- Vulnerable Security Concerns in Enterprise Cloud Migration - Points of Security Measures by Cloud Service

Vulnerable security measures that have become apparent as companies shift to the cloud: thinking about security issues and countermeasures for each cloud

Transformation is essential for corporate growth. Reforming work styles, organizations and cultures while making use of cutting-edge technology strengthens a company's competitiveness. As digital transformation progresses and real space and cyberspace become highly integrated, more and more companies are moving their business systems, services, and internal systems to the cloud.

Here, we organize the types of cloud, the challenges unique to each, and the security risks that companies are exposed to, and explain "cloud security", which takes a different approach from that of the on-premises era.

Three areas of cloud (IaaS, PaaS, SaaS)

Cloud services can be broadly classified into the following three categories.

  • IaaS (Infrastructure as a Service): Providing infrastructure represented by AWS and GCP
  • PaaS (Platform as a Service): Provides a platform for running application software, represented by Azure and Google App Engine
  • SaaS (Software as a Service): Providing software represented by Office 365, Box, Salesforce, and G Suite

IaaS, PaaS, and SaaS each have different roles and characteristics, and each has its own security issues. To deal with them, it is first necessary to understand accurately which kinds of cloud service are being used within the company, and in which areas. The systems involved also vary, from customer-facing business systems built on IaaS such as AWS to in-house office systems that have migrated from conventional packages to SaaS services on the Internet, so it is also important to understand the current situation.

Scope of Security Covered by Cloud Vendors

As shown in the diagram below, cloud services are classified into three categories, and the vendor's scope of responsibility differs in each. However, did you know that in every category, responsibility for all "data (information)" on the cloud lies with the user? It is a misconception that "the cloud vendor takes responsibility for security measures and guarantees safety." This point should be recognized first.

As a result of the shift to the cloud, an approach different from the traditional security methods used in on-premises environments is required. Unlike conventional systems, which were highly visible in a "closed environment" and whose operation could be controlled by the company, the "open to the outside" cloud is difficult to visualize and control, and in case of information leakage, etc. If an incident of It is necessary to address cloud-specific security, which differs from on-premises security, from the perspective of both internal audits and external attacks, based on the characteristics of IaaS, PaaS, and SaaS.

What are the challenges of cloud security?

Security elements required for each of IaaS, PaaS, and SaaS

So, what kind of security is suitable for each cloud service?

  • IaaS issues and countermeasures

In July 2019, a major U.S. financial company was subjected to an SSRF (Server Side Request Forgery) attack made possible by a WAF (Web Application Firewall) configuration error, and the personal information of approximately 100 million people stored on AWS was accessed illegally, resulting in an information leak incident.
Even in IaaS, servers and networks need the same security as in the on-premises era. CWPP (Cloud Workload Protection Platform), a security solution suited to IaaS, is effective here: it provides security equivalent to on-premises on the IaaS platform and also covers containers, serverless environments, and so on.

  • PaaS/IaaS Issues and Countermeasures

There have been many information leakage incidents caused by user configuration errors in AWS S3. Because users cannot keep up with the speed of AWS service releases, there are many cases where personal data is exposed to the outside through vulnerable settings. Attackers exploit the weaknesses created when users misconfigure AWS-specific features. This is an external attack risk, similar to the hijacking of administrator accounts. It is also necessary to deal with internal risks, such as vulnerable settings going unnoticed and users behaving suspiciously.
CSPM (Cloud Security Posture Management), which detects attacks on administrator accounts, vulnerable settings, and suspicious behavior, is effective against these PaaS/IaaS-specific risks.
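The kind of "vulnerable setting" check described above, as an added example that is not part of the original article or any vendor's product: it audits S3 bucket configuration records for public exposure through ACLs, bucket policies and the public access block. The bucket names and records are constructed and only shaped like the S3 GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy responses; as a simplification, policy statements that carry a Condition are skipped rather than evaluated.

```python
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def audit_bucket(cfg):
    """Return (severity, message) findings for one bucket configuration record."""
    findings = []
    pab = cfg.get("public_access_block") or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append(("MEDIUM", "public access block off: " + ", ".join(missing)))
    # ACL grants to the global groups are honoured unless IgnorePublicAcls is set.
    if not pab.get("IgnorePublicAcls"):
        for grant in cfg.get("acl_grants", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS:
                findings.append(("HIGH", f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}"))
    # A public policy is effective unless RestrictPublicBuckets is set.
    if cfg.get("policy") and not pab.get("RestrictPublicBuckets"):
        statements = json.loads(cfg["policy"]).get("Statement", [])
        statements = [statements] if isinstance(statements, dict) else statements
        for st in statements:
            if st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal")) and not st.get("Condition"):
                findings.append(("HIGH", f"policy allows {st.get('Action')} to any principal"))
    return findings

# Constructed sample records (hypothetical bucket names).
ALL_ON = dict.fromkeys(PAB_FLAGS, True)
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"}]})
PUBLIC_GRANT = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
BUCKETS = {
    "example-exports": {"public_access_block": None, "acl_grants": [PUBLIC_GRANT], "policy": OPEN_POLICY},
    "example-legacy": {"public_access_block": ALL_ON, "acl_grants": [PUBLIC_GRANT], "policy": None},
}

if __name__ == "__main__":
    for name, cfg in BUCKETS.items():
        for severity, message in audit_bucket(cfg):
            print(f"{severity:6} {name}: {message}")
```

The second record shows why the public access block matters: the same public ACL grant is present, but with all four flags enabled it produces no finding.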

  • SaaS issues and countermeasures

SaaS services such as Office365, box, and G Suite are often used for internal business. Security measures are needed against both external attack risks, such as unauthorized logins that go unnoticed, and internal risks, such as unauthorized use by employees (not necessarily intentional). For example, in one case, an employee uploaded a confidential document to a self-contracted SaaS in order to work from home and used a shared link to send sensitive information to a personal email account, leading to a major incident.
A major issue with using SaaS is that system administrators cannot monitor who is using what and how, even if the service is contracted and used by the company (Sanctioned IT). This is because usage visualization, log tracking, and operational control that were possible on-premises are difficult in the cloud. CASBs (Cloud Access Security Brokers), which have control functions such as visualizing cloud usage and controlling access, are effective for these SaaS-specific issues.

  • Issues and countermeasures common to the entire cloud environment

An issue that affects all areas of cloud services is the existence of "shadow IT." Cloud services such as file storage, data sharing, and e-mail, which do not guarantee safety, are used without permission because they are convenient. Managers do not know how much their employees are using the Internet. In some cases, confidential information was leaked because employees used, at their own discretion, free storage services not permitted by the company.
A McAfee study found an average of 1,935 cloud services in use when analyzing Internet access logs within companies. You should be able to visualize the usage of all clouds in your company and check the usage status and whether dangerous services are included. CASB is also an effective countermeasure against such shadow IT.
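A sketch of the access-log analysis described above, as an added example that is not part of the original article or any CASB product: it maps proxy log hosts to cloud services and reports who uses unsanctioned or unknown services and how much they upload. The log format, the service catalogue and every host name are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical catalogue: domain suffix -> (service name, sanctioned by the company?)
CATALOGUE = {
    "sharepoint.com": ("Office 365", True),
    "box.com": ("Box", True),
    "freedrive.example": ("FreeDrive (constructed)", False),
}

# Constructed proxy log lines: time user method host bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice POST contoso.sharepoint.com 120000
2024-05-01T09:02:10 bob PUT upload.freedrive.example 5000000
2024-05-01T09:05:44 carol GET www.freedrive.example 300
2024-05-01T09:07:03 bob POST upload.freedrive.example 2500000
2024-05-01T09:09:30 dave POST api.unknown-notes.example 40000
2024-05-01T09:11:12 alice GET app.box.com 250
this line is malformed
"""

def classify(host):
    """Match on whole DNS labels so 'evilbox.com' is not mistaken for 'box.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in CATALOGUE:
            return CATALOGUE[suffix]
    return (host, None)  # not in the catalogue: status unknown

def shadow_it_report(log_text):
    """Aggregate users and uploaded bytes per service that is not sanctioned."""
    report = defaultdict(lambda: {"users": set(), "bytes_up": 0, "status": ""})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines
        _, user, method, host, sent = parts
        name, sanctioned = classify(host)
        if sanctioned:
            continue
        entry = report[name]
        entry["status"] = "unknown" if sanctioned is None else "unsanctioned"
        entry["users"].add(user)
        if method in ("POST", "PUT"):  # uploads are the data-leak direction
            entry["bytes_up"] += int(sent)
    return dict(report)

if __name__ == "__main__":
    for service, info in shadow_it_report(SAMPLE_LOG).items():
        print(service, info["status"], sorted(info["users"]), info["bytes_up"])
```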

Summary

The security risks in each of the cloud services discussed so far are often only noticed after an incident occurs. However, now that many companies are deploying business systems in a cloud environment that would be a problem if they stop operating, it is too late to respond after an incident occurs. According to McAfee research, 90% of confidential information on the cloud is in contracted SaaS/IaaS. It can be said that it is an urgent management issue to understand what kind of data is shared and how to implement security measures on the contracted cloud.

McAfee proposes "MVISION Cloud" as a CASB product that addresses these security risks on the cloud. First of all, please consult with us about whether or not you have security measures suitable for the cloud you have a contract with.

*Information at the time of interview.