Cloud Security-Unit 4
By Dr. M Zunnun Khan
What is Cloud Security?
• Formal definition: Cloud Security is using effective guardrails to ensure company assets (data, application, infrastructure) using cloud services can function as expected and respond to unexpected threats.
What is Cloud Security?
• Cloud security is a set of control-based safeguards and technology protection designed to protect resources stored online from:
  • leakage,
  • theft,
  • data loss.
• Protection covers cloud infrastructure, applications, and data against threats.
• Security applications operate as software in the cloud using a Software as a Service (SaaS) model.
• The umbrella of security in the cloud includes:
  • Data center security
  • Access control
  • Threat prevention
  • Threat detection
  • Threat mitigation
  • Redundancy
  • Legal compliance
  • Cloud security policy
Benefits of a Cloud Security System?
• Cloud-based security systems benefit your business through:
  • Protecting your business from threats
  • Guarding against internal threats
  • Preventing data loss
Security On the Cloud - Design Principles
• Learn about the five best practice areas for security in the cloud:
  • Identity and Access Management
  • Detective Controls
  • Infrastructure Protection
  • Data Protection
  • Incident Response
• The security pillar includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
• The security pillar provides an overview of design principles, best practices, and questions.
Design Principles
• There are six design principles for security in the cloud:
• Implement a strong identity foundation:
  • Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources.
  • Centralize privilege management and reduce or even eliminate reliance on long-term credentials.
• Enable traceability:
  • Monitor, alert, and audit actions and changes to your environment in real time.
  • Integrate logs and metrics with systems to automatically respond and take action.
• Apply security at all layers:
  • Rather than just focusing on protecting a single outer layer, apply a defense-in-depth approach with other security controls.
  • Apply to all layers, for example, edge network, virtual private cloud (VPC), subnet, load balancer, every instance, operating system, and application.
• Automate security best practices:
  • Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost effectively.
  • Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates.
• Protect data in transit and at rest:
  • Classify your data into sensitivity levels and use mechanisms, such as encryption and tokenization, where appropriate.
  • Reduce or eliminate direct human access to data to reduce the risk of loss or modification.
• Prepare for security events:
  • Prepare for an incident by having an incident management process that aligns with your organizational requirements.
  • Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
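The "classify, then tokenize where appropriate" step of the data-protection principle, as an added example that is not from the slides or from any provider's SDK. The field names, sensitivity levels, sample order and the in-memory vault are constructed for illustration; a real deployment would put the vault behind a separate, tightly authorized service. Only the vault ever holds the raw confidential values; everything that is stored, logged or handled by people carries tokens instead, which is what "reduce direct human access to data" looks like in practice.

```python
"""Data classification with tokenization of the most sensitive fields.

Added example (not from the slides). Field names, sensitivity levels and
the sample record are constructed; the in-memory TokenVault stands in for
a real tokenization service.
"""
import secrets

# Constructed classification scheme: which fields carry which sensitivity.
CLASSIFICATION = {
    "product_id": "public",
    "order_total": "internal",
    "email": "confidential",
    "card_number": "confidential",
}
LEVELS = ["public", "internal", "confidential"]   # ordered, least to most sensitive


def classify_record(record: dict) -> str:
    """A record is as sensitive as its most sensitive field. Unknown fields
    are treated as confidential so a new column can never silently
    downgrade a record."""
    highest = 0
    for name in record:
        level = CLASSIFICATION.get(name, "confidential")
        highest = max(highest, LEVELS.index(level))
    return LEVELS[highest]


class TokenVault:
    """Maps random tokens to original values. Only the vault holds raw
    confidential data; every other system stores and moves tokens."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_urlsafe(16)   # random, not derived from value
        self._by_token[token] = value
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Narrow the set of callers that may reverse a token: here only the
        # (constructed) payment service; human roles get tokens only.
        if caller_role != "payment-service":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]


def can_detokenize(vault: TokenVault, token: str, caller_role: str) -> bool:
    """True if the role is permitted to reverse the token."""
    try:
        vault.detokenize(token, caller_role)
        return True
    except PermissionError:
        return False


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy safe to store or log: every confidential field is
    replaced by a token, other fields are kept as-is."""
    protected = {}
    for name, value in record.items():
        if CLASSIFICATION.get(name, "confidential") == "confidential":
            protected[name] = vault.tokenize(str(value))
        else:
            protected[name] = value
    return protected


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample order; the card number is a well-known test value.
    order = {"product_id": "SKU-42", "order_total": 19.99,
             "email": "alice@example.com", "card_number": "4111111111111111"}
    print(classify_record(order))
    stored = protect_record(order, vault)
    print(stored)                      # no raw email or card number present
    print(can_detokenize(vault, stored["card_number"], "analyst"))
```

Tokens are random rather than derived from the value, so two stores of the same card number yield unrelated tokens and nothing about the original can be recovered without the vault.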
CLOUD SECURITY REQUIREMENTS
• Storage and transmission, integrity, data consistency and availability, data backup and recovery, security tag, key management, remote platform attestation, authentication, access control
• Workload state integrity, guest OS integrity, zombie protection, denial of service attacks, malicious resource exhaustion, platform attacks
• Auditability, non-repudiation, access control
• Auditing, attack detection, access control, non-repudiation, privacy and integrity
• Physical security, data integrity, auditability, privacy
• Trust, privacy, data handling
• Individual-stakeholder's security: Not-proposed
• CSU experience and security: Not-proposed
• Privacy, integrity and non-repudiation
• Integrity, access control and attack/harm detection
Six simple cloud security policies
1. Secure cloud accounts and create groups
  • Ensure that the root account is secure.
  • To make daily administration easier and still adhere to cloud security policies, create an administrative group and assign rights to that group, rather than to the individual.
  • Create additional groups for fine-grained security that fits your organization.
  • Some users need read-only access, for example people or services that run reports.
  • Other users should be able to do some ops tasks, such as restart VMs, but not be able to modify VMs or their resources.
  • Cloud providers make roles available to users, and the cloud admin should research when and where to use them.
  • Do not modify existing roles, as this is a recipe for disaster: copy them instead.
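Policy 1 and the least-privilege design principle, worked through as an added example that is not from the slides or from any provider's SDK. The group names, action strings and the Allow/Deny statement shape are constructed in the style of cloud IAM policy documents: an admins group, a read-only reporting group, an ops group that may restart VMs but is explicitly denied modifying or destroying them, and a "copy the role instead of editing it" helper. The evaluator applies the usual cloud IAM rule: nothing is allowed by default and an explicit Deny beats any Allow.

```python
"""Least-privilege groups evaluated with a default-deny policy engine.

Added example, not from the slides. Group names, actions and the statement
format are constructed in the style of AWS IAM policy documents.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    effect: str                       # "Allow" or "Deny"
    actions: tuple[str, ...]          # e.g. "ec2:RebootInstances", "ec2:Describe*"
    resources: tuple[str, ...] = ("*",)


@dataclass(frozen=True)
class Group:
    name: str
    statements: tuple[Statement, ...]


def is_allowed(group: Group, action: str, resource: str = "*") -> bool:
    """Evaluate one request: denied unless some statement allows it, and an
    explicit Deny overrides every Allow."""
    allowed = False
    for st in group.statements:
        if not any(fnmatch.fnmatchcase(action, p) for p in st.actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in st.resources):
            continue
        if st.effect == "Deny":
            return False
        allowed = True
    return allowed


def derive_group(base: Group, name: str, extra: tuple[Statement, ...]) -> Group:
    """Copy a role instead of editing it: the base group is left untouched."""
    return Group(name, base.statements + extra)


def who_can(groups, action: str) -> list[str]:
    """Audit helper: names of the groups able to perform an action."""
    return [g.name for g in groups if is_allowed(g, action)]


# Constructed groups. Read-only covers the usual describe/list/get verbs.
READ_ONLY = (Statement("Allow", ("*:Describe*", "*:List*", "*:Get*")),)

ADMINS = Group("admins", (Statement("Allow", ("*",)),))
REPORTING = Group("reporting", READ_ONLY)
OPS = Group("ops", READ_ONLY + (
    Statement("Allow", ("ec2:StartInstances", "ec2:StopInstances",
                        "ec2:RebootInstances")),
    # Explicit deny: ops may bounce VMs but never change or destroy them,
    # even if a later statement accidentally grants something broader.
    Statement("Deny", ("ec2:Modify*", "ec2:Terminate*", "ec2:RunInstances")),
))

if __name__ == "__main__":
    for action in ("ec2:DescribeInstances", "ec2:RebootInstances",
                   "ec2:TerminateInstances", "iam:CreateUser"):
        print(f"{action:28} -> {who_can([ADMINS, REPORTING, OPS], action)}")
    snapshots = derive_group(OPS, "ops-snapshots",
                             (Statement("Allow", ("ec2:CreateSnapshot",)),))
    print(is_allowed(snapshots, "ec2:CreateSnapshot"), is_allowed(OPS, "ec2:CreateSnapshot"))
```

`who_can` is the check worth running before any new role is rolled out: if a destructive action lists more than the admins group, the grant is wider than the policy intends.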
 2. Check for free security upgrades
2. Check for free security upgrades
  • Every major cloud provider allows and encourages the use of two-factor authentication (2FA).
  • There is no reason not to have 2FA on your cloud security checklist for new deployments, as it increases protection from malicious login attempts.
 3. Restrict infrastructure access via firewalls
3. Restrict infrastructure access via firewalls
  • A lot of companies use webscale external-facing infrastructure when they adopt cloud.
  • They can quickly protect private servers from external access.
  • Check for firewall policies.
  • If the cloud provider makes it available, use firewall software to restrict access to the infrastructure.
  • Only open ports when there's a valid reason to, and make closed ports part of your cloud security policies by default.
 4. Tether the cloud
4. Tether the cloud
  • Some cloud-based workloads only service clients or customers in one geographic region.
  • For these jobs, add an access restriction to the cloud security checklist:
  • Keep access only within that region or, even better, limited to specific IP addresses.
  • This simple administrator decision slashes exposure to opportunistic hackers, worms and other external threats.
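Policies 3 and 4 together, as an added example that is not from the slides or from any cloud provider's tooling. It lints a simplified security-group style rule set for ports open to the whole internet and for sources outside the one region a workload serves, and it evaluates reachability closed-by-default: traffic passes only when a rule explicitly allows it. The rule format and the address ranges in REGION_ALLOWLIST are constructed placeholders (RFC 5737 documentation ranges), not real customer or office networks.

```python
"""Deny-by-default ingress rules, linted for world-open ports and for
sources outside the tethered region.

Added example (not from the slides). Rule format and allow-list ranges are
constructed for illustration.
"""
import ipaddress

# Ports that should never be reachable from 0.0.0.0/0 (SSH, RDP, databases).
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}

# Constructed allow-list: the ranges this workload's regional customers and
# the administrators' VPN egress are assumed to use.
REGION_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),   # customers in the served region
    ipaddress.ip_network("198.51.100.0/24"),  # admin VPN egress
]


def _within_allowlist(net, allowlist) -> bool:
    return any(net.version == a.version and net.subnet_of(a) for a in allowlist)


def lint_ingress(rules, allowlist=REGION_ALLOWLIST):
    """Return (severity, message) findings for an ingress rule set."""
    findings = []
    for r in rules:
        net = ipaddress.ip_network(r["cidr"])
        if net.prefixlen == 0:                            # 0.0.0.0/0 or ::/0
            sev = "high" if r["port"] in ADMIN_PORTS else "medium"
            findings.append((sev, f"port {r['port']}/{r['proto']} open to the world"))
        elif not _within_allowlist(net, allowlist):
            findings.append(("low", f"port {r['port']}/{r['proto']} allows {net} "
                                    "outside the tethered region"))
    return findings


def is_reachable(rules, src_ip: str, port: int, proto: str = "tcp") -> bool:
    """Closed by default: traffic passes only if some rule explicitly allows
    this port and protocol from a range containing the source address."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        net = ipaddress.ip_network(r["cidr"])
        if r["port"] == port and r["proto"] == proto and src in net:
            return True
    return False


# Constructed rule sets: the weak set beside its tethered replacement.
WEAK_RULES = [
    {"port": 22,   "proto": "tcp", "cidr": "0.0.0.0/0"},
    {"port": 3389, "proto": "tcp", "cidr": "0.0.0.0/0"},
    {"port": 443,  "proto": "tcp", "cidr": "0.0.0.0/0"},
]
TETHERED_RULES = [
    {"port": 22,  "proto": "tcp", "cidr": "198.51.100.0/24"},  # admins via VPN only
    {"port": 443, "proto": "tcp", "cidr": "203.0.113.0/24"},   # customers in region
]

if __name__ == "__main__":
    for sev, msg in lint_ingress(WEAK_RULES):
        print(f"[{sev}] {msg}")
    print(lint_ingress(TETHERED_RULES))
    print(is_reachable(TETHERED_RULES, "192.0.2.7", 22))
```

Run the linter as part of the template review for anything defined as code: a rule that fails with "high" should block the change, while "low" findings are the cue to check whether the workload really serves that range.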
 5. Replace passwords with keys
5. Replace passwords with keys
  • Passwords are a liability: cumbersome, insecure and easy to forget. Every seasoned administrator knows that Monday morning user-has-forgotten-password scenario.
  • Make public key infrastructure (PKI) part of your cloud security policies. PKI relies on a public and private key to verify the identity of a user before exchanging data.
  • Switch the cloud environment to PKI, and password stealing becomes a nonissue. PKI also prevents brute force login attacks.
  • Without the private key, no one will obtain access, barring a catastrophic PKI code failure.
  • While this might seem obvious, include a note on the cloud security checklist that the private key should not be stored on the computer or laptop in use.
  • Investigate vendors, such as YubiKey, that provide secure key management. For some programs, the user has to touch the device.
  • Cloud key management for multiple users is easier with these tools.
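On cloud VMs, "replace passwords with keys" is usually enforced in the SSH daemon's configuration, so here is a checker for OpenSSH's sshd_config as an added example (not from the slides, not an OpenSSH tool). The two configuration texts are constructed: one image that still accepts interactive passwords, beside the key-only version. The keyword names and their defaults are OpenSSH's own; the checker applies sshd's first-occurrence-wins rule, treats absent keywords as their defaults (an absent PasswordAuthentication means "yes"), and accepts the older ChallengeResponseAuthentication spelling as an alias.

```python
"""Check that an sshd_config accepts keys and refuses passwords.

Added example (not from the slides). The sample configs are constructed;
keyword names and defaults are OpenSSH's.
"""

# OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# What a key-only policy requires; PermitRootLogin may be either safe value.
REQUIRED = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
}

# Deprecated spelling still found in older images.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict:
    """Return keyword -> value for the global section. sshd keeps the first
    occurrence of a keyword; keywords are case-insensitive; conditional
    Match blocks are left to a fuller parser."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":              # global section ends here
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings


def check_key_only(text: str) -> list:
    """List every keyword whose effective value allows password logins."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok_values in REQUIRED.items():
        value = settings.get(key, DEFAULTS[key]).lower()
        if value not in ok_values:
            origin = "set" if key in settings else "defaulted"
            findings.append(f"{key} is {origin} to {value!r}; "
                            f"expected one of {sorted(ok_values)}")
    return findings


# Constructed sample: an image that still allows interactive passwords.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: key-only access, root may use a key but no password.
HARDENED_CONFIG = """\
# sshd_config (constructed example)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""

if __name__ == "__main__":
    for finding in check_key_only(WEAK_CONFIG):
        print("WEAK:", finding)
    print("HARDENED:", check_key_only(HARDENED_CONFIG))
```

The defaulted case is the one that slips through manual review: a file that never mentions KbdInteractiveAuthentication still permits an interactive password prompt, so the checker reports it as a finding rather than treating silence as safe.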
 6. Turn on auditing and system monitoring
6. Turn on auditing and system monitoring
  • A lot of administrators don't think about monitoring until it's too late.
  • Systems create logs in huge amounts.
  • Use tools that capture, scan and process these logs into something useful for cloud capacity planning, audits, troubleshooting and other operations.
  • Log monitoring and analysis tools sum up all those warnings, alerts and information messages into something useful.
  • Again, many cloud providers do offer auditing tools, and there are many good tools you can try with no commitment, such as Splunk and its visual tools.
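What "processing logs into something useful" looks like for policy 6, as an added example that is not from the slides and not any provider's or vendor's tooling. It runs four detections over a handful of constructed audit events whose field names are modelled on AWS CloudTrail (eventName, userIdentity, sourceIPAddress, additionalEventData, responseElements, requestParameters), but the records, user names, addresses and group id are made up and the nested shapes are simplified. The detections tie this policy back to policy 2 (a successful console login without MFA), to policy 1 (any use of the root account), to policy 3 (a security group opened to the world) and to the traceability principle (a burst of failed logins from one address).

```python
"""Turn raw audit events into a few actionable alerts.

Added example (not from the slides). Events are constructed with
CloudTrail-style field names; threshold is a constructed tuning value.
"""
from collections import Counter

FAILED_LOGIN_THRESHOLD = 3   # constructed tuning value

# Constructed sample events (not real log data).
EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-08T08:01:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-08T08:05:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.11",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-01-08T08:07:00Z",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.12",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventTime": "2024-01-08T08:09:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.11",
     "requestParameters": {"groupId": "sg-placeholder", "fromPort": 22,
                           "toPort": 22, "cidrIp": "0.0.0.0/0"}},
] + [
    {"eventName": "ConsoleLogin", "eventTime": f"2024-01-08T09:0{i}:00Z",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "192.0.2.10",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}}
    for i in range(3)
]


def detect(events):
    """Return a list of (rule, detail) alerts for the given events."""
    alerts = []
    failures = Counter()                      # failed console logins per source IP
    for ev in events:
        ident = ev.get("userIdentity", {})
        name = ident.get("userName", ident.get("type"))
        src = ev.get("sourceIPAddress")
        if ev["eventName"] == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failures[src] += 1
            elif ev.get("additionalEventData", {}).get("MFAUsed") == "No":
                alerts.append(("login-without-mfa", f"{name} from {src}"))
        if ident.get("type") == "Root":
            alerts.append(("root-account-used", f"{ev['eventName']} from {src}"))
        if ev["eventName"] == "AuthorizeSecurityGroupIngress":
            p = ev.get("requestParameters", {})
            if p.get("cidrIp") in ("0.0.0.0/0", "::/0"):
                alerts.append(("security-group-opened-to-world",
                               f"{p.get('groupId')} port {p.get('fromPort')}-"
                               f"{p.get('toPort')} by {name}"))
    for ip, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("failed-login-burst", f"{n} failures from {ip}"))
    return alerts


def summarize(events) -> dict:
    """Alert counts per rule, the shape a dashboard or pager would consume."""
    counts = {}
    for rule, _ in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:32} {detail}")
    print(summarize(EVENTS))
```

The same four rules are a reasonable first watch-list in any provider's audit tool: each one points at a control from the earlier policies, so an alert also tells you which policy was not followed.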
