The Challenge of Adequately Defining Technical Risk

Copyright: © 2021 | Pages: 30
DOI: 10.4018/978-1-7998-3979-8.ch002

Abstract

Chapter 2 investigates the risk and compliance conundrum as fundamental principles that better inform the governance of cyber security in organizations. Public cloud computing examples are used to highlight the deficiencies of legacy risk assessment methods, but also to provide a stark warning about using compliance mapping approaches instead of considered security control implementations. Ultimately, using blanket compliance frameworks does not necessarily improve security; rather, it creates a vacuum in which the controls needed to safeguard cloud environments are not examined in enough depth. This is particularly relevant because public cloud systems are connected to and accessed via the Internet and are therefore exposed to external threats. This chapter explores the use of threat modelling to contextualize risks more accurately in order to mitigate them more effectively.
Chapter Preview

Introduction

Public cloud platforms provide a number of different deployment formations comprising a range of service models (Smith, 2012). Customers are then able to lease or purchase processing, storage, and services from different global regions. Today, researchers use several methods of virtualization in cloud formations (Symons, 2016), and they host them on Cloud Service Provider (CSP) third-party infrastructure. Following sets of defined and publicized CSP service criteria, the customers are ultimately accountable for the protection of their data under their own control. This is called the ‘shared security responsibility’ (Alert Logic, 2016; Trend Micro, 2016; Provos, 2016). The importance of cloud computing has now reached a turning point with end-user organizations deploying systems and applications into the Cloud more readily and using Software-as-a-Service (SaaS) in some cases to replace customer on-premises productivity applications. Additionally, the innovation of cloud-based database management systems is drawing wider end-user adoption (Ronthal, 2019). Inherently, the datacenter and configuration of the underlying hardware or software infrastructure for cloud computing are under the control of third-party CSPs. This is a step change compared to normal enterprise solutions, in which the responsibility lies either with customer IT support teams or a contracted outsourced service provider utilizing dedicated infrastructure; in such cases, customers usually articulate, as part of their contract with the supplier, specific requirements criteria that can be auditable by the customer.

The top three CSPs are Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). AWS is renowned for its breadth of services, Azure for its enterprise feel, and Google for its Big Data offerings (Harvey & Patrizio, 2020). As discussed in Chapter 1, cloud platforms have come to the fore in recent years with regard to AI, led by Google and Amazon in particular (Stanek, 2017), with Microsoft Azure also breaking into this market (InsideBIGDATA, 2020). CSPs provide supporting documentation and evidence of their conformity to global certifying standards; Tables 1 and 2 illustrate this. Trusted Third Parties (TTPs), such as Ernst & Young, audit the CSPs (Ernst & Young, 2014) rather than the customers themselves. Therefore, it is up to the customer to check TTP certifications prior to contracting with the CSP. The Internet has global reach, so it is feasible for customers to access regional CSP datacenters within or outside their own country, and services can differ from region to region. In addition, the configuration, context of implementation, continued support, management, and policy of controls required from the customer perspective can be obscured. The CSPs provide recommended configuration and guidance on how to use their platform, yet data stored in cloud-hosted databases and storage were inadvertently exposed in 2017 (Bird, 2017).

Table 1. Compliance to United Kingdom and international standards

CSP   | CSA Security Trust | ISO 27001 | ISO 27017 | ISO 27018 | Payment Card Industry Data Security Standard (PCI-DSS) | System Organizational Controls 1, 2, 3 | Cyber Essentials Plus | Government Cloud
AWS   | X | X | X | X | X | X | X | X
Azure | X | X | X | X | X | X | X | X
GCP   | X in six of the eight columns (which two columns are unmarked could not be recovered from the flattened source table)

Sources: Amazon Web Services, 2020; Google, 2020; Microsoft, 2020.

Key Terms in this Chapter

Threat Vector: The approach a threat actor may take to exploit a vulnerability.

Impact: The potential consequence if an attacker can exploit an identified and exploitable vulnerability.

Risk: Traditionally considered to be the likelihood and impact of one or more vulnerabilities being realized.

Threat Actor: An attacker who undertakes a cyber-attack based on their skillset to achieve their aims.

Vulnerability: A weakness to an asset or system that can be exploited by a threat actor.

Asset: A standalone computer or a component of a larger system that can process, transmit, or store data that has some intrinsic value to a person or organization.

Platform-as-a-Service: A cloud model that provides the hardware and software computing capability for customers to deploy their applications and process their data.

Compliance Mapping: A technique using a table or spreadsheet to correlate an organization’s implementation of control-set types against defined control-set categories from a standard or some other kind of framework.

Infrastructure-as-a-Service: This Cloud model enables customers to deploy VM instances comprising operating systems and applications to interoperate with hosted servers, storage, and networking infrastructure.

Threat Source: A category of threat actor based on allegiances or political or financial motivations, such as nation-state or cyber-crime hacker.

Shodan: An online security search tool that fingerprints open ports and misconfigurations of computerized systems revealing vulnerable devices exposed to the Internet.

Cloud Computing: A fundamental principle of public cloud computing is the division of security responsibility between the CSP infrastructure-led perspectives and that of the customers depending on the model used. Cloud computing models comprise Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service in which the customer has more responsibility for the former than for the latter.

Simple Storage Service: An object-based storage service in AWS that can be used to store files or host simple websites.

Software-as-a-Service: A cloud model that provides the entirety of the hardware and software stack including applications from which customers can process their data.
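The contrast the abstract draws between compliance mapping and threat modelling can be made concrete in code. The following Python script is an added illustration and is not part of the chapter; the control catalogue, framework categories, assets and threat vectors in it are all constructed, hypothetical values (the control ids such as ENC-01 and STO-05 and the category names are invented, not taken from any real standard). It builds the "spreadsheet view" of the Compliance Mapping definition, in which every framework category has a control mapped to it and so reports no gaps, and then runs a simple threat model over the same controls that asks, per asset and per Threat Vector, whether any implemented control actually mitigates that vector. The internet-facing object storage bucket ends up "compliant" (encryption at rest ticks the Cryptography box) yet unmitigated against anonymous reads through an over-permissive bucket policy, which is the kind of exposure the chapter warns about.

```python
from dataclasses import dataclass

# Constructed control catalogue (hypothetical): control id -> (description,
# framework categories the control is mapped to in the compliance spreadsheet).
IMPLEMENTED_CONTROLS = {
    "ENC-01": ("Server-side encryption of object storage at rest", {"Cryptography"}),
    "IAM-02": ("Multi-factor authentication for console users", {"Access Control"}),
    "LOG-03": ("Central audit logging of API calls", {"Logging and Monitoring"}),
    "NET-04": ("Security groups restricting inbound VM traffic", {"Network Security"}),
}

# Constructed framework categories (hypothetical headings, not any real standard's text).
FRAMEWORK_CATEGORIES = {"Cryptography", "Access Control",
                        "Logging and Monitoring", "Network Security"}


def compliance_map(controls=IMPLEMENTED_CONTROLS, categories=FRAMEWORK_CATEGORIES):
    """Build the spreadsheet view: framework category -> list of mapped control ids."""
    mapping = {cat: [] for cat in categories}
    for cid, (_desc, cats) in controls.items():
        for cat in cats:
            if cat in mapping:
                mapping[cat].append(cid)
    return mapping


def compliance_gaps(mapping):
    """Categories with no control mapped to them: what a compliance review reports."""
    return sorted(cat for cat, ids in mapping.items() if not ids)


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str              # e.g. "object-storage", "console", "vm"
    internet_facing: bool  # public cloud assets reachable from the Internet


@dataclass(frozen=True)
class ThreatVector:
    name: str
    target_kind: str        # asset kind this vector applies to
    needs_internet: bool    # only realizable against internet-facing assets
    mitigated_by: frozenset # control ids that would block this vector


# Constructed assets and threat vectors (hypothetical).
ASSETS = [
    Asset("customer-records bucket", "object-storage", internet_facing=True),
    Asset("admin console", "console", internet_facing=True),
    Asset("batch VM", "vm", internet_facing=False),
]

THREAT_VECTORS = [
    # STO-05 (a block-public-access control) is NOT in IMPLEMENTED_CONTROLS.
    ThreatVector("anonymous read via over-permissive bucket policy",
                 "object-storage", True, frozenset({"STO-05"})),
    ThreatVector("reading storage media outside the CSP datacenter",
                 "object-storage", False, frozenset({"ENC-01"})),
    ThreatVector("credential stuffing against console logins",
                 "console", True, frozenset({"IAM-02"})),
    ThreatVector("inbound exploitation of an exposed VM service",
                 "vm", True, frozenset({"NET-04"})),
]


def threat_model(assets=ASSETS, vectors=THREAT_VECTORS, controls=IMPLEMENTED_CONTROLS):
    """Return (asset name, vector name) pairs for applicable vectors that no
    implemented control mitigates; this is the context the compliance map lacks."""
    implemented = set(controls)
    unmitigated = []
    for asset in assets:
        for vector in vectors:
            if vector.target_kind != asset.kind:
                continue
            if vector.needs_internet and not asset.internet_facing:
                continue  # vector not realizable against an internal-only asset
            if not (vector.mitigated_by & implemented):
                unmitigated.append((asset.name, vector.name))
    return unmitigated


if __name__ == "__main__":
    print("compliance gaps:", compliance_gaps(compliance_map()))  # prints []
    for asset_name, vector_name in threat_model():
        print("unmitigated:", asset_name, "<-", vector_name)
```

The point of the two functions side by side is that they answer different questions: compliance_map asks "is there a control under each heading?", while threat_model asks "for this asset, exposed in this way, does anything stop this vector?". Only the second question notices that a mapped control (encryption at rest) is irrelevant to the vector that actually applies to an internet-facing bucket.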
