Cloud security, at the highest level of governance, must take into account two important considerations. Firstly, cloud security can be likened to the ‘global commons. It affects everyone, sees no borders or boundaries, and requires global solutions. The nature of the cloud is such that, despite the main server located within one’s country, both the disaster recovery site and back-ups are likely to be positioned elsewhere. The vastness of the field is reflected in the spectrum covered by the U.S.’s National Institute of Standards and Technology (NIST) for cloud security.
Some of these elements include reference architecture, service orchestration, cloud service management, security and privacy, cloud auditor, cloud broker, and cloud carrier. However, there is a silver lining, which foregrounds the second point. There are positive signs which indicate that the world is willing to collaborate to solve global problems concerning cybersecurity. Recently, the UN member states reached a consensus on the 11 norms for promoting responsible state behaviour in cyberspace.
In fact, Trojan Shield is a recent operation undertaken against encrypted communication. The international coalition of law-enforcement agencies behind this, consisting of sixteen countries, led by the U.S. and Australia, have arrested 800 criminals.
Digital transformation has only sped up matters for cloud security and its aspects. As a result, security architecture has been flipped on its head. However, the industry has been swift in coming up with solutions and addressing identity and access management issues, Work-from-Home, and the shift from a castle-and-moat concept to a distributed architecture.
There are four critical areas of cloud security. Firstly, application security covers everything from early design and threat modelling to maintaining and defending the product application. Security must be built into the design process. Since cloud deployments are often greenfield, new opportunities can be created to engage with the security aspects.
Secondly, there is data security and encryption. The Cloud Access Security Broker (CASB) can be considered to monitor data flowing through its system and use appropriate encryption options based on the website model. One can also consider the use of provider- managed encryption and storage options.
Thirdly, there is the issue of identity and access management. Here, organisations must develop comprehensive formulae, plans, and processes, for managing identities and authorisations with cloud services. When connecting to external cloud providers, federations must be employed, if possible, to extend the existing identity management. Multi-factor authentication for all external cloud accounts must also be considered, especially for privileged identities. We can also have attribute-based access control over the roll-based access control for cloud computing.
Finally, there is the matter of Security-as-a-Service (SECaaS). These providers offer security capabilities for cloud service, including dedicated SECaaS providers and packaged security features from general cloud computing providers. However, care must be taken to ensure they meet the essential NIST characteristics for cloud computing. Cloud services imply more than just infrastructure as service, software, or platform as service. For instance, on the Amazon Web Services (AWS) website, all security features are listed, including quantum computing.
CLOUD VIS-A-VIS TELECOM
India’s telecom infrastructure in the urban areas is in stark contrast to its rural counterparts. The high bandwidth and the wireline options at the backend required by the cloud are unavailable in villages. While it is true that the cloud has democratised technology by providing an equitable distribution of services to anyone who wishes to make use of it, the question of accessibility precedes it.
The government has been tirelessly working towards this infrastructure problem because Optical Fibre Cables have replaced only 25 per cent of our telecom structure. However, the situation will undoubtedly improve five years down the line, considering the ongoing capacity-building, lessons learnt every day, and good practices that cloud service providers will follow. The newly unveiled Trusted Telecom Portal by the Government of India also promises to usher in a new era of telecom security where every product connected to our networks will be a trusted product.
Lt General (Dr) Rajesh Pant (Retd), is the National Cyber Security Coordinator at the National Security Council Secretariat of India. He had earlier headed the Army’s Cyber Training establishment. He served in the Army Signals Corps for 42 years. Post his retirement, he was also the Chairman of Precision Electronics Ltd and also a Governing Council member of IETE(India). This article is based on his views at the 103rd Synergia Forum on the ‘Future of Cloud Security’.