Cloud Security in the time of COVID-19.

Plain and Simple… people are people, and the bad ones get even worse in trying times. They look to take advantage of lax security standards, especially in the age of Cloud Computing, so I thought I would start putting together some general Cloud Security measures that apply to all platforms. I will keep the Azure and IPPsec write-ups coming as I have time, but I wanted to do my part to help those new to the Cloud and even those who have been with it for years.

This series will be based on ISC2’s CCSP (Certified Cloud Security Professional) exam, and I hope it helps my fellow IT community. #dontcodealone

Domain One: Architectural Concepts and Design Requirements (Part One)

Intro to Cloud Concepts

Things to keep in mind:

Managed Service Provider – A company or organization that remotely manages a customer's IT infrastructure and/or end-user systems.

The client maintains control over the implemented technology and its day-to-day operations. Think: the MSP provides the tools, but the client uses them.

What Drives companies to the Cloud?

  • Scalability
  • Cost Savings
  • Risk Transference and Reduction
  • Less Overhead and Pay as you Go Models
  • Elasticity of Cloud Computing – As service demand grows and shrinks, so does what the customer pays. Pay-for-what-you-use model.
  • Highly Automated and Secure Storage – This is very much dependent on the Service Level Agreement. Security of the Cloud space and services an organization buys usually falls on the customer.

Note: Every company's decision to move to the Cloud should be based on a Cost-Benefit Analysis!

Cloud Deployment Modes

  • Public – Most common type; shared physical resources (multitenant) and the Cloud Services are delivered through the ISP to the Cloud Service Consumer (e.g., Azure, Amazon, Google). Lower costs, no physical maintenance on servers/datacenter, near-unlimited scalability and high reliability.
  • Private – Network and Compute resources dedicated solely to a CSC. Systems can be physically on site or housed by a third party. Think large organizations like Google, Microsoft, Governments. More expensive but more flexibility, control, improved security and Highly Scalable.
  • Hybrid – The linking of on-premises infrastructure with public or private clouds. Ideal for organizations with existing infrastructure or sensitive data needs that still require the services only the Cloud can provide in terms of cost, ease of use and applicability. Balanced control, flexibility, cost benefit and ease of use or transition to the cloud.
  • Community – Multiple Organizations team together to pay for and use Cloud Services. Very cost effective, improved sharing of information among like organizations but still retaining the ability to protect data. (e.g., HIPAA data)

Cloud Service Models (Standard 3)

SaaS – Software as a Service

PaaS – Platform as a Service (Perfect for DevOps)

IaaS – Infrastructure as a Service (Replacing the traditional Datacenter)

Cloud Computing Standards Roadmap – NIST SP 500-291

As defined by NIST, Cloud Computing is a model for enabling ubiquitous, convenient on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or Service Provider Interaction.

Cloud Computing Road-Map

  1. Broad Network Access – Prioritize bandwidth; it should never be a bottleneck.
  2. On-Demand Services – Customers should be able to scale their environment without CSP involvement.
  3. Resource Pooling – The CSP shares physical resources across multiple tenants.
  4. Measured or Metered Service – The CSP measures or monitors the provision of services.
  5. Rapid Elasticity – The ability to scale up or down as needed.

Note: A Private Cloud is when an organization retains sole ownership or use of the physical resources and the CSP provides the On-Demand Services.

NIST – 5 Cloud Actors

  1. Cloud Service Consumer – Entity that utilizes or subscribes to Cloud based Services
  2. Cloud Service Provider – Self Explanatory
  3. Cloud Carrier – Typically an ISP; provides connectivity between the CSP and CSC
  4. Cloud Services Broker – a third party that acts as an intermediary between the CSP and CSC to help the CSC understand and purchase the Services they need.
  5. Cloud Service Auditor – A third party that verifies the attainment of an SLA

Example of a Cloud Service Auditor resource: the Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) Registry

Cloud Actor Functions:

Cloud Service Provider

  • Service Orchestration
      ◦ Service Layer – SaaS, PaaS, IaaS
      ◦ Resource Abstraction and Control Layer
      ◦ Physical Resource Layer – Hardware, Facility
  • Cloud Service Management
      ◦ Business Support
      ◦ Provisioning & Configuration
      ◦ Portability & Interoperability
      ◦ Security & Privacy


Cloud Auditor:

  • Security Audit
  • Privacy Impact Audit
  • Performance Audit


Cloud Broker:

  • Service Intermediation
  • Service Aggregation
  • Service Arbitrage


General Security Requirements

Security Risks

  • Shifting Capital Expenditure to Operational Expenditure
  • Distributed – Pay attention to laws by State / Region
  • Multitenant – Using shared physical resources
  • Responsibility Cannot be Transferred – Customer is responsible for the use and protection of resources.
  • Privacy – Determined by law and the SLA
  • CSP – May have higher requirements than the CSC

Data States

  • DAR – Data at Rest (Encryption, Redundancy)
  • DIM – Data in Motion (Separation, Isolation, Transport Security, vLANs, SSL/TLS, IPSec)
  • DIU – Data in Use (Protection of APIs, digital signatures and encryption, restricted access; Homomorphic Encryption, i.e., the idea of keeping data encrypted even while it is manipulated in memory or shared with another application. *Never having to decrypt*)
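To make the "never having to decrypt" idea for Data in Use concrete, here is an added example that is not part of the original post: a toy Paillier scheme (additively homomorphic) in pure Python, in which a CSP totals a customer's encrypted usage readings without ever seeing the plaintext. The tiny primes and the metered-usage scenario are constructed for illustration; production systems use multi-thousand-bit keys from a vetted library.

```python
import random
from math import gcd

# Toy Paillier scheme: additively homomorphic, so the CSP can add
# ciphertexts (e.g. metered-usage readings) without ever decrypting.
# The primes below are tiny and constructed for illustration only.
P, Q = 10007, 10009

def keygen(p=P, q=Q):
    """Return (public, private) keys; uses the common g = n + 1 choice."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                           # with g = n+1, L(g^lam) = lam
    return (n, n + 1), (lam, mu)

def encrypt(pub, m):
    """Encrypt integer m (0 <= m < n) with fresh randomness r coprime to n."""
    n, g = pub
    n2 = n * n
    r = random.randrange(1, n)
    while gcd(r, n) != 1:
        r = random.randrange(1, n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def decrypt(pub, priv, c):
    """Recover m from ciphertext c: L(c^lam mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n

def add_encrypted(pub, c1, c2):
    """Homomorphic addition: E(a) * E(b) mod n^2 decrypts to a + b."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def csp_total(pub, ciphertexts):
    """What the provider runs: sum all readings while they stay encrypted."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total

def metered_usage_demo(readings=(120, 75, 310)):
    """Client encrypts readings, CSP totals them, client decrypts the sum."""
    pub, priv = keygen()
    enc = [encrypt(pub, r) for r in readings]   # data in use stays encrypted
    return decrypt(pub, priv, csp_total(pub, enc))
```

The provider only ever holds `pub` and the ciphertexts; the private key, and therefore the plaintext total, stays with the customer.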

References:

https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CSSLP/Domain-1

https://resources.infosecinstitute.com/category/certifications-training/ccsp/ccsp-domain-overview/domain-1-architecture-concepts-design-requirements/