<

Better Security in the Cloud

Published on
4,093 Points
693 Views
4 Endorsements
Last Modified:
madunix
Over 25 years experience, been involved in systems administration, networks, open source, security and Infrastructure. Made from 100% Geek.
As more and more organizations are pushing their operations to the cloud, it's vital that you understand how threats could compromise those operations. We will focus on the aspect of the cloud security computing threats and countermeasure.

Introduction


On-premise (on-prem) computing is a type of computing in which all the computing resources are accessed and managed by or from the premises. If you're running an application infrastructure that is on-premise, all of your applications and all the servers are going to be running in your data center inside your building, and you have complete control over everything that happens with those systems. Cloud computing is a pool of resources, which can be accessed online.


Cloud computing services are platform independent; they are accessible across many devices with an Internet connection. In the NIST definition stated, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.


NIST identifies five characteristics that a Cloud Computing environment must include to implement ‘true’ Cloud Computing. The five characteristics are:

• On-Demand, Self-Service (Provisioning of services on Demand)

• Resource Pooling (Sharing of resources such as Memory, Bandwidth, etc.)

• Measured Service (Metering the usage, pay-as-you-go)

• Rapid Elasticity (Scale-out, Scale-in)

• Broad Network Access (Resources and apps available over the network)


Moving to the cloud will not stop attackers from attempting to break in. The cloud is susceptible to the same attacks as on-prem, but they are more exposed to the Internet attacks. Internet-related risks can be malware; a man in the middle attacks and eavesdropping can be experienced. However, attacks can vary, they can be on the client side or the cloud service provider (CSP) side; both are dangerous and the availability of information can be breached when using cloud computing and client data can be accessed by unauthorized entities or even modified.


The vast amount of data stored in the cloud from many different users makes cloud service providers (CSP) an attractive target for attacks. While cloud providers are responsible for providing security controls, clients are responsible for using those measures and protecting their own data. For instance, cloud providers would offer data encryption at rest, but clients are responsible for incorporating encryption in the cloud model deployment.


Cloud Computing Security Threats and Attacks


Many enterprises are looking to adopt cloud services instead of on-prem computing, but most cannot afford the risk of compromising the security of their data. Security is the greatest challenge of cloud computing. It's clear that there are a lot of challenges with how we secure applications with a number of challenges that are unique to the cloud.


The most important classes of cloud-specific risks are (ENISA - Cloud Computing: Benefits, risks, and recommendations for information security):

• Loss of governance: CSP does not commit to the necessary task

• Vendor lock-in: poorly crafted contract can lead to vendor lock-in

• Isolation failure: one tenant influences another.

• Compliance risks: i.e. Audit impossible, or no evidence

• Management interface compromise

• Data protection: protection cannot be demonstrated

• Insecure or incomplete data deletion

• Malicious insider


Security breaches happen daily, if you're looking at the news these days you'll find, every other week, an article about a company that was compromised or lost data. According to the latest reported incidents breaches, the following security issues been reported to include, but not be limited to, the following: exposed cloud storage, Bitcoin botnet, sensitive data loss due to the unencrypted storage volume, outages due to API, key leakage, etc. In the most recent edition of the report Cloud Security Alliance (CSA Top Threats research - The Treacherous 12) experts identified the following 12 critical issues to cloud security:


• Data Breaches

• Weak Identity, Credential, and Access Management

• Insecure APIs

• System and Application Vulnerabilities

• Account Hijacking

• Malicious Insiders

• Advanced Persistent Threats (APTs)

• Data Loss

• Insufficient Due Diligence

• Abuse and Nefarious Use of Cloud Services

• Denial of Service

• Shared Technology Issues


Cloud Security is the Responsibility of both Cloud Provider and Consumer


Cloud computing security is the responsibility of both provider CSP and consumer/client. Few points to be considered from CSP-side:

• Enforce data protection and backup
• Enforce legal contracts with employees
• Strong triple A’s (authentication, authorization, audit)
• Strong key generation
• Client traffic monitoring for malicious activities
• Ensure physical security

• Enforce secure standards for new installations and configurations
• Isolate memory, storage, and management network
• Implement multifactor authentication

Few points to be considered from Client-side: 
• Prohibit user credential sharing
• Use encryption to transmit and store data

• Enforce SLAs for patching and vulnerability remediation
• Analyze cloud provider security design and service level agreement (SLA)
• Assess security of APIs
• Use Multiple factor authentication

• Perform risk assessment

• Create process from breach notification

• Consider a DRP/BCP



Best Practices for Securing Cloud


Here are few important conditions to ensure security on cloud systems:

• Perform risk assessment and understand your security responsibilities.

• Analyze deployment model and align your cloud security architecture to the business.

• Apply security at all layers data, application and infrastructure.

• Implement security procedure to identify information risks associated with the cloud, assess, treat, monitor the situation and handle any changes.

• Perform your due diligence.

• Data stored in the cloud should be stored in an encrypted form to ensure confidentiality. Only users who have permission to access the data should have decryption permission.

• Incorporate identity and access management (IAM).

• Consider encryption key ownership. Rotating the keys and setting a standard password expiration policy helps prevent access due to a lost or stolen key.

• Apply multifactor authentication MFA for all critical operations.

• Enable logging will allow you to track and identify potential attempts at unauthorized access.

• Use security information and event management (SIEM) to monitor configurations, looking for an anomaly, correlating and provide alerts when a misconfiguration is identified.

• Apply web application firewall (WAF) solutions.

• The CSP platform should apply for the compliance program.

• Incorporate a patch management system to identify misconfigurations, identify missing security patches or critical updates and quickly apply to update.

• Ensure the configurations are set up securely.

• Conduct security testing such as vulnerability assessment and penetration test to identify and remediate possible vulnerabilities, and taking a closer look at overall security.

• Apply Secure DevOps, which opens up many opportunities for security to improve code hardening, change management, and production application security.

• Plan exit strategy.

• Security Awareness Training for Cloud Users.



Conclusion

Four aspects that are important to consider in deploying or using cloud services: the first aspect is to make sure security or privacy breaches in a cloud deployment are correctly addressed. Second is having a cloud computing solution that enables the enterprise to know that they deploy cloud computing platform based on proven industry frameworks. A third aspect is meeting compliance requirements including general legislation, organization policies, and contractual obligations. Finally, maintain transparency in the cloud deployment, so that the operation of a cloud deployment is sufficiently clear to all stakeholders and CSP.



Reference Documents

https://www.cybersecurity-insiders.com/wp-content/uploads/2018/03/2018-Cloud-Security-Report.pdf

https://nvlpubs.nist.gov 

https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment

https://www.skyhighnetworks.com/cloud-security-blog/aws-security-best-practices/

https://www.ibm.com/cloud/garage/architectures/securityArchitecture/implement-secure-devops/

https://www.technologyreview.com/s/425970/who-coined-cloud-computing/

https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

https://www.networkworld.com/article/2223442/tech-debates/security--on-premise-or-in-the-cloud-.html

https://www.studynotesandtheory.com/single-post/CISSP-Process-Guide-Notes-PDF-Free

4
Comment
Author:madunix
1 Comment
LVL 16

Expert Comment

by:Edwin Hoffer
Nice piece of information contains in this article.

We have to know about the latest trends in IT before going to know about Cloud Security in details.

Visit some good article link:

https://www.experts-exchange.com/articles/31708/Current-IT-Trends-and-Cloud-Security-Threats-2018.html

https://www.experts-exchange.com/articles/31694/What-is-Cloud-Based-Security-What-are-its-Security-Controls.html
1

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Join & Write a Comment

Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month