CLOUD SECURITY
By Manoj Kumar (CISSP, CCSP, CISA, CISM)
Content
Introduction to Cloud Computing (Definition, Deployment and Service models)
Cloud Logical Structure
Shared Responsibility Model
Cloud Governance, Compliance and Audit Management
Information Governance in Cloud
Management Plane Security and BC/DR in Cloud
Infrastructure security in Cloud
Containers Security
Application Security in Cloud
Data Security in cloud
Identity and Access Management
Common Risks in Cloud
Important Resources related to Cloud Security
Introduction to Cloud Computing
NIST definition – a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Essential Characteristics
Broad network access
On-demand self-service
Resource pooling
Rapid elasticity
Measured service
ISO also lists multi-tenancy as an essential characteristic.
Introduction to Cloud Computing
Service Models
Software as a Service (SaaS) – e.g. Office 365
Platform as a Service (PaaS) – development or application platforms
Infrastructure as a Service (IaaS) – compute, network or storage
Deployment Models
Public Cloud – shared by multiple tenants
Private Cloud – dedicated to one organisation
Community Cloud – shared by a specific community
Hybrid Cloud – a combination of two or more deployment models
Introduction to Cloud Computing
Cloud Roles and Logical Structure
Cloud service provider – offers cloud services
Cloud customers – consumers of the services
Refer to ISO/IEC 17788 and 17789 for more information
Logical Structure
Infrastructure: the core components, i.e. compute, network, and storage.
Metastructure: the protocols and mechanisms that provide the interface between the layers
Infostructure: the data and information
Applistructure: the applications deployed in the cloud and the underlying application services used to build them
Shared Responsibility Model
Sharing of security responsibilities between the provider and the consumer
Depends upon the service/deployment model and the contract
Not prescriptive, but a guide for contract negotiation
Cloud Governance
Governance is the policies, processes, and internal controls used to run an organization
Cloud affects governance because it introduces a third party into the process
An organization can never outsource its responsibility for governance
Tools for Governance
Contracts – guarantee of commitments
Supplier (cloud provider) assessments – financial viability, feedback from peers, etc.
Compliance reporting – SOC reports, CSA STAR registry
Compliance and Audit Management
Compliance management – a shared responsibility; the customer may have to rely on third-party attestations for the provider's compliance
Audit management – on-premises audits are very rare in cloud
It is important to remember that attestations and certifications are point-in-time activities
Information Governance in Cloud
Phases
Create – whenever data is considered new
Store – near-term storage
Use – when in active use
Share – sharing of data
Archive – long-term storage
Destroy – permanent destruction
Know the controls that apply in each phase
Information Governance in Cloud
Challenges
Multitenancy: shared infrastructure with untrusted tenants
Shared security responsibility: know the difference between data custodianship and data ownership
Jurisdictional boundaries and data sovereignty: broad network access means data can be hosted in more locations (jurisdictions)
Compliance, regulations, and privacy policies: a customer agreement may not allow data to be shared with or used on a cloud provider
Destruction and removal of data: ensuring the destruction and removal of data in accordance with policy
Management Plane Security
The management plane is a major difference between traditional infrastructure and cloud computing.
Best practices for security:
Use strong authentication and MFA.
Maintain tight control of the primary account holder/root account credentials
Establish account granularity to limit blast radius
Use separate super administrator and day-to-day administrator accounts instead of the root/primary account
Consistently implement least privilege accounts
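An added example (not from the slides) that checks a constructed set of management-plane identities against the practices above: MFA everywhere, the root account locked down and kept out of daily use, and super-admin duties separated from day-to-day administration. The record layout, role names and the 30-day threshold are assumptions.

```python
"""Check a constructed set of management-plane identities against the
practices above: MFA everywhere, the root/primary account locked down and
kept out of daily use, and super-admin duties separated from day-to-day
administration. The record layout, role names and the 30-day threshold are
assumptions for this example."""
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    mfa_enabled: bool
    active_access_keys: int          # long-lived API keys currently enabled
    roles: set = field(default_factory=set)   # e.g. {"root"}, {"super_admin"}, {"admin"}
    last_used_days: int = 999        # days since last sign-in; 999 = never/unknown

def audit(principals):
    """Return (principal name, finding) pairs; an empty list means clean."""
    findings = []
    for p in principals:
        if not p.mfa_enabled:
            findings.append((p.name, "MFA not enabled"))
        if "root" in p.roles:
            # Root should hold no long-lived keys and should not be the
            # identity anyone signs in with for routine work.
            if p.active_access_keys > 0:
                findings.append((p.name, "root account has active access keys"))
            if p.last_used_days < 30:
                findings.append((p.name, "root account used in the last 30 days"))
        if {"super_admin", "admin"} <= p.roles:
            # Same identity used for break-glass super-admin work and for
            # daily administration: split it into two accounts.
            findings.append((p.name, "super-admin and daily-admin on one account"))
    return findings

# Constructed sample: one tenant's management-plane identities.
SAMPLE = [
    Principal("root", True, 1, {"root"}, last_used_days=2),
    Principal("alice-breakglass", True, 0, {"super_admin"}),
    Principal("bob", False, 1, {"admin", "super_admin"}, last_used_days=1),
    Principal("carol", True, 1, {"user"}, last_used_days=5),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```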
BC/DR Considerations
Architect for failure
Take a risk-based approach
Prepare for graceful failure in case of a cloud provider outage
Backup metastructure and its configuration as well
Design for high availability within your cloud provider before attempting cross-location BC
For super-high-availability applications, start with cross-location BC
Infrastructure security in Cloud
Network
Prefer Software Defined Networking (SDN) when available.
Separate accounts and virtual networks dramatically limit blast radius.
Implement default deny with cloud firewalls.
Apply cloud firewalls on a per-workload basis as opposed to a per-network basis.
Minimize dependency on virtual appliances that restrict elasticity or cause performance bottlenecks.
Infrastructure security in Cloud
Compute/workload
Leverage immutable workloads whenever possible.
Choose security agents that are cloud-aware.
Store logs external to workloads.
Understand and comply with cloud provider limitations on vulnerability assessments and penetration testing.
Configure hypervisors to isolate virtual machines from each other.
Containers Security
Container – a virtual execution environment that features an isolated user space but uses a shared kernel
Secure them by:
Grouping containers of the same security context on the same physical and/or virtual hosts
Ensuring that only approved, known, and secure container images or code can be deployed
Appropriately securing the container orchestration/management by implementing appropriate role-based access controls and strong authentication
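An added example (not from the slides or any orchestrator's own policy engine) of the "only approved, known images can be deployed" control: an admission check that parses an image reference and admits it only when it comes from an approved registry and is pinned to a reviewed digest. The registry allowlist, the digests and the reference syntax handled are assumptions.

```python
"""Admission check for container image references, as an added example of
the 'only approved, known and secure images can be deployed' control above.
The registry allowlist, digests and reference syntax handled here are
assumptions for this example, not any particular orchestrator's policy."""
import re

# Constructed policy: approved registries and the image digests that
# have been reviewed and signed off.
APPROVED_REGISTRIES = {"registry.example.internal"}
APPROVED_DIGESTS = {"sha256:" + "a" * 64, "sha256:" + "b" * 64}

# registry[:port]/repo[/sub...][:tag][@sha256:<64 hex>]
_REF = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[\w.-]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def parse_image_ref(ref):
    """Split an image reference into registry, repo, tag and digest."""
    m = _REF.match(ref)
    if not m:
        # No registry prefix (e.g. a bare "nginx:latest") or garbage: fail closed.
        raise ValueError(f"unparseable image reference: {ref!r}")
    return m.groupdict()

def admit(ref):
    """Return (allowed, reason). Only digest-pinned images from an approved
    registry whose digest is on the allowlist are admitted: a tag is mutable
    and cannot prove which bits will actually run."""
    try:
        parts = parse_image_ref(ref)
    except ValueError as exc:
        return False, str(exc)
    if parts["registry"] not in APPROVED_REGISTRIES:
        return False, f"registry {parts['registry']} not approved"
    if not parts["digest"]:
        return False, "image is not pinned by digest"
    if parts["digest"] not in APPROVED_DIGESTS:
        return False, "digest not on the approved list"
    return True, "ok"

if __name__ == "__main__":
    for ref in ("registry.example.internal/web/nginx:1.25@sha256:" + "a" * 64,
                "registry.example.internal/web/nginx:latest",
                "docker.io/library/nginx@sha256:" + "a" * 64):
        print(ref, "->", admit(ref))
```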
Application Security in Cloud
Understand the security capabilities of cloud providers
Build security into the initial design process
Consider moving to continuous deployment and automating security into the deployment pipeline.
Integrate threat modeling, SAST, and DAST into the pipeline.
Use software-defined security to automate security controls.
Use event-driven security, when available, to automate detection and remediation of security issues.
Application Security in Cloud
DevOps and CI/CD pipeline:
Deeper integration of development and operations teams through better collaboration and communication
Continuous Integration and/or Continuous Delivery (CI/CD) through automated deployment pipelines
Security advantages:
Standardization: with DevOps, anything that goes into production is created by the CI/CD pipeline from approved code and configuration templates.
Automated testing: a variety of security testing can be integrated into the CI/CD pipeline.
Immutable: CI/CD pipelines can produce master images for virtual machines, containers, and infrastructure stacks very quickly and reliably.
Data Security in Cloud
Know about the various cloud storage types and the threats applicable to each
Keep data security tools such as Cloud Access Security Brokers (CASB), DLP, etc.
Prefer the provider's data migration mechanisms (through TLS) to secure cloud data transfers
Ensure that FIPS 140-2 certified Hardware Security Modules (HSM) are used for key storage and management, etc.
Be aware of cloud provider data security. In many cases it is more secure than building your own, and comes at a lower cost.
Use the appropriate encryption option based on the threat model for your data, business, and technical requirements.
Identity and Access Management (IAM)
IAM – enabling the right individuals to access the right resources at the right times for the right reasons (Gartner)
Develop a comprehensive and formalized plan and processes for managing identities and authorizations with cloud services.
When connecting to external cloud providers, use federation, if possible, to extend existing identity management.
Cloud users should prefer MFA for all external cloud accounts.
Privileged identities should always use MFA.
Develop an entitlement matrix for each cloud provider and project, with an emphasis on access to the metastructure and/or management plane.
Prefer ABAC over RBAC for cloud computing.
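An added example (not from the slides) of why ABAC is preferred over RBAC in the cloud: a small default-deny ABAC evaluator where one policy keyed on principal and resource attributes covers every project, next to an RBAC lookup that needs a new role and binding for each project. The attribute names, policy shape and sample data are assumptions.

```python
"""Attribute-based access control (ABAC) evaluator, as an added example of
why the deck prefers ABAC over RBAC in the cloud: one policy keyed on
principal and resource attributes (project, environment, classification)
covers every project, where RBAC needs a new role and binding per project.
Attribute names and the policy shape are assumptions for this example."""

# Constructed policies. "match" lists attributes that must be equal on the
# principal and the resource; "resource_must_have" fixes resource attributes.
POLICIES = [
    {"name": "project-members-rw", "match": ["project", "environment"],
     "actions": {"read", "write"}},
    {"name": "anyone-read-public", "match": [], "actions": {"read"},
     "resource_must_have": {"classification": "public"}},
]

def abac_decision(principal, resource, action, policies=POLICIES):
    """Default deny: allow only when every condition of some policy holds."""
    for pol in policies:
        if action not in pol["actions"]:
            continue
        if any(principal.get(a) is None or principal.get(a) != resource.get(a)
               for a in pol["match"]):
            continue
        required = pol.get("resource_must_have", {})
        if any(resource.get(k) != v for k, v in required.items()):
            continue
        return True, pol["name"]
    return False, "no matching policy (default deny)"

def rbac_decision(role_bindings, role, action):
    """RBAC for comparison: roles are named per project, so a new project
    needs a new role and binding before anyone can work in it."""
    return (action in role_bindings.get(role, set())), role

# Constructed sample data: Alice belongs to the billing project in prod.
ALICE = {"project": "billing", "environment": "prod"}
BUCKET_BILLING = {"project": "billing", "environment": "prod", "classification": "internal"}
BUCKET_HR = {"project": "hr", "environment": "prod", "classification": "internal"}
BUCKET_DOCS = {"project": "hr", "environment": "prod", "classification": "public"}
RBAC_BINDINGS = {"billing-prod-admin": {"read", "write"}}   # no hr role exists yet

if __name__ == "__main__":
    print(abac_decision(ALICE, BUCKET_BILLING, "write"))  # allowed: same project/env
    print(abac_decision(ALICE, BUCKET_HR, "read"))        # denied: project differs
    print(abac_decision(ALICE, BUCKET_DOCS, "read"))      # allowed: public resource
    print(rbac_decision(RBAC_BINDINGS, "hr-prod-admin", "read"))  # denied: no such role
```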
Common Risks in Cloud
Vendor Lock-In – over-dependency on a provider
Ensure favorable contract terms for portability; avoid proprietary formats; ensure there are no physical or technical limitations to moving
Vendor Lock-Out – when the cloud provider goes out of business, is acquired by another company, or ceases operation for any reason
Check provider longevity, core competency, jurisdictional suitability and supply chain dependencies
Information Bleed – a concern in a multi-tenant environment; there is the possibility that data belonging to one customer will be read or received by another
Ensure proper segregation among multiple tenants
Common Risks in Cloud
Lack of Audit Access – reliance on a third party
Ensure favorable contract terms for portability; avoid proprietary formats
Contractual Failure – a poorly crafted contract leads to vendor lock-in, unfavorable terms, lack of necessary services, and other risks
Consider full offsite secured backups
Legal Seizure – results in unannounced or unexpected loss or disclosure of the organization's data
Consider using encryption or possibly employing data dispersion
Important Resources related to Cloud Security
Cloud Security Alliance (CSA)
Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 – cloud security best practices
Cloud Controls Matrix (CCM) – a cybersecurity control framework for cloud computing aligned to the CSA best practices
Consensus Assessment Initiative Questionnaire (CAIQ) – provides a set of "yes or no" questions based on the security controls in the CCM
CSA STAR (Security, Trust, Assurance, and Risk) Registry – a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings
CSA Pandemic Eleven – documents the top 11 threats related to cloud computing
European Union Agency for Cybersecurity (ENISA) Risk Assessment