There is no cloud; it’s just someone else’s computer.
Of course, the preceding sentence is a sort of nerdy joke but isn’t really far from the truth.
While in the previous chapter, we delved into social engineering and checking various aspects of it, it’s now time to understand how the cloud works, focusing on cloud security and privacy.
In this chapter, we will cover the following topics:
Due to the proliferation of gadgets such as smartphones, tablets, and laptops, we can now access the internet from almost anywhere, with all the advantages and disadvantages that this may involve. Occasionally, you may create a file on your home computer but forget to bring it with you to the office the following day. Sometimes, though, you may find yourself with many copies of the same file and be unable to determine which copy is required. In a worst-case scenario, you may lose your smartphone, tablet, or laptop with all of your information, or even worse, your preferred gadget could suddenly cease to function. So, collaboration is the keyword here.
To solve these and other similar issues, the cloud was created. The cloud is nothing more than a personal storage space, sometimes referred to as cloud storage, which is accessible from any location with an internet connection. It should be noted, however, that in addition to cloud storage, the word cloud can also apply to various services provided by cloud computing.
From a compliance perspective, according to NIST, “Cloud computing [is] a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction,” while the German government adheres to an attestation scheme (also roughly adopted in France) by the Federal Office for Information Security (BSI). The standard is named the Cloud Computing Compliance Controls Catalogue (C5). They claim that “Cloud computing is a new paradigm in ICT (information and communication technology). It consists of IT services being adjusted dynamically to the customers need and made available through a network in a billable manner.” Also, new associations have appeared to support the cloud experience (in Europe at least), such as the Cloud Security Alliance (CSA) (https://cloudsecurityalliance.org/) and, more recently, the European Cloud User Coalition (ECUC) (https://ecuc.group/) which, with no costs, “aims to promote a structured dialog between cloud users, providers, and other parties.”
Cloud storage just synchronizes all of your favorite data in a single location, providing the benefit of re-downloading, altering, deleting, and/or upgrading it without the need to carry external hard disks, a USB drive, or any other item that is generally susceptible to loss or forgetfulness. In addition, with cloud storage, you will have the option of creating backup copies and sharing all of your favorite files with anyone you want, for as long as you want, with undeniable benefits in terms of time and convenience. Of course, where there are benefits, there are also hassles; let’s go a bit into detail now.
Cloud security refers to the set of technologies, protocols, and best practices that allow you to protect data and information in a cloud architecture.
Cloud security is a shared responsibility. On the one hand, cloud service providers must guarantee an adequate and protected infrastructure. On the other hand, users must also use it correctly and implement adequate measures, as they too are responsible for protecting the applications and data managed.
Cloud security can differ depending on the type of cloud service and the deployment model. Let’s clarify immediately, seeing an overview of the main ones.
Cloud services consist of infrastructures, platforms, or software hosted by external providers, and the various services are made available to the user via the internet. The types of cloud computing can be mainly divided into three categories:
In addition to the type of cloud service, the cloud computing distribution model is then defined. In this case, the main distribution methods are as follows:
Cloud security, as anticipated, concerns a set of strategies aimed at achieving multiple objectives. This includes archiving and network protection against cyberattacks, recovering any lost or stolen data, and generally reducing the impact of compromised systems or personal data breaches.
Too often, migrations to the cloud are carried out without first evaluating which data and processes to move and without having defined cybersecurity measures suitable for your specific case.
Everything must start, therefore, from the awareness of how data has been secured up until now, of the infrastructures used, and of the weak points on which it is necessary to intervene. Therefore, have a snapshot of the current situation to evaluate which cloud service offers adequate levels of security and plan an adequate migration strategy.
Depending on the case and the needs, there are different tools that a company can implement for solid cloud security. Here are some examples:
Security is an issue for all firms, regardless of whether they operate in the cloud. You will be exposed to threats such as denial of service, malware, SQL injection, data breaches, and data loss – all of which may severely affect your company’s reputation and financials.
Moving to the cloud introduces a new set of hazards and modifies the nature of others. This does not imply that cloud computing is insecure. In reality, many cloud service providers provide access to very advanced security technologies and resources that you would not have otherwise.
It simply implies that you must be aware of changing hazards in order to manage them. Consequently, let’s examine the particular security vulnerabilities of cloud computing.
The majority of businesses will access a variety of cloud services through numerous devices, departments, and geographic locations. Without the proper tools, this level of complexity in a cloud computing arrangement might lead you to lose awareness of access to your infrastructure.
Without the proper procedures in place, it is possible to lose track of who is using your cloud services, including the information they access, post, and download.
Just remember, an asset in the cloud may not be visible. And if it is not visible, it cannot be protected, increasing the likelihood of data loss and data breaches.
Of course, the same or similar controls that apply to on premises are applied to the cloud.
With the expansion of regulatory oversight, you must comply with a variety of strict compliance criteria. If you are not cautious, migrating to the cloud might expose you to compliance issues.
Many of these requirements require your organization to be aware of the location of your data, who has access to it, how it is handled, and how it is safeguarded. Other requirements may say that your cloud service provider needs to possess certain compliance certifications.
Transferring data inattentively to the cloud or migrating to the incorrect provider might place your firm in a position of non-compliance, introducing the possibility of severe legal and financial consequences (we spoke already of data transfer and Schrems II sentences, in Chapter 4, Data Processing).
You can simply avoid this cloud security risk, but many do not. In their rush to shift systems and data to the cloud, many firms become operational before the security mechanisms and plans to defend the infrastructure are in place.
Ensure that you create a cloud-specific security policy and architecture before deploying your systems and data to the cloud.
Your most trusted workers, contractors, and business partners may pose the greatest security threats. These internal risks may bring harm to your organization, even without malice. In truth, the majority of insider occurrences are the result of inadequate training or carelessness.
Despite the fact that you now encounter this difficulty, switching to the cloud modifies the danger. When you transfer over management of your data to your cloud service provider, you create a new level of insider danger posed by the company’s personnel.
Any contractual relationships you have will have constraints on the use, storage, and allowed access of any shared data. Inadvertently transferring limited data to a cloud provider without authorization might constitute a contract violation and result in legal action.
Make sure you read the terms and conditions of your cloud provider. Even if you have permission to transfer data to the cloud, several service providers reserve the right to share any data uploaded to their infrastructure. You may accidentally violate a non-disclosure agreement due to ignorance.
When running systems on a cloud infrastructure, you can implement control via an API. Any API included in your web or mobile apps may be accessed both internally and externally.
An external API may create a security risk to the cloud. Any unsecured external API provides thieves with unauthorized access to steal data and modify services.
The Facebook–Cambridge Analytica scandal is the most notable instance of an unsafe external API. Cambridge Analytica gained extensive access to Facebook user data through Facebook’s unsecured external API.
Another possible cloud security concern is cloud service misconfiguration. This is a developing concern as the breadth and complexity of services expand. A misconfiguration of cloud services may result in data being exposed to the public, altered, or even erased.
Common reasons include retaining security and access control settings by default for extremely sensitive data. Others include mismatched access management, which gives unauthorized users access, and twisted data access, in which personal information is left accessible without authorization.
Although the GDPR takes a risk-based approach to data protection, it makes no mention of the cloud directly. The regulation, on the other hand, is technology-neutral in that it applies regardless of the method used to treat personal data. The fragmented processing environment of the cloud, where such standards may not always apply, makes it difficult to implement the GDPR. The challenges are broken down in some detail in the following sections.
The European Data Protection Supervisor (EDPS) and the European Union Agency for Network and Information Security (ENISA) have stated that the specific features and processes linked to the different service and deployment models of a cloud infrastructure imply specific risks compared to a “traditional” on-premises data center.
NIST defines three service models (SaaS, PaaS, and IaaS) and four deployment models: public, private, community, and hybrid (a composition of the former three models) cloud environments. Each represents different models of outsourcing with disparate security and privacy risks.
Some of the security tasks (such as monitoring, patching, and incident response) are outsourced. Depending on the type of cloud service, some tasks remain under the responsibility of the customer, while other tasks remain under the responsibility of the provider. Division of responsibilities can sometimes be a major source of problems, as it is often based on assumptions and is poorly documented, leading to overlaps and gaps. For example, in IaaS/PaaS, the customers run their own code on top of the cloud service and often remain responsible for this (application) software. In SaaS, on the other hand, the application software is usually under the control of the provider.
Therefore, it is not uncommon for customers to be confused about their responsibilities concerning security – that is, which security tasks are outsourced to the provider and which security tasks remain under their own responsibility.
Businesses still struggle to comply with the GDPR regulatory criteria nearly 5 years after the rule was enacted. Additionally, it has become necessary for both organizations and cloud service providers to modify their business models as a result of the fast use of cloud services by businesses. In order to comply with the regulations, they must significantly alter their business practices. GDPR lays out specific requirements for data controllers and processors to adhere to in Chapter 4, Article 24–43. The regulation outlines the obligations, specifications, and guidelines that must be followed when handling personal data. Let’s take a deeper look at the specifications listed in that section in order to better comprehend the effects of GDPR on data controllers and processors as they apply to cloud service providers.
When a cloud service provider stores or processes data belonging to EU persons on behalf of the data controller, it is said to be in scope. A cloud service provider and a data controller can become joint data controllers depending on how and why the data is processed, which entails additional important duties and responsibilities for the data processor. To implement the essential controls and specifications for compliance, the cloud service provider must define its function in accordance with the regulations established by GDPR.
The function role must be identified to make it simple to find the GDPR rules that apply. Therefore, defining roles and duties is the first stage in creating a suitable data protection policy. Once roles have been defined, the development of a data protection strategy is needed for cloud service providers in order to execute and manage the relevant GDPR standards.
The following is a list of specifications that would be applicable to cloud service providers, paraphrasing the language of the law:
The regulations that apply to cloud service providers with regard to data security and compliance are summarized in the following outline:
Cloud service providers and processors are required by GDPR to adopt approved codes of conduct or take part in certification or seal programs that have been authorized by supervisory authorities, in order to demonstrate compliance with GDPR standards. This assists in demonstrating conformity with the regulation, offering guarantees and assurances of cross-border transfer safeguards. The creation of codes of conduct that support the correct implementation of GDPR is encouraged under Article 40. The rule makes it clear that the proposed code of conduct must include particular elements related to how GDPR must be applied. The following ought to be mentioned:
The regulation’s enforcement has made it very clear that no company can shirk its obligation to process customer data safely. As previously mentioned, we can take into consideration associations such as ECUC (an interest group for European Financial Institutions in Cloud (ECUC) related questions https://ecuc.group/), BSI – Cloud Computing Compliance Criteria Catalog (BSI C5 of the German Federal Office for Information Security, https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_Einfuehrung/C5_Einfuehrung_node.html), or Cloud Security Alliance (CSA, a cloud computing environment, https://www.cloudsecurityalliance.org) for references. Every organization involved directly or indirectly in data processing or that has access to the personal data of an EU citizen will be required to comply with the legislation, regardless of whether it is outsourced to a third party or done in-house. Businesses, particularly data controllers and data processors, may incur significant fines for negligence or misunderstanding of these regulations. Cloud service providers must be aware of their individual responsibilities and tasks under GDPR and keep in mind that compliance with the law and the dangers of not doing so must be given top priority.
In this chapter, we spoke a lot about the cloud, talking about security, risk management, the types of cloud, and all the pain points related to it, concluding with GDPR. As a consumer, even if you use the cut-down versions of these services, usually for free, you’ll find that the main players in the market comply with the main standards. From an entity perspective, you could be involved either in the adoption of a cloud platform or with a cloud company to create and improve a cloud governance program.
The realm of US privacy will be explored in the next chapter, along with the Federal Trade Commission (Section 5) and a review of local privacy laws. Finally, we’ll look at two distinct yet related phenomena – Bring Your Own Device (BYOD)- and remote working.