Cloud security fundamentals, Cloud security services, Design principles, Secure Cloud Software Requirements, Policy Implementation,

1. Cloud Security-Unit 4
By Dr. M Zunnun Khan

2. What is Cloud Security?
 Formal definition - Cloud Security is using effective guardrails to ensure
company assets (data, application, infrastructure) using cloud services can
function as expected and respond to unexpected threats.

3. What is Cloud Security?
 Cloud security is a set of control-based safeguards and technology protection designed to protect resources stored online from
 leakage,
 theft,
 data loss.
 Protection encompasses cloud infrastructure, applications, and data from threats.
 Security applications operate as software in the cloud using a Software as a Service (SaaS) model.
 The umbrella of security in the cloud include:
 Data center security
 Access control
 Threat prevention
 Threat detection
 Threat mitigation
 Redundancy
 Legal compliance
 Cloud security policy

4. Benefits of a Cloud Security System?
 Cloud-based security systems benefit your business through:
 Protecting your business from threats
 Guarding against internal threats
 Preventing data loss

5. Security On the Cloud - Design
Principles
 Learn about the five best practice areas for security in the cloud:
 Identity and Access Management
 Detective Controls
 Infrastructure Protection
 Data Protection
 Incident Response
 The security pillar includes the ability to protect information, systems, and
assets while delivering business value through risk assessments and mitigation
strategies.
 The security pillar provides an overview of design principles, best practices,
and questions

6. Design Principles
 There are six design principles for security in the cloud:
 Implement a strong identity foundation:
 Implement the principle of least privilege and enforce separation of duties with
appropriate authorization for each interaction with your AWS resources.
 Centralize privilege management and reduce or even eliminate reliance on long
term credentials.
 Enable traceability:
 Monitor, alert, and audit actions and changes to your environment in real time.
 Integrate logs and metrics with systems to automatically respond and take action.

7.  Apply security at all layers:
 Rather than just focusing on protecting a single outer layer, apply a defense-in-depth approach with
other security controls.
 Apply to all layers, for example, edge network, virtual private cloud (VPC), subnet, load balancer,
every instance, operating system, and application.
 Automate security best practices:
 Automated software-based security mechanisms improve your ability to securely scale more rapidly
and cost effectively.
 Create secure architectures, including the implementation of controls that are defined and managed
as code in version-controlled templates.
 Protect data in transit and at rest:
 Classify your data into sensitivity levels and use mechanisms, such as encryption and tokenization
where appropriate.
 Reduce or eliminate direct human access to data to reduce risk of loss or modification.

8.  Prepare for security events:
 Prepare for an incident by having an incident management process that aligns to
your organizational requirements.
 Run incident response simulations and use tools with automation to increase your
speed for detection, investigation, and recovery.

9. CLOUD SECURITY REQUIREMENTS
 Storage and transmission, integrity, data consistency and availability, data backup
and recovery, security tag, key management, remote platform attestation,
authentication, access control
 Workload state integrity, guest OS integrity, zombie protection, denial of service
attacks, malicious resource exhaustion, platform attacks, platform attacks
 Auditability, non-reputability, access control
 Auditing, attack detection, access control, non-repudiation, privacy and integrity
 Physical security, data integrity, auditability, privacy
 Trust, privacy Data handling
 Individual-stakeholder’s security Not-proposed
 CSU experience and security Not-proposed
 Privacy, integrity and non-repudiation
 Integrity, access control and attack/harm detection

10. Six simple cloud security policies
 1. Secure cloud accounts and create groups
 Ensure that the root account is secure.
 To make daily administration easier and still adhere to cloud security policies,
create an administrative group and assign rights to that group, rather than the
individual.
 Create additional groups for fine-grained security that fits with your organization.
 Some users need read-only access, as for people or services that run reports.
 Other users should be able to do some ops tasks, such as restart VMs, but not be
able to modify VMs or their resources.
 Cloud providers make roles available to users, and the cloud admin should research
when and where to use them.
 Do not modify existing roles, as this is a recipe for disaster: Copy them instead.

11.  2. Check for free security upgrades
 Every major cloud provider allows and encourages the use of two-factor
authentication (2FA).
 There is no reason not to have 2FA on your cloud security checklist for new
deployments, as it increases protection from malicious login attempts.
 3. Restrict infrastructure access via firewalls
 A lot of companies use webscale external-facing infrastructure when they adopt
cloud.
 They can quickly protect private servers from external access.
 Check for firewall polices.
 If the cloud provider makes it available, use firewall software to restrict access to
the infrastructure.
 Only open ports when there's a valid reason to, and make closed ports part of your
cloud security policies by default.

12.  4. Tether the cloud
 Some cloud-based workloads only service clients or customers in one geographic
region.
 For these jobs, add an access restriction to the cloud security checklist:
 Keep access only within that region or even better, limited to specific IP addresses.
 This simple administrator decision slashes exposure to opportunistic hackers,
worms and other external threats.

13.  5. Replace passwords with keys
 Passwords are a liability: cumbersome, insecure and easy to forget. Every seasoned
administrator knows that Monday morning user-has-forgotten-password scenario
 Make public key infrastructure (PKI) part of your cloud security policies. PKI relies
on a public and private key to verify the identity of a user before exchanging data.
 Switch the cloud environment to PKI, and password stealing becomes a nonissue.
PKI also prevents brute force login attacks.
 Without the private key, no one will obtain access, barring a catastrophic PKI code
failure.
 While this might seem obvious, include a note on the cloud security checklist that
the private key should not be stored on the computer or laptop in use.
 Investigate vendors, such as YubiKey, that provide secure key management. For
some programs, the user has to touch the device.
 Cloud key management for multiple users is easier with these tools.

14.  6. Turn on auditing and system monitoring
 A lot of administrators don't think about monitoring until it's too late.
 Systems create logs in huge amounts.
 Use tools that capture, scan and process these logs into something useful for cloud
capacity planning, audits, troubleshooting and other operations.
 Log monitoring and analysis tools sum up all those warnings, alerts and information
messages into something useful.
 Again, many cloud providers do offer auditing tools, and there are many good tools
you can try with no commitment, such as Splunk and its visual tools.