Cloud Security Assurance: Is Automation Changing the Game?
We explore the opportunities and limitations of automated security assurance by taking a close look at GCP and Azure cloud reports for ISO 27001.
Security assurance is crucial for larger organizations: senior managers are increasingly accountable for security but rarely have the time to dive deep into its challenges, so they rely heavily on security and security assurance teams. With automation and Infrastructure as Code (IaC) on the rise in the cloud, managers now have a new dream: replace manual, costly, and human-centric assurance with cloud-provided, automated assurance reports and make assurance more effective. In the following, we explore the opportunities and limitations of automated security assurance by taking a closer look at cloud reports for ISO 27001 in the context of the Google Cloud Platform (GCP) and Azure – a common assurance scenario.
The Role of Security Assurance
Security assurance serves as the second line of defense in an organization’s risk management framework, typically organized according to the Institute of Internal Auditors’ (IIA) three-line model (Figure 1):
First Line: Operational teams responsible for daily tasks like patching servers, pen-testing, or network design.
Second Line: Security assurance teams that verify the presence and proper functioning of security controls across the organization, i.e., the work of the first line. They typically check against standards like NIST, CIS, HIPAA, or ISO 27001.
Third Line: Internal audit validating the work of the first and second lines. In contrast to them, internal audit reports to the board of directors or the audit committee for independence.
External auditors and regulators complete the picture.
Of all these teams, the second-line organization might benefit most from automated cloud compliance reports, as assurance teams seek a holistic overview across the organization, data centers, and applications. In contrast, all other teams have a narrower focus.
Figure 1: The Three Lines Model and the Role of Security Assurance
The Challenge of Complex Application Landscapes
Complexity in application landscapes poses significant challenges for security assurance. A hosting provider with an ISO 27001 certificate is excellent but insufficient if the application layer is not covered. Thus, a holistic understanding of data centers is essential:
The infrastructure layer covers hardware, hyperscaler functionality, cloud setup, and network. A secure architecture of the vendor’s cloud infrastructure and that of the customer data center is essential, e.g., regarding network zoning. Other aspects include resilience, such as emergency power supplies and protection against environmental impacts.
The operating system layer focuses on adequate configuration and timely updates, including security monitoring and reporting integration.
The middleware layer covers components such as databases, API gateways, and directory or messaging services; correct configuration, regular updates, and timely patching are essential here.
The application layer encompasses software that builds on middleware components and incorporates cloud PaaS, SaaS, and external services. Secure design and software engineering practices, as well as updating and patching third-party components, are essential.
A particular focus for security assurance is integration. Applications rarely operate in isolation; they interact. Interaction and integration points are typical breaking points – especially where the responsibilities of different teams and organizations meet and nobody owns the seam.
Figure 2: Application landscapes with underlying components and layers in real-world data centers and clouds
Cloud Provider Assurance Reports
For cloud workloads, security assurance teams must assess and gather evidence for each component’s adherence to security standards, including for components and configurations the cloud provider runs. Luckily, cloud providers offer downloadable assurance and compliance certificates. These certificates and reports are essential for the cloud providers’ business. Larger customers, especially, work only with vendors that adhere to the standards relevant to these customers. The exact standards vary by the customers’ jurisdiction and industry. Figure 3 illustrates the extensive range of global, country-specific, and industry-specific standards Azure (for example) provides for download to their customers and prospects.
Figure 3: Azure website with assurance reports
These cloud security assurance reports cover the infrastructure layer and the security of the cloud provider’s own IaaS, PaaS, and SaaS services. They do not cover customer-specific configurations, patching, or operations, such as restricting access to object storage buckets (AWS S3 buckets, for example) or patching VMs (Figure 4). This is the shared responsibility model in practice: whether customers configure these services securely and put them together adequately is in the customers’ hands – and the customer security assurance team must validate that.
Figure 4: Component and topic coverage of assurance reports
Assurance Reports for Customer Cloud Environments
Ensuring cloud security assurance and compliance requires verification against standards like ISO 27001:2022, whose Annex A alone lists 93 controls. Assurance specialists must collect evidence for every component and configuration not covered by the cloud provider assurance reports. With cloud providers now offering built-in assurance reports for customer environments, there is hope for a massive reduction in assurance work through automatic evidence collection. However, our examples from Azure and GCP show that hopes and realities do not quite match (yet).
GCP
Google approaches the topic bottom-up by mapping vulnerabilities and misconfigurations to the potentially impacted controls of a specific standard such as ISO 27001 (Figure 5). For instance, if a VM has a public IP (a security no-go in most environments), GCP interprets this as a potential violation of four ISO controls: A5.10, A5.15, A8.3, and A8.4. Thus, the GCP reports help identify weak points by listing the controls with many violations; a high count flags where to look, not a confirmed nonconformity, and a zero count only means that no known misconfiguration maps to that control. These reports therefore cannot replace human assessments – at least not for ISO 27001 – since they cannot cover the operational and procedural topics that are particularly important in ISO 27001.
Figure 5: GCP ISO Reports and Assurance Needs
Azure
Microsoft’s Azure follows a different, top-down philosophy. It lists all controls, e.g., the ones for ISO 27001, and provides policies for each of these ISO controls to verify their implementation. Azure provides automatic compliance reporting, but only for a few of these policies; many require manual assessment. For example, of the five policies mapped to the control “classification of information”, only one is evaluated automatically. So, it is best to understand the Azure policies as a tailored to-do list for cloud security assurance, similar to the ISO 27002 document: ISO 27002 and the Azure report both provide detailed rules and guidelines for implementing the ISO 27001 controls. This characterization implies that Azure does not automate much of its customers’ security assurance work.
Figure 6: ISO 27001 Customer Reports in Azure with entry point (1), an overview of the ISO controls (2), detailed view of ISO 27001 control A12.5.1 (3a), and associated Azure policies and rules (3b)
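As an added example (not code from the article, and not GCP or Azure tooling), the following Python script computes both views over constructed data: the bottom-up count of open findings per ISO control that the GCP report produces, and the top-down automated-versus-manual policy coverage per control that the Azure report shows. The mapping of a public-IP finding to A5.10, A5.15, A8.3, and A8.4 and the one-of-five automated policies for “classification of information” follow the article; every other finding category, control mapping, policy text, and sample finding is an assumption constructed for illustration, and control identifiers use ISO 27001:2022 Annex A numbering.

```python
"""Bottom-up (findings -> controls) and top-down (controls -> policies)
compliance views. Added example with constructed data; not GCP or Azure code."""
from collections import Counter

# Bottom-up (GCP-style): a finding category maps to the ISO 27001:2022 controls
# it may violate. The PUBLIC_IP_ADDRESS row follows the article; the other two
# rows are assumptions made for this example, not GCP's real mapping table.
FINDING_TO_CONTROLS = {
    "PUBLIC_IP_ADDRESS": ("A5.10", "A5.15", "A8.3", "A8.4"),
    "OPEN_SSH_PORT": ("A8.20", "A8.22"),              # assumed mapping
    "PUBLIC_BUCKET_ACL": ("A5.10", "A5.15", "A8.3"),  # assumed mapping
}

# Constructed findings, shaped like a flattened finding export (not real data).
SAMPLE_FINDINGS = [
    {"category": "PUBLIC_IP_ADDRESS", "resource": "vm-1", "state": "ACTIVE"},
    {"category": "PUBLIC_IP_ADDRESS", "resource": "vm-2", "state": "ACTIVE"},
    {"category": "PUBLIC_IP_ADDRESS", "resource": "vm-3", "state": "INACTIVE"},
    {"category": "OPEN_SSH_PORT", "resource": "fw-allow-ssh", "state": "ACTIVE"},
    {"category": "PUBLIC_BUCKET_ACL", "resource": "bucket-a", "state": "ACTIVE"},
    {"category": "WEAK_TLS_POLICY", "resource": "lb-1", "state": "ACTIVE"},  # unmapped
]


def violations_per_control(findings, mapping=FINDING_TO_CONTROLS):
    """Bottom-up view: count ACTIVE findings per ISO control.

    Returns (counts, unmapped). counts is a Counter keyed by control id;
    unmapped is the set of categories the mapping does not know, so a gap in
    the mapping shows up instead of silently shrinking the report.
    """
    counts = Counter()
    unmapped = set()
    for finding in findings:
        if finding.get("state") != "ACTIVE":
            continue  # resolved findings are not open violations
        controls = mapping.get(finding["category"])
        if controls is None:
            unmapped.add(finding["category"])
            continue
        for control in controls:
            counts[control] += 1
    return counts, unmapped


# Top-down (Azure-style): each ISO control lists the policies that verify it,
# flagged as automated (platform-evaluated) or manual. "One automated policy
# out of five" for classification of information follows the article; the
# policy texts and the second control are assumptions for illustration.
CONTROL_TO_POLICIES = {
    "A5.12 Classification of information": [
        ("Information classification scheme is documented", "manual"),
        ("Asset owners classify the information they own", "manual"),
        ("Classification is reviewed on a defined cycle", "manual"),
        ("Classification is applied consistently across systems", "manual"),
        ("Storage accounts carry a data-classification tag", "automated"),
    ],
    "A8.8 Management of technical vulnerabilities": [
        ("Vulnerability assessment is enabled on virtual machines", "automated"),
        ("Critical findings are remediated within the agreed SLA", "manual"),
    ],
}


def automation_coverage(control_to_policies=CONTROL_TO_POLICIES):
    """Top-down view: per control, how many policies the platform evaluates
    automatically versus how many still need a human.
    Returns {control: {"automated": n, "manual": m, "ratio": n / (n + m)}}."""
    coverage = {}
    for control, policies in control_to_policies.items():
        if not policies:
            raise ValueError(f"control {control!r} has no policies")
        automated = sum(1 for _, kind in policies if kind == "automated")
        coverage[control] = {
            "automated": automated,
            "manual": len(policies) - automated,
            "ratio": automated / len(policies),
        }
    return coverage


def manual_todo(control_to_policies=CONTROL_TO_POLICIES):
    """The human work list: every manual policy, grouped by control."""
    return {
        control: [text for text, kind in policies if kind == "manual"]
        for control, policies in control_to_policies.items()
    }


if __name__ == "__main__":
    counts, unmapped = violations_per_control(SAMPLE_FINDINGS)
    for control, n in counts.most_common():
        print(f"{control}: {n} open finding(s)")
    print("categories without a control mapping:", sorted(unmapped))
    for control, cov in automation_coverage().items():
        total = cov["automated"] + cov["manual"]
        print(f"{control}: {cov['automated']}/{total} policies automated")
    for control, items in manual_todo().items():
        print(f"{control}: {len(items)} item(s) need manual evidence")
```

Two design choices matter for assurance work. First, unmapped finding categories are returned rather than dropped, because a bottom-up report can only be as complete as its mapping table, and a control with zero violations may simply have no finding mapped to it. Second, the top-down view keeps the manual policies as an explicit list, which is the evidence-collection backlog the article describes; the automation ratio is the number to quote when someone asks how much of the assessment the cloud provider actually does for you.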
To conclude, cloud provider assurance reports are terrific for identifying misconfigurations and vulnerabilities in customer application landscapes. However, replacing human specialists with automatically generated assurance reports is unrealistic, at least for ISO 27001, as explained in our discussion of GCP and Azure capabilities. The challenges are even amplified in multi-cloud environments with workloads in Azure, AWS, Alibaba Cloud, and GCP where organizations tend to aim for consistent assurance reports – or if auditors and regulators demand in-depth coverage of specific controls or detailed evidence. Thus, cloud security assurance will continue to follow the Panini booklet principle: you need a human dedicated to collecting the stickers (evidence) for all components – and you spend a lot of money until you achieve your goal.