Cloud computing lets users provision resources on demand and pay only for what they use. That is a remarkable development for the digital age, but is it secure? Here we take an in-depth look at the main factors that make up cloud security.
Cloud security is a shared responsibility of the customer and the cloud service provider (CSP). Users may technically own their servers, but they do not control physical access to them. Authorization, authentication, firewalls, audits, and visibility of transactions are vital elements of cloud security.
Regions and Availability Zones
Availability and uptime are also key elements of cloud security. Service providers operate their infrastructure in various geographic regions, and each region can contain more than one availability zone (AZ). For instance, a cloud service provider might offer two regions, India and Australia, each with several AZs. There might be two AZs in Mumbai, India, for example, located in different parts of the city.
AZs are self-contained and separate, with distinct power providers, separate network connections, and so on. This makes them reliable, since an issue in one AZ does not affect any other AZ.
As users we can benefit from this by deploying an application in the nearest region to reduce latency. We can also load-balance using active/active or active/standby configurations, which lets us fail over when there is an outage or excess demand and so gives high availability.
Costs may differ from region to region for the services provided, and every region offers all services. In addition, compliance rules need to be considered when selecting a region.
Virtual Private Cloud (VPC)
Within a public cloud we can also create an isolated private network called a virtual private cloud (VPC). It behaves like a private cloud and contains both private and public subnets. The private part does not map its private IP addresses to public addresses and can be reached only through restricted channels. A VPC operates at the network layer and is an IaaS service.
Think of an IT park: several organizations share facilities such as auditoriums and grounds, but each working area is private and only employees or those granted access can enter. The VPC is that private space. Users have full control over it, and it is considered safe. For instance, web servers may be reachable from anywhere, while the database is reachable only from the server that runs the backend application.
Multiple subnets can be created within a single VPC, each carved out of the IP address range the VPC was built with. A subnet can be public or private, and this draws a boundary so that servers in one subnet cannot reach information in another through that network.
VPC gateway endpoints let you connect to multiple VPCs and keep the traffic private, without needing internet access.
Virtual LANs (VLANs) partition networks and connect groups of servers that can talk to each other without going over the Internet. This partitioning happens at layer 2 of the OSI model.
Virtual Private Networks (VPNs) encrypt traffic over an internet connection, making it safe and guarding against man-in-the-middle attacks.
Security groups act as a “firewall” for instances. With a security group we manage both incoming and outgoing traffic. They are stateful, meaning that any traffic permitted to leave is allowed to return. They support allow rules only: traffic cannot be blocked explicitly, and only the configured traffic is allowed in.
NACLs (network access control lists) act as a “firewall” at the subnet level. One NACL can be assigned to multiple subnets, but a subnet can have only one NACL.
NACL inbound and outbound rules are stateless and apply to all traffic. For example, if outbound traffic is permitted, our request goes out, but for the reply to come back a matching inbound rule must also be defined. Both allow and deny rules are accepted for inbound and outbound traffic. Only CIDR ranges can be specified, not hostnames.
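The stateful/stateless difference above is easiest to see in a small simulation. This is an added example, not code from the original article or from any cloud provider: the rule sets and addresses are constructed, and the rule shapes (allow-only security groups, numbered allow/deny NACL entries matched lowest-number-first) follow the description in the text.

```python
import ipaddress

# Constructed rule sets for a web server (not taken from any real account).
# Security group: allow rules only, stateful. Fields: proto, port_from, port_to, cidr.
SG_INBOUND = [("tcp", 443, 443, "0.0.0.0/0")]
SG_OUTBOUND = [("tcp", 0, 65535, "0.0.0.0/0")]
# NACL: numbered allow/deny rules, lowest number evaluated first, stateless.
# Fields: rule number, action, proto, port_from, port_to, cidr.
NACL_INBOUND = [
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    (110, "deny", "tcp", 22, 22, "0.0.0.0/0"),  # explicit deny, impossible in a security group
]
NACL_OUTBOUND = [(100, "allow", "tcp", 0, 65535, "0.0.0.0/0")]
# Extra inbound rule that admits replies addressed to ephemeral ports.
EPHEMERAL_REPLY_RULE = (120, "allow", "tcp", 1024, 65535, "0.0.0.0/0")

def _matches(proto, lo, hi, cidr, pkt):
    """A packet is described by its protocol, remote peer address and destination port."""
    return (pkt["proto"] == proto and lo <= pkt["port"] <= hi
            and ipaddress.ip_address(pkt["peer"]) in ipaddress.ip_network(cidr))

def sg_decision(rules, pkt, tracked):
    """Stateful: a packet of a tracked flow is accepted; otherwise an allow rule is needed."""
    if (pkt["peer"], pkt["port"]) in tracked:
        return "allow"
    for proto, lo, hi, cidr in rules:
        if _matches(proto, lo, hi, cidr, pkt):
            return "allow"
    return "deny"  # implicit deny; security groups have no explicit deny rules

def nacl_decision(rules, pkt):
    """Stateless: the first matching numbered rule decides; no match means implicit deny."""
    for _num, action, proto, lo, hi, cidr in sorted(rules):
        if _matches(proto, lo, hi, cidr, pkt):
            return action
    return "deny"

def reply_reaches_instance(nacl_inbound, peer="203.0.113.10", eph_port=51000):
    """The instance opens a connection to peer:443 from an ephemeral port.
    Returns whether the reply gets back through the security group and through the NACL."""
    request = {"proto": "tcp", "peer": peer, "port": 443}
    reply = {"proto": "tcp", "peer": peer, "port": eph_port}  # reply targets our ephemeral port
    tracked = set()
    if sg_decision(SG_OUTBOUND, request, tracked) == "allow":
        tracked.add((peer, eph_port))  # connection tracking remembers the outbound flow
    sg_ok = sg_decision(SG_INBOUND, reply, tracked) == "allow"
    nacl_ok = (nacl_decision(NACL_OUTBOUND, request) == "allow"
               and nacl_decision(nacl_inbound, reply) == "allow")
    return {"security_group": sg_ok, "nacl": nacl_ok}
```

With `NACL_INBOUND` alone the security group passes the reply but the NACL drops it; adding `EPHEMERAL_REPLY_RULE` is what makes the stateless list work.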
Cloud providers also offer security at different OSI layers, such as a web application firewall (WAF) at layer 7 and network firewalls at layer 4. These improve security by blocking suspicious API calls, denying access to certain areas, and tracking and reporting attempts to access sensitive data.
IAM (identity and access management) Policies
Access to cloud resources is controlled centrally by policies and permissions, and auditing is enabled by default. Each policy can be attached to a user, a group, or a role.
There are two main kinds of policy: identity-based and resource-based. An identity-based policy grants permissions to a user or group. A resource-based policy defines who has access to the resource and which actions they are allowed to perform.
Access is granted only if both policies permit it; if either policy blocks access, it is not granted. By default all access is denied, and only an explicit “allow” permits access. An explicit “deny” takes priority over any allow, and access is refused.
Granular access policies can be established to permit or block specific IP addresses, times and dates, groups, geographical locations, and so on.
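The evaluation order described above (default deny, explicit allow required, explicit deny wins) and the granular source-IP condition can be written down as a small policy evaluator. This is an added example, not code from the article or any provider’s SDK: the statement shape, the policies and the `SourceIp` condition key are constructed for illustration, and the way identity and resource policies are combined follows the rule the text states (both must allow).

```python
import fnmatch
import ipaddress

# Constructed policies in a simplified statement shape (not a real account's policies).
IDENTITY_POLICY = [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]
RESOURCE_POLICY = [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*",
     "Condition": {"SourceIp": "10.0.0.0/8"}},  # granular rule: only from the internal range
]

def _statement_matches(stmt, action, resource, source_ip):
    """A statement applies when action, resource and every condition match the request."""
    if not fnmatch.fnmatchcase(action, stmt["Action"]):
        return False
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
        return False
    allowed_range = stmt.get("Condition", {}).get("SourceIp")
    if allowed_range and ipaddress.ip_address(source_ip) not in ipaddress.ip_network(allowed_range):
        return False
    return True

def evaluate_policy(policy, action, resource, source_ip):
    """Default deny; an explicit Deny overrides any Allow; only an explicit Allow grants access."""
    effects = {s["Effect"] for s in policy
               if _statement_matches(s, action, resource, source_ip)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "Deny"  # implicit deny: nothing matched

def is_authorized(action, resource, source_ip,
                  identity_policy=IDENTITY_POLICY, resource_policy=RESOURCE_POLICY):
    """Combination rule as described in the text: both policies must allow the request."""
    return (evaluate_policy(identity_policy, action, resource, source_ip) == "Allow"
            and evaluate_policy(resource_policy, action, resource, source_ip) == "Allow")
```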
Applications that use API keys, encryption keys, or credentials should not hard-code them. The cloud offers services that handle secrets elegantly, keeping them secured in transit and at rest.
Secrets management protects and manages access to services and applications, and IAM policies ensure that not everyone has access to secret information.
Auditing and monitoring are an essential aspect of cybersecurity. Cloud computing provides the framework and tools to monitor at a granular level.
IAM access and policy changes, as well as infrastructure changes, are among the routine activities for which logs are enabled by default and stored in a central location. These alone are not enough, however, so the cloud also offers APIs for creating custom logs based on the user’s needs.
The centralized logs can be used for further analysis and inspection and can be connected to any SIEM (Security Information and Event Management) solution. Simple reports can be generated from these logs.
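A first-pass set of detections over the default audit logs just described (IAM policy changes, infrastructure changes, use of the root identity) looks like the code below. This is an added example, not code from the article or from any SIEM product; the records are constructed sample data in a CloudTrail-like JSON shape, and the event names and field names are assumptions for the example.

```python
import json

# Constructed audit-trail records in a CloudTrail-like shape (sample data, not a real account).
SAMPLE_LOG = """
{"eventTime": "2024-05-01T10:00:01Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "10.0.1.5", "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime": "2024-05-01T10:02:10Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "10.0.1.5", "requestParameters": {"cidrIp": "0.0.0.0/0", "fromPort": 22}}
{"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"type": "IAMUser", "userName": "svc-app"}, "sourceIPAddress": "10.0.2.9", "requestParameters": {}}
{"eventTime": "2024-05-01T11:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7", "requestParameters": {}}
"""

# IAM calls that change who is allowed to do what; worth an alert in any SIEM rule set.
IAM_CHANGE_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                     "PutRolePolicy", "CreatePolicy", "DeletePolicy"}

def parse_records(text):
    """One JSON object per line, as a log shipper would deliver them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(records):
    """Return (rule, eventName, actor, detail) tuples for the events a first-pass rule set flags."""
    findings = []
    for rec in records:
        name = rec["eventName"]
        identity = rec["userIdentity"]
        actor = identity.get("userName", identity["type"])
        params = rec.get("requestParameters") or {}
        if identity["type"] == "Root":  # root should not be used for day-to-day work
            findings.append(("root_activity", name, actor, rec["sourceIPAddress"]))
        if name in IAM_CHANGE_EVENTS:
            findings.append(("iam_policy_change", name, actor, params.get("policyArn", "")))
        if name == "AuthorizeSecurityGroupIngress" and params.get("cidrIp") == "0.0.0.0/0":
            findings.append(("sg_open_to_world", name, actor, "port %s" % params.get("fromPort")))
    return findings

def summarize(findings):
    """Count findings per rule, the shape a simple report would carry."""
    counts = {}
    for rule, *_ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts
```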
Cloud Access Security Broker (CASB)
Every cloud service provider offers a set of security tools. However, these may have gaps or may not meet an organization’s standards. Because the data is stored with the cloud service provider, following security guidelines becomes crucial. In these scenarios a CASB fills the gaps and complements the cloud’s security features. The broker sits between the cloud customer and the cloud service provider.
A CASB is delivered as a software solution that addresses cloud service security threats while enforcing security policy and ensuring data security, threat protection, and regulatory compliance. It is available as on-premises software or as a cloud service, and it has four main attributes.
- Visibility: seeing which processes run in the cloud and making sure they are authorized; validating configurations and avoiding configuration errors.
- Compliance: following the organization’s own policies or mandated ones such as HIPAA and PCI.
- Threat protection: admitting only authenticated and authorized users, with the highest level of security, including multi-level approvals and multi-factor authentication.
- Data security: protecting and encrypting sensitive data both at rest and in transit, and making sure APIs are secure.
A CASB together with next-generation secure web gateways (SWGs), which monitor and manage web APIs, and user/entity behavior analytics (UEBA) provides both dynamic and static access control.
CASB is evolving into a larger service known as the secure access service edge (SASE) architecture. SASE combines networking and security technologies to offer complete cloud and web security. Security Service Edge (SSE) refers to the combination of several cloud-based security services within the SASE architecture.
“Structural awareness” solutions help reduce risk and safeguard data and systems.
- Compliance with cloud standards and good practices: monitoring and continuous evaluation of the environment, plus the ability to enforce well-known good practices.
- Instance and container visibility: monitoring and protection of containers throughout their lifetime.
- Virtual Private Network: secure access to applications running in the VPC for employees who work remotely.
- Data security: encryption and key management solutions to safeguard data and ensure regulatory compliance.
- Vulnerability assessment and management: visibility into the attack surface to find and address security concerns.
- Software composition analysis: security control and administration of open source licenses.
- Operational intelligence: aggregating and analyzing information on performance, availability, and security.
- DevSecOps: continuous, automated process management that builds security into continuous integration and delivery.
- Cyber risk management: prioritized insight into the risks, vulnerabilities, and impact of cloud-based assets.
- Container security: a hardened or minimal operating system built to run containers. Running the same security service on the host limits the extent of an intrusion.
- Backups: maintaining backups ensures availability and helps with legal compliance, such as retaining information for seven years.
- Permissions: strong authorization and authentication, together with continuous audits.
“Situational awareness” solutions detect security incidents, respond and recover data, and provide continuous improvement.
- Firewalls and proxy servers: fine-grained analysis of traffic for possible threats at the network and application level.
- Endpoint detection and response: guards endpoints, such as cloud workloads, against zero-day attacks and other threats.
- Intrusion detection systems: monitor networks and workloads for security incidents.
- Backup and restoration: protects data from failures, errors, and accidental deletion.
- Disaster recovery: the added ability to recover rapidly from a catastrophe by keeping cloud workloads accessible.
- Security information and event management: ingests, correlates, and prioritizes events to give greater insight into suspicious behavior and threat mitigation.
- Workload isolation: always-on security controls for containers, microservices, and other workloads.