Cloud Security 101 by@z3nch4n

Cloud Security 101

image
Zen Chan HackerNoon profile picture

Zen Chan

Interested in Infosec & Biohacking. Security Architect by profession. Love reading and running.

Introduction of five essential characteristics, three service models, and four deployment models of Cloud Security

Cloud computing, which delivers information technology services over the internet, has grown a must for businesses and governments seeking to accelerate innovation and collaboration. On the other hand, Cloud security involves the procedures and technology that secure cloud computing environments against external and insider cybersecurity threats.

According to "The NIST Definition of Cloud Computing" (Special Publication 800–145):

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

This article will introduce the basics of Cloud Security and the differences with existing security architecture.

What Makes Cloud Security Needs Special Attention?

Conventional IT security has undergone an immense evolution due to the shift to cloud computing. While cloud models allow for more convenience and always-on connectivity, it requires new considerations to keep them secure. However, as a modernized cybersecurity solution, cloud security stands out from conventional IT models in a few ways.

On-demand Self-service

A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

Broad Network Access

Capabilities are available over the network and accessed through standard mechanisms that promote heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

Resource Pooling

The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Rapid Elasticity

Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured Service

Cloud systems automatically control and optimize resource use by leveraging a metering capability1 at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). As a result, resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Segmentation of Cloud Security Responsibilities

Most cloud providers try to build a secure cloud for customers. However, their business model hinges on preventing breaches and maintaining public and customer trust. Cloud service providers (CSPs) can avoid cloud security issues with their service but can't control how customers use the service, such as what data they add to it and who has access.

In each public cloud service type, the cloud provider and cloud customer share different levels of responsibility for security. By service type, these are:

  • Software-as-a-service (SaaS) — Customers are responsible for securing their data and user access.
  • Platform-as-a-service (PaaS) — Customers are responsible for securing their data, user access, and applications.
  • Infrastructure-as-a-service (IaaS) — Customers are responsible for securing their data, user access, applications, operating systems, and virtual network traffic.

The Concept of Shared Responsibilities

image

Within all public cloud services, customers are responsible for securing their data and controlling who can access that data. Therefore, data security in cloud computing is fundamental to successfully adopting and getting the advantages of the cloud.

Cloud service providers' responsibility — CSPs are responsible for protecting the infrastructure that runs all of the services offered in the Cloud. This infrastructure comprises the hardware, software, networking, and facilities that run the Cloud services.

The customer's responsibility —will be determined by the Cloud service model that a customer selects. This determines the amount of configuration the customer must do as part of their security responsibilities.

For example, organizations considering typical SaaS offerings like Microsoft Office 365 or Salesforce only need to plan how to fulfill their shared responsibility to protect data in the cloud.

For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and applying IAM tools for the appropriate permissions.

Alternatively, those considering IaaS offerings, like Amazon Web Services (AWS) or Microsoft Azure, require a more comprehensive plan that starts with:

  • data and covers cloud app security,
  • operating systems, and
  • virtual network traffic.

Each of the above can also increase data security risk; it requires the customer to perform security configuration and management tasks. For instance, if customers deploy an Amazon EC2 instance, they are responsible for:

  • the management of the guest operating system (including updates and security patches),
  • any application software or utilities installed by the customer on the instances, and
  • the configuration of the AWS-provided firewall (called a security group) on each instance.

Where is Your Cloud?

There are mainly four cloud deployment models. Each one is unique with its offerings, specifications, advantages, and security concerns.

  • Public cloud environments are composed of multi-tenant cloud services where a client shares a provider's servers with other clients, like an office building or coworking space. These are third-party services run by the provider to give clients access via the web.
  • Private third-party cloud environments are based on a cloud service that provides the client with exclusive use of their cloud. These single-tenant environments usually are owned, managed, and operated offsite by an external provider.
  • Private in-house cloud environments are also composed of single-tenant cloud service servers but operated from their own data center. In this case, the business runs this cloud environment to allow complete configuration and setup of every element.
  • Multi-cloud environments include the use of two or more cloud services from separate providers. These can be any blend of public and private cloud services.
  • Hybrid cloud environments use a mix of private third-party cloud and onsite private data centers with one or more public clouds.

By framing it from this perspective, we learn that cloud security varies based on the type of cloud models.

Final Words

Introducing cloud technology has forced everyone to reevaluate cyber security. Your data and applications might be floating between local and remote systems — and always internet-accessible.

For example, if you access Google Docs on your smartphone or use Salesforce software to look after your customers, that data could be held anywhere. Therefore, protecting it becomes more difficult than when it was just a question of stopping unwanted users from gaining access to your network.

Unfortunately, malicious actors realize the value of cloud-based targets and increasingly investigate them for exploits. Furthermore, despite cloud providers holding many security roles on behalf of clients — they do not manage everything. All that leaves even non-technical users with the duty to self-educate on cloud security.

That said, you are not alone in cloud security responsibilities. Being aware of the scope of your security duties will help to stay safe.

Thank you for reading. May InfoSec be with you🖖.



Tags