may be accessed both internally and externally.

An external API may create a security risk to the cloud. Any unsecured external API provides thieves with unauthorized access to steal data and modify services.

The Facebook–Cambridge Analytica scandal is the most notable instance of an unsafe external API. Cambridge Analytica gained extensive access to Facebook user data through Facebook’s unsecured external API.

Errors in the configuration of cloud services

Another possible cloud security concern is cloud service misconfiguration. This is a developing concern as the breadth and complexity of services expand. A misconfiguration of cloud services may result in data being exposed to the public, altered, or even erased.

Common causes include leaving security and access control settings at their defaults for extremely sensitive data. Others include mismatched access management, which gives unauthorized users access, and confused data access, in which personal information is left accessible without authorization.
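As an added illustration of the misconfiguration just described (example code, not from the chapter), the following Python checker reads an IAM-style storage bucket policy, the JSON shape used by AWS S3 bucket policies, and flags statements that any principal can use; the sample policies, bucket name, account id, role name and VPC endpoint id are constructed.

```python
"""Flag IAM-style storage bucket policies that grant anonymous access.

Added example, not code from the chapter. Assumes the JSON shape of AWS S3
bucket policies (Statements with Effect, Principal, Action, Resource and an
optional Condition). Bucket, account, role and VPC endpoint ids are constructed."""
import json

# Constructed sample: a bucket of personal data left with a default-style
# "everyone may read" statement, the misconfiguration the chapter describes.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-hr-records",
                      "arn:aws:s3:::example-hr-records/*"]},
    ],
})

# Constructed sample: same bucket restricted to one role, plus a wildcard
# statement narrowed by a source VPC endpoint condition (needs review, not public).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "HrRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/hr-app"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-hr-records/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-hr-records/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ],
})

READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    """Normalize the IAM 'string or list' convention to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True when Principal means anyone: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json: str) -> list:
    """One finding per Allow statement that any principal can use.

    Unconditioned wildcard statements are outright public; conditioned ones are
    still reported (conditioned=True) so a reviewer checks the condition.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "conditioned": "Condition" in stmt,
        })
    return findings


def is_publicly_readable(policy_json: str) -> bool:
    """True when an unconditioned wildcard statement grants a read action."""
    return any(not f["conditioned"] and READ_ACTIONS & set(f["actions"])
               for f in find_public_statements(policy_json))


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        for f in find_public_statements(policy):
            level = "REVIEW" if f["conditioned"] else "PUBLIC"
            print(f"[{level}] {name}/{f['sid']}: {f['actions']} on {f['resources']}")
        print(f"{name}: publicly readable = {is_publicly_readable(policy)}")
```

Run against exported bucket policies, the checker separates outright public grants from conditioned wildcard statements that merely need a human look.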

Cloud and GDPR concerns

Although the GDPR takes a risk-based approach to data protection, it makes no mention of the cloud directly. The regulation, on the other hand, is technology-neutral in that it applies regardless of the method used to treat personal data. The fragmented processing environment of the cloud, where such standards may not always apply, makes it difficult to implement the GDPR. The challenges are broken down in some detail in the following sections.

Security concerns specific to the cloud

The European Data Protection Supervisor (EDPS) and the European Union Agency for Network and Information Security (ENISA) have stated that the specific features and processes linked to the different service and deployment models of a cloud infrastructure imply specific risks compared to a “traditional” on-premises data center.

NIST defines three service models (SaaS, PaaS, and IaaS) and four deployment models: public, private, community, and hybrid (a composition of the former three models) cloud environments. Each represents different models of outsourcing with disparate security and privacy risks.

Some of the security tasks (such as monitoring, patching, and incident response) are outsourced. Depending on the type of cloud service, some tasks remain under the responsibility of the customer, while other tasks remain under the responsibility of the provider. Division of responsibilities can sometimes be a major source of problems, as it is often based on assumptions and is poorly documented, leading to overlaps and gaps. For example, in IaaS/PaaS, the customers run their own code on top of the cloud service and often remain responsible for this (application) software. In SaaS, on the other hand, the application software is usually under the control of the provider.

Therefore, it is not uncommon for customers to be confused about their responsibilities concerning security – that is, which security tasks are outsourced to the provider and which security tasks remain under their own responsibility.

What effect is GDPR having on the cloud industry?

Businesses still struggle to comply with the GDPR regulatory criteria nearly 5 years after the rule was enacted. Additionally, the rapid uptake of cloud services by businesses has made it necessary for both organizations and cloud service providers to modify their business models. In order to comply with the regulations, they must significantly alter their business practices. GDPR lays out specific requirements for data controllers and processors to adhere to in Chapter 4 of the regulation (Articles 24–43). That chapter outlines the obligations, specifications, and guidelines that must be followed when handling personal data. Let’s take a deeper look at the specifications listed there in order to better understand the effects of GDPR on data controllers and processors as they apply to cloud service providers.

Requirements for cloud service providers under GDPR

When a cloud service provider stores or processes data belonging to EU persons on behalf of the data controller, it is said to be in scope. A cloud service provider and a data controller can become joint data controllers depending on how and why the data is processed, which entails additional important duties and responsibilities for the data processor. To implement the essential controls and specifications for compliance, the cloud service provider must define its function in accordance with the regulations established by GDPR.

The role must be identified so that the applicable GDPR rules can easily be found. Therefore, defining roles and duties is the first stage in creating a suitable data protection policy. Once roles have been defined, cloud service providers need to develop a data protection strategy in order to execute and manage the relevant GDPR standards.

Normative requirements

The following is a list of specifications that would be applicable to cloud service providers, paraphrasing the language of the law:

  • Establish guidelines for the handling of personal data
  • Establish procedures for processing data and upholding the rights of data subjects, such as the right to information, the right to access, the right to revoke consent, the right to alter information, and the right to object to the processing activities carried out by the cloud service provider
  • Establish privacy requirements from the start for anybody handling or controlling data
  • Create and implement rules for data portability and ownership
  • Implement security measures to protect data privacy
  • Establish guidelines for the handling of personal data for third parties and foreign organizations
  • Create policies and processes for handling violations and incidents
  • Create policies for the drafting of contracts, data retention periods, and other necessary matters

The regulations that apply to cloud service providers with regard to data security and compliance are summarized in the following outline:

  • Security control requirements: Cloud service providers must offer sufficient assurances that the necessary organizational and technical safeguards are in place to ensure GDPR compliance. Both the controller and the processor must apply the necessary steps to provide a degree of security appropriate to risk, which may include the following:
    • Pseudonymization and personal data encryption
    • Continually ensure the privacy, accuracy, availability, and robustness of processing systems and services
    • In the case of a technical failure or physical attack, immediately restore access to and the availability of personal data
    • Create a procedure for routinely testing, analyzing, and reviewing the efficiency of organizational and technical safeguards for processing security
    • Adherence to a recognized code of conduct, as described in Article 40, or a recognized certification method, as described in Article 42, may be used as a component to show conformity with standards
    • Unless compelled to do so by union or member state law, the data controller and data processor must make sure that anyone operating on their behalf and having access to personal data does not handle it without the controller’s permission
  • Contractual requirements: The commercial service contract outlines the cloud service provider’s specific GDPR responsibilities and requires that the following contract clauses be included:
    • The cloud service provider or its subprocessors may only follow instructions from the data controller when processing data
    • A guarantee from the cloud service providers about security precautions and how Article 32 GDPR standards will be met
    • A list of the subprocessors that the processor uses, together with information on how changes to that list are handled with the controller
    • Information required to prove the cloud provider complies with Article 28 of GDPR, as well as how the processor will support the data controller’s audits and inspections
    • The safeguards in place to ensure the security of personal data handled outside the European Economic Area
    • The allocation of responsibility between the controller and processor in the event of a GDPR violation or personal data breach, as well as how the controller should be informed of such incidents
    • How the processor is carrying out its responsibilities to uphold the rights of data subjects
    • How types and categories of personal data are handled at the beginning and during transfer, normal processing, and end-of-life – including return and deletion – as well as the subject matter, extent, nature, context, purpose, and length of the processing
  • Documentation requirements:
    • Data controllers: Where applicable, each controller shall keep a record of its processing activities, including the following information:
      • Name and contact information for the controller, joint controller, controller’s representative, and data protection officer, if applicable
      • Purpose of the processing
      • A description of the categories of data subjects and of the categories of personal data
      • The categories of recipients to whom personal data has been or will be disclosed, including recipients in third countries or international organizations
      • Transfers of personal data to a third country or an international organization, including the name of the third country or international organization and the evidence of appropriate safeguards, as per Article 49
      • Predicted time limits for erasing the various categories of data, whenever possible
      • A general overview of the technical and organizational security measures mentioned in Article 32, whenever possible
    • Data processors: The following information must be included in each processor’s record of all categories of processing activities performed on behalf of a controller, where applicable:
      • Name and contact details of the data protection officer and of any other processors
      • Categories of processing activities performed
      • Transfers of personal data to a third country or an international organization, including the mention of the third country or the international organization and the proof of the necessary protections, as outlined in Article 49
      • A general overview of the organizational and technical security measures mentioned in Article 32

The GDPR code of conduct for CSPs

Cloud service providers and processors are required by GDPR to adopt approved codes of conduct or take part in certification or seal programs that have been authorized by supervisory authorities, in order to demonstrate compliance with GDPR standards. This assists in demonstrating conformity with the regulation, offering guarantees and assurances of cross-border transfer safeguards. The creation of codes of conduct that support the correct implementation of GDPR is encouraged under Article 40. The rule makes it clear that the proposed code of conduct must include particular elements related to how GDPR must be applied. The following ought to be mentioned:

  • Fair and transparent processing – controllers’ legitimate interests
  • Gathering of personal information
  • Anonymization of personal information
  • Data made available to the general public and data subjects
  • Exercising data subjects’ rights
  • Information given to children, their protection, and the process of obtaining approval from those who have parental responsibility for them
  • Processes and policies mentioned in Article 24 and Article 25, as well as the security-related procedures and policies mentioned in Article 32
  • Notification of breaches of personal data to supervisory authorities and dissemination of such information to data subjects
  • Transfer of personal data to international organizations or third nations
  • Resolution of processing-related issues between controllers and data subjects through out-of-court actions and other dispute resolution processes, while upholding all protections for data subject rights under Article 77 and Article 79

The regulation’s enforcement has made it very clear that no company can shirk its obligation to process customer data safely. As previously mentioned, for references we can look to associations and schemes such as the ECUC (an interest group of European financial institutions on cloud-related questions, https://ecuc.group/), the BSI Cloud Computing Compliance Criteria Catalogue (BSI C5, from the German Federal Office for Information Security, https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_Einfuehrung/C5_Einfuehrung_node.html), or the Cloud Security Alliance (CSA, https://www.cloudsecurityalliance.org). Every organization involved directly or indirectly in data processing, or that has access to the personal data of an EU citizen, will be required to comply with the legislation, regardless of whether processing is outsourced to a third party or done in-house. Businesses, particularly data controllers and data processors, may incur significant fines for negligence or misunderstanding of these regulations. Cloud service providers must be aware of their individual responsibilities and tasks under GDPR and keep in mind that compliance with the law, and the dangers of failing to comply, must be given top priority.

Summary

In this chapter, we spoke a lot about the cloud, discussing security, risk management, the types of cloud, and all the pain points related to it, and concluding with GDPR. As a consumer, even if you use the cut-down versions of these services, usually for free, you’ll find that the main players in the market comply with the main standards. From an organizational perspective, you could be involved either in adopting a cloud platform or in working with a cloud company to create and improve a cloud governance program.

The realm of US privacy will be explored in the next chapter, along with the Federal Trade Commission (Section 5) and a review of local privacy laws. Finally, we’ll look at two distinct yet related phenomena – Bring Your Own Device (BYOD) and remote working.
