Week 25: An Introduction to Cloud Security

The Cloud (also referred to as Cloud Computing) has become the growth engine for many businesses. Its traits include agility and flexibility, which are key to achieving innovation and customer satisfaction. But what is it?

In its simplest form, it’s a process/technology that allows us to access resources (these include hardware, software, applications, storage, and even streaming content) over the internet, leveraging the services of Microsoft, Google, or Amazon Web Services (AWS) instead of having to worry about local computing.

(Note: The UK’s National Cyber Security Centre (NCSC) and the National Institute of Standards and Technology (NIST) offer a more technical definition).

Some of the benefits of cloud computing include:

  • Computing services, like but not limited to network storage, can be provisioned without the interaction of the service provider. This is known as On-Demand Self Service.
  • It offers Broad Network Access. This means that services can be accessed over the network and on devices like mobile phones, tablets, laptops, and desktop computers.
  • Cloud permits its users to adopt the variable expense model. This means that businesses pay only when they consume computing resources, and only for how much they consume. This paves the way for a measured service.
  • Advantage due to large economies of scale. This means that organizations end up saving money because cloud service providers purchase computing resources in bulk. So, when your business utilizes these services, the capital expenditure (CapEx) can be significantly reduced.
  • Enhancement of both speed and agility, because resources can be provisioned in just minutes instead of weeks with an on-premises data center.

So, what do we mean by cloud security? It’s the discipline that aims at protecting the confidentiality, integrity, and availability of data and the different applications in the cloud, as well as the underlying infrastructure. The word infrastructure may seem broad, and it is. It encompasses the following:

  • Physical networks like routers and cabling.
  • Data storage. This covers hard drives.
  • Data servers. This includes the key network computing hardware and software.
  • Computer virtualization frameworks like virtual machines (VMs).
  • The operating system (OS).
  • Middleware. This refers to the management of Application Programming Interfaces (APIs).
  • Runtime environments. These are responsible for the execution of the program.
  • All the data that is being stored, accessed, and modified.
  • Applications, like but not limited to email and productivity suites.
  • End-user equipment, like computers, mobile devices, and even the Internet of Things (IoT).

The level of management (also known as the Separation of Responsibilities Model, Figure 1) required of the aforementioned components will depend on the service model. These can be one of the following:

  • Software as a Service (SaaS): This is also referred to as on-demand software or cloud application services. The cloud service provider (CSP) hosts the application in their network, which can then be accessed from different devices, via a browser or app. In this model, the business is responsible for securing data and user access. The CSP, on the other hand, takes care of everything else. Examples of SaaS include Google Drive, Salesforce, and Microsoft 365.
  • Platform as a Service (PaaS): In this model, the CSP allows organizations to streamline the development and delivery of applications. Here a framework for developing, managing, testing, and distributing applications is provided. The client here needs to focus on securing data, user access, and applications. The CSP takes care of everything else. An example is Apache Stratos.
  • Infrastructure as a Service (IaaS): In this model, the business has more control because it is responsible for the data, applications, virtual network controls, OS, and user access. The cloud provider offers compute, storage, and the physical network, including all patching and configurations. Examples include VMware, Microsoft Azure, and Google Cloud.

(Note: You can read about the pros and cons of each of the service models here).

Figure 1: Cloud Shared Responsibility Model. Source:

Another thing to consider while migrating to the cloud is the idea of the different deployment models. These include:

  • Public cloud: This model is open to everyone. A business will use and share the CSP’s resources (like servers, storage, and networking devices) with other businesses. It's like a coworking environment.
  • Private cloud: Here, the cloud computing resources are owned by one organization. This means that they can be physically located at your on-site data center or hosted by a third-party service provider.
  • Hybrid cloud: This is a combination of the public and private cloud models. This approach allows data and applications to flow between the different environments. Organizations use this to meet regulatory requirements (including the concept of data sovereignty).

(Note: Depending on the model you choose, the risks might change. You can read about the advantages of each of the models above here).

In addition to the plethora of benefits the cloud offers, we must not lose sight of the different risks. Some of these include:

  • Misconfiguration: This is the leading cause of breaches within the cloud environment. These can include leaving default credentials or not activating data encryption.
  • Lack of visibility: Since many cloud services run on infrastructure outside of the corporate perimeter and can be accessed by a third party, the process of data oversight (i.e., how is data being accessed and by whom?) gets more complicated.
  • Multi-tenancy: Public clouds host resources for many organizations. There exists the possibility of a malicious threat actor exposing your data while trying to attack another entity.
  • Dynamic workloads: Since the cloud is constantly scaling up or down resources based on the organization’s needs, legacy security tools might not be able to address such needs.
  • Compliance: This links to the issue of lack of visibility. Organizations might find it hard to comply with data privacy and security requirements. Not to mention there’s a higher dependence on third-party solutions.
  • Access Management: The cloud permits resources to be accessed via the public internet from any location and/or device. This also means that attackers can gain unauthorized access through compromised credentials and inadequate access management controls.

All these risks mean that the following are the core pillars when it comes to securing the cloud:

  • Data Security: This refers to the tools and technologies that make unauthorized access to, and visibility of, data harder. This includes encryption and even VPNs (To be covered in Q3).
  • Identity and Access Management.
  • Governance: This revolves around the idea of policies for preventing, detecting, and mitigating threats. Organizations of all sizes can benefit from threat intelligence to track and prioritize threats. In addition, it is also worth stressing the importance of training (covering aspects like user behavior policies).
  • Business Continuity (BC) planning.
  • Compliance.

So, what basic considerations/measures can I take to be secure in the cloud?

  • Ensure data is encrypted both in transit and at rest. Using end-to-end encryption would be ideal.
  • Review and change, where necessary, the default settings.
  • Use strong credentials and MFA where possible.
  • Ensure your data is backed up.
  • Configuring and monitoring access permissions is essential.
  • Avoid accessing data via public WiFi.
  • Use anti-malware solutions.
  • Check the CSP’s approach to security. Ask questions like, “Do you conduct independent audits?” “Is the data being segmented?” “What are the policies regarding the erasure of data? (To be covered in Q3)” and “Do you adequately manage access rights?”
  • Ask the CSP about their approach to tackling incidents (For example, whether they have in place redundant servers during a potential DDoS attack).
  • Use Data Loss Prevention (DLP) and Security Information and Event Management (SIEM).
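
Several items in the checklist above (encryption in transit and at rest, default settings, MFA, backups, access permissions) can be checked automatically. The following is an added example, not part of the original article: it audits a constructed, provider-neutral inventory and ranks the findings. The field names, sample resources, and severity levels are assumptions for illustration and do not correspond to any CSP's API.

```python
# Constructed sample inventory; field names are assumptions for this example.
INVENTORY = [
    {"name": "customer-db", "encrypted_at_rest": True, "tls_required": True,
     "public_access": False, "default_credentials": False, "backup_enabled": True},
    {"name": "reports-bucket", "encrypted_at_rest": False, "tls_required": True,
     "public_access": True, "default_credentials": False, "backup_enabled": False},
    {"name": "build-vm", "encrypted_at_rest": True, "tls_required": False,
     "public_access": False, "default_credentials": True, "backup_enabled": True},
]
# Constructed sample accounts.
USERS = [
    {"name": "alice", "mfa": True, "admin": True},
    {"name": "ci-deploy", "mfa": False, "admin": True},
    {"name": "bob", "mfa": False, "admin": False},
]

# (field, secure value, severity, finding text), one row per checklist item.
RESOURCE_CHECKS = [
    ("encrypted_at_rest", True, "high", "data not encrypted at rest"),
    ("tls_required", True, "high", "unencrypted transport allowed"),
    ("default_credentials", False, "critical", "default credentials still set"),
    ("public_access", False, "high", "access permissions allow public access"),
    ("backup_enabled", True, "medium", "no backup configured"),
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit(inventory, users):
    """Return (severity, name, message) findings, most severe first."""
    findings = []
    for res in inventory:
        for field, secure_value, severity, message in RESOURCE_CHECKS:
            # Fail closed: a missing or unknown setting counts as a finding.
            if res.get(field) is not secure_value:
                findings.append((severity, res["name"], message))
    for user in users:
        if not user.get("mfa"):
            # Missing MFA on a privileged account is ranked higher.
            severity = "critical" if user.get("admin") else "medium"
            findings.append((severity, user["name"], "MFA not enabled"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, name, message in audit(INVENTORY, USERS):
        print(f"{severity:8} {name:15} {message}")
```

Because unknown settings are treated as findings, a resource that is missing from the inventory's export schema shows up in the report instead of silently passing.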

(Note: You can find a dictionary of cloud-related terminology here).

Next week, we’ll explore getting your business certified.

This article is part of a project called Security Chronicles, written jointly with Walter Buyu.
