Ruslan Rakhmetov, Security Vision
The choice of type and specific technical solution for information protection depends on the results of cyber risk assessment, current threats, specifics of business processes and information infrastructure. Company infrastructure is changing in accordance with business needs and technology capabilities and in recent years has been actively moving to the cloud, where both specialised cloud-based protection systems and cloud-based versions of classic cyber security solutions are used. In this article, let's look at what types of cloud solutions there are, what their features are, and evaluate their main pros and cons.
First, let's look at the main features of cloud infrastructures in general. Cloud infrastructures can be divided by the principle of operation into the following types:
- Public cloud: a cloud provider makes its infrastructure and services available to many customers on a commercial, usually subscription, basis;
- Virtual private cloud (VPC): the cloud provider gives each customer dedicated cloud infrastructure elements, isolated from other customers within virtualised networks (VLANs) with their own addressing and configurable networking inside the VLAN;
- Private cloud: an organisation hosts part of its infrastructure in its own or a leased data centre and has full control over all hardware and software components;
- Hybrid cloud: an organisation combines public and private clouds, placing each application and data set in whichever of the two infrastructures suits its needs;
- Multi-cloud: an organisation uses several cloud providers for reliability and resilience, for example hosting its core infrastructure in one public cloud and its backups and standby services in another.
Cloud infrastructures are consumed under the following main service models:
- IaaS (infrastructure as a service): the cloud provider supplies only its hardware, network access and the virtualisation hypervisor; customers install their own operating systems, system and application software, and business applications;
- PaaS (platform as a service): the cloud provider supplies a pre-installed operating system (usually with a choice of several Windows- and Linux-based systems), and customers install only their own software;
- SaaS (software as a service): the cloud provider supplies the end customer with a ready-to-use business application, with some options for customising and modifying it.
The use of cloud solutions has certain advantages and features:
1. Cost reduction: building your own data centre, or even equipping a small server room, requires significant capital expenditure on computing hardware, storage, software (including OS, hypervisors, DBMS), networking devices, structured cabling systems (SCS), power supply, ventilation and fire suppression systems. The cloud model replaces capital expenditure (CAPEX) with operating expenditure (OPEX) and spreads these investments over time.
2. Flexible management: cloud solutions are offered on a pay-as-you-go model, so you pay for an information security (IS) service or cloud security solution only while it is in use; for example, only the system's uptime can be billed, excluding downtime initiated by the consumer. In addition, some solutions let you pay not for the whole product but only for the functions and features actually used. With classic on-prem solutions, buying licences in advance is both an organisational and a financial burden, while cloud solutions are free of such restrictions.
3. No additional overheads: maintaining your own data centre or server room means keeping it running, including temperature and humidity control, fire safety, power supply and heat removal, as well as spending on software and hardware for high availability, fault tolerance, disaster resilience, backup and disaster recovery.
4. Rapid horizontal scaling on demand: cloud infrastructure also has the advantage when computing power needs to be increased quickly, additional functions activated or additional services brought up. Large cloud providers have a sufficient pool of resources to ensure that customers are not constrained during peak load periods.
5. Ease of deployment: in cloud infrastructures the administrative panel is accessed through a regular browser, and a new server can be brought up in a few mouse clicks.
6. Access to solutions unavailable on-prem: because of sanctions restrictions, many foreign products may be unavailable to small companies, but large cloud providers often have the means to procure such solutions and offer them to customers.
7. Cybersecurity: cloud providers provide DDoS protection, firewalling, web application protection with WAF, network intrusion protection with IDS/IPS, secure remote access to cloud infrastructure. In addition, in PaaS and SaaS models, vulnerability management and installation of OS security updates are handled by the service provider, removing this burden from the client.
8. Cloud-native technologies: building and running scalable, flexible applications in the cloud with containerisation, microservice architecture and serverless computing makes it possible to exploit the properties of cloud infrastructures effectively.
9. APIs and the API-first approach: in modern application development, API interaction with external and internal services is designed in from the start and forms the basis of the future system, which allows such systems to be migrated seamlessly to cloud infrastructure.
10. Centralised expertise: the high level of service and technical support is ensured by the fact that large cloud providers employ specialists and experts whom smaller companies often cannot afford.
Most modern solutions, including IS products, can be deployed in cloud infrastructures: installing a solution in the cloud (under the IaaS or PaaS model) is essentially no different from an on-prem installation; you only need to make sure that the communication channels are secure and that network connectivity between the cloud, the corporate network and end devices is configured correctly. However, the mere possibility of installing a product in the cloud does not make it a full-fledged Security-as-a-Service product: solutions of that type are delivered by the provider on a turnkey basis, relieving the client of the need to administer the platform on which they run. The Security-as-a-Service model now covers IS solutions such as:
- DDoS protection;
- firewall as a service (FWaaS);
- Web Application Firewall (WAFaaS);
- SIEM as a service;
- DevSecOps as a service;
- AppSec as a service;
- Backup as a service;
- Disaster recovery as a service.
In addition, there is a class of solutions that have been designed specifically to protect cloud infrastructures:
- CASB (Cloud Access Security Broker): solutions for controlling user experience with cloud services, managing data processing and application access policies in the cloud, and detecting malicious or unwanted activity;
- CWPP (Cloud Workload Protection Platform): a tool for monitoring cloud applications, environments, servers, containers and functions, with support for vulnerability management, malware and exploit detection, network micro-segmentation, management of permitted cloud applications, integrity monitoring, anomaly detection and cyber threat response;
- CSPM (Cloud Security Posture Management): a tool for identifying cyber risks in cloud infrastructure, detecting vulnerabilities in cloud configuration, performing compliance checks of cloud infrastructure components (e.g., controlling and restricting user and application access to personal data in the cloud);
- ZTNA (Zero Trust Network Access): solutions that grant network access on the basis of continuous authentication of the subject (user, service, entity, device), the subject's access rights to the object (information resource, asset, data), verification of the subject's cyber security status, and granular network access rules (only to a specific application, service, IP address or port);
- SASE (Secure Access Service Edge): a solution for securing cloud and remote network access that combines the SWG (Secure Web Gateway) and CASB security functions with ZTNA and SD-WAN (software-defined wide-area networking) technologies.
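The ZTNA access decision described above, as an added illustration rather than code from the article or any product: a request is allowed only if the subject passed continuous authentication, its device posture check succeeded, and a granular rule matches its role, the target application, the destination address and the port; everything else is denied by default. The data model, rules, addresses and subjects are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical data model: a subject (user/service/device) asks to reach an
# application at a destination IP and port; rules are granular allow entries.
@dataclass(frozen=True)
class Subject:
    identity: str
    authenticated: bool      # outcome of the latest continuous-authentication check
    roles: frozenset
    device_compliant: bool   # endpoint posture check passed (patch level, EDR, etc.)

@dataclass(frozen=True)
class Rule:
    roles: frozenset         # subject roles the rule applies to
    app: str                 # application the rule grants access to
    dst_net: str             # allowed destination network (CIDR)
    ports: frozenset         # allowed destination ports

def evaluate(subject: Subject, app: str, dst_ip: str, port: int, rules: list) -> tuple:
    """Decide one access request: every check must pass, anything else is denied."""
    if not subject.authenticated:
        return ("deny", "subject failed continuous authentication")
    if not subject.device_compliant:
        return ("deny", "device posture check failed")
    dst = ip_address(dst_ip)
    for r in rules:
        if (subject.roles & r.roles and r.app == app
                and dst in ip_network(r.dst_net) and port in r.ports):
            return ("allow", f"matched rule for {r.app}")
    return ("deny", "no matching rule (default deny)")

# Constructed sample policy: finance reaches only the ERP front end on 443,
# devops reaches the CI subnet on SSH and HTTPS.
RULES = [
    Rule(frozenset({"finance"}), "erp", "10.20.0.10/32", frozenset({443})),
    Rule(frozenset({"devops"}), "ci", "10.30.0.0/24", frozenset({22, 443})),
]

def demo() -> dict:
    """Run constructed requests through the policy and return the decisions."""
    alice = Subject("alice", True, frozenset({"finance"}), True)
    bob = Subject("bob", True, frozenset({"finance"}), False)   # non-compliant laptop
    return {
        "alice_erp_https": evaluate(alice, "erp", "10.20.0.10", 443, RULES)[0],
        "alice_erp_ssh": evaluate(alice, "erp", "10.20.0.10", 22, RULES)[0],
        "alice_ci": evaluate(alice, "ci", "10.30.0.5", 443, RULES)[0],
        "bob_erp_https": evaluate(bob, "erp", "10.20.0.10", 443, RULES)[0],
    }
```

Note that the same user is refused on a different port and from a non-compliant device: the decision is per request, not a one-off login.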
When choosing a cloud provider, one should evaluate characteristics such as the level of service quality and availability (the SLA metric), the reliability level of the data centre (Tier I/II/III/IV), data centre compliance with the GOST R 58811-2020 and GOST R 58812-2020 standards, and whether the cloud provider holds a certificate of compliance with the requirements for protecting personal data (the so-called ‘Cloud 152-FZ’) and/or for the security of critical information infrastructure (CII) facilities (the so-called ‘Cloud CII’).
Of course, besides the advantages described above, cloud-based IS solutions and the cloud infrastructure itself have disadvantages and complexities, such as:
- the need to trust the cloud service provider;
- the impossibility of guaranteeing that the service provider's employees have no direct physical access to the data;
- the need to ensure correct and complete data separation between clients;
- the need to protect the communication channel to the cloud;
- impossibility of full control over the place and methods of data storage and backups.