Cloud Security framework• The Cloud Security Alliance (CSA) is a nonprofit organization that promotes research into best practices for securing Cloud Computing technologies. The industry group also provides security education and guidance to companies implementing cloud computing and helps vendors address security in their software delivery models.• The CSA leads a number of initiatives through which it provides white papers, tools and reports to help companies and vendors secure Cloud Computing services. For example, it provides a toolkit for assessing private and public clouds against industry-established security best practices.
Cloud provider’s responsibilities (1/2)• Physical Security – Security of the building – Keycard, round-the-clock surveillance – Authorization of personnel – Background checking• Operating system security – Utilization of a hardened operating system – An intrusion detection system – The minimum number of user accounts possible – Controls to limit administrator access to named accounts – Strong/ complex access passwords – No publicly accessible network accessible services – Hardened systems running only the necessary programs, services, and drivers
Cloud provider’s responsibilities (2/2)• Hypervisor security – Protects the hypervisor from malware and rootkits installing themselves below the operating system – Protects the hypervisor management network from unauthorized access – Ensures compliance with security policies for protecting the hypervisor from network attack – Validates the secure configuration of hypervisor network services – Use policy driven configuration for protection of the hypervisor network• Network security – Network security consists of the policies and procedures adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources – These include perimeter controls, controls to limit network access, and lists to regulate access control
Cloud customer’s responsibilities (1/3)• Firewalls – Hardware Firewalls, which are frequently built into broadband routers network of the Cloud provider. They tend to protect all the machines on the local network. Users should learn the specific features of the firewall to ensure it is configured correctly to guarantee optimum performance. – Software Firewalls, unlike hardware firewalls that protect the entire network, are installed on individual machines and protect only the particular machine within which they are installed. Software firewalls focus on averting the possibility that a third party will gain access or control of the device. Because of the virtual nature of servers in a Cloud Computing scenario, typically software firewalls are the method best suited to protect a customer’s virtual machine.
Cloud customer’s responsibilities (2/3)• Patches and backup – Patching software on individual devices with the latest version is important as software vendors generally roll out patches frequently to respond to security threats. – Generally backing up involves the copying of data from the primary location to some other locations so that, in the event of a loss, data can be restored rapidly.• Passwords – Often passwords are the weakest link in the security chain. There is little point in investing millions of dollars in security checks, firewalls, etc. only to have security breached by an insecure password. – Other element of password safety include : • Complexity - avoid passwords that are easily guessed • Expiration – Passwords should have an expiration date • Differentiation / Federation – Users should chose different passwords for different services. • History – Users shouldn’t be able to select a password that is the same as their previous few passwords.
Cloud customer’s responsibilities (3/3)• Virtual machine security – The use of encryption for communication – The checking of file integrity – The use of Audit Logging – The use of data encryption techniques (File/DB)• Access devices security – Physical Security – locking your desktop/laptop with a physical cable lock – The use of password protected screen savers – Rationalized access (often called Role Based Access) ensures that users are granted the minimum access needed to perform their jobs – Administrators should ideally have the ability to remotely wipe stored passwords, bookmarks and other potentially sensitive information – Taking security of Smart Phones, Tablet, and Notepads into account.• Staff – All potential employees should undergo a rigorous security check designed to weed out any personnel who may cause a security threat. Employees should continue to be monitored over time to ensure that this particular vector for security breaches remains watertight.