Security considerations before choosing a cloud solution
Is your data safer “on-premises”, in a datacenter and on a server controlled by IT, or in the cloud? Well, it depends. What’s “The Cloud” anyway, and which cloud are we talking about?
There are three main types of Cloud services
- IaaS (Infrastructure as a Service) - e.g., renting a virtual machine in the provider’s datacenter, which gives access to the operating system.
- PaaS (Platform as a Service) - renting a service in the cloud, like a shared web hosting environment, or a service that provides a database (but without accessing the underlying operating system).
- SaaS (Software as a Service) - subscribing to a fully-ready service online, like Office 365, an expense app, a fitness app, etc.
Roles and responsibilities
Typical responsibilities would be:
- Hardware: ensuring physical security, keeping the (virtual) infrastructure up-to-date and secure.
- Server: maintaining a good monthly patching regime, a secure configuration, adequate backups, auditing, and detecting incidents before it’s too late.
- Source code: ensuring secure development practices, security testing, maintaining third-party libraries up-to-date, etc.
- User/Admin access: ensuring adequate management of the service (deciding who has access to the back-office admin page, closing accounts when people leave, deploying multi-factor authentication, and any other configuration available).
Let’s say you are developing a website to manage projects. These responsibilities would be shared as follows:
Hosting | Hardware | Server | Source code | User/Admin access |
---|---|---|---|---|
On-premises: Your infrastructure team prepares a (virtual) server hosted in your own datacenter, installs a web server, and deploys the code prepared by your developers | ❗ Your team | ❗ Your team | ❗ Your team | ❗ Your team |
IaaS: Same as above, but this time, your infrastructure team prepares a (virtual) server hosted on Azure/Google Cloud/AWS/etc. | ✅ Your cloud provider keeps it secure and running 24/7 | ❗ Your team + ✅ Some level of automation/security provided by the cloud provider | ❗ Your team | ❗ Your team |
PaaS: No one prepares any server, you subscribe to a service with a shared Web Hosting provider, which gives you access to a code repository (through FTP or git) where you deploy your code | ✅ Your cloud provider | ✅ Your cloud provider (you don’t even know if the server is Linux or Windows) | ❗ Your team | ❗ Your team |
SaaS: Actually, you don’t even develop your website in-house, you subscribe to an existing service (in this example, a project management website) developed by a specialized company | ✅ Your provider | ✅ Your provider | ✅ Your provider | ❗ Your team |
Does your provider take its responsibilities seriously?
I almost blindly trust Microsoft and Google to manage “the servers behind Office 365 / GMail” correctly, and if we play our part (what I call “User/Admin access” above: limiting admin rights, reviewing access, enabling multi-factor authentication / SSO, etc.), it’s rather safe.
But not all clouds are created equal. Most often, services (SaaS) are provided by small-ish providers that install a server somewhere and call it a “Cloud offering”. And providers will even gladly confirm that there’s nothing to worry about because the server is hosted by an ISO27001-certified company - which only means that the server may be hosted by Azure, AWS, or Google Cloud (all three are ISO27001-compliant), but does not say anything about how they (the provider, not Azure) keep their Linux up to date!
That’s where you, as a service purchaser, must absolutely ensure that your service provider (Trello, Slack, Asana, Atlassian, Zoom, Zendesk, Taleo, GitHub, MailChimp, Tableau, SAGE, Workday… and all others) understands its responsibilities:
- How do they secure their servers, source code, workstations/user data, and user/admin accounts? Do they share these responsibilities correctly with their own hosting providers?
- Do they have adequate processes and tools to audit their environment and detect incidents, and would you be informed swiftly?
- What is your role in the process, which tasks must be done on your side? (user account reviews for instance)
We ask these kinds of questions through a Security Questionnaire - not to meddle with their internals, but to gain trust that they know what they’re doing. The best companies happily show audit reports, and the least mature ones should at least fill in the Questionnaire and come in for a chat. This Questionnaire must be reviewed and:
- If completely unsatisfactory, Security must have the ability to say no before the beginning of the cooperation.
- If it needs improvement (most cases), Security must discuss an action plan with the third party and follow up on implementation (multi-factor authentication, typically, or a full external audit).
It’s absolutely not a formality; just last year in 2020, GE was breached through its HR Document Management vendor; SpaceX, Tesla and Boeing through a parts vendor; Expedia and Hotels.com too. It’s often easier to breach a company through its smallest specialized providers (often contracted without IT involvement) than to enter through the front door.
When is a Cloud offering the best option?
It’s probably a combination of these:
- When acquiring the service is easier than building it, just like you didn’t build your own office building yourself.
- When the provider is better at something (hardware hosting, 24/7 support, etc.).
- When the provider has been tested, audited, certified and answers questions with confidence and extensive documentation.
- When the provider is a global provider with a large, shared platform like Office 365 (to compare with a provider that deploys a server just for a single client and forgets to update it).
- When the regulations and the threat model allow it (e.g., when data access by this third party is not an issue).
In any other case, it’s a risk-vs.-benefit calculation: is the partnership worth the security risk, can we limit the data shared with them, is there anything we can do to progressively improve this small provider’s security posture?
As an example - when you choose Office 365 / Exchange Online to host your email service (SaaS) instead of hosting an Exchange server on-site, Microsoft can read your emails and Teams chats, but you won’t be hacked by a random passer-by who uses commonly available exploitation tools to break into your email server in one click because you haven’t applied the latest available patch within three weeks of its release. Which is more likely?
Initially published 2021-02-18, reviewed and completed 2023-07-21