The adoption of public cloud deployments has accelerated for most organizations in recent times. In fact, around 40-50% of companies are opting for some sort of public cloud service for storing their data.
However, managing the security and compliance requirements of their cloud deployments, particularly on public clouds, is their #1 cybersecurity challenge. Most organizations find it hard to detect and respond to cloud security incidents.
What is cloud security?
Cloud security is all about applying cybersecurity practices and programs to the protection of your data and applications on public and private cloud platforms.
Cloud security couples traditional cybersecurity issues with new challenges related to cloud environments.
The benefits of cloud security are these:
· You can discover vulnerabilities and misconfigurations in cloud-based infrastructure.
· You can ensure software code undergoes security testing at every step in the development, test, and deployment process.
· You can monitor for incidents in applications on cloud platforms, including workloads running on virtual machines and in containers.
· You can detect indicators of advanced attacks, such as anomalous behaviors and evidence of credential theft and lateral movement.
· You can stop attackers from taking control of cloud platform consoles and appropriating cloud resources for criminal purposes like cryptojacking, hosting botnets, and launching denial-of-service (DoS) attacks.
-
TOP 3 ISSUES AFFECTING CLOUD SECURITY
Many factors contribute to the main issues in deploying and managing the security of cloud environments effectively.
Information security is said to be about "protecting confidentiality, integrity and availability," and this is a fundamental idea that is no different whether you are on-premises or in the cloud.
I would like to discuss at least three major issues here:
1. Shared Responsibility
2. Lack of Visibility
3. Misconfiguration or Configuration Drift
I will be discussing Shared Responsibility at the end of this post...
-
1. Shared Responsibility
This is perhaps the most important building block of cloud security. AWS, for example, has tried to define as clearly as possible the scope of responsibility for security measures for the 'cloud service provider' and for 'cloud users'.
Now is the time to observe the 'Responsibility Zones' in the diagram given above...
You can observe that:
· When the customer (user) is using/deploying SaaS (Software as a Service), his responsibilities are minimal.
· When he is using it as PaaS (Platform as a Service), his responsibilities increase.
· When he is using it as IaaS (Infrastructure as a Service), his responsibilities are even higher.
That's why it is very important for YOU as an organization to know which cloud components and associated security controls you're responsible for, so that you can implement appropriate controls and monitor them effectively over time.
Not only security but also compliance is a shared responsibility between the cloud service provider and the customer.
2. Lack of Visibility
Most security people feel hugely challenged to maintain complete and up-to-date visibility into their cloud deployments. It is important to realize that visibility into your workloads/VMs and all associated resources is a key requirement.
Beyond this, you need high visibility into the configuration and security controls of the overall public cloud account.
If you don't have the complete picture, it becomes impossible to effectively protect your public cloud deployments and to ensure that they remain protected over time.
-
3. Misconfiguration / Configuration drift
The next important area to dwell on is establishing, maintaining and enforcing APPROVED configurations. When you set out to define such approved configurations, I recommend that you include the following:
• Your internally defined security controls
• Your compliance-related controls
• Applicable 'Industry Standards'
• Applicable Best Practices
This will require a lot of deliberation. But once those configurations are defined, approved and deployed, it's critical that you continuously monitor and enforce them on all assets and associated resources.
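One way to monitor for drift from an approved configuration, shown here as an added example that is not part of the original article: it compares an observed set of firewall (security group) rules against an approved baseline. The group names, rules, and the `flatten` and `find_drift` helpers are constructed for illustration; the snapshot uses the field names of the EC2 DescribeSecurityGroups response.

```python
# Added example: diff observed security-group rules against an approved baseline.
APPROVED = {  # constructed baseline: group id -> {(protocol, from, to, cidr)}
    "sg-web-example": {("tcp", 443, 443, "0.0.0.0/0")},
    "sg-db-example": {("tcp", 5432, 5432, "10.0.1.0/24")},
}

# Constructed snapshot in the shape of EC2 DescribeSecurityGroups output.
OBSERVED = {"SecurityGroups": [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db-example", "IpPermissions": []},
    {"GroupId": "sg-unknown-example", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]}


def flatten(group):
    """Expand one group's IpPermissions into a set of comparable rule tuples."""
    rules = set()
    for perm in group.get("IpPermissions", []):
        for rng in perm.get("IpRanges", []):
            # Protocol "-1" (all traffic) carries no port range, hence .get().
            rules.add((perm["IpProtocol"], perm.get("FromPort"),
                       perm.get("ToPort"), rng["CidrIp"]))
    return rules


def find_drift(approved, observed):
    """Return sorted (group_id, kind, rule) findings; empty means no drift."""
    findings, seen = [], set()
    for group in observed["SecurityGroups"]:
        gid = group["GroupId"]
        seen.add(gid)
        if gid not in approved:  # asset exists but was never approved
            findings.append((gid, "unapproved_group", None))
            continue
        actual = flatten(group)
        findings += [(gid, "unexpected_rule", r) for r in actual - approved[gid]]
        findings += [(gid, "missing_rule", r) for r in approved[gid] - actual]
    # Approved assets that no longer appear in the snapshot are drift as well.
    findings += [(gid, "group_not_found", None) for gid in approved.keys() - seen]
    return sorted(findings, key=repr)


print(*find_drift(APPROVED, OBSERVED), sep="\n")
```

Run on a schedule against fresh snapshots, a non-empty result is the signal to either remediate the asset or formally update the approved baseline.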
-
Security of The Cloud Vs Security in The Cloud
When you look at AWS's Shared Security Model (right side of the graphic), you will find that:
AWS is responsible for the 'Security of the cloud'.
It is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
The customer is responsible for 'Security in the cloud'.
Customer responsibility is determined by the AWS Cloud services that a customer selects. This also determines the amount of configuration work the customer must perform as part of their security responsibilities.
For example, if you have chosen the Amazon EC2 service (Amazon Elastic Compute Cloud), which is basically IaaS, then it is your responsibility to perform all of the necessary security configuration and management tasks. You are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by you on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.
For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. As a customer, you are responsible only for managing your data (including encryption options), classifying your assets, and using IAM tools to apply the appropriate permissions.
-
Similarly, when it comes to security controls, the responsibility is shared once again...
Physical and environmental controls are ones you inherit fully from AWS.
There are some controls for which you are totally responsible, based on the application you are deploying within AWS services. Examples are Service and Communications Protection, or Zone Security, which may require you to route or zone data within specific security environments.
Now let us understand Shared Controls...
These are controls which apply to both the infrastructure layer and the customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services.
Here are some examples which will make it easier for you to understand:
· Awareness & Training
AWS trains AWS employees, but you as a customer must train your own employees.
· Patch Management
AWS is responsible for patching and fixing flaws within the overall infrastructure, but you are responsible for patching your guest OS and your applications.
· Configuration Management
AWS maintains the configuration of its infrastructure devices, but you as a customer are responsible for configuring your own guest operating systems, databases, and applications.
-
This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...