New Era: Cloud Applications Concept and Security
This article is about Cloud Security Concept.
Many of us hear about cloud computing in our daily life, so what are these cloud computing concepts? What has changed against the traditional IT architecture and why has such a need arisen? In this article, I will briefly share an overview of this subject.
Fifteen, or even 10, years ago, suggesting that organizations hand off their data and operations to a third party that is geographically distant and run by people that most managers in the organization will never meet would have seemed absurd, especially from a security perspective.
Key Benefits of using the Cloud
Elasticity: The cloud provider uses virtualization to flexibly allocate only the needed usage of each resource to the organization, thus holding down costs while maintaining profitability. This also allows users to access their data from diverse platforms and locations, increasing portability, accessibility, and availability.
Simplicity: Proper cloud implementations allow a user to seamlessly use the service without frequently interacting with the cloud service provider.
Scalability: In general, increasing or reducing services can be more easily, quickly, and cost-effectively accomplished than in a non-cloud environment.
Cloud Computing Service Models
Cloud services are often offered in terms of three general models, based on what the vendor offers and the customer needs, and the responsibilities of each according to the service contract.
These models are infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
Cloud Deployment Models
Cloud environments are deployment models in which one or more cloud services create a system for the end-users and organizations. These segments the management responsibilities — including security — between clients and providers.
The currently used cloud environments are:
Public cloud environments are composed of multi-tenant cloud services where a client shares a provider’s servers with other clients, like an office building or co-working space. These are third-party services run by the provider to give clients access via the web.
Private third-party cloud environments are based on the use of a cloud service that provides the client with exclusive use of their own cloud. These single-tenant environments are normally owned, managed, and operated offsite by an external provider.
Private in-house cloud environments are also composed of single-tenant cloud service servers but operated from their own private data center. In this case, this cloud environment is run by the business themselves to allow full configuration and setup of every element.
Multi-cloud environments include the use of two or more cloud services from separate providers. These can be any blend of public and/or private cloud services.
Hybrid cloud environments consist of using a blend of private third-party cloud and/or onsite private cloud data centers with one or more public clouds.
How does cloud security work?
Every cloud security measure works to accomplish one or more of the following:
- Enable data recovery in case of data loss
- Protect storage and networks against malicious data theft
- Deter human error or negligence that causes data leaks
- Reduce the impact of any data or system compromise
Data security is an aspect of cloud security that involves the technical end of threat prevention. Tools and technologies allow providers and clients to insert barriers between the access and visibility of sensitive data. Among these, encryption is one of the most powerful tools available. Data motion protections like virtual private networks (VPNs) are also emphasized in cloud networks.
Identity and access management (IAM) pertains to the accessibility privileges offered to user accounts. Managing authentication and authorization of user accounts also apply here. Access controls are pivotal to restrict users — both legitimate and malicious — from entering and compromising sensitive data and systems.
Governance focuses on policies for threat prevention, detection, and mitigation. With SMB and enterprises, aspects like threat intel can help with tracking and prioritizing threats to keep essential systems guarded carefully. However, even individual cloud clients could benefit from valuing safe user behavior policies and training. These apply mostly in organizational environments, but rules for safe use and response to threats can be helpful to any user.
Data retention (DR) and business continuity (BC) planning involve technical disaster recovery measures in case of data loss. Central to any DR and BC plan are methods for data redundancy such as backups. Additionally, having technical systems for ensuring uninterrupted operations can help. Frameworks for testing the validity of backups and detailed employee recovery instructions are just as valuable for a thorough BC plan.
Legal compliance revolves around protecting user privacy as set by legislative bodies. Governments have taken up the importance of protecting private user information from being exploited for profit. As such, organizations must follow regulations to abide by these policies. One approach is the use of data masking, which obscures identity within data via encryption methods.
What are the Principal Cloud Computing Security Considerations?
Lack of Visibility & Shadow IT
Cloud computing makes it easy for anyone to subscribe to a SaaS application or even to spin up new instances and environments. Users should adhere to strong acceptable use policies for obtaining authorization for, and for subscribing to, new cloud services or creating new instances.
Lack of Control
Leasing a public cloud service means an organization does not have ownership of the hardware, applications, or software on which the cloud services run. Ensure that you understand the cloud vendor’s approach to these assets.
Transmitting & Receiving Data
Cloud applications often integrate and interface with other services, databases, and applications. This is typically achieved through an application programming interface (API). It’s vital to understand the applications and people who have access to API data and to encrypt any sensitive information.
Embedded/Default Credentials & Secrets
Cloud applications may contain embedded and/or default credentials. Default credentials post an increased risk as they may be guessable by attackers. Organizations need to manage these credentials as they would other types of privileged credentials.
Incompatibilities
IT tools architected for on-premise environments or one type of cloud are frequently incompatible with other cloud environments. Incompatibilities can translate into visibility and control gaps that expose organizations to risk from misconfigurations, vulnerabilities, data leaks, excessive privileged access, and compliance issues.
Multitenancy
Multitenancy is the backbone for many of the cloud benefits of shared resources (e.g., lower cost, flexibility, etc.), but it also introduces concerns about data isolation and data privacy.
Scalability Cuts Both Ways
Automation and rapid scalability are chief benefits of cloud computing, but the flip side is that vulnerabilities, misconfigurations, and other security issues (such as sharing of secrets–APIs, privileged credentials, SSH keys, etc.) can also proliferate at speed and scale. For example, cloud administrator consoles enable users to swiftly provision, configure, manage and delete servers at a massive scale. However, each of these virtual machines are born with their own set of privileges and privileged accounts, which need to be properly onboarded and managed.
Malware & External Attackers
Attackers can make a living by exploiting cloud vulnerabilities. Rapid detection and a multi-layered security approach (firewalls, data encryption, vulnerability management, threat analytics, identity management, etc.) will help you to reduce risk, while leaving you better poised to respond to withstand an attack.
Insider Threats — Privileges
Insider-related threats (either through negligence or malevolence), generally take the longest to detect and resolve, with the potential to be the most harmful. A strong identity and access management framework along with effective privilege management tools are essential to eliminating these threats, and reducing the damage (such as by preventing lateral movement and privilege escalation) when they do occur.
How to Secure the Cloud
Strategy & Policy
A holistic cloud security program should account for ownership and accountability (internal/external) of cloud security risks, gaps in protection/compliance, and identify controls needed to mature security and reach the desired end state.
Network Segmentation
In multi-tenant environments, assess what segmentation is in place between your resources and those of other customers, as well as between your own instances. Leverage a zone approach to isolate instances, containers, applications, and full systems from each other when possible.
Identity and Access Management and Privileged Access Management
Leverage robust identity management and authentication processes to ensure only authorized users have access to the cloud environment, applications, and data. Enforce least privilege to restrict privileged access and to harden cloud resources (for instance, only expose resources to the Internet as is necessary, and de-activate unneeded capabilities/features/access). Ensure privileges are role-based, and that privileged access is audited and recorded via session monitoring.
Discover and Onboard Cloud Instances and Assets
Once cloud instances, services, and assets are discovered and grouped, bring them under management (i.e. managing and cycling passwords, etc.). Discovery and onboarding should be automated as much as possible to eliminate shadow IT.
Password Control (Privileged and Non-Privileged Passwords)
Never allow the use of shared passwords. Combine passwords with other authentication systems for sensitive areas. Ensure password management best practices.
Vulnerability Management
Regularly perform vulnerability scans and security audits, and patch known vulnerabilities.
Encryption
Encryption will be used to protect data at rest, in transit, and in use. Encryption will be used on the remote user endpoint to create the secure communication connection, within the cloud customer’s enterprise environment to protect their own data, and within the data center by the cloud provider to ensure various cloud customers don’t accidentally access each other’s data.
Realistically, without encryption it would be impossible to use the cloud in any secure fashion.
Disaster Recovery
Be aware of the data backup, retention, and recovery policies and processes for your cloud vendor(s). Do they meet your internal standards? Do you have break-glass strategies and solutions in place?
Monitoring, Alerting, and Reporting
Implement continual security and user activity monitoring across all environments and instances. Try to integrate and centralize data from your cloud provider (if available) with data from in-house and other vendor solutions, so you have a holistic picture of what is happening in your environment.
Resources:
https://www.kaspersky.com/resource-center/definitions/what-is-cloud-security
https://www.beyondtrust.com/resources/glossary/cloud-security-cloud-computing-security
