Sunday, June 28, 2020

Cloud Security, Implications, and Policy

Cloud security is about securing the cloud and securing access to the cloud. In this lesson, we’ll look at security, implications, and policies of cloud computing.

Shared Responsibility

We have different cloud service models (IaaS, PaaS, and SaaS). In these different service models, there is a shared responsibility.

Cloud service models: IaaS, PaaS, SaaS

With the IaaS service model, the cloud provider is responsible for the security of the lower layers. The customer is responsible for the security of the operating system and everything that runs on top of it. With PaaS, the cloud provider is responsible for everything except the data and application.

With a SaaS solution, the cloud provider is responsible for everything. The higher the cloud provider’s control of the service model, the more security responsibilities the cloud provider has.

Cloud service models: security responsibility

The Cloud Security Alliance (CSA) is an organization that promotes best practices for cloud security. They offer a security guidance document that covers best practices and recommendations for all domains in cloud computing.

They have two recommendations for the shared responsibility model:

  • Cloud providers should clearly document their internal security controls and customer security features so the cloud user can make an informed decision. Providers should also properly design and implement those controls.
  • Cloud users should, for any given cloud project, build a responsibilities matrix to document who is implementing which controls and how. This should also align with any necessary compliance standards.

The CSA provides two tools to help meet these requirements:

  • Consensus Assessments Initiative Questionnaire (CAIQ): a template for cloud providers to document their security and compliance controls.
  • Cloud Controls Matrix (CCM): lists cloud security controls and maps them to multiple security and compliance standards. You can also use the CCM to document security responsibilities.
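As an added example of the two CSA recommendations above (the responsibilities matrix and the CCM used to document responsibilities), here is a small gap check written for this lesson; it is not CSA code and not part of the original post. The layer list and the per-model ownership rules are assumptions chosen for the example (the CCM uses its own control domains), and the project matrix is a constructed sample.

```python
"""Responsibility matrix gap check (added example; not from the CSA or the lesson).

Derives the expected owner of each layer from the service model and compares it
with the matrix a project team wrote, reporting layers that are missing, that are
assigned to the wrong party, or that are left as 'shared' without an implementer.
"""

# Assumed layer split, bottom of the stack to the top (simplified on purpose).
LAYERS = [
    "physical", "network", "virtualization",
    "operating_system", "runtime", "application", "data",
]

# First layer the customer owns, per service model (assumed rule set):
# IaaS: customer owns the OS and everything above it.
# PaaS: customer owns only the application and the data.
# SaaS: the provider owns every layer.
_CUSTOMER_FROM = {"IaaS": "operating_system", "PaaS": "application", "SaaS": None}


def expected_owners(service_model):
    """Return {layer: 'provider' | 'customer'} for the given service model."""
    first_customer_layer = _CUSTOMER_FROM[service_model]
    owners = {}
    customer_side = False
    for layer in LAYERS:
        if layer == first_customer_layer:
            customer_side = True
        owners[layer] = "customer" if customer_side else "provider"
    return owners


def check_matrix(service_model, matrix):
    """Compare a project's responsibilities matrix with the service model.

    matrix maps layer -> 'provider', 'customer' or 'shared'.
    Returns findings: layers missing from the matrix, layers whose documented
    owner conflicts with the model, and 'shared' entries that still need a
    named implementer (the CSA asks who implements which control, and how).
    """
    expected = expected_owners(service_model)
    findings = {"missing": [], "conflict": [], "shared_unassigned": []}
    for layer, owner in expected.items():
        documented = matrix.get(layer)
        if documented is None:
            findings["missing"].append(layer)
        elif documented == "shared":
            findings["shared_unassigned"].append(layer)
        elif documented != owner:
            findings["conflict"].append((layer, documented, owner))
    return findings


# Constructed sample matrix for an IaaS project: the team forgot the runtime
# layer and assumed the provider patches the guest operating system.
EXAMPLE_IAAS_MATRIX = {
    "physical": "provider",
    "network": "provider",
    "virtualization": "provider",
    "operating_system": "provider",   # conflict: on IaaS the customer owns the OS
    "application": "customer",
    "data": "customer",
}

if __name__ == "__main__":
    for kind, items in check_matrix("IaaS", EXAMPLE_IAAS_MATRIX).items():
        print(f"{kind}: {items}")
```

Running the script against the sample matrix reports the missing runtime layer and the operating system conflict; an empty findings dict is the signal that the matrix at least covers every layer consistently with the chosen service model.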

Compliance

Regulatory compliance means that an organization has to conform to a specification, policy, standard, or law relevant to its business processes. Violations of regulatory compliance often result in legal punishment, including fines.

Here are examples of regulatory compliance laws and regulations:

  • Payment Card Industry Data Security Standard (PCI DSS): an information security standard for organizations that handle credit cards.
  • Health Insurance Portability and Accountability Act (HIPAA): US legislation that provides data security and privacy to protect medical information.
  • General Data Protection Regulation (GDPR): EU legislation on data privacy and protection for individuals within the European Union.

There are also cloud-specific standards. Here are two ISO standards:

  • ISO 27017: ISO standard that provides guidelines on the security aspects of cloud computing.
  • ISO 27018: ISO standard that provides guidelines on protecting Personally Identifiable Information (PII) in cloud computing.

Threats and Risks

Cloud environments face the same threats as traditional (on-premises) IT infrastructures. The cloud runs on software. Software has vulnerabilities; attackers try to exploit these vulnerabilities.

The main difference between traditional IT infrastructures and cloud computing is that the cloud provider and customer share the responsibility for mitigating these threats. The customer has to understand who is responsible for what and trust that the cloud provider meets its responsibilities.

Let’s discuss some threats unique to cloud computing.

Limited visibility and control

The responsibility of the customer and cloud provider depends on the cloud service model. With the PaaS and SaaS service models, the cloud provider is responsible for most layers. This also means that the customer doesn’t have much visibility into what happens behind the scenes. The customer might want to monitor and analyze their applications, but when the cloud provider manages the network layer, that traffic is outside the customer’s control.

Simplified unauthorized usage

Shadow IT refers to resources that users use without explicit approval from the organization. This is also a risk in traditional IT environments, for example users who use Google Drive, OneDrive, or physical devices like USB sticks.

Cloud providers make it easy to provision new on-demand resources. It’s easy for staff to provision new cloud resources (especially PaaS and SaaS) without consent from the IT department. The IT department can’t protect something they don’t know about. Shadow IT reduces visibility and control.

Management APIs

We use management APIs to interact with cloud services; automation and orchestration tools rely on them. These management APIs are sometimes accessible over the Internet and can have vulnerabilities.

Separation between tenants

A multi-tenant cloud is a private or public cloud where customers use services on a shared infrastructure. Vulnerabilities in a multi-tenant cloud are a risk. An exploit of a vulnerability in an application, hypervisor, or hardware could overcome the logical isolation between customers, giving an attacker access to the data of other customers.

Incomplete data deletion

The customer has limited visibility because they don’t know where the cloud provider physically stores their data. The cloud provider might spread out data over multiple storage devices. This reduces the ability of the customer to verify whether data has been securely erased.

Stolen credentials

You can create and access cloud resources through the GUI, CLI, or APIs. When your API keys are exposed, an attacker might try to create cloud resources. There are plenty of horror stories online where someone accidentally committed their Amazon AWS API keys to a public GitHub repository and ended up with a huge bill because hundreds of virtual machines were mining cryptocurrency. Cloud providers like AWS often waive these charges when it happens the first time.
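One way to catch the accidental commit described above before it reaches a public repository is a pre-commit check that scans the files being committed for AWS key material. The script below is an added example written for this lesson, not AWS or GitHub tooling; it relies on the documented AWS access key ID format (a 4-letter prefix such as AKIA or ASIA followed by 16 uppercase letters or digits). The sample file content is constructed and uses the placeholder key pair that AWS prints in its own documentation, not a real credential.

```python
"""Scan text or files for AWS access keys before they are committed (added example).

Typical use is as a git pre-commit hook: run it over the staged files and refuse
the commit when it returns findings. Only redacted values are printed so the
hook itself never echoes a full secret into a terminal or CI log.
"""
import re
import sys

# AWS access key IDs are 20 characters: a prefix such as AKIA (long-term IAM user
# keys) or ASIA (temporary STS keys) followed by 16 uppercase letters/digits.
# The lookarounds stop the pattern matching inside a longer token.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 base64-like characters. On their own that is too
# generic, so only flag them when the line names the variable.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def redact(value):
    """Keep only the first and last four characters so a report is safe to log."""
    return value[:4] + "..." + value[-4:]


def scan_text(text, source="<stdin>"):
    """Return a list of (source, line_number, kind, redacted_value) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append((source, lineno, "access_key_id", redact(match.group(0))))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((source, lineno, "secret_access_key", redact(match.group(1))))
    return findings


def scan_files(paths):
    """Scan each path as UTF-8 text; binary or unreadable files are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="strict") as handle:
                findings.extend(scan_text(handle.read(), source=path))
        except (OSError, UnicodeDecodeError):
            continue
    return findings


# Constructed sample of a staged diff: a credentials file added by mistake, plus
# two lines that must not trigger (a lowercase git SHA and a bucket name).
SAMPLE_DIFF = """\
+[default]
+region = us-east-1
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+# fixed build, see 8a1b2c3d4e5f60718293a4b5c6d7e8f901234567
+BUCKET_NAME = "shakia-logs"
"""

if __name__ == "__main__":
    # With file arguments behave as a hook; without them scan the sample diff.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_DIFF, "sample")
    for source, lineno, kind, value in hits:
        print(f"{source}:{lineno}: possible AWS {kind} ({value})")
    sys.exit(1 if hits else 0)
```

Wired into `.git/hooks/pre-commit` with the staged file list as arguments, a non-zero exit blocks the commit; the same scan over repository history finds keys that were already pushed and must be rotated rather than merely deleted, since a public commit is copied by crawlers within minutes.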

Vendor lock-in

Vendor lock-in is an issue when you want to move to another cloud provider. Cloud providers offer different services and non-standard APIs. Using multiple services from one cloud provider is tempting since they integrate so well. The more services you use, the harder it becomes to switch to another cloud provider.

When a cloud provider goes bankrupt, it might be difficult to retrieve your data, and it’s difficult to switch quickly to another cloud provider. There are options to mitigate this. A good example is the Serverless Framework for serverless applications. Cloud providers like Amazon AWS and Google Cloud offer serverless applications natively, but the Serverless Framework is like a layer on top of them. It makes it easier to move serverless applications from one cloud provider to another.

Another example is Terraform. Cloud providers offer tools to write your infrastructure as code: Amazon AWS has CloudFormation, and Google Cloud has the Cloud Deployment Manager. Terraform is a tool you can use to write infrastructure as code, and it supports multiple cloud providers.

Increased complexity

Migrating to the cloud introduces complexity into IT operations. IT staff have to learn new skills and must have the ability, skill level, and time to learn all this new technology. They have to do this next to maintaining their on-premises IT infrastructure.

The first time I logged into Amazon AWS, I felt overwhelmed with all the services (140+). It doesn’t help that they use cryptic names for their services. The cloud can be a rabbit hole where you dive into learning one service, only to discover ten other services that look interesting.

The CSA has good implementation guides about these threats and how to counter them.

Security

A cloud security architecture should protect everything:

  • Cloud
    • Public
    • Private
  • Endpoints
    • Mobile devices (smartphones and tablets)
    • Laptops
    • (Virtual) Servers
    • IoT (Internet of Things)
  • Network
    • Campus
    • Branch
    • Corporate DC

This lesson is intended for students preparing for the “evolving technologies” section of the Cisco CCIE/CCDE written exams, so let me give you an overview of three Cisco cloud security products:

  • Cisco Cloudlock: a Cloud Access Security Broker (CASB), a product that sits between on-premises infrastructure and a cloud provider. A CASB provides visibility and control of cloud activities, protects against compromised accounts, and identifies data exposures and privacy/compliance violations.
  • Cisco Umbrella: Cisco purchased OpenDNS and rebranded the OpenDNS enterprise security products as Cisco Umbrella. It’s DNS-based, monitors all internet activity, and stops connections to malicious internet destinations.
  • Cisco Stealthwatch Cloud: this product gives visibility into network and cloud traffic. It uses flow logs to monitor cloud network traffic and reports suspicious activity.

Conclusion

In this lesson, you learned about cloud security, implications, and policy. If you have questions, please leave a comment!
