How to Get Started with Cloud Security
What is Cloud Computing?
Cloud computing is the delivery of on-demand computing services over the internet or a dedicated network. Its infrastructure is a pool of hardware or software elements such as servers, data storage, software, and networking. It offers many advantages, including but not limited to:
- Cost-saving: Storage, processing capability, etc. are outsourced, which benefits the business by reducing the initial capital expenditure. Most organizations run their applications on the cloud because it provides scalability: computing resources can be scaled up or down as required, which ultimately limits cost.
- Outsourcing of maintenance and updating function: The critical function of updating and upgrading the cloud-based application falls to the application vendor, which relieves the organization from worrying about keeping it up to date.
- Mobility: It allows the users to access the cloud-based assets anytime and anywhere as long as internet connectivity is there.
- Backup and Disaster Recovery: Data loss has become a significant concern for organizations across the globe as many of them rely on traditional settings that have a risk of hard drive failures or getting corrupted, natural disasters hitting the data center, etc. If data is stored in the cloud, it remains accessible even in case of an adverse event.
Service Models of Cloud Computing:
Cloud service providers offer three different kinds of cloud computing models, where different services are provided according to the business requirement. Choosing among them requires understanding the architecture proposed by these cloud models, evaluating the business's requirements, and determining how the selected model can accomplish its intended objectives. The three categories of service models are as follows: (Refer: Module 2 (Part 2.4), CCSK (Certificate of Cloud Security Knowledge))
- Software as a Service (SaaS): SaaS provides user access to software applications over the internet using cloud services. The whole application runs on systems that are unknown to the user, who simply uses it. These applications are managed not by the organization but by the software provider. This relieves the organization from software maintenance, upgrades, and other operational issues related to the infrastructure.
- Platform as a Service (PaaS): PaaS provides all the necessary hardware and software components required to build cloud-based applications. It offers a computing platform, including web-based tools, programming languages, applications, etc. Users can develop, test, and manage the applications. The platform provider manages the entire resources offered.
- Infrastructure as a Service (IaaS): It offers a standardized way of acquiring computing capabilities on demand and over the web. It virtually provisions computing resources over the cloud. An IaaS cloud provider can provide storage, container security tools, and networking hardware alongside maintenance and support.
Different Cloud Deployment Models:
Cloud deployment models are used based on business requirements. They offer varying levels of flexibility, management, and security. (Refer: Module 2 (Part 2.5), CCSK (Certificate of Cloud Security Knowledge))
There are four kinds of deployment models:
- Public Cloud: It is a type of hosting where services are rendered by third-party providers over a network open for public use. In this model, a vendor provides hardware, software, and network devices that are shared with other clients of the same provider. The public cloud is available to the general public, and data is created and stored on third-party servers.
The advantages of this model include high scalability, reduced cost, and burden-free infrastructure management. Its disadvantages include serious concerns such as data security, compromised reliability, and lack of customization. Some popular public cloud deployment model examples are Amazon Elastic Compute Cloud (Amazon EC2), Microsoft Azure, Google App Engine, and IBM Cloud.
- Private Cloud: It refers to a cloud deployment model operated exclusively for a single organization. The infrastructure is privately hosted and managed by the company itself, which benefits it by rendering direct control over its data. Private clouds permit only authorized users, providing the organization greater control over data and its security.
The advantages of this model include high security, privacy, and reliability. The disadvantage of this approach is the high capital expenditure required to develop an on-premises infrastructure. In addition, there is the cost of the resources required for day-to-day maintenance and operations.
Some popular private cloud service providers are Amazon, IBM, Cisco, and Red Hat.
- Community Cloud: It refers to a cloud deployment in which the setup of the cloud is shared among different organizations that belong to the same community or area with the same concern (security, compliance, etc.). If the organization has uniform security, privacy, and performance requirements, this multi-tenant data center architecture helps companies achieve their business-specific objectives. The advantages of this model include cost reduction, ease of data sharing, and collaboration. The shortcomings are the sharing of fixed storage and bandwidth capacity.
Some popular community cloud service providers are Amazon and IBM.
- Hybrid Cloud: This model encompasses the best features of public, private, and community cloud deployment models. It allows companies to blend and select what best suits their requirements.
For example, non-critical tasks such as development and test workloads can be done using a public cloud. In contrast, mission-critical tasks that are sensitive can be performed using a private cloud. The advantages of this model include cost reduction, improved security, and enhanced scalability. This model's disadvantage is that it is difficult to maintain compliance with security policies if critical and non-critical functions are not properly classified. Another issue with this model is compatibility across the infrastructure as it is built using mixed infrastructure levels.
Some popular community cloud service providers are Amazon, Rackspace, IBM, and Microsoft.
Cloud security refers to the broad set of policies, controls, procedures, and technologies that work together to protect cloud-based systems, data, and infrastructure. It creates and maintains preventative strategies and actions to combat any threat to networked systems and applications. It is a sub-domain of information security.
It is a joint responsibility between the business owner and the cloud service provider. The cloud user implements the cloud security strategy to protect the data, protect the customer's privacy, and adhere to regulatory compliance. (Refer: Modules 8, 11, 12 & 13, CCSK (Certificate of Cloud Security Knowledge))
Information Security in Cloud Computing:
A widely established set of strategies and tools can be used to achieve confidentiality and integrity of information stored in the cloud. These measures include, but are not limited to:
- Encryption: It is a way of scrambling data so that only authorized parties can understand the information. Unencrypted data is exposed to any number of malicious actions, including leakage, sale, or use in carrying out further attacks. Encrypted data is nearly impossible to decipher without a decryption key that only the authorized employees in the company have access to. In this way, encryption helps prevent data leakage and exposure, even when other security measures fail.
Data can be encrypted both at rest and in transit. Additionally, data should be encrypted when stored in a database or via a cloud storage service.
- Identity and access management (IAM): This tool tracks who a user is and what they are allowed to do. It authorizes users and denies access to unauthorized users as necessary. An IAM combines multi-factor authentication and user access policies, helping a company better control their applications and data. The right IAM solution will help mitigate several kinds of attacks, including account takeover and insider attacks.
- Physical Security: It is a mixture of security measures to prevent direct access to, and disruption of, hardware housed in the cloud provider's data center. Cloud service providers physically secure the IT hardware (servers, routers, etc.) against unauthorized access, interference, theft, fires, floods, etc. and ensure that essential supplies are sufficiently robust to minimize disruption. It includes controlling direct access with security doors, fire protection, uninterrupted power supplies, alarms, CCTV, monitoring critical parameters, particle filtering, and more.
- Firewall: A cloud firewall provides a layer of protection around cloud assets by blocking malicious web traffic. It is hosted in the cloud and forms a virtual security barrier around cloud infrastructure. Most web application firewalls fall into this category.
Today, cloud service providers offer the functionality of both traditional and next-generation firewalls. Traditional firewall capabilities include packet filtering, stateful inspection, proxying, port blocking, and domain name blocking. A next-generation firewall adds the capabilities of an intrusion prevention system, deep packet inspection, and analysis of encrypted traffic to provide comprehensive threat detection and prevention.
A cloud firewall blocks DDoS attacks, malicious bot activity, and vulnerability exploits. This lowers the chances of a cyber-attack crippling an organization's cloud infrastructure.
- Cloud Vulnerability and Penetration Testing: Scanning the cloud for potential weaknesses and exploits is important because, without a hardened environment, the service is considered a soft target. The resultant vulnerabilities can then be treated by implementing security solutions. Virtual servers should be hardened like physical servers against data leakage, malware, and exploited vulnerabilities. Scanning and penetration testing from inside or outside the cloud must be authorized by the cloud provider.
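The identity and access management item above describes authorizing known users, denying everyone else, and combining multi-factor authentication with access policies. The following is an added example, not code from the original article or from any cloud provider: a small policy evaluator in which an explicit deny always wins, a request with no matching allow is denied by default, and selected actions require MFA. The `Statement` and `Request` types, the action names, and the sample policy are all constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Statement:
    effect: str               # "allow" or "deny"
    principals: tuple         # user names, "*" wildcard allowed
    actions: tuple            # e.g. "storage:Get*"
    resources: tuple          # e.g. "bucket/reports/*"
    require_mfa: bool = False  # allow applies only to MFA-verified sessions


@dataclass(frozen=True)
class Request:
    principal: str
    action: str
    resource: str
    mfa_verified: bool = False


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, req):
    """Return (decision, reason). Explicit deny wins; no match means deny."""
    applicable = [s for s in policy
                  if _matches(s.principals, req.principal)
                  and _matches(s.actions, req.action)
                  and _matches(s.resources, req.resource)]
    if any(s.effect == "deny" for s in applicable):
        return ("deny", "explicit deny")
    allows = [s for s in applicable if s.effect == "allow"]
    if not allows:
        return ("deny", "default deny")
    if any(not s.require_mfa or req.mfa_verified for s in allows):
        return ("allow", "matched allow")
    return ("deny", "mfa required")


# Constructed sample policy: read access for two users, MFA-gated delete
# for one of them, and a blanket deny on the payroll folder.
POLICY = [
    Statement("allow", ("alice", "bob"), ("storage:Get*",), ("bucket/reports/*",)),
    Statement("allow", ("alice",), ("storage:Delete*",), ("bucket/reports/*",),
              require_mfa=True),
    Statement("deny", ("*",), ("storage:*",), ("bucket/reports/payroll/*",)),
]

if __name__ == "__main__":
    for r in [
        Request("alice", "storage:GetObject", "bucket/reports/q1.csv"),
        Request("alice", "storage:DeleteObject", "bucket/reports/q1.csv"),
        Request("alice", "storage:DeleteObject", "bucket/reports/q1.csv", True),
        Request("alice", "storage:GetObject", "bucket/reports/payroll/may.csv"),
        Request("mallory", "storage:GetObject", "bucket/reports/q1.csv"),
    ]:
        print(r.principal, r.action, r.resource, "->", evaluate(POLICY, r))
```

The MFA gate on destructive actions limits what a stolen password alone can do, and the default deny keeps an insider's reach to what was explicitly granted.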
Security Risks of Cloud Computing:
Cloud computing has changed the way companies store, use, and share data, workloads, and software. Cloud utilization has increased to such an extent that a greater mass of sensitive material is potentially at risk. The reliance on cloud services will increase in the coming years, as companies implement work from home to fight against the novel coronavirus pandemic. When a company moves to the cloud, a new set of risks, in addition to the existing ones, may significantly impact the business's reputation. The following are the unique security risks of cloud computing:
- Compliance violations: With increasing laws and regulations, staying compliant is becoming more and more difficult. An organization can quickly go into a state of non-compliance, which puts it at risk of serious consequences. Privacy mandates like GDPR, PCI-DSS, CCPA, and many more apply to cloud computing. If an organization handles PII (Personally Identifiable Information), moving to cloud computing could expose a compliance gap. If a breach occurs, the organization, not the cloud service provider, will ultimately be responsible for answering to the regulator, paying hefty fines, and suffering the reputational loss from the breach.
- Malware attacks: Cloud services can be an attack vector for unauthorized data transfer. Due to advancements in the cybersecurity field, attackers have found new ways to deliver malware into the internal network. Malware injection attacks are made to take control of a user's information in the cloud. If hackers successfully add an infected service implementation to a cloud solution, then a cloud user's request will be redirected to the hacker's program. This will initiate the execution of malicious code. Then the attacker can begin stealing data or eavesdropping. The most common forms of malware injection attacks are cross-site scripting attacks and SQL injection attacks.
- End-user control: Insiders can be more of a cyber threat to an organization than outside attackers, for the obvious reason that they are already inside. Companies are in the dark about how their employees are using cloud-based services. While most employees are trustworthy, it's always a good idea to have a clear understanding of who has access to certain files and documents.
- Contract breaches with customers or business partners: The control over the data is lost when the data is shifted to the cloud. Employees responsible should do due diligence while moving the data to the cloud as it may result in contract violations. Depending on business requirements, the transfer of data to the cloud is subject to certain contractual obligations that require permission from authorized authorities or business partners. The violation of these contracts results in severe penalties and loss of stakeholders' confidence.
- DoS (Denial of Service) attacks: It is an attack designed to prevent cloud computing services or resources from providing their normal services for a while. It over-saturates the capacity of the targeted device, resulting in a denial of service for authorized requests. These attacks make the service unavailable for a longer time, which may heavily impact the business. In some cases, DoS is also used to bring a particular service down in preparation for a more intense attack.
- Insecure APIs: APIs (Application Programming Interfaces) are intended to streamline cloud computing processes. An API assists developers by letting them interact with the service, and it makes it possible to automate a lot of tasks if embedded into the cloud system. But if APIs are left exposed, they can open new avenues for an attacker. Attackers can even exfiltrate the data. As organizations become more and more reliant on integrating APIs into cloud systems to connect and share data seamlessly, cybercriminals have found two common ways to use them for malicious purposes:
- Inadequate authentication: Developers sometimes build APIs without proper authentication. This opens up the interface to the internet, and anyone with malicious intent can use it to access the organization's systems and data.
- The exploitation due to increased use of Open Source Software: Most developers use component-based software development approaches. It benefits by offering reusability, which ultimately reduces software development time. They assimilate open source software into their code, leaving the applications vulnerable to supply chain attacks. Open-source software is easily downloadable from the internet and may contain contaminated code that an attacker can exploit to access enterprise systems and data.
- Loss of data: There are many ways in which the organization's critical data can be at risk if stored on cloud servers. Cloud servers are subject to natural disasters and malicious attacks. The loss of critical data has a catastrophic effect on the organization, especially if it does not have an operative response and recovery plan. This situation becomes even worse if the data gets into the wrong hands. The most critical step while selecting the appropriate cloud service provider is to review the service level agreement and the provider's backup procedures. A right-to-audit clause should be included in service level agreements (SLAs) to ensure that the provider is exercising due diligence and is complying with the policies. Any data breach would impact the organization as it is ultimately accountable.
- A decrease in customer trust: It is challenging for customers to trust an organization after a severe data breach hits the organization. These breaches reduce customer trust in the security of their data. It will inevitably lead to a loss of customers, which ultimately impacts the firm's revenue.
- Revenue losses: Cloud service outages frequently cause businesses to lose revenue. Customer satisfaction also declines, which can't be measured quantitatively but will result in a huge business impact. Organizations are sometimes too reliant on a cloud provider's ability to protect their data, a reliance that proves misplaced if appropriate policies are not in place at the service provider's end. More importantly, the policies should be enforced. Proper service level agreements should be in place, stating the needs or requirements of the business, and should be reviewed periodically.
Today, cloud computing is a buzzword as it offers businesses infinite opportunities. It allows an organization to operate at scale, lower their technology costs, and utilize agile systems that give them the competitive edge. Today organizations realize the many business benefits of moving their systems to the cloud.
However, it is crucial that organizations have confidence in cloud computing security and that all data, systems, and applications are protected from data exfiltration, leakage, and corruption. As the threat landscape is constantly changing and becoming more organized, the risk of using cloud computing is no less than that of the traditional on-premises environment.
Security measures configured in a cloud environment should ensure cloud data protection, comply with laws and regulations, and protect customers' privacy. The way cloud security will be implemented depends on the cloud provider or security solutions. Still, the enactment of cloud security processes should be a shared responsibility between the business owner and the solution provider.
Secure implementation of cloud architecture will permit the business to have a competitive edge and utilize the many benefits of cloud computing while being compliant with laws and ensuring data secrecy.
Cybrary revolutionizes the way cybersecurity training is imparted. It has converted the conventional methods into a constructivist approach. It offers a multitude of IT training courses online. Cybrary provides a lot of courses on cloud computing, ranging from beginner to advanced levels. Some of these courses can also help security professionals prepare for renowned certifications like CCSP (Certified Cloud Security Professional), CCSK (Certificate of Cloud Security Knowledge), and CompTIA Cloud+, to name a few. One of the popular courses designed by Cybrary and instructor James Leone is CCSK (Certificate of Cloud Security Knowledge), which provides learners with in-depth knowledge in the following areas:
- Cloud computing architecture
- Concept of cloud governance
- Compliance and audit management
- Laws and regulations associated with cloud computing
- Cloud & application security
Finally, this course benefits the learner by providing an understanding of secure cloud architecture, modern technologies, risks, legal issues, business continuity, etc. It also provides eligible continuing education credits (i.e., CEU/CPE hours) and a certificate upon successful completion of the course.