Cloud Security

Subdecks (4)

Cards (149)

  • Models of Cloud Computing
    Platform as a Service (PaaS): It contains all services offered in IaaS with the addition of an operating system (the user manages that in IaaS).
    • Cloud Providers’ Responsibility: In Platform as a Service, a cloud provider offers infrastructure and platform. Customers can choose any platform as per their needs. The service provider is responsible for managing the infrastructure and platform.
    • Customer's Responsibility: Customers can install software as per their requirements.
  • Models of Cloud Computing
    Software as a Service (SaaS): It includes every service that is being provided in IaaS and PaaS.
    • Cloud Providers’ Responsibility: In SaaS, everything is managed by the cloud provider, including infrastructure, OS and software.
    • Customer's Responsibility: This model is used by customers who lack the technical skills to manage things themselves. They only pay and use the services without worrying about the underlying architecture.
  • Models of Cloud Computing
  • Cloud Deployment Models
    Public Cloud
    • In the public cloud, as the name suggests, resources provided by cloud providers are shared among multiple customers. Organisation A will use resources from the same hardware that offers services to any other organisation. Microsoft Azure and Amazon Web Services (AWS) are examples of public clouds. However, they also offer Virtual Private Cloud (VPC) services.
  • Cloud Deployment Models
    Private Cloud
    • In the private cloud, customers do not share the underlying resources (hardware and software) as in the public cloud; resources are dedicated to a single customer. Organisation A will get a virtual machine hosted on a system dedicated specifically to that customer.
  • Cloud Deployment Models
    Hybrid Cloud
    It is a combination of a public and private cloud. For example, Organisation A might want to use some private cloud resources (to host confidential data of the production system) but also want some public cloud (for testing of the applications/software) so that the production system does not crash during testing. 
    • Virtualisation: Virtualisation is the primary technology used in cloud computing that allows sharing of instances of an application or resources among multiple customers or users simultaneously.
    • Compute: Defined as the processing power customers require to run their applications and systems for data processing and carry out different tasks. In cloud computing, customers can get computing power from a combination of virtual machines hosted in the cloud environment. 
    • Storage: In cloud computing, we do not need to buy and maintain physical hard drives; instead, our data is stored in logical pools of physical storage on cloud provider premises, and we can scale up and scale down the resources as per needs.
    • Networking: As cloud computing is a system of computers/processes that are interconnected, maintaining a high-speed network connection is very important. The cloud provider is responsible for providing network connectivity to meet customer needs without disruption.
  • Data Classes:
    • Confidential data: Confidential data can be considered the most critical data any organisation can have. If exposed, it can damage an organisation’s reputation, and it even includes personally identifiable information.
    • Internal data: Internal data is information that, if exposed, causes moderate risk or harm to the company.
    • Public data: Public data is any information included on (or intended for) the public. There is no consequence if public data is leaked because it’s already meant for use by everyone. 
  • Cloud Data Lifecycle Major Steps: The data lifecycle is the sequence of steps that a particular piece of data goes through from its creation to its deletion.
    In today’s world, organisations store and use large amounts of data, including critical and sensitive data of the customers. Data on the cloud should be managed through its lifecycle to ensure its secure usage in every phase.
  • Security Aspects in Cloud Data Lifecycle
    Create/Update: The create phase is the initial phase of the data lifecycle. It includes the newly created data and data that is being freshly imported from other data sources. In this phase, the data owner should be defined, and categorisation or classification of data should be done.
  • Security Aspects in Cloud Data Lifecycle: Create/Update
    • Implementing SSL/TLS: Secure communication through SSL/TLS should be implemented so that it will be difficult for the attacker to listen to data transferred between the customer and the cloud provider.
    • Encryption: Data should be encrypted so that if data is exposed, the attacker cannot read it without decrypting it.
    • Secure connections: Secure connections and paths should be established for the data transfer so that the chance of a data breach is minimised (ensures data security in transit).
  • Security Aspects in Cloud Data Lifecycle
    Store: Data is processed based on its form (structured or unstructured) and stored in a container generally known as a database. Security aspects at this stage are as below:
    • Encryption: Data should be encrypted to protect data at rest.
    • Backup: Backup should be taken to prevent data loss; if data is lost, it can be restored from the available backups.
  • Security Aspects in Cloud Data Lifecycle
    Use: As we know, if data is encrypted, it must be decrypted to be used by the application. Security aspects include the following means:
    • Secure connections: Encrypted paths should be established before data transfer to ensure the confidentiality and integrity of data in transit.
    • Secure platform: A secure authentication mechanism should be used, protected from attacks and vulnerabilities.
  • Security Aspects in Cloud Data Lifecycle
    Use: As we know, if data is encrypted, it must be decrypted to be used by the application. Security aspects include the following means:
    • Restrict Permissions: Data owners should set strict permissions so that unauthorised persons cannot modify or process data.
    • Secure Virtualisation: Cloud computing relies on virtualisation, in which resources are shared among users. Cloud providers therefore need to ensure that one customer's data is not visible to other customers.
  • Security Aspects in Cloud Data Lifecycle
    Share: Share data within or outside the cloud infra; challenges include:
    • Jurisdiction: Regulatory mandates/restrictions of sharing data across specific locations/regions. 
    • Data Loss Prevention (DLP): Data Loss Prevention (DLP) helps to detect and prevent data breaches or unwanted destruction of sensitive data. It keeps sensitive data from being shared with unauthorised persons.
  • Security Aspects in Cloud Data Lifecycle
    Archive: Long-term storage of data and applications; security aspects include:
    • Encryption: Data should be encrypted before it is stored on cloud premises.
    • Physical Security: It demands that the storage servers are physically secured and prevented from unauthorised access through biometrics, CCTV, etc.
    • Location: Reflects the physical location where data will be stored. Environmental factors such as natural disasters, climate, etc., can pose risks, and jurisdictional aspects (local and national laws) are key factors at this stage.
  • Security Aspects in Cloud Data Lifecycle
    Archive: Long-term storage of data and applications; security aspects include:
    • Backup Procedure: How will data be recovered when required, and how often will full/incremental backups be carried out?
  • Security Aspects in Cloud Data Lifecycle
    Destroy: Data should be destroyed once it is of no use so that it cannot be misused by any user (intentionally or unintentionally). Crypto shredding is a process in which encrypted data is rendered useless by destroying the cryptographic keys (without keys, data cannot be decrypted).
  • Security Issues in the Cloud & its Solution
    • Data confidentiality: When the data is hosted in the cloud, its privacy is at risk. As users have no physical access to their data once it has been outsourced, they don’t know how the confidentiality of their data is being maintained. Cloud service providers can examine the data of the users without detection.
  • Security Issues in the Cloud & its Solution
    • Virtualisation issues: Virtualisation allows resources to be shared among users. We need a mechanism to ensure isolation and secure communication between VMs. Users are not isolated in a multitenant environment, so one user can examine the data of another user.
    • Insecure interfaces and APIs: Cloud services are managed by the customers with the help of software or APIs. So vulnerable software or APIs can be risky, putting data or customer confidentiality and integrity at risk.
  • Security Issues in the Cloud & its Solution
    • Malicious insiders: Some malicious insiders can cause the data breach of other clients. Taking advantage of shared technology vulnerabilities, these insiders can leak the data of other users or exploit security weaknesses, thus causing security threats to the other customers on the cloud.
    • Account or service hijacking: Several methods can cause account or service hijacking. These include phishing frauds, vulnerability exploitation and password reuse among users.
  • Security Issues in the Cloud & its Solution
    • Access Control Mechanism (ACM): In a cloud computing environment, users and cloud servers are not in the same domain. Enforcing efficient and reliable access to information is critical when data is outsourced to the cloud. An unauthorised person can gain access to the data due to a lack of access control rights.
  • Cloud Computing Risks:
  • Cloud Risks:
    Private Cloud:
    • Personnel threats: This includes both unintentional and intentional threats. Customers have no control over the provider’s data centre and administrators. Any insider can cause damage to customers’ data (either intentionally or unintentionally).
    • Natural disasters: Private cloud is vulnerable to natural disasters.
    • External attacks: Multiple attacks, such as unauthorised access, Man-in-the-middle attacks, and Distributed Denial of Service, can compromise the user’s data.
  • Cloud Risks
    Public Cloud
    • Vendor Lock-In: The customer becomes dependent on the service provider in the public cloud. It becomes nearly impossible for the customer to move the data out of the cloud infra before the end of the contract term; thereby, the customer becomes the hostage of the provider.
    • Threat of new entrants: Your cloud provider may provide services to your competitor in the public cloud.
  • Cloud Risks
    Public Cloud
    • Escalation of Privilege: In the public cloud, authorised users may try to acquire unauthorised permissions. A user who gains illicit administrative access may be able to gain control of devices that process other customers’ data.
  • Cloud Risks:
    Community Cloud: Computing & storage infrastructure is shared between a specific community or organisation members. Some risks include:
    • Vulnerability: In a community cloud, any node may have vulnerabilities, which can also cause intrusions on the other nodes. Also, in a community cloud, configuration management and baselines are almost impossible (and very difficult to enforce).
    • Policy and administration: It is challenging to enforce decisions and procedures in the community cloud, posing a severe challenge and threat.
  • Access management is an important feature that ensures that the “right people” do the “right job” within the “right set of permissions”. Access management has a critical role in cloud security because data is stored over the internet, which is inherently insecure due to a plethora of cyber-attacks.
  • Access Management:
    • Create Identities: Cloud infrastructure creates “digital identities” that can relate to a person, user, API or service. An entity is a set of properties that can be recorded.
    • Authentication Factors: Each identity is allocated a specific set of characteristics that is unique to that particular identity and helps to distinguish it from other identities. If they are matched, then the essence of that user is confirmed. These characteristics are called “Authentication Factors”, which include: username, password, PIN, biometric, certificate, FaceID, etc.
  • Access Management
    • Roles: Each identity has a specific role which defines the domain under which that particular identity functions. 
  • In a typical cloud environment, there are the following types of policies:
    • Identity-based Policies: Attached to identities and grant permissions.
    • Resource-based Policies: These are implemented on resources (data & services) and define who is authorised to access that resource.
    • Session-based Policies: These temporary policies allow access to specific resources for a particular time.
  • Another method of ensuring cloud security is through enforcing policies & permissions. Policies are a set of guidelines and controls which attach to identities and define permissions. Whenever an identity requests any service, the cloud infrastructure evaluates the permissions defined in the policy to determine whether the request should be allowed or denied.
  • Network security
    • Layer 1 – Network Security through Security Groups: Security groups are the most fundamental aspect of maintaining network security in cloud infrastructure. In simple terms, security groups are a set of “allow rules” that allow specific traffic. Contrary to traditional firewalls, security groups do not have “deny rules”. The absence of any “allow rule” for particular traffic means it is denied. So we can say that security groups operate on the principle of “deny all unless allowed explicitly”.
  • Network security
    • Layer 2 – Network Security through Network Access Control Lists (NACLs): The concept of NACL is related to protecting the Virtual Private Cloud (VPC). NACLs are used to create rules to protect specific instances of VPC. NACLs are different from Security Groups in that NACLs contain "deny rules" as well; e.g. we may make a rule to block a particular IP address from accessing the VPC.
  • Network security
    • Layer 3 – Vendor Specific Security Solutions: Cloud computing service providers are also well aware of the inherent weaknesses & cyber-attacks that can target their infrastructure. So they have deployed their specific security solutions. These solutions vary from vendor to vendor, e.g. AWS has both DNS Firewall and Network Firewall.
  • Storage security in a cloud environment aims to ensure that data remains safe while at rest and in transit during the various phases of the data lifecycle. The following approaches provide cloud storage protection:
    • Create Geographical Boundaries: Define geographical regions and set policies permitting data access.
    • Set Role-based Authorisation: Create identities and assign roles to access a particular data set per the rights and privileges.
    • Data Encryption: Almost all cloud service providers allow data encryption at rest. With this approach, server-side encryption is applied to data.
  • Important Aspects: For any storage (file, database, etc.), the following aspects are of utmost importance:
    • The database connection string, which contains the hostname, username and password, must be used through secure means.
    • Access security policy.
    • Data encryption standards.
    • Physical security measures by the cloud service provider.
  • Disaster Recovery (DR) & Backup
    • Cloud is considered an excellent source for establishing Disaster Recovery and Backup sites. In cloud computing environments, there is a well-known term, Cloud Disaster Recovery (CDR): a combination of approaches, tools & techniques that ensures backup of data, resources and other applications on cloud infrastructure. In case of any disaster, cloud service providers provide backups of on-premises environments to ensure the regular continuity of business operations.
    • Cold DR: This is the most straightforward and inexpensive approach but has the largest RTO (Recovery Time Objective). It entails storing data and saving images & snapshots of machines. All snapshots must be recovered to resume business operations in a disaster situation.