Cloud computing requirements in ISO 27001:2022 and security risks related to Cloud usage


Cloud computing is a technology that allows individuals and organizations to access applications, store data and perform computations on remote servers via the internet, instead of on a local computer or server. It provides a range of services such as servers, storage, databases, networking, software, and analytics. The main types of cloud computing are Software as a Service (SaaS) and Infrastructure as a Service (IaaS). SaaS gives users access to the application layer of the service over the internet while abstracting away the lower layers, such as the runtime environment, the operating system and the virtualization technology. IaaS, on the other hand, allows the customer to build a complete infrastructure of compute, database or file-system resources, linking the services with networking delivered as a software-defined network, while keeping each cloud tenant separated from the others.
The 2022 version of ISO 27001 adds a new control that addresses the novel risks arising from the use of cloud computing technologies, under Annex A section '5.23 Information security for use of cloud services', in order to ensure that proper policies exist to control these risks.
As part of control 5.23, the organization should define the following:
- Information Security Requirements: Identify all security requirements for using cloud services.
- Service Selection Criteria: Establish criteria for selecting cloud services and define their scope.
- Roles and Responsibilities: Clarify roles and responsibilities for using and managing cloud services.
- Control Management: Determine which security controls are managed by the cloud service provider and which by the organization.
- Utilizing Security Capabilities: Define how to obtain and use security features provided by the cloud service provider.
- Assurance on Controls: Outline how to gain assurance on the security controls implemented by cloud service providers.
- Managing Multiple Services: Develop strategies for managing controls, interfaces, and changes when using multiple cloud services from different providers.
- Incident Handling: Establish procedures for handling security incidents related to cloud services.
- Monitoring and Evaluation: Create an approach for monitoring, reviewing, and evaluating the ongoing use of cloud services to manage security risks.
- Change and Exit Strategies: Plan how to change or discontinue the use of cloud services, including exit strategies.
Risks of using Cloud technologies
While ISO 27001:2022 and ISO 27002:2022 do not specify which risks should be addressed, we present a few risks that may arise from using the Cloud, either as SaaS or IaaS. Some of the risks related to the use of Cloud Computing are:
- Segregation of tenants: Cloud providers host multiple customers in the same data center, which poses the risk that one tenant gains access to the confidential information of another. Cloud providers should provide assurance that their software-defined networking and software-defined storage are securely segregated, but if an insecure provider with minimal security controls is used, tenants are exposed to this risk. If you choose a Cloud Service Provider or a Managed Service Provider that does not provide assurance regarding segregation of tenants, you should add this risk to your risk register and consider implementing your own security controls to address it.
- Phishing of privileged accounts: Privileged accounts have the highest level of access to services and resources, such as the Root user in AWS and the Global Administrator in Azure. Phishing attempts targeting individuals in the organization whose email addresses are associated with privileged accounts used to access cloud resources are a security risk that the organization should address. Security controls such as Multi-factor Authentication, regular audits and password rotation for these accounts are among the many controls that organizations should put in place to reduce the inherent risk to an acceptable level.
- Lateral movement to on-premises: Lateral movement is the way a threat actor moves from one server or network to another in order to reach more data and privileges. Because of how cloud technologies are used alongside on-premises environments, threat actors can move from the cloud to the on-premises environment by leveraging access to Identity Providers to obtain credentials used on-premises, or by finding vulnerabilities in on-premises services. The risk of lateral movement between the two environments should be assessed and remediated.
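The audit and password-rotation controls mentioned under "Phishing of privileged accounts", and the "Assurance on Controls" and "Monitoring and Evaluation" items of control 5.23, can be partly automated. The script below is an added example, not code from the original article or from any cloud provider: it evaluates the CSV layout of the AWS IAM credential report (the document returned by `aws iam get-credential-report`, base64-decoded) against a small set of rules: the root account must have MFA and no active access keys, every user with a console password must have MFA, and passwords and access keys must be rotated within a configurable number of days. The report text, the account id and the user names are constructed sample data, and the evaluation date is fixed so the result is reproducible.

```python
"""Audit an AWS IAM credential report for privileged-account hygiene.

Added example (not part of the original article). The column names follow the
real credential-report CSV; every value below is constructed sample data.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report: real header layout, fake account and users.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T09:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2021-01-10T09:05:00+00:00,2024-04-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-02-01T10:00:00+00:00,true,2024-05-02T07:30:00+00:00,2023-11-15T10:00:00+00:00,2024-02-13T10:00:00+00:00,true,true,2024-03-01T00:00:00+00:00,2024-05-02T07:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-20T12:00:00+00:00,true,2024-04-28T09:00:00+00:00,2022-06-20T12:00:00+00:00,2022-09-18T12:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed evaluation time so the sample produces a stable result (constructed).
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)

ROOT_USER = "<root_account>"  # the literal user name AWS uses for root in the report


def _parse_time(value):
    """Return a tz-aware datetime, or None for the report's non-date markers."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def _age_days(value, now):
    """Whole days between a report timestamp and `now`, or None if not a date."""
    ts = _parse_time(value)
    return None if ts is None else (now - ts).days


def audit_credential_report(report_text, now, max_password_age=90, max_key_age=90):
    """Return a list of (user, finding_code, message) tuples.

    Rules: root needs MFA and must not own access keys; any user with a console
    password needs MFA; passwords and active access keys must be rotated within
    the configured number of days.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"

        if user == ROOT_USER:
            if not has_mfa:
                findings.append((user, "ROOT_NO_MFA", "root account has no MFA device"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, "ROOT_ACCESS_KEY",
                                     f"root account has an active access key {n}"))
            continue  # root has no rotatable console password in the report

        if row["password_enabled"] == "true":
            if not has_mfa:
                findings.append((user, "PASSWORD_NO_MFA", "console password without MFA"))
            age = _age_days(row["password_last_changed"], now)
            if age is not None and age > max_password_age:
                findings.append((user, "STALE_PASSWORD",
                                 f"password last changed {age} days ago"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = _age_days(row[f"access_key_{n}_last_rotated"], now)
                if age is not None and age > max_key_age:
                    findings.append((user, "STALE_ACCESS_KEY",
                                     f"access key {n} last rotated {age} days ago"))
    return findings


if __name__ == "__main__":
    for user, code, message in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user:16} {code:18} {message}")
```

On the sample data the script reports the root account twice (no MFA, an active access key), alice once (password older than 90 days) and bob twice (password without MFA, stale password); alice's access key, rotated 63 days before the evaluation date, passes. In practice the report would be fetched on a schedule and the findings fed into the monitoring and review process the control asks for, with the thresholds set to the organization's own password and key rotation policy.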
Do you want to address the risks of using Cloud Computing technologies, especially in the world of novel threats posed by Artificially Intelligent Threat Actors (AI TA)? Reach out to your dedicated security expert at CMI via the following email: contact@certifymyisms.com