Cloud security best practices: part 1

One of cloud computing’s basic architectural features is multi-tenancy. Multi-tenancy simply means that underlying resources are shared among multiple tenants. A cloud provider offers customers nearly unlimited compute, network, and storage on a common infrastructure. Sharing resources is what allows providers to operate efficiently and offer much lower costs. The caveat for customers, of course, is that shared resources are not completely private.

Cloud users must adapt security policies and practices to multi-tenant environments. The concepts behind security remain the same regardless of where or how your vital data resides. Both in cloud and on-premises, the goal of security is essentially to “deter, detect, delay, and deny” malicious actors. As the CSA’s Security Guidance states:

The notion of how cloud services are deployed is often used interchangeably with where they are, which can lead to confusion. Public or private clouds may be described as external or internal, which may not be accurate in all situations. […] the notion of a well demarcated perimeter is an anachronistic concept for most organizations.

OSI Layer Review

The OSI model divides network architecture into 7 logical layers, from the physical devices at the bottom, through data links, routing, end-to-end transport, sessions (requests and responses), and data representation, up to the actual applications at the top.

Encapsulation

As information passes down through each layer, the information relevant to that layer is attached as a header — this process is commonly known as encapsulation. Encapsulation is how each layer communicates with its peer layer at the destination: the receiving side strips one header per layer and hands the remaining payload upward.
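The encapsulation step described above, as an added example that is not code from the original post: a Python walk-through that wraps application data in simplified link, network and transport headers and then unwraps them layer by layer. The header layouts, MAC/IP addresses, ports and message are all constructed for this example and are stand-ins for the real Ethernet, IPv4 and TCP formats, not the actual wire formats. The point to watch is that each layer inspects only its own header and drops the frame when its own fields do not match, which is where a per-layer control such as a filter or firewall gets its chance to deny traffic.

```python
"""Toy encapsulation/decapsulation across three OSI layers.

Constructed example: the header formats below are simplified stand-ins
for Ethernet (layer 2), IPv4 (layer 3) and TCP (layer 4). They keep the
layering visible but are NOT the real wire formats.
"""
import struct

# Simplified header layouts (constructed for this example).
LINK_FMT = "!6s6sH"        # dst MAC, src MAC, ethertype         -> 14 bytes
NETWORK_FMT = "!4s4sBH"    # dst IP, src IP, protocol, total len -> 11 bytes
TRANSPORT_FMT = "!HHH"     # dst port, src port, payload len     ->  6 bytes

ETHERTYPE_IPV4 = 0x0800    # real ethertype value for IPv4
PROTO_TCP = 6              # real IP protocol number for TCP

# Constructed sample addresses (locally administered MACs, private IPs).
SAMPLE_MAC_A = bytes.fromhex("020000000001")
SAMPLE_MAC_B = bytes.fromhex("020000000002")
SAMPLE_IP_A = bytes([10, 0, 0, 1])
SAMPLE_IP_B = bytes([10, 0, 0, 2])


def encapsulate(app_data, dst_port, src_port, dst_ip, src_ip, dst_mac, src_mac):
    """Wrap application data with one header per layer, from layer 4 down to layer 2."""
    # Layer 4: transport header + application payload = segment
    segment = struct.pack(TRANSPORT_FMT, dst_port, src_port, len(app_data)) + app_data
    # Layer 3: network header + segment = packet (length covers header + segment)
    packet = struct.pack(NETWORK_FMT, dst_ip, src_ip, PROTO_TCP,
                         struct.calcsize(NETWORK_FMT) + len(segment)) + segment
    # Layer 2: link header + packet = frame
    return struct.pack(LINK_FMT, dst_mac, src_mac, ETHERTYPE_IPV4) + packet


def decapsulate(frame, my_mac, my_ip):
    """Peel headers off layer by layer.

    Each layer reads only its own header, checks only its own fields, and
    either drops the data or hands the remaining payload to the layer above.
    Returns a dict with 'dropped_at' set to the layer that refused the data,
    or None plus the decoded fields when it reaches the application.
    """
    link_len = struct.calcsize(LINK_FMT)
    if len(frame) < link_len:
        return {"dropped_at": "link", "reason": "truncated frame"}
    dst_mac, src_mac, ethertype = struct.unpack(LINK_FMT, frame[:link_len])
    if dst_mac != my_mac:
        return {"dropped_at": "link", "reason": "not addressed to this interface"}
    if ethertype != ETHERTYPE_IPV4:
        return {"dropped_at": "link", "reason": "unsupported ethertype"}
    packet = frame[link_len:]            # layer 2 never looks past here

    net_len = struct.calcsize(NETWORK_FMT)
    if len(packet) < net_len:
        return {"dropped_at": "network", "reason": "truncated packet"}
    dst_ip, src_ip, proto, total_len = struct.unpack(NETWORK_FMT, packet[:net_len])
    if len(packet) < total_len:
        return {"dropped_at": "network", "reason": "length field exceeds packet"}
    if dst_ip != my_ip:
        return {"dropped_at": "network", "reason": "not addressed to this host"}
    if proto != PROTO_TCP:
        return {"dropped_at": "network", "reason": "unsupported protocol"}
    segment = packet[net_len:total_len]  # layer 3 hands only the segment upward

    tr_len = struct.calcsize(TRANSPORT_FMT)
    if len(segment) < tr_len:
        return {"dropped_at": "transport", "reason": "truncated segment"}
    dst_port, src_port, payload_len = struct.unpack(TRANSPORT_FMT, segment[:tr_len])
    app_data = segment[tr_len:tr_len + payload_len]
    if len(app_data) != payload_len:
        return {"dropped_at": "transport", "reason": "truncated payload"}

    return {"dropped_at": None, "src_mac": src_mac, "src_ip": src_ip,
            "src_port": src_port, "dst_port": dst_port, "app_data": app_data}


if __name__ == "__main__":
    frame = encapsulate(b"GET /status", 443, 51000,
                        SAMPLE_IP_B, SAMPLE_IP_A, SAMPLE_MAC_B, SAMPLE_MAC_A)
    print("frame bytes:", len(frame))
    print("delivered:", decapsulate(frame, SAMPLE_MAC_B, SAMPLE_IP_B))
    print("wrong host:", decapsulate(frame, SAMPLE_MAC_B, SAMPLE_IP_A))
```

Running the block shows the same frame accepted by the intended host and refused at the network layer by a host with a different address, without that host ever parsing the transport header or payload.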

To begin understanding cloud and network security, the “starting point should be understanding the OSI model.” See the excellent report from the SANS Institute, “Understanding Security Using the OSI Model.” Here are a few highlights from that paper about the OSI layers:

  • Good network administrators need to be security conscious in order to protect their organisation’s IT assets.
  • Each layer can communicate with only the layer above and below it.
  • Each layer is developed independently.
  • The OSI layers are 7 independent layers working cohesively.

Layer 0–3 Security: Strong Cloud Provider Security

From here on, for simplicity’s sake, we’ll assume all cloud computing is either purely public cloud or a public cloud-to-public cloud hybrid model. One of the key benefits of cloud computing is the ability to offload security concerns to the provider. Clearly this does not absolve users/customers of all security responsibility. A well-written service-level agreement (SLA) with a cloud vendor can replace the need for small organizations to spend a debilitating amount of money on facilities, physical networks, servers, systems, security people, and the costs of managing all of the layer 1–3 requirements.

Image: Cloud Security Alliance

The flip side of managed security on layers 1–3 is the need for up-front due diligence in selecting cloud vendors, as well as continuous security monitoring at higher OSI network layers. In the Shared Responsibility Model from Amazon, the provider does point out areas where they offer security services, but users must enable, monitor, and control those services. Security in cloud does require more involvement in reviewing terms and conditions, laws, standards, and regulations. All organizations using cloud should have a role internally for vetting vendors and reviewing contracts for how security measures fit with each customer’s use case.

As the paper from IDC notes, “there is a perception that the cloud takes away this control but not the corresponding accountability.” By now, a few studies have shown that cloud providers can offer even better security than enterprises. It is no surprise that a global leader can better secure massive data centers than hundreds of small businesses with a small server closet. Again from the IDC paper: “new cloud environments provide an opportunity to rethink, renew, and reinforce controls that are more likely to match the highly distributed, loosely coupled, component-oriented application architectures being developed today.”

Moving up the stack, technical teams can focus on security features they can control and access. “Most large data security breaches are the result of poor application security,” according to the CSA’s Security Guidance. Some of the best security advice? Defense in depth.

Next in part 2: Preventing exploits using defense in depth at each OSI network layer


Originally published at cohesive.net on May 25, 2017.