CLOUD SECURITY


This topic is intended to introduce you to cloud security.

Topics to Be Covered:

  • Introduction to cloud computing and cloud service models.
  • Cloud security threats and risks.
  • Cloud security architecture and controls.
  • Secure cloud migration and data protection.

 

Intro to Cloud Computing and Cloud Service Models

Cloud Computing

Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying and operating physical servers and data centres, you rent computing power, storage, databases and other services from a cloud provider and pay only for what you use.

Benefits of Cloud Computing

  1. Cost-effective: Cloud computing removes the capital expense of buying hardware and software and of setting up and running on-site data centres.
  2. Scalable: Businesses can scale their IT capacity up or down as demand changes.
  3. Performance: Cloud services run on a worldwide network of data centres that providers regularly upgrade to current generations of hardware.
  4. Speed and agility: Large amounts of computing resources can be provisioned in minutes.
  5. Productivity: Cloud computing removes many time-consuming "heavy lifting" tasks (hardware setup, part of the software patching, and other IT management chores), so IT teams can spend their time on business goals. How much of this the provider takes on depends on the service model described next.

 

Cloud Service Models

Cloud services are typically offered under three service models:

 

IaaS:

Infrastructure as a Service is one of the primary cloud service models: the provider rents out the basic building blocks of IT infrastructure, such as servers and virtual machines (VMs), storage, networks and operating-system images, on a pay-as-you-go basis. Providers include AWS and Microsoft Azure. The customer is responsible for everything it installs from the operating system upwards: patching, hardening and configuration.

PaaS: 

Platform as a Service has the provider manage the underlying infrastructure (hardware, operating systems and usually the runtime and middleware) so the organisation can focus on deploying and managing its applications. The customer still owns the application code, its dependencies and its configuration.


SaaS:

Software as a Service: the provider hosts and administers the application and its underlying infrastructure, handling maintenance such as upgrades and security patching, and users access it through a web browser or client. Customers remain responsible for their own accounts, access settings and the data they put into the service.

Cloud Security Threats and Risks

Cloud computing brings many advantages, yet also poses certain security threats. Let's examine some of them now:

Data Breaches

A data breach exposes sensitive information, typically personal data, intellectual property and trade secrets. Beyond the exposure itself, it damages the reputation of the organisation involved and causes financial loss to both the organisation and the individuals whose data was taken.

Data Loss

Data stored in the cloud can also be lost for reasons other than malicious attacks. Accidental deletion by the customer or the provider, or a physical catastrophe such as a fire or earthquake, can lead to the permanent loss of customer data unless the provider or the customer has backed it up redundantly.

Account Hijacking

Phishing, fraud and software vulnerabilities can put cloud credentials in an attacker's hands, letting them manipulate data, eavesdrop on transactions and redirect clients to fraudulent sites. In the cloud a single stolen API key or long-lived access token can grant the same control as the management console, so multi-factor authentication, short-lived credentials and monitoring of sign-in and key-creation events matter as much as passwords.

Unsafe APIs

Cloud services expose APIs to their customers, and the security of the whole service depends on those APIs resisting both accidental and deliberate attempts to circumvent policy. They must be designed with that in mind: every call authenticated, requests protected against tampering and replay, and inputs validated and rate-limited.
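The following is an added example, not code from the original page or from any cloud provider. It shows the difference between an API that trusts a bare key in a header (anyone who captures one request can replay or modify it) and one that requires each request to be signed over its method, path, body hash and timestamp, as cloud provider APIs do. The client id, header names, secret and API path are constructed for the demo.

```python
"""Request signing for a cloud-style API: the client signs, the server verifies.

Added example (not from the original page). Assumes a hypothetical API with one
shared secret per client; the header names and paths are invented for the demo.
"""
import hashlib
import hmac
import time

# Constructed demo secret; in practice issued per client and kept in a secret manager.
CLIENT_SECRETS = {"client-123": b"constructed-demo-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def canonical_string(method, path, body, timestamp):
    """Build the exact string both sides sign: method, path, body digest, timestamp."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_hash}\n{timestamp}".encode()


def sign_request(client_id, method, path, body, timestamp):
    """Client side: return the headers to attach to the request."""
    secret = CLIENT_SECRETS[client_id]
    sig = hmac.new(secret, canonical_string(method, path, body, timestamp), hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp), "X-Signature": sig}


class Verifier:
    """Server side: check the signature, reject stale requests and replays."""

    def __init__(self, now=time.time):
        self._now = now
        self._seen = {}  # signature -> timestamp, for replay detection

    def verify(self, method, path, body, headers):
        client_id = headers.get("X-Client-Id")
        secret = CLIENT_SECRETS.get(client_id)
        if secret is None:
            return False, "unknown client"
        try:
            ts = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(self._now() - ts) > MAX_SKEW_SECONDS:
            return False, "stale request"
        expected = hmac.new(secret, canonical_string(method, path, body, ts), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak the correct prefix via timing.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # Forget signatures older than the skew window; they can no longer verify anyway.
        cutoff = self._now() - MAX_SKEW_SECONDS
        self._seen = {s: t for s, t in self._seen.items() if t >= cutoff}
        if expected in self._seen:
            return False, "replayed request"
        self._seen[expected] = ts
        return True, "ok"


def demo():
    """Run one valid request, a replay, a tampered body and a stale request."""
    now = 1_700_000_000
    v = Verifier(now=lambda: now)
    body = b'{"action": "create_bucket", "name": "finance-reports"}'
    headers = sign_request("client-123", "POST", "/v1/buckets", body, now)
    results = [v.verify("POST", "/v1/buckets", body, headers)[1]]          # ok
    results.append(v.verify("POST", "/v1/buckets", body, headers)[1])      # replayed request
    tampered = body.replace(b"finance-reports", b"attacker-bucket")
    results.append(v.verify("POST", "/v1/buckets", tampered, headers)[1])  # bad signature
    old = sign_request("client-123", "POST", "/v1/buckets", body, now - 3600)
    results.append(v.verify("POST", "/v1/buckets", body, old)[1])          # stale request
    return results


if __name__ == "__main__":
    print(demo())
```

The timestamp window bounds how long a captured request stays valid, and the seen-signature set only needs to remember signatures inside that window, which keeps replay detection cheap. Real provider signing schemes add a key-derivation step and sign selected headers too, but the shape is the same.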

DoS (Denial of Service) Attacks

DoS attacks do not usually steal data, but they cost time and money while the system is unavailable, and in a pay-per-use environment an attack that triggers autoscaling can also drive up the victim's bill.

Insider Threat

An insider with malicious intent, or a "malicious insider," can exploit their authorised access to an organisation's data in the cloud, potentially leading to the exposure or theft of that data.

Shared Technology Vulnerabilities

The hardware components underlying a multi-tenant cloud (CPU caches, GPUs and so on) were often not designed to offer strong isolation between tenants. A flaw in one of these shared components can let one tenant affect or observe another, which is what is meant by a shared technology vulnerability.

Mitigating these risks requires security tooling, good practice and education. Cloud service providers implement extensive safeguards on their platforms, but customers must still secure what they deploy and store there.

Cloud Security Architecture and Controls

Cloud Security Architecture

Cloud security architecture is the set of design decisions, controls and policies within a cloud deployment that meet the organisation's cybersecurity requirements.

Its main role is to provide strategic direction and alignment with business needs and regulatory requirements. Key elements include:

  • Identity and Access Management (IAM): controls who is authenticated and what each identity is authorised to do, ideally following least privilege so that a compromised identity can do as little damage as possible.
  • Data Encryption: encrypt data at rest and in transit. Consider managing your own encryption keys where the provider supports it, so that the provider alone cannot decrypt your data.
  • Firewalls and Intrusion Detection/Prevention: these filter traffic and monitor for malicious activity.
  • API Gateways: these sit between clients and backend services, enforcing authentication, rate limiting and input validation on the traffic between them.
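The IAM point above is easiest to see with a concrete policy. The following is an added example, not code from the page or from any provider's SDK: it uses the JSON statement shape of AWS-style policies (Effect/Action/Resource/Condition) but implements its own small evaluator (explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny) and a linter that flags statements broader than least privilege needs. The two policies, and the decision to model only the Bool condition operator, are assumptions made for the demo.

```python
"""Least-privilege review of IAM-style policy documents (added example).

Not a provider SDK: the evaluator and linter below are written for this demo and
cover only the Effect/Action/Resource fields plus the Bool condition operator.
"""
import fnmatch
import json

# Constructed demo policy: grants every API call on every resource.
OVERLY_BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

# Constructed demo policy: read/write one bucket prefix, and deny any S3 call over plaintext.
LEAST_PRIVILEGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-insensitive glob match, the way Action/Resource wildcards behave."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Only the Bool operator is modelled (demo assumption); unknown keys compare as ''."""
    for key, expected in condition.get("Bool", {}).items():
        if str(context.get(key, "")).lower() != str(expected).lower():
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Explicit Deny beats Allow; no matching Allow means implicit deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def lint(policy):
    """Return findings for Allow statements that grant more than least privilege needs."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: service-wide wildcard action {actions}")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"statement {i}: Resource '*' with no Condition")
    return findings


if __name__ == "__main__":
    print("broad policy findings:", lint(OVERLY_BROAD))
    print("tight policy findings:", lint(LEAST_PRIVILEGE))
    print("delete allowed?", is_allowed(LEAST_PRIVILEGE, "s3:DeleteObject", "arn:aws:s3:::app-uploads/x"))
```

Running `lint` over every policy in an account as part of a pipeline is a preventive control; the same evaluator answers "can this identity do X to Y?" when reviewing access after a suspected account compromise.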

 

Cloud Security Controls

Security controls are safeguards or countermeasures used to avoid, detect, counteract, or minimise security risks. 

Some essential cloud security controls are:

  • Preventive Controls: designed to stop an incident from occurring. Examples include secure coding standards, security training, least-privilege IAM policies and network segmentation.
  • Detective Controls: designed to discover unwanted or unauthorised activity. Examples include intrusion detection systems (IDS), review of cloud audit logs, and violation reporting.
  • Corrective Controls: designed to contain an incident and restore normal operation. Examples include disaster recovery plans (DRPs), credential revocation and automated scripts that shut down or isolate affected services.
  • Deterrent Controls: designed to discourage a potential attacker. Examples are security awareness training and legal agreements.
  • Compensating Controls: alternative controls used when a primary control is not feasible or effective, such as additional monitoring or more frequent reviews.
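A detective control worth seeing in code is the audit-log review mentioned above, aimed at the account-hijacking signs described earlier. The following is an added example, not from the original page: it reads constructed events in a CloudTrail-like JSON-lines shape and flags root usage, console logins without MFA or from unrecognised addresses, bursts of failed logins, and an access key created for a different user than the caller. The field names, the sample events, the "known corporate" address prefix and the thresholds are all assumptions for the demo, and the rules are a starting point rather than a complete detection set.

```python
"""Detective control: review cloud audit-log events for account-hijacking signs.

Added example, not from the original page. Events are constructed in a
CloudTrail-like shape (eventName, userIdentity, sourceIPAddress, ...); the field
names, addresses and thresholds are assumptions for the demo.
"""
import json
from collections import Counter

KNOWN_CORPORATE_RANGES = ("203.0.113.",)  # constructed; TEST-NET-3 stands in for office egress
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample log: alice behaves normally; "bob" is brute-forced, logs in without MFA
# from an unknown address, then creates an access key for alice; root is used for reads.
SAMPLE_LOG = """\
{"eventTime":"2024-05-01T08:00:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-05-01T08:05:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-05-01T08:05:20Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-05-01T08:05:40Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-05-01T08:06:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-05-01T08:07:00Z","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"userName":"alice"}}
{"eventTime":"2024-05-01T09:00:00Z","eventName":"DescribeInstances","userIdentity":{"type":"Root"},"sourceIPAddress":"203.0.113.10"}
"""


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def review(events):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    failures = Counter()  # (actor, ip) -> failed login count
    for e in events:
        actor, ip, name = _actor(e), e.get("sourceIPAddress", ""), e.get("eventName")
        if e.get("userIdentity", {}).get("type") == "Root":
            findings.append(f"root account used for {name} from {ip}")
        if name == "ConsoleLogin":
            if e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                failures[(actor, ip)] += 1
                continue
            if e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(f"{actor} logged in without MFA from {ip}")
            if not ip.startswith(KNOWN_CORPORATE_RANGES):
                findings.append(f"{actor} logged in from unrecognised address {ip}")
        if name == "CreateAccessKey":
            # A key minted for someone else is a classic persistence move after a takeover.
            target = e.get("requestParameters", {}).get("userName", actor)
            if target != actor:
                findings.append(f"{actor} created an access key for {target} from {ip}")
    for (actor, ip), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{n} failed logins for {actor} from {ip}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_events(SAMPLE_LOG)):
        print("ALERT:", finding)
```

In production the same rules would run continuously against the provider's audit trail rather than over a file, and each alert would feed a corrective control such as revoking the suspect session and the newly created key.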

Remember that cloud security is a shared responsibility: the provider secures the underlying platform, while the customer remains responsible for what they put on it: configuration, identities, data and, depending on the service model, the operating system and applications.

 

Secure Cloud Migration and Data Protection

Secure Cloud Migration

Migrating data securely requires careful preparation. Below are the steps of an effective cloud migration:

  • Step 1 - Planning: Establish your business objectives for the migration, identify which data needs to move and how sensitive it is, and understand the security controls each candidate provider offers.
  • Step 2 - Selecting a Service Model: Based on your business requirements and security considerations, decide between IaaS, PaaS or SaaS.
  • Step 3 - Risk Evaluation: Evaluate the threats described earlier (data breach, data loss, account hijacking, insecure APIs) as they apply to the workload being moved.
  • Step 4 - Data Migration: Transfer data only over encrypted channels, and verify its integrity on arrival rather than assuming the transfer was complete.
  • Step 5 - Security Controls: Implement additional controls as needed, such as encryption for data at rest, tighter identity and access management, and hardened application programming interfaces.
  • Step 6 - Testing: Test the security of the migrated environment with vulnerability scanning and penetration testing before cutting over.
  • Step 7 - Review and Audit: Regularly review and audit your cloud services to ensure they remain secure.
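The integrity check in Step 4 is simple to automate. The following is an added example, not from the original page: it takes a SHA-256 manifest of the source tree before migration, then verifies the destination against it, reporting files that are missing, modified (for example truncated by an interrupted transfer) or unexpected. The sample files and the "migration", which is just a local copy, are constructed for the demo; in a real migration the manifest would be taken from the source and the check run against the target storage.

```python
"""Pre/post-migration integrity manifest (added example, not from the original page).

Encryption in transit protects data on the wire but does not prove that every object
arrived complete and unmodified; a hash manifest taken before migration and checked
afterwards does. Files and the 'transfer' below are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream the file so large objects do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_migration(manifest, dest):
    """Return (ok, problems) comparing the destination tree with the manifest."""
    problems = []
    for rel, expected in manifest.items():
        target = os.path.join(dest, *rel.split("/"))
        if not os.path.exists(target):
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"modified: {rel}")
    extra = set(build_manifest(dest)) - set(manifest)
    problems.extend(f"unexpected: {rel}" for rel in sorted(extra))
    return not problems, problems


def demo():
    """Return the verification result for a clean copy and for a damaged one."""
    sample = {  # constructed files
        "records/a.csv": b"id,amount\n1,10\n",
        "records/b.csv": b"id,amount\n2,20\n",
        "readme.txt": b"constructed\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = os.path.join(tmp, "src"), os.path.join(tmp, "dest")
        os.makedirs(os.path.join(src, "records"))
        for rel, data in sample.items():
            with open(os.path.join(src, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        shutil.copytree(src, dest)  # stands in for the real transfer
        clean = verify_migration(manifest, dest)
        # Simulate a truncated transfer and a lost file, then re-verify.
        with open(os.path.join(dest, "records", "a.csv"), "wb") as f:
            f.write(b"id,amount\n")
        os.remove(os.path.join(dest, "readme.txt"))
        damaged = verify_migration(manifest, dest)
    return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean copy ok:", before)
    print("damaged copy ok:", after)
```

Keep the manifest itself outside the migration path (or sign it), since a manifest that travelled with the data and was altered along the way would verify the altered data.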

 

Data Protection in the Cloud

Data protection is a key aspect of cloud security, encompassing measures such as:

  1. Keep regular backups outside the cloud service provider, or at least in a separate account and region, so the data remains accessible in case of failure, outage or account compromise. This safeguards availability.
  2. Encrypt data at rest and in transit. For sensitive data, consider retaining control of the encryption keys so the provider alone cannot decrypt it.
  3. Implement strong access controls. Only authorised identities should be able to reach your data in the cloud, and each should have no more access than its task requires.
  4. Understand the regulations governing data in your region and ensure your cloud service provider complies. This is particularly important if your data resides outside its original jurisdiction.
  5. Ensure you meet any regulatory or industry-specific standards for data protection, such as GDPR (personal data of EU residents), PCI DSS (payment card data) or HIPAA (US health data).
 
