Cloud Security_ Unit 4
1 like442 views
Cloud security involves using effective measures to protect company assets in the cloud from threats such as data leakage and theft, utilizing a variety of safeguards and technology. Key design principles include identity management, data protection, and incident response, while policies emphasize secure access and monitoring. Proper implementation of these strategies enhances protection and compliance, ensuring safe cloud operations.
Cloud Security_ Unit 4
- 1. Cloud Security-Unit 4 By Dr. M Zunnun Khan
- 2. What is Cloud Security? Formal definition - Cloud Security is using effective guardrails to ensure company assets (data, application, infrastructure) using cloud services can function as expected and respond to unexpected threats.
- 3. What is Cloud Security? Cloud security is a set of control-based safeguards and technology protection designed to protect resources stored online from leakage, theft, data loss. Protection encompasses cloud infrastructure, applications, and data from threats. Security applications operate as software in the cloud using a Software as a Service (SaaS) model. The umbrella of security in the cloud include: Data center security Access control Threat prevention Threat detection Threat mitigation Redundancy Legal compliance Cloud security policy
- 4. Benefits of a Cloud Security System? Cloud-based security systems benefit your business through: Protecting your business from threats Guarding against internal threats Preventing data loss
- 5. Security On the Cloud - Design Principles Learn about the five best practice areas for security in the cloud: Identity and Access Management Detective Controls Infrastructure Protection Data Protection Incident Response The security pillar includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. The security pillar provides an overview of design principles, best practices, and questions
- 6. Design Principles There are six design principles for security in the cloud: Implement a strong identity foundation: Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. Centralize privilege management and reduce or even eliminate reliance on long term credentials. Enable traceability: Monitor, alert, and audit actions and changes to your environment in real time. Integrate logs and metrics with systems to automatically respond and take action.
- 7. Apply security at all layers: Rather than just focusing on protecting a single outer layer, apply a defense-in-depth approach with other security controls. Apply to all layers, for example, edge network, virtual private cloud (VPC), subnet, load balancer, every instance, operating system, and application. Automate security best practices: Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost effectively. Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates. Protect data in transit and at rest: Classify your data into sensitivity levels and use mechanisms, such as encryption and tokenization where appropriate. Reduce or eliminate direct human access to data to reduce risk of loss or modification.
- 8. Prepare for security events: Prepare for an incident by having an incident management process that aligns to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
- 9. CLOUD SECURITY REQUIREMENTS Storage and transmission, integrity, data consistency and availability, data backup and recovery, security tag, key management, remote platform attestation, authentication, access control Workload state integrity, guest OS integrity, zombie protection, denial of service attacks, malicious resource exhaustion, platform attacks, platform attacks Auditability, non-reputability, access control Auditing, attack detection, access control, non-repudiation, privacy and integrity Physical security, data integrity, auditability, privacy Trust, privacy Data handling Individual-stakeholder’s security Not-proposed CSU experience and security Not-proposed Privacy, integrity and non-repudiation Integrity, access control and attack/harm detection
- 10. Six simple cloud security policies 1. Secure cloud accounts and create groups Ensure that the root account is secure. To make daily administration easier and still adhere to cloud security policies, create an administrative group and assign rights to that group, rather than the individual. Create additional groups for fine-grained security that fits with your organization. Some users need read-only access, as for people or services that run reports. Other users should be able to do some ops tasks, such as restart VMs, but not be able to modify VMs or their resources. Cloud providers make roles available to users, and the cloud admin should research when and where to use them. Do not modify existing roles, as this is a recipe for disaster: Copy them instead.
- 11. 2. Check for free security upgrades Every major cloud provider allows and encourages the use of two-factor authentication (2FA). There is no reason not to have 2FA on your cloud security checklist for new deployments, as it increases protection from malicious login attempts. 3. Restrict infrastructure access via firewalls A lot of companies use webscale external-facing infrastructure when they adopt cloud. They can quickly protect private servers from external access. Check for firewall polices. If the cloud provider makes it available, use firewall software to restrict access to the infrastructure. Only open ports when there's a valid reason to, and make closed ports part of your cloud security policies by default.
- 12. 4. Tether the cloud Some cloud-based workloads only service clients or customers in one geographic region. For these jobs, add an access restriction to the cloud security checklist: Keep access only within that region or even better, limited to specific IP addresses. This simple administrator decision slashes exposure to opportunistic hackers, worms and other external threats.
- 13. 5. Replace passwords with keys Passwords are a liability: cumbersome, insecure and easy to forget. Every seasoned administrator knows that Monday morning user-has-forgotten-password scenario Make public key infrastructure (PKI) part of your cloud security policies. PKI relies on a public and private key to verify the identity of a user before exchanging data. Switch the cloud environment to PKI, and password stealing becomes a nonissue. PKI also prevents brute force login attacks. Without the private key, no one will obtain access, barring a catastrophic PKI code failure. While this might seem obvious, include a note on the cloud security checklist that the private key should not be stored on the computer or laptop in use. Investigate vendors, such as YubiKey, that provide secure key management. For some programs, the user has to touch the device. Cloud key management for multiple users is easier with these tools.
- 14. 6. Turn on auditing and system monitoring A lot of administrators don't think about monitoring until it's too late. Systems create logs in huge amounts. Use tools that capture, scan and process these logs into something useful for cloud capacity planning, audits, troubleshooting and other operations. Log monitoring and analysis tools sum up all those warnings, alerts and information messages into something useful. Again, many cloud providers do offer auditing tools, and there are many good tools you can try with no commitment, such as Splunk and its visual tools.