Cloud Computing

What is Cloud computing?

Cloud computing involves remote servers hosted by third parties that store, process, and manage data and operations instead of local computers. This is commonly known as the public Cloud. The Cloud provides advantages such as speed and efficiency via dynamic scaling. It also presents security risks including: 

  • Data breaches
  • Malicious insiders
  • Account hijacking
  • Malware infections
  • Key management
  • DoS attacks

Security is one of the top reasons companies cite for not using the Cloud. In practice, however, a well-configured Cloud deployment is often more secure than locally hosted servers, because large providers invest in physical security, patching, and monitoring at a scale few organizations can match.

"Security continues to be the most commonly cited reason for avoiding the use of the public Cloud."

Hype Cycle for Cloud Security, 2015

Cloud providers deploy security controls to protect their own environments, but under the shared responsibility model the organization remains responsible for what it puts in the Cloud: its data, identities, access policies, and configuration. In fact, research shows that over 90% of security issues actually originate with the enterprise, typically through misconfiguration or insecure applications, not with the Cloud provider. In other words, no matter where you run an application, its vulnerabilities will follow.

What is a Cloud server?

Cloud servers are physical hosts running bare-metal hypervisors that expose compute as virtual machines (or, increasingly, as containers). Cloud computing builds on this virtualization: customers can spin additional virtual machines up or down at will, and they pay for usage rather than for hardware.

In the Cloud, storage becomes more decentralized. It takes advantage of the host’s scale rather than the local resources available. This allows for large amounts of storage at a more economical cost. Providers can buy redundant storage systems at a much lower cost and larger scale than most organizations.

Using Cloud services is particularly attractive for smaller organizations and start-ups. For a small organization, Cloud services provide access to enterprise-class hardware and fault-tolerant features that would otherwise be cost-prohibitive. Start-ups benefit because they can get their operations running quickly, without having to invest in on-premises data center resources.

What does security look like in the Cloud?

Cloud security may be a fairly new concept, but the underlying principles of building security in remain the same. Using the same tests and services we’ve mastered over the past 20 years, Synopsys can help you take advantage of all the Cloud has to offer without sacrificing your security risk profile.

There are three Cloud deployment models:

  • Public Cloud: (e.g., Google Cloud, AWS, Azure) Generally Internet-accessible, shared-tenant, and widely available for use.
  • Private Cloud: (e.g., OpenStack, VMware vCloud Suite, OpenNebula) Similar to a traditional on-premises data center, but using Cloud-native orchestration and instrumentation. Typically single-tenant with private networking.
  • Hybrid Cloud: Combines elements of public and private deployment models. Typically involves public Cloud providers, software-defined networking, and "bridge" network links such as IPsec tunnels or leased lines to connect to the corporate network. With this flexibility comes increased complexity, warranting increased security scrutiny as data and software components criss-cross and redefine trust boundaries.

Most Cloud providers take security seriously. Their goal is to provide a secure hosting platform for clients to implement services. However, security implementation changes from one Cloud provider to another. It is important to build a solid understanding of these security features and capabilities. Leverage built-in Cloud security features when possible. Examples of these features include:

  • AWS Key Management Service
  • AWS Certificate Manager
  • Virtual private networking (VPC in Google Cloud, Virtual Network in Microsoft Azure)

Utilize third-party services with built-in security that deploy directly into an organization's own Cloud account. Prefer offerings that focus on a specific use case, since those vendors have already worked out the details of running that workload securely in the Cloud. While they feel like a remote managed service, these services run within the organization's own Cloud account.

Such offerings combine the turnkey functionality of a managed service with a deployment that is secured out of the box, and the organization's data never has to leave its own Cloud trust zone. Examples include MongoDB Cloud Manager (running MongoDB in your Cloud) and ParaStack (running automated data analytics pipelines in your Cloud).

How does Cloud migration work?

The popularity of Cloud migration is on the rise. However, certain aspects are often at risk when transitioning to third parties. There are data integrity, intellectual property, and customer data concerns. Many organizations work around this by using a hybrid infrastructure. In a hybrid environment, the most sensitive data is kept in-house while day-to-day operations take place in the Cloud.

Migrating to the Cloud can be a challenge for many businesses. Some vendors provide heavy integration to make it simple. For example, Office 365 is designed to sync with Active Directory to make migration as painless as possible. Moving a custom application may take additional time and effort. However, the cost of migrating to the Cloud is often offset by reduced resource and hosting costs in the long term.

Another challenge for some organizations when moving to the Cloud is data residency. Data residency is about controlling where regulated data and documents are physically located. Organizations need to consider the data residency requirements for the jurisdictions in which they operate, as well as the rules that govern the treatment of data at the Cloud service provider's data centers.

To tackle data residency requirements, use Cloud data tokenization: sensitive values stay in a vault within the required jurisdiction, while only tokens (random replacement values that carry no information about the original) are stored and processed elsewhere. Detokenization requires access to the vault, so a compromise of the Cloud copy alone exposes nothing.
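To make the tokenization approach concrete, here is an added example (not code from the original page or from Synopsys) of a minimal token vault in Python using only the standard library. The `TokenVault`, `tokenize_record`, `detokenize_record` and `leaks_sensitive` names, the `tok_` token format, the index key and the sample patient record are all assumptions constructed for this example; a real vault would be a database living in the regulated jurisdiction.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Iterable, Optional

# Assumed token format for this example: a fixed prefix plus 128 random bits.
TOKEN_PREFIX = "tok_"
TOKEN_RE = re.compile(r"^tok_[0-9a-f]{32}$")


class TokenVault:
    """On-premises token vault (in-memory stand-in for a real database).

    Tokens are random, not derived from the value, so a copy of the Cloud
    data set cannot be reversed or brute-forced without the vault. A keyed
    fingerprint index makes tokenization deterministic: the same value maps
    to the same token, so grouping and joins still work on the Cloud side.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key          # never leaves the vault
        self._token_to_value: Dict[str, str] = {}
        self._fingerprint_to_token: Dict[str, str] = {}

    def _fingerprint(self, value: str) -> str:
        # HMAC rather than a plain hash: without the key, the index cannot be
        # used to test guesses against known values.
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._fingerprint_to_token.get(fp)
        if token is None:
            token = TOKEN_PREFIX + secrets.token_hex(16)
            self._token_to_value[token] = value
            self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Reverse a token; only possible with access to the vault."""
        return self._token_to_value.get(token)


def tokenize_record(record: Dict[str, str], vault: TokenVault,
                    sensitive_fields: Iterable[str]) -> Dict[str, str]:
    """Return a copy of `record` in which sensitive fields are replaced by tokens."""
    out = dict(record)
    for field in sensitive_fields:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out


def detokenize_record(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Restore original values on the local side; unknown tokens are left untouched."""
    out = dict(record)
    for field, value in out.items():
        if TOKEN_RE.match(value):
            original = vault.detokenize(value)
            if original is not None:
                out[field] = original
    return out


def leaks_sensitive(cloud_record: Dict[str, str], originals: Iterable[str]) -> bool:
    """True if any raw sensitive value appears anywhere in the Cloud-bound copy."""
    blob = "\x00".join(cloud_record.values())
    return any(v in blob for v in originals)


def demo() -> Dict[str, str]:
    vault = TokenVault(index_key=secrets.token_bytes(32))   # kept on premises
    # Constructed sample record; the SSN is a fake value used only for illustration.
    patient = {"id": "p-1001", "name": "A. Example", "ssn": "123-45-6789", "country": "DE"}
    cloud_copy = tokenize_record(patient, vault, {"name", "ssn"})
    assert not leaks_sensitive(cloud_copy, [patient["name"], patient["ssn"]])
    return cloud_copy


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that tokens are random rather than a hash of the value: a hashed token would let anyone holding the Cloud data set confirm guesses ("is this token the SSN 123-45-6789?") without ever touching the vault. Non-sensitive fields such as `country` stay in the clear so the Cloud side can still filter and aggregate on them.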

When it comes to data security, Cloud storage becomes a risk for certain types of information. If a piece of information shouldn't be visible to the hosting provider, it should be encrypted at rest and in transit with keys the provider does not hold. Data that stays encrypted end to end cannot be processed by the provider, but the provider can still serve as a scalable storage and transport endpoint for it.

When is Cloud storage the best option?

Organizations should weigh which storage and compute options fit a given task. Tasks with stringent security requirements (e.g., generating the secret keys that protect your servers) may not belong in the Cloud unless the provider offers a hardware-backed key service that keeps the key material out of reach of the provider's own staff. For an application that needs scaled Web services, a more informed risk assessment can be made once you know the type of data handled and how that data is stored.

At Synopsys, our solutions to secure data in the Cloud include continuous and comprehensive security risk identification and mitigation for your organization. Adapt the fundamentals of risk management to the unique features of the Cloud ecosystem with:

  • Architecture risk analysis and threat modeling. Identify missing or weak security controls, understand secure design best practices, and mitigate security flaws that increase your risk of a breach.
  • Security testing. Test your Cloud applications using static application security testing (SAST), dynamic application security testing (DAST), and penetration testing.
  • Network security. Infrastructure and network considerations affect Cloud security as much as application security. Considerations such as virtual private Cloud architecture, operating system and Cloud service hardening, storage architecture, key management, business continuity planning, and disaster recovery processes must be specified and configured properly with the Cloud provider.
  • Developer training. Teach developers secure coding practices and how to apply them to Cloud services.