September 8, 2017

By: Amol Manthalkar, Sr. Technical Architect - Azure PaaS Cloud

With rapid scalability, fast deployment options and increased cost savings, it’s no surprise that organizations are shifting IT to Cloud PaaS Services. The worldwide cloud computing market is expected to grow $167 billion by 2020. According to surveys, the market for Cloud PaaS Services is expected to grow $14.80 billion by this year-end itself. With enterprises now massively migrating their Applications and Data to Cloud PaaS, it poses huge risk on the security of these apps and data in cloud, as they are on public cloud over internet and prone to attacks. Microsoft Azure, AWS, Google, OpenShift, IBM are the few leading PaaS service providers in the market.

Cloud Security is a practice for defining compliance policies, technology features and action controls to protect data in the cloud world. As the apps and data start residing in the cloud, they are vulnerable for different threats, which can impact the organization’s brand value and financials.

Piracy of Intellectual Property:
As companies increasingly store sensitive data in the cloud, it is prone to malicious access. Thus, it can result into loss of Patents and IPs developed inside the organization.

Compliance Violations and Regulatory Actions:
Corporates typically have compliance policies for on-premise data, which has governance/regulatory guidelines for data storage location, access levels and protection & privacy. Any violations of these compliance policies on cloud can cause data breach and data loss.

Phishing:
User Account hacking, or Service Account hacking is a common threat for any cloud-lived application.
Hackers with control over a user account can affect transactions, manipulate data or manipulate user responses to customers.

Malware Attacks:
Data on cloud is prone to Malware attacks, it can inject viruses into the data centers, and also introduce threat of Ransomware.

Other common threats are Contractual breaches, service denials, misuse of cloud services, etc.

Ensuring Cloud Security:
Customers need to device strategies to ensure that their data is safe in cloud, and that will help them select best Cloud Service Provider in the market.

Evaluating Cloud Service Provider:

Organizations need to assess and evaluate the Cloud Service Provide for their best practices in securing the data and its governance policies over the data centers.
Certain questions to CSP can help us analyze the maturity of the CSP in cloud security.

What kind of CSP users or CSP employees have physical and virtual access to my data?

How the data is retained in cloud, and what are its policies?

What kinds of third-party audits are performed to ensure that the data is in the best state of security?

Is there any sensitive data collected from our organization?

What practices the CSP engages to encrypt our data?

What locations are we using to store the data?

What will be the level of data loss in case of vulnerabilities? How can lost data be recovered?

The service agreement between the customer and the Cloud Service Provider (CSP) should mention CSP liabilities for mishandling sensitive information, data loss & violations of data governing rules and geographical locations of the data storage.

Adopting measures for Cloud PaaS security:

Customers of Cloud PaaS should adopt certain security measures to ensure data in cloud is secured and confidential. This needs a proactive effort from the organization, so that their PaaS environment has least security threats.

Define Access policy so that minimum access is granted to third-party vendors and users.

Avoid storing sensitive information in the cloud.

Read the user agreement to find out all security features the CSP provides, and how your cloud PaaS storage service works.

Look out for encryption techniques of data at rest, and data in transit on cloud.

Do not upload personal information of the employees on cloud.

Implementing Cloud Security Gateways:

There are different products in market which can help organizations monitor data movement over cloud, forecast the threat and evaluate different preventive measures to secure the data and apps.
These are known as Cloud Security Gateways, which enable customers to gain visibility, achieve compliance, implement threat protection, and ensure data security over Cloud PaaS.

The CSP typically does two tasks:
1) Intercept and monitor network traffic, as it moves between the corporate network and cloud platforms
2) Monitor the APIs of cloud PaaS platforms to show how data enters and leaves these platforms.

BitGlass, Symantec Blue Coat Elastica CloudSOC 2.71, Cloud Security Gateway v4.5, and SkyHigh Networks CASB, are some of the well-known products which can be evaluated.
Microsoft has come up with a new feature – Azure Security Center – which helps customers to prevent, detect, and respond to threats, with increased visibility into and control over the security of your Azure PaaS resources. Security Center delivers easy-to-use and effective threat prevention, detection, and response capabilities that are built in to Azure.
Last but not the least, organizations must realize that Cloud PaaS security is a combined effort of the Customer and the Cloud Service Provider, which will make the Cloud PaaS environment more productive, cost-efficient and highly secure at the same time.