Newsletter

Cloud Threats, Opportunities, and Safety  

As more data, identities, and services move to the cloud, they are increasingly targets of threat actors with potentially life-altering consequences. In 2017, a breach of Equifax leaked the Social Security Numbers (SSNs) of 143 million Americans. While writing this article, Ticketmaster and its vendor, Snowflake, suffered a major data breach. Those are just two cloud breaches among a growing crowd. Do you know of a recent cloud data breach that affected you?

Amazon, Google, Microsoft (collectively, the “big three”), and other Cloud Service Providers (CSPs) promise flexibility, resilience, scalability, and security in their cloud services (Amazon Web Services, Google Cloud, and Microsoft Azure, respectively). However, cloud computing relies on a “shared responsibility model,” in which everyone (WashU included) using cloud services must follow cloud security best practices. This article will introduce a few best practices; each CSP provides hundreds of services, and attack strategies constantly evolve. As a result, covering cloud security in-depth requires a multi-pronged approach and more words than this newsletter article can accommodate. 

WashU IT Platform Engineering offers a Cloud Computing Service with a range of options, including a WashU-hosted on-premises Private Cloud, Microsoft Azure, Amazon Web Services, and Google Cloud Platform. All of these cloud computing options include Identity and Access Management oversight (including WUSTL Key login) and a HIPAA Business Associate Agreement (BAA), as well as other contractual protections, providing an approved location for Confidential and Protected Data and Information. For the most sensitive data, the WashU Private Cloud is often a great option because it comes with several key information security protections “baked in” to the service. If you use the WashU IT Private Cloud, the Platform Engineering Team handles patching your OS, installing critical security tools such as CrowdStrike, setting up logging with Splunk, managing nightly backups of your system, and ensuring disaster recovery paths are available.

Cloud Service Providers (CSPs) prioritize recruiting paying customers, so they make it as easy as possible to get started. Occasionally, a quick start comes at the expense of security. A good practice when using cloud services is to assume they are shared too widely by default and always review your cloud resources for excessive or public access. When you spin up a virtual machine in any of the big three CSPs, the remote management interface may be open to the entire world by default. Similarly, cloud storage (AWS S3 Buckets, Azure Blob Storage, or Google Storage) makes it easy to unintentionally over-share your or your patients’ private information. Check out the CIS Cloud Foundation benchmarks, free to anyone at WashU, for detailed guides on securing your cloud workloads. 

Cloud service offerings from the “big three” CSPs provide substantial benefits compared to traditional, on-premises infrastructure but come with some caveats and extra responsibilities. The following tips can help you protect your data and WashU’s patient data in the cloud. 

  1. Know what your cloud security responsibilities are under the Cloud Shared Responsibility model, including logging (Splunk) and anti-malware (CrowdStrike). 
  2. The Cloud transitions the security perimeter from the network to Identity and Access Management. Check your Cloud Principals, Role Definitions, Policies, and Scope for excessive sharing and design flaws. 
  3. Evaluate whether WashU IT Platform Engineering’s on-premises Private Cloud offering fits your use case, can save time and money, and offers easier, more consistent security. 
  4. Help minimize cloud security risk by using Office of Information Security-approved and WashU IT-supported services for WashU cloud workloads. 

Cloud Identity and Access Management (IAM) is a key security component with several core concepts – Principals, Resources, Actions, and Scope. The diagram below illustrates that your identity is a cloud Principal. Your Principal is granted access to perform Actions on cloud Resources (e.g., servers, databases, firewalls) by Policies, which take effect at the Policy’s Scope. WashU Azure, AWS, and GCP cloud users are responsible for designing the Cloud Policies assigned to their Cloud Resources, as well as the Actions and Scope, to meet the principle of Least Privilege. By securely designing your Cloud IAM strategy, you can help prevent the type of data breach that happened to Experian.
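The review suggested above (check Principals, Actions, Resources, and Scope for excessive sharing) can be automated. The following added example, not part of the original article or any WashU tooling, reads AWS-style IAM policy JSON and flags Allow statements whose Principal, Action, or Resource is a wildcard; the two policy documents, the bucket name, and the account ID are constructed placeholders.

```python
import json

# Constructed sample: a bucket policy that shares the bucket with the whole
# internet and grants every S3 action on every resource.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TooOpen", "Effect": "Allow", "Principal": "*",
     "Action": "s3:*", "Resource": "*"}]})

# Constructed sample: the same access rewritten to least privilege: one named
# principal (role ARN is a placeholder), read-only actions, one bucket prefix.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportReader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/reports/*"]}]})

def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_values(principal):
    """Flatten Principal ("*", or {"AWS": [...]}, {"Service": ...}) to strings."""
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)

def review_policy(policy_json):
    """Return (Sid, finding) tuples for Allow statements that are shared too
    widely: anonymous principal, wildcard action, or unscoped resource."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in _principal_values(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "public principal"))
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append((sid, "wildcard action"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "unscoped resource"))
    return findings

if __name__ == "__main__":
    for name, doc in (("PUBLIC_POLICY", PUBLIC_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, review_policy(doc) or "no findings")
```

A public principal guarded by a Condition element is deliberately not flagged here, since the condition is what limits the Scope; a fuller review would inspect the condition itself.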