Hello everyone, today I will be talking about cloud security. Cloud security is an art and a science. Cloud security is a branch of cyber security that focuses on protecting cloud computing platforms. This involves safeguarding data across internet infrastructure, apps, and platforms. Cloud providers and clients, whether individuals, small to medium businesses, or enterprises, work together to secure these systems.
Cloud service providers use always-on internet connections to host services on their servers. Because their business relies on customer trust, they deploy cloud security solutions to keep client information private and secure. Cloud security, however, is also partly in the hands of the customer.
At its core, cloud security is composed of the following categories:
· Data security
· Identity and access management (IAM)
· Governance (policies on threat prevention, detection, and mitigation)
· Data retention (DR) and business continuity (BC) planning
· Legal compliance
Cloud security may appear like legacy IT security, but this framework actually demands a different approach. Before diving deeper, let’s first look at what cloud security is.
What is cloud security?
Cloud security is the whole bundle of technology, protocols, and best practices that protect cloud computing environments, applications running in the cloud, and data held in the cloud. Securing cloud services begins with understanding what exactly is being secured, as well as the system aspects that must be managed.
As an overview, hardening the backend against security vulnerabilities is largely in the hands of cloud service providers. Aside from choosing a security-conscious provider, clients must focus mostly on proper service configuration and safe use habits. Additionally, clients should make sure that any end-user hardware and networks are properly secured.
The full scope of cloud security is designed to protect the following, regardless of your responsibilities:
· Physical networks — routers, electrical power, cabling, climate controls, etc.
· Data storage — hard drives, etc.
· Data servers — core network computing hardware and software
· Computer virtualization frameworks — virtual machine software, host machines, and guest machines
· Operating systems (OS) — software that houses
· Middleware — application programming interface (API) management,
· Runtime environments — execution and upkeep of a running program
· Data — all the information stored, modified, and accessed
· Applications — traditional software services (email, tax software, productivity suites, etc.)
· End-user hardware — computers, mobile devices, Internet of Things (IoT) devices, etc.
With cloud computing, ownership over these components can vary widely. This can make the scope of client security responsibilities unclear. Since securing the cloud can look different based on who has authority over each component, it’s important to understand how these are commonly grouped.
To simplify, cloud computing components are secured from two main viewpoints:
1. Cloud service types are offered by third-party providers as modules used to create the cloud environment. Depending on the type of service, you may manage a different degree of the components within the service:
· The core of any third-party cloud service involves the provider managing the physical network, data storage, data servers, and computer virtualization frameworks. The service is stored on the provider’s servers and delivered over the provider’s internally managed network so that clients can access it remotely. This offloads hardware and other infrastructure costs and gives clients access to their computing needs from anywhere via internet connectivity.
· Software-as-a-Service (SaaS) cloud services provide clients access to applications that are purely hosted and run on the provider’s servers. Providers manage the applications, data, runtime, middleware, and operating system. Clients are only tasked with accessing their applications. SaaS examples include Google Drive, Slack, Salesforce, Microsoft 365, Cisco WebEx, and Evernote.
· Platform-as-a-Service (PaaS) cloud services provide clients a host for developing their own applications, which are run within a client’s own “sandboxed” space on provider servers. Providers manage the runtime, middleware, and operating system. Clients are tasked with managing their applications, data, user access, end-user devices, and end-user networks. PaaS examples include Google App Engine and Windows Azure.
· Infrastructure-as-a-Service (IaaS) cloud services offer clients the hardware and remote connectivity frameworks to house the bulk of their computing, down to the operating system. Providers only manage core cloud services. Clients are tasked with securing all that gets stacked atop an operating system, including applications, data, runtimes, middleware, and the OS itself. In addition, clients need to manage user access, end-user devices, and end-user networks. IaaS examples include Microsoft Azure, Google Compute Engine (GCE), and Amazon Web Services (AWS).
2. Cloud environments are deployment models in which one or more cloud services create a system for the end-users and organizations. These segment the management responsibilities — including security — between clients and providers.
The currently used cloud environments are:
· Public cloud environments are composed of multi-tenant cloud services where a client shares a provider’s servers with other clients, like an office building or coworking space. These are third-party services run by the provider to give clients access via the web.
· Private third-party cloud environments are based on the use of a cloud service that provides the client with exclusive use of their own cloud. These single-tenant environments are normally owned, managed, and operated offsite by an external provider.
· Private in-house cloud environments are also composed of single-tenant cloud service servers, but they are operated from the organization’s own private data center. In this case, the cloud environment is run by the business itself, allowing full configuration and setup of every element.
· Multi-cloud environments include the use of two or more cloud services from separate providers. These can be any blend of public and/or private cloud services.
· Hybrid cloud environments consist of using a blend of private third-party cloud and/or onsite private cloud data center with one or more public clouds.
Framing it from this perspective shows that cloud security can differ depending on the type of cloud space users are working in, but its effects are felt by individual and organizational clients alike.
How does cloud security work?
Every cloud security measure works to accomplish one or more of the following:
· Enable data recovery in case of data loss
· Protect storage and networks against malicious data theft
· Deter human error or negligence that causes data leaks
· Reduce the impact of any data or system compromise
Data security is the aspect of cloud security that involves the technical end of threat prevention. Providers and clients can use tools and technology to create barriers between sensitive data and unauthorized access or visibility. Encryption is one of the most powerful of these tools. Encryption scrambles your data so that only those with the encryption key can read it; if the data is lost or stolen, it is effectively unreadable and worthless to whoever holds it. In cloud networks, safeguards for data in transit, such as virtual private networks (VPNs), are also emphasized.
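To make the “lost or stolen data is worthless without the key” point concrete, here is an added example (not code from the original post) of encrypting a record at rest with AES-256-GCM from Go’s standard library. It assumes a constructed sample record and a key generated locally; in a real deployment the key would be held in a key management service separate from the storage that holds the ciphertext. GCM is an authenticated mode, so it also shows that a single modified ciphertext byte is rejected rather than silently decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. In production this key would
// live in a KMS/HSM, never beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-GCM. The random 12-byte nonce is
// prepended to the ciphertext so the key holder can decrypt later.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. The GCM authentication tag means a wrong key
// or a tampered ciphertext produces an error, not wrong plaintext.
func Decrypt(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// StolenBlobIsUseless models the "lost or stolen" case: someone holding
// only the ciphertext and a guessed (all-zero) key cannot open it.
func StolenBlobIsUseless(blob []byte) bool {
	wrongKey := make([]byte, 32)
	_, err := Decrypt(wrongKey, blob)
	return err != nil
}

// TamperDetected flips one ciphertext byte and reports whether decryption
// with the correct key refuses the modified blob.
func TamperDetected(key, blob []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err := Decrypt(key, tampered)
	return err != nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; not real customer data.
	blob, _ := Encrypt(key, []byte("customer record: constructed sample data"))
	pt, err := Decrypt(key, blob)
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)
	fmt.Println("stolen blob useless without key:", StolenBlobIsUseless(blob)) // true
	fmt.Println("tampering detected:", TamperDetected(key, blob))              // true
}
```

The nonce is not secret, which is why storing it in front of the ciphertext is fine; what must never be reused is the same nonce with the same key, which the random nonce per call avoids for realistic volumes.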
Identity and access management (IAM) pertains to the access privileges granted to user accounts. Managing user account authentication and authorization applies here as well. Access restrictions are critical because they determine which users — legitimate or malicious — can reach, and potentially compromise, sensitive data and systems. The scope of IAM includes password management, multi-factor authentication, and other approaches.
Governance focuses on policies for threat prevention, detection, and mitigation. For SMBs and enterprises, aspects like threat intelligence can help with tracking and prioritizing threats so that essential systems are guarded carefully. However, even individual cloud clients can benefit from valuing safe user behavior policies and training. These apply mostly in organizational environments, but rules for safe use and response to threats can be helpful to any user.
Data retention (DR) and business continuity (BC) planning involve technical disaster recovery measures in case of data loss. Methods for data redundancy, such as backups, are essential components of every DR and BC plan. Additionally, having technological mechanisms in place to ensure continuous operations is beneficial. A good BC strategy should include frameworks for validating the integrity of backups as well as specific employee recovery instructions.
Legal compliance revolves around protecting user privacy as set out by legislative bodies. Governments have recognized the significance of preventing the commercial exploitation of private user information. As a result, businesses must follow this legislation in order to remain compliant. One option is to utilize data masking, which uses encryption technologies to disguise identities within data.
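The paragraph above calls for validating the integrity of backups; one simple, widely used way to do that is to record a manifest of content hashes at backup time, store it separately from the backup, and compare it against whatever comes back from a restore drill. The following is an added example (not the post’s own code) in Go using only the standard library. The backup objects and the “restored” copies are constructed sample data: one object has been corrupted in storage and one was never copied to the secondary location.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps a backup object's name to the SHA-256 of its contents. It
// is written when the backup is taken and kept apart from the backup data,
// so corruption of the backup store cannot also "fix" the manifest.
type Manifest map[string]string

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Build computes the manifest for a set of backup objects.
func Build(objects map[string][]byte) Manifest {
	m := Manifest{}
	for name, data := range objects {
		m[name] = digest(data)
	}
	return m
}

// Verify compares a restored set against the manifest and returns, sorted,
// the names of objects that are missing or whose content no longer matches.
// An empty result means the restore drill reproduced the backup exactly.
func Verify(m Manifest, restored map[string][]byte) []string {
	var bad []string
	for name, want := range m {
		data, ok := restored[name]
		if !ok || digest(data) != want {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

// backedUp is the constructed set of objects at backup time.
var backedUp = map[string][]byte{
	"db.sql":   []byte("INSERT INTO customers VALUES (1, 'constructed');"),
	"logs.tar": []byte("constructed log archive bytes"),
	"config":   []byte("region=example-region\nretention_days=30\n"),
}

// restored is what a constructed restore drill brought back: logs.tar was
// truncated in storage, and config was never replicated at all.
var restored = map[string][]byte{
	"db.sql":   []byte("INSERT INTO customers VALUES (1, 'constructed');"),
	"logs.tar": []byte("constructed log archive bytes (truncated"),
}

func main() {
	m := Build(backedUp)
	fmt.Println("clean restore problems:", Verify(m, backedUp)) // []
	fmt.Println("drill restore problems:", Verify(m, restored)) // [config logs.tar]
}
```

Running the check on a schedule, against a real restore rather than the backup store itself, is what turns “we have backups” into evidence that the backups can actually be used.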
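As an added illustration of data masking (example code, not from the original post), the block below replaces direct identifiers in a constructed customer record before the record is handed to analysts or a test environment. It uses a keyed hash (HMAC-SHA256) for pseudonymization rather than encryption: the same email under the same key always maps to the same token, so masked datasets can still be joined, while someone without the key can neither reverse the token nor recompute it for a guessed email. Phone numbers get the familiar partial mask. The record layout, key and values are all assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed customer row containing direct identifiers.
type Record struct {
	Email string
	Phone string
	Plan  string // non-identifying attribute, kept as-is for analytics
}

// Pseudonym returns a stable, key-dependent token for an identifier.
// Input is normalised first so "Alice@Example.com" and "alice@example.com"
// map to the same token. The key must be kept out of the masked dataset.
func Pseudonym(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// MaskPhone keeps only the last four digits, the usual partial-display mask.
func MaskPhone(phone string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1 // drop separators such as spaces, dashes and '+'
	}, phone)
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Mask produces the row that leaves the production boundary: identifiers
// replaced, analytic attributes preserved.
func Mask(key []byte, r Record) Record {
	return Record{
		Email: Pseudonym(key, r.Email),
		Phone: MaskPhone(r.Phone),
		Plan:  r.Plan,
	}
}

func main() {
	key := []byte("constructed-masking-key") // in practice: from a secrets manager
	original := Record{Email: "alice@example.com", Phone: "+1 555-0100-2345", Plan: "premium"}
	masked := Mask(key, original)
	fmt.Printf("original: %+v\n", original)
	fmt.Printf("masked:   %+v\n", masked) // Phone becomes ********2345
}
```

The choice between a keyed hash and reversible encryption depends on whether anyone downstream legitimately needs the original value back; if nobody does, the irreversible form is the safer default.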
What makes cloud security different?
Because of the move to cloud-based computing, traditional IT security has undergone a significant transformation. While cloud models provide more convenience, always-on connectivity raises new security issues. In several respects, cloud security, as a modernized cyber security approach, differs from traditional IT architectures.
1. Data storage:
The most significant difference is that traditional IT architectures rely mainly on local data storage. Organizations have long found that building all IT frameworks in-house, with thorough and specific security measures, is expensive and restrictive. Cloud-based frameworks have reduced system development and maintenance expenses, but they have taken away some autonomy from users.
2. Scaling speed:
Similarly, when scaling an organization’s IT infrastructure, cloud security requires special consideration. Cloud-based infrastructure and apps are extremely modular and easy to deploy. While this capability ensures that systems adjust uniformly to organizational changes, it raises difficulties when an organization’s need for updates and convenience outpaces its capacity to keep up with security.
3. End-user system interfacing:
Cloud systems interact with a variety of additional systems and services that must be protected, both for companies and for individual users. Access permissions must be maintained at all levels, from the end-user device through the application to the network. In addition, providers and users must be aware of the risks that improper setup and poor system access practices can create.
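The IAM paragraph above (access restrictions deciding who can reach sensitive data) and this paragraph (risk from improper setup) share one common failure: an access policy attached to a cloud resource that is broader than anyone intended. The added example below (not code from the original post) is a small evaluator for a simplified, constructed policy format modelled loosely on the JSON policy documents major cloud providers use; it is not any provider’s exact grammar, and the action names, principal names and bucket paths are assumptions. It shows the two rules a reviewer should have in mind, default deny and explicit Deny overriding Allow, and a lint pass that flags the classic misconfiguration of an Allow open to every principal or every action.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is one allow/deny rule in the constructed policy format.
type Statement struct {
	Effect    string   `json:"Effect"`    // "Allow" or "Deny"
	Principal string   `json:"Principal"` // identity pattern; "*" means anyone, including anonymous
	Action    []string `json:"Action"`    // e.g. "storage:GetObject" or "storage:*"
	Resource  []string `json:"Resource"`  // e.g. "bucket/customer-data/*"
}

// Policy is the document attached to a resource such as a storage bucket.
type Policy struct {
	Statement []Statement `json:"Statement"`
}

func ParsePolicy(text string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(text), &p)
	return p, err
}

// match supports a single trailing "*" wildcard, the common policy idiom.
func match(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if match(p, value) {
			return true
		}
	}
	return false
}

// Evaluate answers "may principal perform action on resource?": nothing is
// allowed by default, and a matching explicit Deny overrides every Allow.
func Evaluate(p Policy, principal, action, resource string) bool {
	allowed := false
	for _, s := range p.Statement {
		if !match(s.Principal, principal) || !anyMatch(s.Action, action) || !anyMatch(s.Resource, resource) {
			continue
		}
		switch s.Effect {
		case "Deny":
			return false
		case "Allow":
			allowed = true
		}
	}
	return allowed
}

// Findings flags Allow statements broader than least privilege calls for:
// open to every principal, or granting a wildcard action.
func Findings(p Policy) []string {
	var out []string
	for i, s := range p.Statement {
		if s.Effect != "Allow" {
			continue
		}
		if s.Principal == "*" {
			out = append(out, fmt.Sprintf("statement %d: Allow with Principal \"*\" exposes the resource publicly", i))
		}
		for _, a := range s.Action {
			if a == "*" || strings.HasSuffix(a, ":*") {
				out = append(out, fmt.Sprintf("statement %d: Allow grants wildcard action %q", i, a))
			}
		}
	}
	return out
}

// publicReadPolicy is a constructed bucket policy containing the classic
// mistake: statement 0 lets anyone, authenticated or not, read customer data.
const publicReadPolicy = `{
  "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["storage:GetObject"], "Resource": ["bucket/customer-data/*"]},
    {"Effect": "Allow", "Principal": "user/alice",
     "Action": ["storage:*"], "Resource": ["bucket/customer-data/*"]},
    {"Effect": "Deny", "Principal": "*",
     "Action": ["storage:DeleteObject"], "Resource": ["bucket/customer-data/*"]}
  ]
}`

func main() {
	p, err := ParsePolicy(publicReadPolicy)
	if err != nil {
		panic(err)
	}
	obj := "bucket/customer-data/2024-export.csv"
	fmt.Println("anonymous read:", Evaluate(p, "anonymous", "storage:GetObject", obj))    // true: misconfigured
	fmt.Println("alice delete:  ", Evaluate(p, "user/alice", "storage:DeleteObject", obj)) // false: explicit deny wins
	fmt.Println("bob write:     ", Evaluate(p, "user/bob", "storage:PutObject", obj))      // false: default deny
	for _, f := range Findings(p) {
		fmt.Println("finding:", f)
	}
}
```

Running a lint like Findings in the pipeline that deploys the policy, before it reaches the provider, catches the public-access mistake at setup time instead of after the data has been read.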
4. Proximity to other networked data and systems:
Because cloud systems maintain a constant link between cloud providers and their customers, this vast network can put even the provider at risk. A single vulnerable device or component in a networked landscape can be used to infect the rest. Whether they offer data storage or other services, cloud providers are exposed to attacks from a large number of end-users. Providers whose products live only on end-user systems rather than their own now carry additional network security responsibilities.
“When solving problems, dig at the roots instead of just hacking at the leaves.”
Stay home, stay safe!
Written by Osuni Abeywickrama — 2nd Year, 2nd Semester Cyber Security Student, SLIIT