
Transforming technical IT security architecture to a cloud era

Loukkaanhuhta, Marko (2021)

dc.contributor.author: Loukkaanhuhta, Marko
dc.date.accessioned: 2021-05-19T05:52:15Z
dc.date.available: 2021-05-19T05:52:15Z
dc.date.issued: 2021
dc.identifier.uri: http://www.theseus.fi/handle/10024/498141
dc.description.abstract: Like many other organizations, Aalto University has enabled its users to take advantage of the flexibility and ease of data processing provided by SaaS cloud services. SaaS cloud services can usually be described as separate islands tied to the organization's identity, apart from the rest of the organization's IT infrastructure, which the user can access regardless of time and place. The user's easy access to the data also gives cybercriminals easy access if the user's credentials fall into the wrong hands. Different threats also affect data processed in the cloud in different ways. However, during the cloud transition, the security architecture of organizations has often remained almost unchanged, reflecting a time when security focused mainly on protecting the local network from external threats. This raised the question of how the cloud transition will affect an organization's security capabilities. The answer was sought by examining the capabilities of the perimeter-centric security architecture against cloud security threats. It was quickly noticed that if there is no connection between the on-premises security systems and the cloud, other than the identity synchronized or projected into the cloud, there is no visibility into cloud security events. To address this, a proposal for a security architecture was designed. The architecture proposal took advantage of the security features included with the Microsoft 365 A5 and EMS E5 licenses. Once the architecture with better cloud security was designed, it was also put into practice. The security situation, alerts and observations were examined over a period of one month, and the results obtained were analyzed. A technical security expert, who is also responsible for the organisation's SOC activities, was interviewed in order to obtain a qualitative view of the implemented architecture and its security capabilities.
The results showed that perimeter-centric security is not sufficient in the era of cloud services. Some visibility into the cloud can be achieved by importing the logs provided by the cloud into the SIEM system, but the best result was obtained when the log data was processed with CASB and Sentinel products in the cloud. The limitations of the local SIEM system in handling cloud logs were also noted. Even if the logs are imported into the SIEM system, this does not eliminate the problem that security controls are not present in the cloud. Cloud security controls should be implemented using cloud tools, utilizing advanced machine learning and artificial intelligence products whose alarms were found to be less frequent.
dc.language.iso: eng
dc.rights: All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
dc.title: Transforming technical IT security architecture to a cloud era
dc.type.ontasot: Master's thesis
dc.identifier.urn: URN:NBN:fi:amk-202105189218
dc.subject.specialization: Cyber Security
dc.subject.degreeprogram: Information and Communications Technology
dc.subject.yso: cloud services
dc.subject.yso: information security
dc.subject.yso: cybersecurity
dc.subject.yso: SaaS services
dc.relation.contractor: Aalto University
dc.subject.discipline: Degree Programme in Information Technology
annif.suggestions.links (fi): http://www.yso.fi/onto/yso/p11484|http://www.yso.fi/onto/yso/p28416|http://www.yso.fi/onto/yso/p1576|http://www.yso.fi/onto/yso/p20042|http://www.yso.fi/onto/yso/p3056|http://www.yso.fi/onto/yso/p24167|http://www.yso.fi/onto/yso/p14913|http://www.yso.fi/onto/yso/p14562|http://www.yso.fi/onto/yso/p27723|http://www.yso.fi/onto/yso/p16011

