What is Cloud Security? Cloud Security Fundamentals #CloudSecurity
Cloud Security Fundamentals for beginners | Cloud Security vs Traditional Security | How does Cloud Security Work and more …
Hello World! :)
This is the first post in the #CloudSecurity series, my passion project for 2019. Happy New Year to all you folks :)
If you prefer consuming educational content in video format, I have you covered. For everyone else keep reading.
Levelling up the playing field for everyone!
What is Cloud?
Cloud is a service offered on the internet for public consumption either for a fee or free. It comes in different forms (IaaS, PaaS, SaaS), shapes (infrastructure, container based, abstracted) and sizes (public, private or hybrid).
What is Cloud Security?
If you are someone who enjoys a bit more of a formal definition - Cloud Security is using effective guardrails to ensure company assets (data, application, infrastructure) using cloud services can function as expected and respond to unexpected threats.
For the security folks, Cloud Security is defending the confidentiality(C), integrity(I) and availability(A) of enterprise assets (data, application, infrastructure), using cloud services, from an outside or inside threat.
For the non-security background the above mentioned CIA are the three triads of Information security. There are others considerations in the mix too e.g Authentication, Authorisation etc. but, trust me, CIA is the most commonly used one to explain the risk around a threat.
Why do we need Cloud Security? Is it different to Traditional Security?
Great question! Short answer is that Traditional security doesn’t fully work in cloud environments as it can’t scale at speed.
For this reason we need ver2.0 of traditional security in cloud. Lets explore this further…
Perimeter based vs Component based architecture
Security in data centres has been designed in a perimeter based security design with a “coconut” shaped architecture — hard on the outside, soft and mushy on the inside. As an attacker once you are in, it’s FREE REIGN!
A well-architected cloud environment will have component based segregation within itself which means even if an attacker compromises one of the resources, by design they would not get access to the rest of the resources in the environment.
Scaling security on demand
The most common security devices in a data centre will be Network Firewalls, WAFs, IDS, IPS and sometimes expense DDOS protection if you can afford it. Usually to make changes to these devices or add more of these devices, week’s worth of work and lots of man hours are required.
In a cloud environment, everyone gets access to DDOS protection (at no additional cost on certain cloud service provider security products). All Firewalls (both network and web level) are programmatically accessible which means it can be updated in minutes instead of weeks.
We can continue to explore this and discuss the likes of patch management, vulnerability management, incident response, DR, BCP etc but that’s for another post, if you would like to know more.
How does Cloud Security Work?
Short answer: The implementation of cloud security is unique per cloud provider. Each cloud provider has their own security products/services which can be used to apply relevant security guardrails in your cloud environment.
I personally recommend using “most but not all of these security products/services” for the simple reason that I have seen some of the security products released in an MVP state and lack the maturity as some of the free/paid services out in the market. However, the security products in the market being ready for cloud is a whole different story and I will reserve that for another post in the future.
How can you apply Cloud Security in my current cloud environment?
When brain-storming ways to implement cloud security into the cloud provider of your choice, please do consider the Shared Responsibility Model from that cloud service provider in your decision making process.
Shared Responsibility Model
Shared Responsibility model is the responsibility your share with the cloud provider on services you consume from them.
When you use a public services like Linkedin/Facebook , all the post/articles/images/videos you post are your responsibility, you may not worry about which server in linkedin has the data or how many servers or how many requests Linkedin is using to display your post to everyone else on the Linkedin service. However, you would care if your post doesn’t appear to any of your potential customers connected with you on Linkedin.
Similarly, in case of cloud, there are things we need to manage and there are things that the cloud provider manages for us. Depending on what service you use, you would have to consider how much input is required from your end.
I would recommend spending some time understanding the shared responsibility with regards to the service you use in your cloud environment to effectively implement your cloud security strategy.
I understand Shared Responsibility now, what’s next?
Depending on the applications or service you are implementing on the cloud provider the security considerations will always fall under some the following security parameters:
Level of Compliance ,Infrastructure Location(s), Data Storage Location(s), Encryption on-rest/in-transit, Key Management System, Backup and Recovery, Patch Management, Segregation of Duties, Access Management, Access Governance, Incident Response, Logging and Auditing, Vulnerability Management, Asset Management…
The list can go on as you can imagine. However, all these and more parameters don’t apply to every cloud deployment. e.g if you just want to host a static website on a cloud environment, you don’t need to worry about patch management, if you are using the Abstract cloud service like S3 (AWS) or Static Website hosting on Azure Storage (Azure) etc.
At this point, we have laid the foundation for Cloud Security — Have I scared you? :) I hope not! This is a good place to start going a bit deeper.
To make this series easy to consume by both non-security and security folks, I am focussing the #CloudSecurity series on the security services provided by public cloud providers and possible use cases. Let’s tackle one public cloud provider at a time.
In the next few posts, I will be going through security product suite and possible use cases in Amazon Web Services (AWS).
Disclaimer: As mentioned earlier in this post, some of the security services by public cloud service provider are not great and I will recommend against those ones, where applicable. However, the services are on-goingly being updated at a rate which is impressive, so I would encourage doing your own research on the covered services to get updated information in your decision making process.