Cloud computing, which delivers information technology services over the internet, has become a must for businesses and governments seeking to accelerate innovation and collaboration. Cloud security, in turn, involves the procedures and technology that secure cloud computing environments against external and insider cybersecurity threats.
According to "The NIST Definition of Cloud Computing" (Special Publication 800–145):
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.
This article introduces the basics of cloud security and how it differs from existing security architecture.
Conventional IT security has undergone an immense evolution due to the shift to cloud computing. While cloud models allow for more convenience and always-on connectivity, they require new considerations to keep them secure. As a modernized cybersecurity solution, cloud security stands out from conventional IT models in a few ways.
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Capabilities are available over the network and accessed through standard mechanisms that promote heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). As a result, resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Most cloud providers try to build a secure cloud for customers; their business model hinges on preventing breaches and maintaining public and customer trust. Cloud service providers (CSPs) can avoid cloud security issues within their own service, but they can't control how customers use the service, such as what data they add to it and who has access.
In each public cloud service type, the cloud provider and cloud customer share different levels of responsibility for security. By service type, these are:
Within all public cloud services, customers are responsible for securing their data and controlling who can access that data. Therefore, data security in cloud computing is fundamental to successfully adopting and getting the advantages of the cloud.
Cloud service providers' responsibility — CSPs are responsible for protecting the infrastructure that runs all of the services offered in the Cloud. This infrastructure comprises the hardware, software, networking, and facilities that run the Cloud services.
The customer's responsibility — This will be determined by the Cloud service model that a customer selects. The model determines the amount of configuration the customer must do as part of their security responsibilities.
For example, organizations considering typical SaaS offerings like Microsoft Office 365 or Salesforce only need to plan how to fulfill their shared responsibility to protect data in the cloud.
For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and applying IAM tools for the appropriate permissions.
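The customer-side duties named above for an abstracted service (encryption options, asset classification, IAM permissions) can be checked mechanically. The following is an added example, not code from this article or from AWS: the `cfg` dictionary layout and the `data-classification` tag key are assumptions made for illustration, while the four public-access-block flag names and the policy JSON follow the S3 formats.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _is_wildcard(principal):
    """True if a policy Principal element matches every caller."""
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return principal == "*"

def audit_bucket(cfg):
    """Return findings for customer-owned controls; `cfg` layout is assumed."""
    findings = []
    # IAM: flag Allow statements open to any principal with no Condition at all.
    policy = json.loads(cfg.get("policy") or '{"Statement": []}')
    stmts = policy.get("Statement", [])
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        if (s.get("Effect") == "Allow" and not s.get("Condition")
                and _is_wildcard(s.get("Principal"))):
            findings.append(f"policy: statement {s.get('Sid', '?')} allows any principal")
    # Public access block: all four flags should be on.
    pab = cfg.get("public_access_block") or {}
    off = [f for f in PAB_FLAGS if not pab.get(f)]
    if off:
        findings.append("public-access-block: disabled " + ",".join(off))
    # Encryption option: a default server-side algorithm should be recorded.
    if not cfg.get("sse_algorithm"):
        findings.append("encryption: no default server-side encryption")
    # Asset classification: assumed tag key, not an AWS-defined one.
    if not (cfg.get("tags") or {}).get("data-classification"):
        findings.append("classification: missing data-classification tag")
    return findings

# Constructed sample configurations (not real buckets or accounts).
OPEN_BUCKET = {
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True},
    "sse_algorithm": None, "tags": {}}
HARDENED_BUCKET = {
    "policy": json.dumps({"Version": "2012-10-17", "Statement": {
        "Sid": "AppRead", "Effect": "Allow", "Action": "s3:GetObject",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
        "Resource": "arn:aws:s3:::example-bucket/*"}}),
    "public_access_block": dict.fromkeys(PAB_FLAGS, True),
    "sse_algorithm": "aws:kms", "tags": {"data-classification": "internal"}}
```

`audit_bucket(OPEN_BUCKET)` returns four findings and `audit_bucket(HARDENED_BUCKET)` returns none. Wildcard statements that carry a `Condition` are skipped rather than evaluated, so they still need manual review.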
Alternatively, those considering IaaS offerings, like Amazon Web Services (AWS) or Microsoft Azure, require a more comprehensive plan that starts with:
Each of the above can also increase data security risk; it requires the customer to perform security configuration and management tasks. For instance, if customers deploy an Amazon EC2 instance, they are responsible for:
There are mainly four cloud deployment models. Each one is unique with its offerings, specifications, advantages, and security concerns.
By framing it from this perspective, we learn that cloud security varies based on the type of cloud model.
Introducing cloud technology has forced everyone to reevaluate cyber security. Your data and applications might be floating between local and remote systems — and always internet-accessible.
For example, if you access Google Docs on your smartphone or use Salesforce software to look after your customers, that data could be held anywhere. Therefore, protecting it becomes more difficult than when it was just a question of stopping unwanted users from gaining access to your network.
Unfortunately, malicious actors realize the value of cloud-based targets and increasingly investigate them for exploits. Furthermore, despite cloud providers holding many security roles on behalf of clients — they do not manage everything. All that leaves even non-technical users with the duty to self-educate on cloud security.
That said, you are not alone in cloud security responsibilities. Being aware of the scope of your security duties will help you stay safe.
Thank you for reading. May InfoSec be with you🖖.