By Shane Albright, REN-ISAC Principal Security Engineer
On May 18th, the U.S. Senate Committee on Health, Education, Labor and Pensions held a hearing on Cybersecurity in the Health and Education Sectors, which featured invited testimony from subject matter experts from the relevant sectors. During a Q&A session with the invited experts, Senator Bill Cassidy, M.D. (LA) asked about the difference between on-premises systems versus cloud services with regard to risk. He suggested that cloud services are inherently safer due to the concentrated expertise of the cloud services’ employees. While it’s true that a cloud service has the potential to be more secure than a self-hosted service, the cloud is not a panacea for reducing information security risk.
To understand why, it’s first important to understand the Amazon Web Services (AWS) Shared Responsibility Model. The security of services hosted in the cloud is a shared responsibility between the cloud service provider (CSP) and the customer. The CSP is responsible for the security of the cloud while the customer is responsible for security in the cloud. Microsoft Azure and Google Cloud have also published similar divisions of responsibility for their cloud services.
Cloud Service Models
The demarcation between the CSP’s and the customer’s responsibility depends upon the cloud service model being used. In Special Publication 800-145, NIST identified three cloud service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). A fourth model, Function as a Service (FaaS), has emerged since the NIST Definition of Cloud Computing was originally published.
Software as a Service (SaaS)
A SaaS solution provides customers direct access to the cloud service either via a web browser or a client application. The customer is not responsible for managing the application or any of the underlying infrastructure, though they may still be responsible for managing user identities and access as well as configuration settings.
Platform as a Service (PaaS)
A PaaS solution provides a platform onto which a customer’s bespoke application can be deployed. In this model, the customer is responsible for the application, and the CSP is responsible for managing all of the underlying infrastructure.
Infrastructure as a Service (IaaS)
An IaaS solution provides infrastructure building blocks the customer can use to deploy applications in a customized environment. The customer is entirely responsible for the application, the operating system(s), database(s), supporting services, and the configuration of the underlying cloud infrastructure. The CSP is responsible for the maintenance and security of that underlying infrastructure (i.e. the virtual machine hypervisor and all physical hardware and infrastructure).
Function as a Service (FaaS)
For the purposes of this discussion, FaaS solutions are similar to PaaS solutions in that they provide a platform onto which a customer’s bespoke code can be deployed. The customer and CSP responsibilities can be considered the same for both PaaS and FaaS.
Implementation Scenarios
A look at three implementation scenarios should demonstrate how the use of cloud services can either improve an organization’s security posture or impair it and why it’s sometimes difficult to determine which outcome will result.
Scenario 1: SaaS Service Hosted by a Cloud Service Provider
In the first scenario, the customer has chosen to use a SaaS-hosted productivity and collaboration suite provided by a large CSP (e.g. Microsoft 365, Google Workspace). This is likely the scenario to which Senator Cassidy referred during his questioning, and it’s the scenario that the invited expert, Josh Corman, attempted to describe in his answer. Because the CSP hosts the service directly, is responsible for almost every component of the environment, and is large enough to employ a number of highly specialized staff, this scenario almost always leads to a more secure (i.e. less vulnerable) environment than if an organization were to host such a service on-premises.
Scenario 2: Customer-Managed Application Hosted on a Cloud Service Provider’s IaaS Platform
In the second scenario, the customer has chosen to host an application on a CSP’s IaaS platform (e.g. AWS EC2, Azure Virtual Machines, DigitalOcean Droplets). The customer is responsible for securing the application, operating systems, databases, and supporting services, as well as for network configuration, configuring firewalls, encrypting data at rest and in transit, and managing user identities and access. With the exception of physical security, some aspects of network security, and potentially securing virtual machine hypervisors, the information security responsibilities of hosting an application on a CSP’s IaaS platform are the same as hosting an application on-premises. It’s important to note that if an organization does not migrate its entire environment to the CSP’s IaaS platform, almost every aspect of its information security management program is complicated by hosting services in two environments, and more resources will be required to effectively secure the hybrid environment. So is this scenario more secure than hosting services on-premises? Probably not, unless the organization has invested the time and money in training and/or hiring the necessary resources to host its application(s) on an IaaS platform.
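The customer-side responsibilities listed above (firewall rules, encryption at rest and in transit, identities and access) are the ones an organization must actually verify for itself on an IaaS platform. The following added example, which is not part of this article and not a tool from any CSP, shows what a minimal posture check over those responsibilities looks like. The inventory format, resource names, the allow-list of internet-exposed ports and the 90-day key-rotation limit are all constructed assumptions standing in for whatever an organization’s own export of its cloud account would contain.

```python
"""Customer-side IaaS posture check over a constructed inventory.

Added example, not from the article or any cloud provider. The inventory
layout and every resource name below are constructed for illustration; they
are not a real provider's API output.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List

# Constructed inventory, grouped by the responsibilities the article assigns
# to the customer on IaaS: network/firewalls, encryption, identities.
INVENTORY = {
    "firewall_rules": [
        {"name": "web-https", "port": 443, "cidr": "0.0.0.0/0"},
        {"name": "db-postgres", "port": 5432, "cidr": "0.0.0.0/0"},
        {"name": "admin-ssh", "port": 22, "cidr": "10.20.0.0/16"},
    ],
    "volumes": [
        {"name": "app-root", "encrypted": True},
        {"name": "db-data", "encrypted": False},
    ],
    "listeners": [
        {"name": "public-lb", "protocol": "HTTPS", "tls_min": "1.2"},
        {"name": "legacy-lb", "protocol": "HTTP", "tls_min": None},
    ],
    "users": [
        {"name": "alice", "mfa": True, "admin": True, "key_age_days": 30},
        {"name": "deploy-bot", "mfa": False, "admin": True, "key_age_days": 400},
    ],
}

# Assumed policy: only these ports may be reachable from the whole internet,
# and access keys older than this must be rotated.
PUBLIC_OK_PORTS = {80, 443}
MAX_KEY_AGE_DAYS = 90


@dataclass
class Finding:
    area: str      # which customer responsibility the finding falls under
    resource: str  # constructed resource name from the inventory
    detail: str


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits the whole internet."""
    return ip_network(cidr, strict=False).prefixlen == 0


def check_network(inv: Dict) -> List[Finding]:
    """Flag firewall rules that expose non-web ports to the whole internet."""
    out = []
    for rule in inv.get("firewall_rules", []):
        if _is_world_open(rule["cidr"]) and rule["port"] not in PUBLIC_OK_PORTS:
            out.append(Finding("network", rule["name"],
                               f"port {rule['port']} open to {rule['cidr']}"))
    return out


def check_encryption(inv: Dict) -> List[Finding]:
    """Flag unencrypted volumes (at rest) and plaintext or weak-TLS listeners."""
    out = []
    for vol in inv.get("volumes", []):
        if not vol.get("encrypted", False):
            out.append(Finding("encryption", vol["name"], "volume not encrypted at rest"))
    for lst in inv.get("listeners", []):
        if lst["protocol"] != "HTTPS":
            out.append(Finding("encryption", lst["name"], "plaintext listener"))
        elif lst["tls_min"] not in {"1.2", "1.3"}:
            out.append(Finding("encryption", lst["name"], f"TLS minimum {lst['tls_min']}"))
    return out


def check_identity(inv: Dict) -> List[Finding]:
    """Flag privileged users without MFA and stale access keys."""
    out = []
    for user in inv.get("users", []):
        if user.get("admin") and not user.get("mfa"):
            out.append(Finding("identity", user["name"], "admin without MFA"))
        if user.get("key_age_days", 0) > MAX_KEY_AGE_DAYS:
            out.append(Finding("identity", user["name"],
                               f"access key {user['key_age_days']} days old"))
    return out


def run_checks(inv: Dict) -> List[Finding]:
    return check_network(inv) + check_encryption(inv) + check_identity(inv)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per responsibility area, for a quick posture overview."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_checks(INVENTORY)
    for f in results:
        print(f"[{f.area}] {f.resource}: {f.detail}")
    print(summarize(results))
```

Every finding this script produces sits on the customer’s side of the line: nothing here would be caught by the CSP, because the hypervisor and physical layer it secures are untouched by a database port left open to the world or an administrator without MFA. Replacing the constructed inventory with a real export from the account is the organization’s own work, which is the article’s point about needing the staff and training before migrating.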
Scenario 3: SaaS Service Hosted by a Vendor on a Third-Party Cloud Service Provider’s IaaS Platform
In the third scenario, the customer has chosen to use a SaaS-hosted line-of-business application provided by the application developer. The application developer hosts its SaaS offering on a large CSP’s IaaS platform. The customer’s responsibilities are the same as in the first scenario: they’re responsible for managing user identities and access, configuration settings, and what data is processed and/or stored by the SaaS solution. The vendor’s responsibilities are the same as the customer’s responsibilities in the second scenario: the vendor must secure the application, operating system(s), database(s), supporting services, and network configuration, configure firewalls, and encrypt data at rest and in transit. The security of this environment rests on the vendor’s willingness and ability to invest the time and money in training and/or hiring the necessary resources to host its application on a CSP’s IaaS platform. Application developers often implement standards such as ISO 27001 and publish reports such as SOC 2 to demonstrate their due diligence in securing their environments, but compliance does not necessarily result in a secure environment.
Conclusion
As usual, the answer to the question of whether cloud-hosted services are more secure than services hosted on-premises is, “it depends.” If your organization does not have the necessary knowledge and experience for a secure cloud migration, it’s best to attain it prior to making that leap; even migrating to SaaS services hosted by large CSPs isn’t foolproof.
For additional information on these and other service models, please see the Cloud Security Alliance’s “Evolution of Cloud Computing and the Updated Shared Responsibility.”