Cloud Infrastructure

Could someone explain the issues in network, host, and applications levels of cloud infrastructure security?
K KAsked:
Who is Participating?
 
Fadi SODAH (aka madunix)Connect With a Mentor Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCECommented:
Cloud Deployment Models
  • Private (exclusive use by single organization);
  • Community (exclusive use by specific community);
  • Public (used by general public);
  • Hybrid (composed of two or more deployed models);


Cloud Service models
  • Software as a Service (SaaS), Example: Web mail customer uses providers applications;
  • Platform as a Service (PaaS), Example: Web service hosting; customer controls apps;
  • Infrastructure as a Service (IaaS),  Example: Linux server hosting; customer controls-operating systems, storage and applications;


Notice: It is important that you carefully review the terms of service when
evaluating a potential contract for cloud services and consider them in the
context of your organization’s security, so review contracts to ensure security and protection levels are agreed upon and ensure they have a business continuity plan (BCP) in place
0
 
btanConnect With a Mentor Exec ConsultantCommented:
It is not really issue in the 3 areas per se of the security architecture. Instead you should ask the challenges in ensuring those domains are secured against threats such as

- data leakage or theft due to misconfiguration, infection esp for exploitation due to co-sharing of host and network in cloud vm environment and no proper security segregation of data based on sensitivity or classification

- Unauthorised access and abuse via 3rd party contractor or privileged user esp from remote access and not using any form of 2FA (rely on username and password), lack of audit trail and no proper access matrix done

- No data integrity and unable to detect tampering or hijacking attempt esp when data are not end to end encrypted and no protection when data at rest, data in transit and data in use.

- Lack of oversight of the whole posture of setup due to over reliance & manual checking with outsourced vendor, no form of regime for penetration test and vulnerability scanning to establish snapshots of security health and using no compliance outdated application/system

Key for above the cloud security architecture need a security by design strategy and always Adopt a trust but verify mindset to ascertain the claims - e.g. verified to be working as it is expected.
0
 
btanConnect With a Mentor Exec ConsultantCommented:
Can also check out the checklist in Cloud Security Alliance Cloud Controls Matrix (CCM)

As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.

The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.
 https://cloudsecurityalliance.org/group/cloud-controls-matrix/
0
 
Fadi SODAH (aka madunix)Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCECommented:
Look at Statement on Auditing Standards (SAS) 70 audit report; SAS 70 is an internal controls audit carried out by a third-party auditing organization. http://sas70.com/
0
 
bbaoIT ConsultantCommented:
a broad question. could you please tell us your particular requirement or the things you most worry about?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.