Cloud enables users to dynamically avail resources based on their needs, and only pay for what they use. That’s a great invention for the digital world. But how secure is it? We take a look at the key elements involved in cloud security.
Cloud security is the shared responsibility of the customer and the cloud service provider (CSP). Though users technically own the servers, they generally don’t have physical control over them. Authentication, authorisation, firewalls, audit and transaction visibility are crucial steps in cloud security.
Regions and availability zones
Uptime and availability are important aspects of cloud security. Service providers maintain their infrastructure in different geographic locations. For each region there can be more than one availability zone (AZ). For example, a cloud service provider could support two regions — India and Australia, and in each of the regions there could be multiple AZs. For instance, there could be two AZs in Mumbai in India but in different parts of the city.
Each of the AZs is self-contained and independent, having different power providers, separate network confirmations, and so on. This makes them reliable, as downtime in one AZ will not affect the other AZ.
As users we can take advantage of this, and configure our application to the nearest region in order to reduce latency. We can also load balance either through active/active or active/standby configurations. This provides the flexibility to switch when there is an issue or overload requests, enabling high availability.
Each region’s cost may differ with respect to the services, and not all regions provide all the services. Also, while selecting the region, compliance regulations need to be considered.
Virtual private cloud (VPC)
In a public cloud space we can create a private isolated network known as virtual private cloud or VPC. This is just like the private cloud having both public and private subnets. The private cloud does not expose the IP addresses as public addresses and is accessible only through restricted means. VPC is essentially at the network layer as an IaaS service.
As an analogy, in IT parks different organisations can use different facilities such as parks and auditoriums, but the work area is private where only employees or restricted persons can enter. The VPC is similar to this private area. Users have proper control over it and it’s also considered to be secure. For example, the web servers can be accessed from anywhere but the database can be accessed only by the backend application servers.
Multiple subnets can be created in the single VPC, within the range of the IP addresses the VPC is created with. The subnet can be either private or public, drawing the line for the servers in these networks not to access data from the public network.
VPC gateway endpoints allow connecting multiple VPCs, keeping the data private without using the internet.
Virtual LANs (VLANs) partition the network, and the connected group of servers can access each other without using the internet. Here, the partitioning occurs in layer two of the OSI model.
Virtual private networks (VPN) use encryption on top of the public network, making it secure and avoiding man-in-the-middle attacks.
Security groups act as a ‘firewall’ on instances. Using a security group, we can control both the incoming and outgoing traffic. They are stateful, which means any traffic that is allowed to go out, can go back in. They support only allow rules, which means traffic cannot be explicitly blocked, and only configured traffic is allowed in.
NACLs (network access control lists) act as a ‘firewall’ at the subnet level. We can associate a single NACL to multiple subnets, but only one NACL can be assigned a subnet.
Stateless inbound and outbound rules apply for all traffic. For example, if the output traffic is allowed our request will reach out, but if we expect a response, the outbound rules must be specified. Both allow and deny rules for both inbound and outbound traffic are supported. Here we can specify only a reference to a CIDR range (no hostname).
Cloud service providers also offer security at different OSI layers, such as WAF or web application firewall secured at layer 7, network firewall protected at layer 4, and so on. This enhances security by blocking unusual API calls, not allowing or allowing access from certain geographic locations, and tracking and reporting attempts made to access critical data.
IAM (identity and access management) policies
Cloud access to resources is governed by policies and their permissions centrally, with audit enabled by default. Each policy can be attached to the entity, user, user group or a role.
There are two basic policies — identity based policy and resource based policy. Under identity based policy, permissions are given to the user or user group. The resource based policy defines who can access the data and what activities they are allowed to perform.
Access is granted only when both the policies allow it; if either policy denies access, it will not be granted. By default, all the access is denied, and only an explicit ‘allow’ grants the access. But if there is an explicit ‘deny’, it will get higher precedence and access will be denied.
Granular access policies can be set such as to allow or disallow certain IP addresses, data and time, group, geographic locations, etc.
Applications that use API keys, encryption keys or credentials should not be hard coded. Cloud provides services to handle secrets elegantly. Secrets are encrypted at rest and in transit.
Secrets management protects and manages access to applications and services. IAM policies make sure one has access to secrets.
Monitoring and auditing is a crucial phase of cyber security. The cloud provides a framework and services to manage and enable monitoring at the granular level.
IAM access, policy change, and infrastructure changes are some of the common tasks where the logging is default enabled and aggregated in the central location. But these are not sufficient; the cloud provides APIs to write customised logs based on the user’s requirement.
These centralised logs can be used for further inspection and analysis, as well as integrated with any SEIM (security information and event management) solution. Intuitive reports can be created from these logs.
Cloud access security broker (CASB)
Each cloud service provider offers a set of tools that enable the security tools. But there could be gaps or these may not match the requirements. And as the data resides with the cloud service provider, adhering to security policies becomes important. In such scenarios CASB comes to the rescue, fills in the gaps and compliments cloud security services. This broker is placed between the cloud consumer and the cloud provider.
CASB provides security software as a service, addressing cloud service risks, enforcing the security policy, threat protection, data security, and compliance with regulations. It can be implemented as software running either locally or in the cloud, and has four primary characteristics.
- Visibility: Visibility of all the processes running on the cloud and ensuring they are authorised; validation and avoiding misconfigurations.
- Compliance: Following the organisation’s own or mandated policies, like HIPAA and PCI.
- Threat prevention: Allowing only authenticated and authorised users to the granular level, including multi-level approvals or multi-factor authentication.
- Data security: Protecting and encrypting sensitive data at rest and in transit. Ensuring APIs are secure.
CASB, along with next-generation secure-web gateways (SWGs), monitoring and management of web APIs, and user/entity behaviour analytics (UEBA), provides the capability to deliver static and dynamic access to the management.
CASB is evolving into a huge service known as secure access service edge (SASE) architecture. SASE combines multiple security and networking technologies to provide comprehensive web and cloud security. Security service edge (SSE) is the convergence of multiple cloud-based security services as part of a SASE architecture.
‘Structural awareness’ solutions help manage risk, and protect systems and data.
- Cloud compliance and best practices: Visualisation and continual assessment of the environment, including the ability to enforce known good standards.
- Instance and container visibility: Monitoring and protection of containers throughout their life cycle.
- Virtual private network: Secure access to applications running in a VPC for remote employees.
- Secure data: Encryption and key management solutions to protect data and meet regulatory compliance standards.
- Vulnerability assessment and management: Visibility into the attack surface to discover and resolve security issues.
- Software composition analysis: Management of and security for open source licences.
- Operational intelligence: Aggregation and analysis of data for security, performance, and availability.
- DevSecOps: Automated and continuous process management for continuous integration and delivery of secure applications.
- Cyber risk management: Prioritised insight into the threats, vulnerabilities, and impacts of cloud assets.
- Container security: Minimal or hardened operating system that is specifically designed to run containers. Running similar security demand services on the same host limits the scope of intrusion.
- Backup: Maintaining backups ensures availability and helps to follow legal requirements such as holding information for seven years.
- Permissions: Authentication and authorisation at a granular level, and constant audits.
‘Situational awareness’ solutions detect security events and are capable of responding, recovering data, and enabling continual improvement.
- Firewalls and proxies: Provide fine-grained inspection of traffic for potential threats at both the network and application levels.
- Endpoint detection and response: Protects endpoints, including cloud workloads from zero-day and other attacks.
- Intrusion detection systems: Monitor networks and workloads for security events.
- Backup and restoration: Protects data from errors, failures, and accidental deletion.
- Disaster recovery: Provides additional flexibility to quickly recover from a disaster, ensuring that cloud workloads are available.
- Security information and event management: Ingests, correlates, and prioritises events for deeper visibility into anomalous behaviour and threat mitigation.
- Workload isolation: Provides dynamic security control for microservices, containers, and other workloads.