Plain and Simple…. People are people, and the bad ones are even worse in trying times. They look to take advantage of lax security standards, especially in the age of Cloud Computing, so I thought I would start putting together some general Cloud Security measures that apply to all platforms. I will keep the Azure and IPsec write-ups coming as I have time, but I just wanted to do my part to help those new to the Cloud and even those who have been with it for years.
This series will be based on ISC2’s CCSP (Certified Cloud Security Professional) exam, and I hope it helps my fellow IT community. #dontcodealone
Domain One: Architectural Concepts and Design Requirements (Part One)
Intro to Cloud Concepts
Things to keep in mind:
Managed Service Provider – Company or Organization that remotely manages a Customer’s IT Infrastructure / end user systems.
Client maintains control over the implemented technology and its day to day operations. Think, MSP provides the tools, but the client uses them.
What Drives companies to the Cloud?
- Cost Savings
- Risk Transference and Reduction
- Less Overhead and Pay as you Go Models
- Elasticity of Cloud Computing – Meaning that as service demands grow and shrink so does what the customer pays. Pay for what you use Model
- Highly Automated and Secure Storage – This is very much dependent on the Service Level Agreement. Security of the Cloud Space and Services an Organization buys usually falls on the Customer.
Note: Every Company thinking of moving to the Cloud should base that decision on a Cost-Benefit Analysis!
Cloud Deployment Modes
- Public – Most common type; shared physical resources (multitenant) and the Cloud Services are delivered through the ISP to the Cloud Service Consumer (e.g., Azure, Amazon, Google). Lower Costs, No physical maintenance on servers/datacenter, Near unlimited Scalability and High Reliability.
- Private – Network and Compute resources dedicated solely to a CSC. Systems can be physically on site or housed by a third party. Think large organizations like Google, Microsoft, Governments. More expensive, but more flexibility, control, improved security and Highly Scalable.
- Hybrid – The linking of on-premises infrastructure with public or private clouds. Ideal for organizations with existing infrastructure or sensitive data needs that still require the Services only the Cloud can provide in terms of cost, ease of use and applicability. Balanced control, flexibility, cost benefit and ease of use or transition to the cloud.
- Community – Multiple Organizations team together to pay for and use Cloud Services. Very cost effective, improved sharing of information among like organizations but still retaining the ability to protect data. (e.g., HIPAA data)
Cloud Service Models (Standard 3)
SaaS – Software as a Service
PaaS – Platform as a Service (Perfect for DevOps)
IaaS – Infrastructure as a Service (Replacing the traditional Datacenter)
Cloud Computing Standards Roadmap – NIST SP 500-291
As defined by NIST, Cloud Computing is a model for enabling ubiquitous, convenient on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or Service Provider Interaction.
Cloud Computing Road-Map
- Broad Network Access – Prioritize Bandwidth, it should never be a bottleneck
- On-Demand Services – Customers should be able to scale their environment without CSP involvement.
- Resource Pooling – CSP shares physical resources across multiple tenants.
Note: A Private Cloud is when an organization retains sole ownership or use of the physical resources and the CSP provides the On-Demand Services.
- Measured or Metered Service – The CSP measures or monitors the provision of services.
- Rapid Elasticity – The ability to scale up or down as needed.
NIST – 5 Cloud Actors
- Cloud Service Consumer – Entity that utilizes or subscribes to Cloud based Services
- Cloud Service Provider – Self Explanatory
- Cloud Carrier – Typically an ISP; provides connectivity between the CSP and CSC
- Cloud Services Broker – a third party that acts as an intermediary between the CSP and CSC to help the CSC understand and purchase the Services they need.
- Cloud Service Auditor – A third party that verifies the attainment of an SLA
Example of a Cloud Service Auditor resource: the CSA Security, Trust, Assurance and Risk (STAR) Registry
Cloud Actor Functions:
Cloud Service Provider
- Service Orchestration – Service Layer (SaaS, PaaS, IaaS), Resource Abstraction and Control, Physical Resources (Hardware, Facility)
- Cloud Service Management – Business Support, Provisioning & Config, Portability & Interoperability
- Security & Privacy
Cloud Service Auditor
- Security Audit, Privacy Impact Audit, Performance Audit
Cloud Services Broker
- Service Intermediation, Service Aggregation, Service Arbitrage
General Security Requirements
- Shifting Capital Expenditure to Operational Expenditure
- Distributed – Pay attention to Laws by State / Region
- Multitenant – Using shared physical resources
- Responsibility Cannot be Transferred – Customer is responsible for the use and protection of resources.
- Privacy – Determined by law and the SLA
- CSP – May have higher requirements than the CSC
- DAR – Data at Rest (Encryption, Redundancy)
- DIM – Data in Motion (Separation, Isolation, Transport Security, VLANs, SSL/TLS, IPsec)
- DIU – Data in Use (Protection of APIs, digital signatures and encryption, restricted access, Homomorphic Encryption. The idea is to keep data encrypted even while it is being manipulated in memory or shared with another application. *Never having to decrypt*)