Shane Currie's Blog




Who is Responsible for Your Company's Cyber Security, Data Protection and Restoration in the Cloud?

14/03/25 by Mr Shane Currie | Charles Sturt Student

In today's article I hope to address some common misconceptions regarding who is responsible for cyber security and data protection for your cloud-based services. Throughout, I will refer to an example company called ACME. ACME has decided to migrate some of its computing services to the cloud, such as its customer database and web server. I will explain the difference between the PaaS and IaaS cloud models, who is responsible for securing cloud-based services, and who is responsible for backing up, securing and restoring customer data.

ACME has opted to use the PaaS (Platform as a Service) model for its customer database and the IaaS (Infrastructure as a Service) model for its web server. In layperson's terms, PaaS is like purchasing a pre-constructed home, while IaaS is like purchasing a block of land and the lumber to build your own home.

ACME has chosen a cloud provider's PaaS offering that comes with a preinstalled customer database, such as an SQL database, and has chosen the IaaS model for its website, because ACME built that website itself from the ground up. The cloud provider supplies the infrastructure, such as the server space on which ACME hosts its database and website. However, who is responsible for cyber security and data protection?

In laypersons terms, imagine you are a tenant, and you are renting a house. Who is responsible for making sure that you have locked your doors and windows? The tenant or the landlord? Also, who is responsible for making sure that no one steals that bike that your child left on the front lawn, and if that bike is stolen, who is responsible for replacing it? The tenant or the landlord?

As ACME is renting server space from the cloud service provider, ACME is responsible for the security and data protection of its customer database and its website. The cloud provider will not automatically protect ACME from cybercrime, but it will provide ACME with the tools to protect itself. In layperson's terms, a landlord who rents out a house will install a lock on the door, but it is the tenant's responsibility to lock that door.

When it comes to the PaaS model, the tenant (ACME in this example) is responsible for the configuration of its database application, such as making sure that the customer database is not vulnerable to SQL injection attacks or unauthorised access. The same applies to the IaaS model: ACME is responsible for mitigating DoS attacks, preventing unauthorised access, encrypting data in transit and preventing cross-site scripting attacks, to name a few examples.
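To make "not vulnerable to SQL injection" concrete, here is an added Python example (not code from the original post, and not ACME's real application) built on a constructed in-memory SQLite table standing in for ACME's hosted customer database. It shows the weak lookup beside its hardened form: the difference is entirely in how ACME writes its own query, which is exactly the tenant-side responsibility the paragraph describes and not something the cloud provider configures for them.

```python
import sqlite3


def make_customer_db():
    """Constructed sample data standing in for ACME's hosted customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The weak pattern: caller input is pasted into the SQL text, so the
    database cannot tell data apart from query structure."""
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """The hardened pattern: a parameterised query. The driver sends the
    value separately from the statement, so whatever the caller supplies is
    only ever compared as a string and never interpreted as SQL."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_customer_db()
    # The classic textbook probe; with the weak query it widens the WHERE
    # clause so that every customer row is returned.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))
    print("safe:      ", lookup_safe(db, probe))
```

Running the block shows the vulnerable lookup returning both customers for an input that matches no real name, while the parameterised lookup returns nothing. The same rule applies whichever database the PaaS provider preinstalls: the provider patches the database engine, but the queries ACME's code sends to it are ACME's to get right.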

ACME is also responsible for its own business continuity, that is, its ability to weather and recover from a crisis such as its database server being hit with a ransomware attack. A ransomware attack is when cyber criminals gain unauthorised access to a database, encrypt all of your data so that it is inaccessible, and then demand a payment to decrypt it. There are typically two options to recover from a ransomware attack: you can pay the criminals, or you can delete the database server and restore from a previous backup.

While cloud-based service providers do offer backup solutions, if a cyber criminal is able to compromise your cloud-based service, or your server in the cloud, they can also infect your backups within the cloud. This is why it is important to perform regular off-network full backups of your database and file systems. It is recommended that ACME perform a full off-network backup at least once a month, as well as daily differential or incremental backups.
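The paragraph above names three things ACME has to reason about when it restores: which backups a restore actually needs (a differential captures everything since the last full, so one suffices; incrementals each capture only the changes since the previous backup, so the whole run since the full is needed), whether the off-network full is recent enough to satisfy the once-a-month rule, and whether the copies it is relying on lived outside the compromised cloud tenancy. The following Python model is an added example (not part of the original post, and not a real backup tool); the catalog, dates and the `Backup` record type are all constructed here to illustrate the schedule the article recommends.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    """One catalog entry (constructed for this example)."""
    taken: date
    kind: str          # "full", "differential" or "incremental"
    off_network: bool  # True if a copy lives outside the cloud tenancy


def restore_chain(backups, target):
    """Return the backups, oldest first, needed to rebuild state as of `target`.

    Assumes the catalog uses one partial strategy (all differential or all
    incremental) between fulls, which is how the schedule below is built.
    """
    usable = sorted((b for b in backups if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date")
    base = fulls[-1]
    after = [b for b in usable if b.taken > base.taken]
    differentials = [b for b in after if b.kind == "differential"]
    if differentials:
        # One differential already contains every change since the full.
        return [base, differentials[-1]]
    # Incrementals each hold only the changes since the previous backup,
    # so every one of them since the full must be applied in order.
    return [base] + [b for b in after if b.kind == "incremental"]


def offnetwork_full_is_current(backups, today, max_age_days=31):
    """The article's rule: an off-network full backup at least once a month."""
    offnet = [b.taken for b in backups if b.kind == "full" and b.off_network]
    return bool(offnet) and (today - max(offnet)).days <= max_age_days


def chain_survives_cloud_compromise(chain):
    """True only if every backup the restore depends on has an off-network copy.

    If the attacker who encrypted the server could also reach the in-cloud
    backups, any in-cloud-only link in the chain may be unusable.
    """
    return all(b.off_network for b in chain)


def build_catalog(start, days, strategy="incremental"):
    """Constructed schedule: off-network full on day 0 and every 30 days,
    an in-cloud partial (differential or incremental) on every other day."""
    catalog = []
    for i in range(days):
        day = start + timedelta(days=i)
        if i % 30 == 0:
            catalog.append(Backup(day, "full", off_network=True))
        else:
            catalog.append(Backup(day, strategy, off_network=False))
    return catalog


if __name__ == "__main__":
    start = date(2025, 1, 1)
    for strategy in ("incremental", "differential"):
        cat = build_catalog(start, 45, strategy)
        chain = restore_chain(cat, date(2025, 2, 5))
        print(strategy, "restore needs", len(chain), "backups;",
              "survives cloud compromise:", chain_survives_cloud_compromise(chain))
    print("off-network full current on 14 Feb:",
          offnetwork_full_is_current(cat, date(2025, 2, 14)))
    print("off-network full current on 15 Mar:",
          offnetwork_full_is_current(cat, date(2025, 3, 15)))
```

With the constructed schedule, a restore to 5 February needs the 31 January full plus five incrementals (six backups) or the full plus a single differential (two backups). In both cases the daily partials sit only in the cloud, so `chain_survives_cloud_compromise` is false: after a ransomware event ACME can count on the off-network full but may lose up to a month of changes, which is the trade-off behind the article's advice to keep the off-network copy regular.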

Furthermore, ACME should make sure that any data it stores within the cloud, especially customer data, is encrypted. That way, if cyber criminals compromise your cloud-based server and extract your customer data, they will not be able to interpret it. By encrypting your customer records, you also deny cyber criminals the ability to demand a ransom payment under threat of releasing your customers' personal details to the public.

So, in conclusion, if you are a company, don't fall for the common misconception that once you offload your databases and web server to the cloud you no longer have to worry about maintaining cyber security. When engaging with cloud-based services, you are a tenant: you are responsible for locking your front door, and you are responsible for replacing your child's stolen bike from the front lawn. If the complexities of cyber security overwhelm you, then it is best that you engage a qualified cyber security professional.