Security for Cloud-Based Applications

Emerson’s Alejandro Cruz and Nick Janouskovec presented Cloud & Security for Cloud Environments at the 2024 Ovation Users Group conference. Here is their presentation abstract.

This breakout session will introduce the different cloud service offerings and discuss the basic security concepts that are essential to protecting cloud environments. We will define some of the benefits and disadvantages provided to stakeholders when transitioning to the cloud, discuss the adoption of regulatory standards such as FedRAMP, NIST SP 800-171 and SOC 2 to improve the overall security posture, and close with an overview of regulatory guidance concerning cloud services such as GDPR and NERC.

They open by defining the cloud. The cloud is a set of services delivered via the internet rather than a product. The term is commonly used to refer to the selection of services a cloud provider offers for access over the Internet. The cloud provider provides remote access to hardware (infrastructure), operating systems and databases (platform), and applications (software) on a consumption model, in which customers pay for the resource time they consume.

Some popular cloud providers and services include Microsoft’s Azure, Google’s Google Cloud Platform (GCP), and Amazon’s AWS. Clouds can be public, private, or a hybrid combination. Each has its advantages. A public cloud requires no capital expenditures to scale up, and applications can be quickly provisioned and de-provisioned on a pay-as-you-go model. The downside is that organizations don’t wholly control resources and security.

With private clouds, organizations have complete control over resources and security, but they also incur significant capital expenditures and are responsible for ongoing support and maintenance. Hybrid clouds provide more flexibility in choosing which applications to host where.

Cloud services can be offered as infrastructure as a service, platform as a service, and software as a service.

Types of cloud-based services

Cloud services have advantages in terms of capital expenditure savings, deductions for operating expenses, and scalable methods of payment based on usage.

For power generation companies, there are NERC drivers for cloud adoption. These include changing resource mix, digitalization, resilience, advanced analytics, widespread adoption in other sectors, managing costs, focus on core business activities, and available expertise and resources.

Security is a critical consideration for cloud services. For infrastructure as a service (IaaS) applications, the user is responsible for data, applications, virtual network controls, operating systems, and user access.

For platform as a service (PaaS) applications, the user is responsible for data, user access, and applications. For software as a service (SaaS) applications, the user is responsible for data and user access. The cloud provider handles the other responsibilities at each level.

Here are some of the challenges associated with cloud security.

Regulatory and standards compliance is a shared responsibility between the cloud provider and the user. The user may choose to comply with specific standards and regulatory requirements for their organizational resources in the cloud. In contrast, cloud providers hold independent certifications for their services.

For example, a cloud service provider may have its platform certified to comply with ISO 27001. That certification does not extend to the user's workloads, so users may independently have their own workloads certified to ISO 27001.

The Security, Trust, Assurance, and Risk (STAR) registry from the Cloud Security Alliance (CSA) is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. Organizations listed in the registry, such as CSA Trusted Cloud Providers, are CSA Corporate Members that have also fulfilled additional training and volunteer requirements with CSA.

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized way to assess, authorize, and monitor the security of cloud services and products. Considerations include standardization, security requirements, authorization levels, authorization processes, and continuous monitoring.

NIST SP 800-171 is a cybersecurity standard that outlines the requirements for non-federal computer systems to protect Controlled Unclassified Information (CUI). Organizations that process or store sensitive, unclassified information on behalf of the US government or that handle CUI as part of a contract with the US government must comply with NIST SP 800-171.

This standard outlines 14 families of security requirements, encompassing 110 specific controls. These requirements cover various aspects of information security, including access control, incident response, personnel security, and system and communications protection.

Service Organization Control 2 (SOC 2) was developed by the American Institute of CPAs (AICPA). It is a framework for managing and auditing how service providers handle data to ensure they meet specific security and privacy standards. Companies that outsource services often seek a SOC 2 report to assess and address risks associated with third-party providers handling sensitive data. It provides assurance that these service providers have adequate controls and safeguards to protect their clients' data and systems.

For NERC CIP in cloud environments, registered entities remain responsible for internal or external audits, including NERC CIP compliance for bulk electric system (BES) systems or BES cyber system information (BCSI) that leverage cloud service provider services. Cloud service providers and third-party vendors are not themselves subject to NERC CIP standards. BCSI should reside within the boundary of the country in which the entity operates.
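The residency requirement above is a compliance statement, but it is also something a registered entity can verify on its own side of the shared-responsibility line. The following is an added example, not code from the presentation or from Emerson: a small inventory check that flags BCSI-tagged cloud resources whose region maps to a country outside the entity's allowed set, and treats an unrecognised region as a finding rather than silently passing it. The region-to-country map, the `data-classification` tag name, and the sample inventory are all constructed assumptions; a real check would be fed from the provider's published region list and the entity's actual asset inventory.

```python
"""Data-residency check for BCSI-tagged cloud resources (added example, not Emerson's code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Hypothetical region -> ISO country code map. Constructed for this example;
# a real deployment would load the provider's published region list.
REGION_COUNTRY: Dict[str, str] = {
    "us-east-1": "US",
    "us-west-2": "US",
    "ca-central-1": "CA",
    "eu-west-1": "IE",
}


@dataclass(frozen=True)
class Resource:
    """One cloud resource from an asset inventory (shape is an assumption)."""
    resource_id: str
    region: str
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    """A residency violation or an inability to verify residency."""
    resource_id: str
    region: str
    country: Optional[str]
    reason: str


def check_residency(
    resources: Iterable[Resource],
    allowed_countries: Set[str],
    classification_tag: str = "data-classification",
    bcsi_value: str = "BCSI",
) -> List[Finding]:
    """Return findings for BCSI-tagged resources outside the allowed countries.

    Resources not tagged as BCSI are out of scope for this check. A region the
    map does not know is reported as a finding (fail closed), because the
    entity cannot demonstrate residency for it during an audit.
    """
    findings: List[Finding] = []
    for res in resources:
        if res.tags.get(classification_tag) != bcsi_value:
            continue
        country = REGION_COUNTRY.get(res.region)
        if country is None:
            findings.append(Finding(
                res.resource_id, res.region, None,
                "region not in residency map; cannot verify country boundary",
            ))
        elif country not in allowed_countries:
            findings.append(Finding(
                res.resource_id, res.region, country,
                f"BCSI stored in {country}, outside allowed {sorted(allowed_countries)}",
            ))
    return findings


# Constructed sample inventory: identifiers and regions are made up for the example.
SAMPLE_INVENTORY: List[Resource] = [
    Resource("s3-bcsi-archive", "us-east-1", {"data-classification": "BCSI"}),
    Resource("db-bcsi-replica", "eu-west-1", {"data-classification": "BCSI"}),
    Resource("vm-log-collector", "ap-southeast-9", {"data-classification": "BCSI"}),
    Resource("s3-public-docs", "eu-west-1", {"data-classification": "public"}),
]

# The entity in this example operates in the US, so only US regions may hold BCSI.
ALLOWED_COUNTRIES: Set[str] = {"US"}


def run_sample() -> List[Finding]:
    """Run the check over the constructed inventory and return its findings."""
    return check_residency(SAMPLE_INVENTORY, ALLOWED_COUNTRIES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.resource_id} ({f.region}, country={f.country}): {f.reason}")
```

Run against the constructed inventory, the check reports `db-bcsi-replica` (BCSI in an Irish region) and `vm-log-collector` (a region the map cannot place), while the US-hosted archive passes and the public bucket is ignored as out of scope. The fail-closed handling of unknown regions is the part worth keeping in any real implementation: a residency control that passes whatever it cannot classify gives an auditor nothing to rely on.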

Visit some of the links above to learn more about ways to build cyber resiliency into your cloud-based applications.


The post Security for Cloud-Based Applications appeared first on the Emerson Automation Experts blog.