JohnResearch

Role Security, The Cloud, and The Private Cloud Play With PHI and PII

By Jonathan

Security. Security is the set of controls that protect data from unauthorized users. It is often associated with information systems and with technology hardware and software. From a security operations perspective, the cloud has moved things around in this field and introduced several new terms, including the shared responsibility model, on-premises, single sign-on (SSO), containerization, serverless, and federated services. In other words, security of the cloud is not the same as security in the cloud. Security of the cloud is the job of the service provider, such as AWS, GCP, Oracle, and Azure, while security in the cloud is the responsibility of the customer, meaning that whatever a customer uploads to the cloud is the customer's responsibility to secure. Generally, the cloud provider ensures that its lines of products are free from vulnerabilities, malware, backdoors, or other threats before the customer buys the subscription. Risk is not mentioned because using any information system hardware and software carries risks if not used or set up properly, which is a customer responsibility. The cloud also introduced three important terms for companies that collect data: private, public, hybrid, and community clouds. These terms are important as they provide different levels of assurance for data protection, personal health information (PHI), personally identifiable information (PII), and, in finance, cardholder data (CHD). Although data loss prevention (DLP) systems can help prevent malicious users and processes, one cannot store sensitive data on any cloud system without first making sure that its data-at-rest offerings meet specific standards such as those described in NIST 800-88, in addition to being FIPS 140-2 compliant and featuring at least 256-bit encryption. Some cloud providers also offer products for government-only or healthcare-only data that simplify data privacy compliance assurances for an additional fee.

Cloud. The cloud is everywhere, and companies are leveraging the cloud to collect, store, and process data at a significant speed. These advantages attract good and bad actors. First, one cannot store data on just any cloud. Data exfiltration, unauthorized privileges, unauthorized changes, and anomalous activity can wreak havoc on the privileged data your company collects, consumes, and stores in the cloud. Though social engineering attacks can still affect cloud subscribers, cloud security and access misconfigurations have made the news more frequently. Specialized infrastructure-as-a-service, platform-as-a-service, storage-as-a-service, and software-as-a-service offerings are necessary depending on data collection project requirements. After the inevitable data classification process is complete, data must be allocated to storage areas that correspond to its classification, in order to streamline operations by reducing human engagement with sensitive data and to mitigate cloud storage vulnerabilities. In private organizations, data classifications often include restricted, private, and public data types. In government, data classifications include top secret, secret, and public data types. Classifications are important so that vulnerability scanners can detect weaknesses in the systems that hold data-at-rest. Nowadays, cloud providers have simplified this process by offering specialized data storage for specific data classification types to reduce cryptographic failures, security misconfigurations, broken access controls, and identification and authentication failures. When the cloud was in its infancy, storage was more generic, and a company was in charge of repurposing baseline storage offerings to fit the compliance requirements of a specific data classification type. Another aspect of cloud computing is access controls. Although cloud providers offer generous access control administration to process granular access control lists (ACLs), mistakes tend to happen in the access control engineering process, especially if the cloud user is understaffed, has few staff with specialized cloud skills, or suffers from employee attrition, as ACLs must be tweaked frequently if access control groups are not implemented.
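To make the allocation and ACL points concrete, here is an added example (not part of the original post) that audits a storage inventory against the data-at-rest requirements mentioned earlier and flags per-user ACL entries that bypass groups or belong to departed staff. The `Store` fields, the inventory, the staff list, and the choice to treat everything not explicitly public as sensitive are assumptions made for illustration.

```python
from dataclasses import dataclass, field

KNOWN = {"restricted", "private", "public"}  # classifications named in the post

@dataclass
class Store:
    name: str
    classification: str  # one of KNOWN; anything else counts as unclassified
    key_bits: int        # data-at-rest key size, 0 means unencrypted
    fips_140_2: bool     # storage offering is FIPS 140-2 compliant
    acl: list = field(default_factory=list)  # "group:<name>" or "user:<name>"

def audit(stores, active_staff):
    """Return sorted (store, finding) tuples for storage and ACL problems."""
    findings = []
    for s in stores:
        # Assumption: fail closed, so anything not explicitly public is sensitive.
        sensitive = s.classification != "public"
        if s.classification not in KNOWN:
            findings.append((s.name, "unclassified data"))
        if sensitive and s.key_bits < 256:
            findings.append((s.name, "encryption below 256-bit"))
        if sensitive and not s.fips_140_2:
            findings.append((s.name, "not FIPS 140-2"))
        for entry in s.acl:
            kind, _, principal = entry.partition(":")
            if kind != "user":
                continue  # group grants follow membership, nothing to tweak here
            if principal not in active_staff:
                findings.append((s.name, f"stale grant: {principal}"))
            elif sensitive:
                findings.append((s.name, f"direct grant: {principal}"))
    return sorted(findings)

# Constructed sample inventory and staff roster (not real systems or people).
STORES = [
    Store("phi-archive", "restricted", 256, True, ["group:clinical-data"]),
    Store("pii-exports", "private", 128, True, ["user:avery", "group:analytics"]),
    Store("scratch", "", 0, False, ["user:jordan"]),
    Store("press-kit", "public", 0, False, ["user:avery"]),
]
ACTIVE_STAFF = {"avery"}

if __name__ == "__main__":
    for store, finding in audit(STORES, ACTIVE_STAFF):
        print(f"{store}: {finding}")
```

Stale grants are reported for every classification because attrition leaves them behind regardless of how sensitive the data is.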

Private cloud. Private cloud is a cloud model that exists within the boundaries of a company, where the managerial, operational, technical, preventative, detective, responsive, and corrective controls are under local jurisdiction. This cloud model is ideal for sensitive data, as the data is stored on systems that are fully maintained and technically administered by staff employed by the company itself. This makes incident declaration and escalation tasks easier, as stakeholder communication happens internally. The private cloud model differs from the public cloud model in that it does not rely on external staff for operations. It is also the most expensive cloud model, in that hardware, software, development, maintenance, and staff are all financially supported by the company that owns the private cloud. Private clouds are a necessity even when public clouds may be more cost effective, in that they provide an environment ideal for protecting company assets, including private data. It is possible to misconfigure private clouds during the access control engineering process, but the impact is not as strong as in public clouds because the hardware and software provisioning events are owned by the private company itself. Data collection projects match the private cloud model perfectly, but the model also requires the company to have strong data governance programs led by a data governance steering committee. The data governance steering committee is paramount, so that all departments within the company take data compliance, data privacy, and data security seriously as part of their roles, regardless of how low or high in the company echelon an employee is located.

Tags: Cloud, Data, PHI, PII, Private-Cloud, Security, Technology
