2. What is Cloud Security?
Formal definition - Cloud Security is using effective guardrails to ensure
company assets (data, application, infrastructure) using cloud services can
function as expected and respond to unexpected threats.
3. What is Cloud Security?
Cloud security is a set of control-based safeguards and technology protection designed to protect resources stored online from leakage, theft, and data loss.
Protection encompasses cloud infrastructure, applications, and data from threats.
Security applications operate as software in the cloud using a Software as a Service (SaaS) model.
The umbrella of security in the cloud includes:
Data center security
Access control
Threat prevention
Threat detection
Threat mitigation
Redundancy
Legal compliance
Cloud security policy
4. Benefits of a Cloud Security System?
Cloud-based security systems benefit your business through:
Protecting your business from threats
Guarding against internal threats
Preventing data loss
5. Security On the Cloud - Design Principles
Learn about the five best practice areas for security in the cloud:
Identity and Access Management
Detective Controls
Infrastructure Protection
Data Protection
Incident Response
The security pillar includes the ability to protect information, systems, and
assets while delivering business value through risk assessments and mitigation
strategies.
The security pillar provides an overview of design principles, best practices,
and questions
6. Design Principles
There are six design principles for security in the cloud:
Implement a strong identity foundation:
Implement the principle of least privilege and enforce separation of duties with
appropriate authorization for each interaction with your AWS resources.
Centralize privilege management and reduce or even eliminate reliance on long
term credentials.
Enable traceability:
Monitor, alert, and audit actions and changes to your environment in real time.
Integrate logs and metrics with systems to automatically respond and take action.
7. Apply security at all layers:
Rather than just focusing on protecting a single outer layer, apply a defense-in-depth approach with
other security controls.
Apply to all layers, for example, edge network, virtual private cloud (VPC), subnet, load balancer,
every instance, operating system, and application.
Automate security best practices:
Automated software-based security mechanisms improve your ability to securely scale more rapidly
and cost effectively.
Create secure architectures, including the implementation of controls that are defined and managed
as code in version-controlled templates.
Protect data in transit and at rest:
Classify your data into sensitivity levels and use mechanisms, such as encryption and tokenization
where appropriate.
Reduce or eliminate direct human access to data to reduce risk of loss or modification.
8. Prepare for security events:
Prepare for an incident by having an incident management process that aligns to
your organizational requirements.
Run incident response simulations and use tools with automation to increase your
speed for detection, investigation, and recovery.
9. CLOUD SECURITY REQUIREMENTS
Storage and transmission, integrity, data consistency and availability, data backup
and recovery, security tag, key management, remote platform attestation,
authentication, access control
Workload state integrity, guest OS integrity, zombie protection, denial of service
attacks, malicious resource exhaustion, platform attacks
Auditability, non-repudiation, access control
Auditing, attack detection, access control, non-repudiation, privacy and integrity
Physical security, data integrity, auditability, privacy
Trust, privacy Data handling
Individual-stakeholder’s security Not-proposed
CSU experience and security Not-proposed
Privacy, integrity and non-repudiation
Integrity, access control and attack/harm detection
10. Six simple cloud security policies
1. Secure cloud accounts and create groups
Ensure that the root account is secure.
To make daily administration easier and still adhere to cloud security policies,
create an administrative group and assign rights to that group, rather than the
individual.
Create additional groups for fine-grained security that fits with your organization.
Some users need only read-only access, such as people or services that run reports.
Other users should be able to do some ops tasks, such as restart VMs, but not be
able to modify VMs or their resources.
Cloud providers make roles available to users, and the cloud admin should research
when and where to use them.
Do not modify existing roles, as this is a recipe for disaster: Copy them instead.
11. 2. Check for free security upgrades
Every major cloud provider allows and encourages the use of two-factor
authentication (2FA).
There is no reason not to have 2FA on your cloud security checklist for new
deployments, as it increases protection from malicious login attempts.
3. Restrict infrastructure access via firewalls
A lot of companies use webscale external-facing infrastructure when they adopt
cloud.
They can quickly protect private servers from external access.
Check for firewall policies.
If the cloud provider makes it available, use firewall software to restrict access to
the infrastructure.
Only open ports when there's a valid reason to, and make closed ports part of your
cloud security policies by default.
12. 4. Tether the cloud
Some cloud-based workloads only service clients or customers in one geographic
region.
For these jobs, add an access restriction to the cloud security checklist:
Keep access only within that region or even better, limited to specific IP addresses.
This simple administrator decision slashes exposure to opportunistic hackers,
worms and other external threats.
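Policies 3 and 4 can be checked mechanically. The following is an added example, not part of the original slides: it audits inbound firewall rules for ports open to the whole internet and for sources outside the approved ranges. The rule schema, rule names, allowed port set and trusted range are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules (hypothetical schema, not any provider's export format).
RULES = [
    {"name": "web-https", "port": 443, "source": "0.0.0.0/0"},
    {"name": "ssh-office", "port": 22, "source": "203.0.113.0/24"},
    {"name": "ssh-world", "port": 22, "source": "0.0.0.0/0"},
    {"name": "db-partner", "port": 5432, "source": "198.51.100.7/32"},
    {"name": "rdp-v6-any", "port": 3389, "source": "::/0"},
]

# Assumed policy: ports that may face the internet, and the ranges
# that non-public ports may be reached from ("tethering").
PUBLIC_PORTS = {443}
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def audit_rule(rule):
    """Return the findings for one inbound rule (empty list means compliant)."""
    if rule["port"] in PUBLIC_PORTS:
        return []  # deliberately public service, any source is acceptable
    src = ipaddress.ip_network(rule["source"], strict=False)
    if src.prefixlen == 0:
        # 0.0.0.0/0 or ::/0: the port is reachable from everywhere
        return ["open to the whole internet"]
    # subnet_of() raises TypeError across IP versions, so compare versions first
    trusted = any(src.version == t.version and src.subnet_of(t)
                  for t in TRUSTED_SOURCES)
    return [] if trusted else ["source outside trusted ranges"]


def audit(rules):
    """Map rule name -> findings, listing only the rules that violate policy."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(f"{name}: {', '.join(findings)}")
```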
13. 5. Replace passwords with keys
Passwords are a liability: cumbersome, insecure and easy to forget. Every seasoned
administrator knows that Monday morning user-has-forgotten-password scenario.
Make public key infrastructure (PKI) part of your cloud security policies. PKI relies
on a public and private key to verify the identity of a user before exchanging data.
Switch the cloud environment to PKI, and password stealing becomes a nonissue.
PKI also prevents brute force login attacks.
Without the private key, no one will obtain access, barring a catastrophic PKI code
failure.
While this might seem obvious, include a note on the cloud security checklist that
the private key should not be stored on the computer or laptop in use.
Investigate vendors, such as YubiKey, that provide secure key management. For
some programs, the user has to touch the device.
Cloud key management for multiple users is easier with these tools.
14. 6. Turn on auditing and system monitoring
A lot of administrators don't think about monitoring until it's too late.
Systems create logs in huge amounts.
Use tools that capture, scan and process these logs into something useful for cloud
capacity planning, audits, troubleshooting and other operations.
Log monitoring and analysis tools sum up all those warnings, alerts and information
messages into something useful.
Again, many cloud providers do offer auditing tools, and there are many good tools
you can try with no commitment, such as Splunk and its visual tools.
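A small version of the log processing described in policy 6, applied to the root-account and 2FA policies above. This is an added example, not part of the original slides: it assumes audit records shaped like AWS CloudTrail ConsoleLogin events, and the user names, addresses and alert threshold are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample events, one JSON record per line, shaped like
# CloudTrail ConsoleLogin records (assumption: the slides name no log source).
SAMPLE_LOG = """
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"203.0.113.11","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"sourceIPAddress":"192.0.2.50","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventName":"RebootInstances","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":null}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"198.51.100.23","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"198.51.100.23","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"198.51.100.23","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
"""

FAILED_THRESHOLD = 3  # assumed alerting threshold for failures from one address


def analyze(log_text):
    """Return (alert, subject, source_ip) tuples for risky console logins."""
    alerts, failures = [], Counter()
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("eventName") != "ConsoleLogin":
            continue  # only sign-in events matter for this check
        identity = event.get("userIdentity") or {}
        who = identity.get("userName", identity.get("type", "unknown"))
        ip = event.get("sourceIPAddress", "?")
        result = (event.get("responseElements") or {}).get("ConsoleLogin")
        if result != "Success":
            failures[ip] += 1
            continue
        if identity.get("type") == "Root":
            alerts.append(("root-login", who, ip))  # root should not be used day to day
        if (event.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            alerts.append(("no-mfa", who, ip))  # successful login without 2FA
    for ip, count in failures.items():
        if count >= FAILED_THRESHOLD:
            alerts.append(("failed-logins", str(count), ip))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```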