7. Computer cloud security

Introduction [1]

  • By 2023, the public cloud service market was projected to reach about $623.3 billion.
  • 94% of enterprises use cloud services.
  • 50% of enterprises spend an average of $1.2 million annually on cloud services.
  • 30% of the IT budget is allocated to cloud computing.

Cloud computing basics [2, 3, 4]

  • Cloud is a model that allows ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example networks, servers, storage, applications, and services) that can be rapidly provisioned with minimal management effort or interaction with the service provider [16].
  • Cloud vs On-premise [3]:
    #  | On-premise                                                      | Cloud
    1  | Pay upfront; higher cost, less scalability                      | Pay as you go
    2  | More space is required for servers                              | Less space
    3  | Dedicated team of hardware experts to manage the infrastructure | No need to manage infrastructure
    4  | Poor security, due to lack of expertise                         | Better security
    5  | Less chance of data recovery                                    | Data replicas and disaster recovery are guaranteed
    6  | Less flexibility                                                | More flexibility
    7  | Manual server and OS updates; a dedicated team is required      | Automatic
    8  | Collaboration is difficult                                      | Collaboration is easy
    9  | Data cannot be accessed remotely                                | Remote access is possible
    10 | Implementation is time-consuming and slow                       | Implementation is easy
  • Types of cloud computing [3]:
    • Deployment Model:
      • Public Cloud:
        • The cloud infrastructure is owned by a third-party cloud service provider, which is available to the public over the Internet.
        • Leading providers: Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), IBM Cloud, Oracle Cloud Infrastructure (OCI), Alibaba Cloud, Sun Cloud, and DigitalOcean.
      • Private Cloud:
        • A cloud infrastructure is owned by a single organization and is available only to the organization’s users over the Internet.
        • May be managed by third-party service providers.
        • It can be on-premise or off-premise.
        • Providers: AWS, VMware.
      • Hybrid Cloud:
        • It consists of both public and private cloud infrastructure.
        • Example: Federal government agencies use private clouds for sensitive applications and public clouds for public-facing applications.
    • Service Model:
      • Infrastructure as a Service (IaaS):
        • Hire only the infrastructure, such as servers, storage, and networking.
        • The company is expected to have dedicated IT Administrators to manage the infrastructure, and a software team to develop the software.
        • Users: IT Administrators, Software Developers.
      • Platform as a Service (PaaS):
        • Hire the infrastructure and the platform (runtime), such as the operating system, database, and web server.
        • The company is expected to have a dedicated software team to develop the software.
        • Users: Software Developers.
        • Examples: Lambda, Elastic Beanstalk, and Heroku.
      • Software as a Service (SaaS):
        • It is a complete product that is ready to use.
        • The company is not expected to have a dedicated software team, as the product is ready to use by the company’s employees.
        • Users: Company’s employees (end-users).
        • Examples: Dropbox, G Suite, Microsoft Office 365, and Slack [4].
  • Comparison between cloud types [3]: (comparison figure not reproduced in these notes)
  • Lifecycle of a cloud computing solution [3]:
    • Define the purpose of the solution: requirements, goals, and objectives.
    • Define the computing hardware: depending on the requirements, expected scale, and budget; EC2, Lambda, ECS, etc.
    • Define the storage solution: S3, Glacier, EFS, etc.
    • Define the network solution: VPC, Route 53, CloudFront, etc.
    • Define the security solution: IAM, KMS, or Cognito.
    • Define the deployment, monitoring, and automation tools: CloudFormation, CloudWatch, CloudTrail, etc.
    • Define the testing, building, and deployment tools: CodeCommit, CodeBuild, CodeDeploy, etc.
    • Define the analytics tools: Athena, EMR, Redshift, etc.
  • Benefits of Cloud Solutions [4]:
    • Enhance the ability to scale up and down: adding/removing workforce, storage, and computing power.
    • Lower costs.
    • Increase flexibility: access to the cloud from anywhere.

Network security and compliance in the cloud [5, 6, 7, 8]

  • Networks available in the cloud [5]:
    • Internet access and DNS.
    • Subnets and IP addressing.
    • Cloud interconnects.
    • Segmentation and isolation (policies).
    • High availability and load balancing.
    • VPNs, NAT, and L4-L7 services.
  • Network Administrators play a vital role in Cloud Security.
  • Networking on AWS [5]:
    • VPC (Virtual Private Cloud): a network that is logically isolated from other networks in the cloud.
    • VPCs are equivalent to VRFs (Virtual Routing and Forwarding) in the on-premise world.
    • Default VPCs are pre-configured but with minimum security.
    • VPCs can have CIDR blocks, subnets, route tables, and security groups.
    • CIDR blocks are the IP address ranges that are assigned to the VPC.
    • VPCs are connected to the Internet through Internet Gateways (IGWs).
    • Subnets are derived from the VPC’s CIDR block.
    • Subnets can be public or private.
    • VM NICs are attached to subnets.
    • Security Groups are similar to ACI EPGs (Application Centric Infrastructure Endpoint Groups).
    • SGs control the inbound/outbound traffic to/from the Subnets.
    • NACLs (Network Access Control Lists) are similar to ACLs (Access Control Lists).
    • All rules are stateful, meaning that the return traffic is allowed by default.
    • All rules happen on L3 (IP addresses), not L2 (MAC addresses).
    • Broadcast and multicast are not supported.
  • Connecting multiple VPCs [5]:
    • VPC Peering: connecting two VPCs in the same region, or different regions.
    • Virtual Private Gateway.
    • Transit Gateway: connecting multiple VPCs in the same region, or different regions.
  • Cloud networking is a type of IT infrastructure in which some or all of an organization’s network capabilities and resources are hosted in a public or private cloud platform, managed in-house or by a service provider, and available on demand [6].
  • Security vs Compliance [8]:
    • Security:
      • It is the process of protecting data, applications, and infrastructure from unauthorized access, use, disclosure, modification, or destruction to provide confidentiality, integrity, and availability.
    • Compliance:
      • It is the process of meeting a set of requirements, such as laws, policies, and regulations (aka standards).
      • Compliance may improve security, but it does not mean that the system is secure.
      • You can be as secure as possible and still not be compliant with a particular standard.
      • Compliance requires a standard and audit, where a third-party auditor verifies that the organization is compliant with the standard.
      • Example: PCI DSS (Payment Card Industry Data Security Standard) is a standard that requires organizations to protect cardholder data.
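
As an added example (not from the notes or the cited videos), a defender's check for two points in the "Networking on AWS" notes above: a security group that admits the whole Internet on a management port, the kind of minimum-security default the notes warn about, and a subnet that is public because its route table sends 0.0.0.0/0 to an Internet Gateway. The input dicts are constructed to mirror the shape of boto3's describe_security_groups and describe_route_tables responses, which is an assumption; nothing here calls AWS.

```python
# Added example (not from the notes): audit VPC data for two weak defaults.
# Input dicts mirror the shape of boto3's describe_* responses (an assumption).
MGMT_PORTS = {22, 3389}          # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}    # "anywhere" CIDRs

def open_mgmt_rules(security_groups):
    """Return (group id, port) pairs whose ingress admits the whole Internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            # IpProtocol "-1" (all traffic) carries no FromPort/ToPort keys
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not WORLD.intersection(cidrs):
                continue
            for port in sorted(MGMT_PORTS):
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port))
    return findings

def public_subnets(route_tables):
    """Subnet ids whose route table sends 0.0.0.0/0 to an Internet Gateway."""
    public = set()
    for rt in route_tables:
        to_igw = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                     and r.get("GatewayId", "").startswith("igw-")
                     for r in rt["Routes"])
        if to_igw:
            public.update(a["SubnetId"] for a in rt["Associations"]
                          if "SubnetId" in a)
    return public

# Constructed sample: an all-traffic-from-anywhere group, an HTTPS-only group,
# one subnet routed to an IGW (public) and one routed to a NAT gateway (private).
SAMPLE_SGS = [
    {"GroupId": "sg-0example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-1example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_RTS = [
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
     "Associations": [{"SubnetId": "subnet-public"}]},
    {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
     "Associations": [{"SubnetId": "subnet-private"}]},
]
```

On the sample, open_mgmt_rules reports sg-0example on ports 22 and 3389 and public_subnets returns only subnet-public; an HTTPS-only group and a NAT-routed subnet are not flagged.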

Security and compliance management in cloud computing [7]

  • The public cloud is open, hence it is considered to be less secure.
  • SECaaS (Security as a Service) is a cloud computing model that delivers managed security services over the Internet.
  • When an application or its data is shifted to the cloud, the customer has limited visibility into, and no control over, where the infrastructure is hosted. Not knowing the actual location of the data can cause security issues in this model.
  • Disadvantages of public Cloud:
    • Low security: the customer has no control over the physical location of the data.
    • Less customizable: compared to private cloud or on-premise.
  • Private cloud infrastructure is controlled by an IT department of the customer (not the cloud provider), so it is like an on-premise cloud.
  • Disadvantages of private cloud:
    • Restricted area: the infrastructure is only deployed at the chosen location.
    • Limited scalability: the scalability is limited to the infrastructure at the chosen location.
  • Challenges of Cloud:
    • Security.
    • Compliance.
    • Privacy.
  • HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) is a set of laws that are supposed to keep the health records and data of the patient secure and intact. It helps in maintaining the standard of electronic health recording systems.
  • FISMA: Federal Information Security Management Act.
  • Challenges of Compliance:
    • Reference software architecture: there is no single golden standard for cloud computing against which providers can compare their services.
    • Patterns: following existing patterns in a specific domain; however, this is not always possible for innovative solutions.
  • The tools of SECaaS as defined by the Cloud Security Alliance (CSA):
    • Identity and Access Management (IAM).
    • Data Loss Prevention (DLP).
    • Web Security.
    • Email Security.
    • Security Assessments.
    • Disaster Recovery.
    • Intrusion Management: detecting and preventing intrusions between virtual machines.
    • Encryption: managing encryption keys, processes, and policies in a proper way.
    • Network Security: managing firewalls, VPNs, and IDSs.
  • Examples of SECaaS providers:
    • Oracle CASB (Cloud Access Security Broker):
      • Automated security monitoring, threat detection, visibility, compliance management, and detection of uneven user behavior.
      • Features:
        • Threat detection using UBAs (User Behavior Analytics).
        • Complete visibility into cloud usage.
        • Integration with existing security tools, such as DLP, NGF (Next Generation Firewall), and SWG (Secure Web Gateway).
    • Qualys VM (Vulnerability Management):
      • It is a cloud-based service that provides continuous security and compliance monitoring.
      • Features:
        • Continuous monitoring of vulnerabilities and alerts.
        • Agent-based detection of vulnerabilities: self-updating programs (called agents) that are installed on the target machines and require no maintenance or configuration.
        • Automatic documentation of compliance and incidents.
    • Okta Sign-On:
      • It is a cloud-based service that provides single sign-on (SSO) for cloud applications.
    • WhiteHat Sentinel Dynamic:
      • It is a dynamic platform that enables the deployment of scalable web security programs.
      • Features:
        • Automatically assess code changes and detect vulnerabilities.
        • Open API that can be integrated with GRC (Governance, Risk, and Compliance) and SIEM (Security Information and Event Management) tools.
        • PCI DSS (Payment Card Industry Data Security Standard) compliance.
  • To summarize the SECaaS tools:
    SECaaS tool               | Specialization
    Oracle CASB               | Identity and access management
    Qualys VM                 | Network security
    Okta Sign-On              | Identity and access management
    WhiteHat Sentinel Dynamic | Web application security

Identity Management System (IMS) [9, 10, 11, 12]

  • 81% of data breaches are caused by compromised usernames and passwords [9].
  • 300% increase in identity-based attacks in 2020 [9].
  • Turning on MFA (Multi-Factor Authentication) can prevent 99.9% of identity attacks [9].

  • Building blocks of Enterprise IAM [11]:

    • Corporate Directory (User Store):
      • It is a database that contains information about the employees, such as their names, emails, phone numbers, and job titles.
      • It can be implemented with LDAP (Lightweight Directory Access Protocol) or AD (Active Directory, Microsoft’s version of LDAP).
      • Both LDAP and AD are used to store and manage distributed files.
    • Web SSO:
      • It is a centralized SSO built by the organization for its internal applications.
      • It uses non-standard methods to authenticate users and achieve web access management.
      • It has been superseded by Federated SSO.
    • Federated SSO:
      • This uses standard methods, thus it is possible to integrate with other organizations, external applications, and cloud services.
    • Multi-Factor Authentication.
    • Automated Provisioning.
    • Compliance/Identity Governance.
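
As an added example (not from the notes or the cited sources), a governance check that follows from the MFA figures and the Compliance/Identity Governance building block above: it reads an IAM credential report and lists the identities that can sign in interactively but have no MFA. The CSV is constructed inline; its column names follow the AWS IAM credential report format as an assumption, and nothing here calls AWS.

```python
# Added example (not from the notes): find console-capable identities without
# MFA in a credential report. The report below is constructed; its columns follow
# the AWS IAM credential report as an assumption, and the account id is a dummy.
import csv
from io import StringIO

REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true
alice,arn:aws:iam::123456789012:user/alice,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,false,false,true
"""

def _console_capable(row):
    # password_enabled is 'not_supported' for the root account, which always
    # has a console login, so it counts as enabled.
    return row["password_enabled"] in ("true", "not_supported")

def users_without_mfa(report_csv):
    """Names of identities that can sign in interactively but have no MFA."""
    return [row["user"] for row in csv.DictReader(StringIO(report_csv))
            if _console_capable(row) and row["mfa_active"] != "true"]

def mfa_coverage(report_csv):
    """Fraction (0.0-1.0) of console-capable identities protected by MFA."""
    rows = [r for r in csv.DictReader(StringIO(report_csv)) if _console_capable(r)]
    if not rows:
        return 1.0
    return sum(r["mfa_active"] == "true" for r in rows) / len(rows)
```

Access-key-only identities such as svc-deploy are excluded from the MFA count on purpose; they need a separate key-rotation check.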

Data risks in Cloud security [13, 14, 15]

References


  1. Galov, N. (2021, August 9). Cloud adoption statistics for 2021. Hosting Tribunal. https://hostingtribunal.com/blog/cloud-adoption-statistics/#gref

  2. Amazon Web Services. (2021, July 15). What is cloud computing? | Amazon Web Services [Video]. YouTube. https://www.youtube.com/watch?v=mxT233EdY5c

  3. Simplilearn. (2018, May 18). Cloud computing tutorial for beginners | Cloud computing explained | Cloud computing | Simplilearn [Video]. YouTube. https://www.youtube.com/watch?v=RWgW-CgdIk0

  4. What is a cloud service? (n.d.). Citrix. https://www.citrix.com/solutions/digital-workspace/what-is-a-cloud-service.html

  5. Cisco Data Center and Cloud Made Easy. (2020, November 19). Cloud networking overview (using AWS as reference) [Video]. YouTube. https://www.youtube.com/watch?v=WmyiE27uKOo

  6. Cloud networking. (n.d.). VMware. https://www.vmware.com/topics/glossary/content/cloud-networking

  7. Hashmi, A., Ranjan, A., & Anand, A. (2018, January 31). Security and compliance management in cloud computing. International Journal of Advanced Studies in Computer Science and Engineering (IJASCSE), 7(1). https://my.uopeople.edu/pluginfile.php/1808722/mod_book/chapter/471234/unit%207%20Security%20and%20Compliance%20Management%20in%20Cloud%20Computing.pdf

  8. Tripwire, Inc. (2019, October 16). Understanding security vs. compliance: What’s the difference? [Video]. YouTube. https://www.youtube.com/watch?v=2PJEPEn1spA

  9. Microsoft Security. (2020, September 17). What is identity and access management (IAM) and how to use it [Video]. YouTube. https://www.youtube.com/watch?v=iHKkzK-WR-c

  10. What is federated identity? (n.d.). Okta. https://www.okta.com/identity-101/what-is-federated-identity/

  11. VMware End-User Computing. (2019, June 7). Identity and access management: Technical overview [Video]. YouTube. https://www.youtube.com/watch?v=Tcvsefz5DmA

  12. Yeluri, R., & Leon, E. C. (2014, March 27). Identity management and control for clouds. In Building the infrastructure for cloud security (pp. 141-161). https://link.springer.com/content/pdf/10.1007%2F978-1-4302-6146-9.pdf

  13. Bushkovskyi, O. (2019, July 26). Cloud computing security risks in 2021, and how to avoid them. The App Solutions. https://theappsolutions.com/blog/development/cloud-security-risks/

  14. Enigma Forensics, Inc. (2020, March 4). Securing data in the cloud [Video]. YouTube. https://www.youtube.com/watch?v=oiuRZxQ-IpA

  15. Google Cloud Tech. (2020, March 3). Top 3 data risks in cloud security [Video]. YouTube. https://www.youtube.com/watch?v=QJcRkpzW8Mw&t=24s

  16. UoPeople. (2023). Learning Guide Unit 7. UoPeople.edu. https://my.uopeople.edu/mod/book/view.php?id=392940&chapterid=471233