- Basic aspects of managing cloud resources and related tasks
- Cloud access control fundamentals
Securing cloud resources involves implementing measures and best practices to protect data, applications and infrastructure deployed in a cloud environment from unauthorized access, data breaches and other security threats. Cloud security is a shared responsibility between the cloud service provider (CSP) and the cloud user (customer).
| Cloud Architecture | e.g. Responsibility for IaaS | e.g. Responsibility for PaaS |
|---|---|---|
| Workload | User | User |
| Services | User | CSP |
| Virtual Machines | User | CSP |
| Control Plane | CSP | CSP |
| Virtualization | CSP | CSP |
| Physical Infrastructure | CSP | CSP |
| Physical Facility | CSP | CSP |
From a security standpoint, where the customer's responsibility starts depends on the level of service used.
Whatever the level, the customer always owns access to its control plane (management tools: consoles, CLI, SDK, APIs) and to its data plane (the data and services themselves), so securing cloud resources at these two levels is essential and IAM is the key control for both.
- Identity protection
- Strong authentication mechanisms
- Control access
- Data encryption
- Network security
- Patching and updates
Security measures must be applied to both the data and the control plane.
Defense in depth (layered security) is a principle and strategy in cloud security that involves implementing multiple layers of security controls and measures to protect cloud resources from various threats and attacks.
- Robust and resilient posture
- Mitigate the risk of a single security control
Public Network (Perimeter)
- Public firewall, DDoS prevention, IDS/IPS, etc
Local Network
- Network ACL (NACL), device hardening, monitoring, etc
Operating System (Endpoint)
- Hardening, Patching, Endpoint Protection, Monitoring, etc
Service (Application)
- Hardening, Patching, Monitoring, Vuln Scanning, Testing, etc
Workload
- Authentication, Authorization, Auditing, Data access control, Monitoring, Encryption (in transit & at rest), MFA, etc
Cloud platform attacks refer to security incidents and vulnerabilities that specifically target cloud computing platforms.
🔗 Top 10 Cloud Attacks and What You Can Do About Them - aquasec.com
- Identities - SaaS, cloud platform and data plane identities
  - e.g. administrator Azure AD credentials/identities
- Data
  - e.g. AWS S3 buckets, relational/non-relational databases
- Services - SaaS, control plane services, compute instances
  - e.g. email, automation (API), EC2
- Misconfiguration - intentional or unintentional
  - e.g. publicly exposed data stores or services (databases, public APIs, etc)
- Account hijacking
  - e.g. brute force, password spraying, credential stuffing
- Service hijacking
  - e.g. insecure or leaked API keys
- Malware injection
  - e.g. compromised web app or API serving malicious code, infected VM, poisoned code repositories (open-source libraries)
Providers naming: AWS/GCP IAM, Azure AD
- Users - Cloud User, Guest User, External/Hybrid User (Federated Systems)
  - minimize privileged admin/root (cloud subscription account) user access - create groups and use dynamic management
  - run security assessments and audit user configuration
  - apply the least required rights concept (POLP, principle of least privilege)
- Resources
  - apply least privilege, audit resource access and review it regularly
  - use dynamic access policies
  - separate control plane and data plane access
e.g. it can be useful to organize user identities into a flow like this:
User identity/credentials (Access management) → Group → Role → Resource
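The least-privilege rules above (no wildcards, MFA on privileged actions, control plane separated from data plane) can be checked mechanically before a policy is attached. The following linter is an added example for these notes, not code from the page or from any CSP: the control-plane/data-plane split of S3 actions, the checks themselves and the three policy documents (placeholder account id and bucket name) are constructed for illustration. Only the policy grammar (string-or-list Action/Resource, the `aws:MultiFactorAuthPresent` condition key, the `${aws:username}` variable) is real IAM syntax.

```python
"""Least-privilege lint for AWS-style IAM policy documents (added example)."""
import json

# Assumed split for the example: which S3 actions manage the bucket (control
# plane) and which touch objects (data plane). Any iam:* action is control plane.
CONTROL_PLANE = {"s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:CreateBucket", "s3:DeleteBucket"}
DATA_PLANE = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _requires_mfa(condition):
    """True when the statement only applies to MFA-authenticated sessions."""
    flag = condition.get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(flag).lower() == "true"


def _is_control_plane(action):
    return action in CONTROL_PLANE or action.startswith("iam:")


def lint_policy(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        condition = st.get("Condition", {})

        if "*" in actions:
            findings.append(f"stmt {i}: Action '*' grants every API call")
        for a in actions:
            if a.endswith(":*"):
                findings.append(f"stmt {i}: service-wide wildcard '{a}'")
        if "*" in resources:
            findings.append(f"stmt {i}: Resource '*' is not scoped to specific ARNs")
        if any(a.startswith("iam:") for a in actions) and not _requires_mfa(condition):
            findings.append(f"stmt {i}: iam: actions allowed without an MFA condition")
        control = sorted(a for a in actions if _is_control_plane(a))
        data = sorted(a for a in actions if a in DATA_PLANE)
        if control and data:
            findings.append(f"stmt {i}: mixes control-plane {control} and data-plane {data} access")
    return findings


def lint_policy_json(text):
    return lint_policy(json.loads(text))


# Constructed sample policies (account id and bucket name are placeholders).
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}"""

MIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutBucketPolicy", "iam:CreateUser"],
    "Resource": "arn:aws:s3:::app-logs/*"
  }]
}"""

SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Allow", "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}"""

if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("mixed", MIXED_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, lint_policy_json(doc) or ["ok"])
```

The weak policy is flagged twice (action and resource wildcards), the mixed one twice (IAM write without MFA, and bucket management mixed with object access in one statement), the scoped one not at all. A real reviewer would also check `NotAction`/`NotResource` and resource-based policies, which this toy linter ignores.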
📌 CSPs Identity Management
- AWS IAM - Users, Roles, Policies
- 🔗 Azure AD - Users, Service Principals, Managed Identities, Roles
- Google Cloud IAM - Google Account, Service Account, Role, Policy
All the CSPs have identity protection and audit services, such as
- AWS - CloudTrail, Trusted Advisor
- Azure - Identity Protection and Azure AD logs
- Google - Cloud Identity, Advanced Protection Program, Security Key
e.g. account & login risks these services detect:
- weak passwords, leaked credentials (matched against threat intelligence feeds)
- location/IP anomalies, password spraying, brute force attacks
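What the provider services above do on sign-in logs can be reproduced on a small scale. The following detections are an added example for these notes, not code from any CSP product: the one-line-per-attempt log format, the thresholds and every log line (documentation IP ranges, fictional users) are constructed for the example.

```python
"""Detections for password spraying, brute force and location anomalies over
authentication log lines (added example, constructed log format)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    country: str
    ok: bool


def parse(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of failing the whole run
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["user"], m["ip"], m["country"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def password_spray(events, window=timedelta(minutes=10), min_users=10, max_per_user=2):
    """One source IP, many distinct users, few failures each: one common password
    tried across accounts (credential stuffing from a leak looks the same here)."""
    by_ip = defaultdict(list)
    for e in events:
        if not e.ok:
            by_ip[e.ip].append(e)
    hits = []
    for ip, fails in by_ip.items():
        per_user = defaultdict(int)
        for e in fails:
            per_user[e.user] += 1
        span = fails[-1].ts - fails[0].ts
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user and span <= window:
            hits.append((ip, len(per_user)))
    return hits


def brute_force(events, window=timedelta(minutes=10), threshold=5):
    """Many failures against a single account inside the window."""
    by_user = defaultdict(list)
    for e in events:
        if not e.ok:
            by_user[e.user].append(e)
    hits = []
    for user, fails in by_user.items():
        start = 0  # sliding window over the time-sorted failures
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append((user, len(fails)))
                break
    return hits


def new_location(events):
    """Successful login from a country the account has never logged in from before."""
    seen = defaultdict(set)
    hits = []
    for e in events:
        if not e.ok:
            continue
        if seen[e.user] and e.country not in seen[e.user]:
            hits.append((e.user, e.country, e.ip))
        seen[e.user].add(e.country)
    return hits


# Constructed sample log: one normal user, a spray run, a brute force run, a
# login from a new country and one malformed line.
SAMPLE_LOG = (
    ["2024-05-01T09:00:00Z user=alice ip=203.0.113.5 country=DE result=OK"]
    + [f"2024-05-01T10:0{i // 6}:{(i % 6) * 10:02d}Z user=user{i:02d} ip=198.51.100.7 country=NL result=FAIL"
       for i in range(12)]
    + [f"2024-05-01T11:00:{i * 5:02d}Z user=bob ip=203.0.113.9 country=US result=FAIL" for i in range(8)]
    + ["2024-05-02T09:05:00Z user=alice ip=203.0.113.5 country=DE result=OK",
       "2024-05-02T09:20:00Z user=alice ip=192.0.2.44 country=BR result=OK",
       "garbage line that does not match"]
)

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("spray:", password_spray(ev))
    print("brute force:", brute_force(ev))
    print("new location:", new_location(ev))
```

Note the two shapes of failure: spraying is wide and shallow (twelve users, one failure each, from one IP), brute force is narrow and deep (one user, eight failures), so a per-account lockout alone would miss the first and an IP-only rule would miss the second.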
📌 Best practices for accessing and managing cloud resources and users:
- use strong authentication (MFA) & enforce strong password policies
- implement role-based/conditional access control
- monitor user activities & review user permissions/config
- use secure connection protocols & data encryption
- implement network segmentation
- regular system patching & user training
- audit unused accounts
If an identity is compromised:
- revoke the permissions of the compromised identity and isolate it
- reset its credentials (session tokens, API & access keys)
- review what happened and determine the impact with IT and business colleagues
- remediate the root cause, improve processes and the plan of action, report
- return to the operating state and keep monitoring
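The "reset session tokens" step is usually done with an explicit deny that invalidates every credential issued before a cutoff, and it matters to understand why that does not cover long-term access keys. The evaluator below is an added example for these notes, not AWS code: it applies the IAM evaluation rule "explicit Deny beats Allow, default Deny" to a constructed role policy plus the revocation policy. The condition key `aws:TokenIssueTime` and the `DateLessThan` operator are real IAM condition names; the policies, bucket and session contexts are constructed.

```python
"""Revoking active sessions with a DateLessThan aws:TokenIssueTime deny,
evaluated by a toy IAM policy evaluator (added example)."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase


def revoke_older_sessions_policy(cutoff):
    """Deny every action for credentials issued before `cutoff` (UTC)."""
    stamp = cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_met(condition, context):
    """A condition whose key is absent from the request context evaluates false,
    so the statement does not apply. Long-term access keys carry no
    aws:TokenIssueTime, which is why the deny above does not cover them."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "DateLessThan":
                if not _parse_ts(actual) < _parse_ts(expected):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(operator)  # keep the toy evaluator honest
    return True


def is_allowed(policies, action, resource, context):
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not any(fnmatchcase(action, p) for p in _as_list(st["Action"])):
                continue
            if not any(fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
                continue
            if not _condition_met(st.get("Condition", {}), context):
                continue
            if st["Effect"] == "Deny":
                return False  # explicit deny wins regardless of any allow
            allowed = True
    return allowed  # default deny when nothing matched


# Constructed role policy: read-only access to one bucket.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}]}

CUTOFF = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
REVOKE = revoke_older_sessions_policy(CUTOFF)
OBJ = "arn:aws:s3:::app-logs/2024/05/app.log"


def session_allowed(issued_at):
    """issued_at: ISO-8601 'Z' string, or None for a long-term access key."""
    ctx = {} if issued_at is None else {"aws:TokenIssueTime": issued_at}
    return is_allowed([ROLE_POLICY, REVOKE], "s3:GetObject", OBJ, ctx)


if __name__ == "__main__":
    print("old session :", session_allowed("2024-05-01T11:30:00Z"))  # False
    print("new session :", session_allowed("2024-05-01T12:30:00Z"))  # True
    print("access key  :", session_allowed(None))                    # True, so rotate it
```

The last line is the caveat: the deny only bites on temporary credentials that carry an issue time, so the response procedure still has to rotate or delete static API/access keys separately.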
There are many types of cloud data, such as
- files, relational/non-relational databases (managed, proprietary, IaaS), big data, sensitive data
Protecting cloud data at rest involves implementing mechanisms to ensure the confidentiality, integrity and availability of data even when it is not actively being accessed or transmitted.
- network controls and permissions
- encryption, hardware security module
- backup, replication
Protecting cloud data in transit involves security measures and protocols to safeguard data transmitted across networks.
- encryption (always) through secure communication protocols (e.g. TLS)
- hardware security modules (HSM) to protect the keys
📌 Best practices for cloud data protection:
- Access controls - limit access to resource, data, network
- Encryption - at rest, in transit, end-to-end
- Backup and Recovery
- Regular security Audits and assessments
The cloud provider ensures network and (virtualized and physical) infrastructure protection through DDoS protection and general threat protection.
Physical network isolation between the cloud resources of one customer and those of another is handled by the cloud vendor. The customer is responsible for the virtual network (VPC/VNet, subnets, routing, firewall rules) between their own cloud resources.
At tenant level, there are some layers to protect that the customer is responsible for, such as:
- AWS VPC
  - Network ACL - subnet level
  - Security Group - EC2 (instance) level
  - PrivateLink - private connectivity between Virtual Private Clouds and supported services
- Azure Network Security
  - Network Security Group - subnet & instance level
  - Private Endpoint
- Google Cloud Network Security
  - Firewall Rule - VPC, subnet, VM level
  - VPC Service Controls
Additional network security services:
- AWS - Shield, Web Application Firewall (WAF), GuardDuty
- Azure - Firewall, Application Gateway, Front Door
- Google - Cloud Armor
📌 Best practices for cloud network protection:
- leverage cloud provider tools and limit public attack surface
- check firewall rules and don't open ports globally
- monitor, setup alerts for abnormal usage and have a playbook for this kind of activity
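"Check firewall rules and don't open ports globally" is easy to script against an export of security-group, NSG or VPC firewall rules. The auditor below is an added example for these notes, not an AWS, Azure or Google tool: the flattened rule schema, the list of sensitive ports, the trusted internal ranges and the sample rules are constructed for the example.

```python
"""Audit ingress firewall / security-group rules for global exposure (added example)."""
import ipaddress

# Ports that should never be reachable from outside trusted address space.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}
# Assumed internal ranges for this tenant (RFC 1918).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_OK = {(80, 80), (443, 443)}  # the only port ranges accepted from the internet


def _is_trusted(net):
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS)


def audit_rules(rules):
    """Return (rule id, severity, message) tuples, worst first."""
    findings = []
    for r in rules:
        if r.get("direction", "ingress") != "ingress":
            continue  # egress rules are a separate review
        net = ipaddress.ip_network(r["cidr"], strict=False)
        world = net.prefixlen == 0  # 0.0.0.0/0 or ::/0
        lo, hi = r["from_port"], r["to_port"]
        all_ports = r["protocol"] == "-1" or (lo, hi) == (0, 65535)

        if all_ports:
            findings.append((r["id"], "critical" if world else "high",
                             f"all ports/protocols open to {net}"))
            continue
        exposed = [f"{name} ({port})" for port, name in SENSITIVE_PORTS.items()
                   if lo <= port <= hi and not _is_trusted(net)]
        if exposed:
            findings.append((r["id"], "critical" if world else "high",
                             f"{', '.join(exposed)} reachable from {net}"))
        elif world and (lo, hi) not in PUBLIC_OK:
            findings.append((r["id"], "medium", f"ports {lo}-{hi} open to the internet"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f[1]])


# Constructed rules (security-group style, flattened to one dict per entry).
RULES = [
    {"id": "sg-web", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"id": "sg-bastion", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"id": "sg-db", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"},
    {"id": "sg-db-partner", "protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "203.0.113.0/24"},
    {"id": "sg-any", "protocol": "-1", "from_port": 0, "to_port": 0, "cidr": "0.0.0.0/0"},
    {"id": "sg-rdp6", "protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "::/0"},
    {"id": "sg-app", "protocol": "tcp", "from_port": 8080, "to_port": 8080, "cidr": "0.0.0.0/0"},
    {"id": "sg-egress", "direction": "egress", "protocol": "-1", "from_port": 0, "to_port": 0, "cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for rule_id, sev, msg in audit_rules(RULES):
        print(f"{sev:8} {rule_id}: {msg}")
```

Two details worth keeping: `::/0` is checked the same way as `0.0.0.0/0` (IPv6 exposure is routinely forgotten), and a database port opened to a partner's public range is still flagged, just below the world-open cases.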
Infrastructure compute protection (IaaS) involves
- patch management
  - IaaS - use the provider's automated OS patching service (available on AWS and Azure)
- resource protection
  - OS hardening (run only required services, with the most secure settings)
  - monitoring (logs)
  - attack surface minimization (block unused ports)
  - availability (multiple instances)
Platform compute protection (PaaS) relies on the cloud provider to secure the services and the operating system running the application
- the customer can still configure custom security options
- PaaS - always patched by the CSP
Confidential computing executes workloads inside a trusted, isolated execution environment (an application enclave) that keeps data and code confidential while in use, protecting them from the cloud service provider, other tenants and attackers with unauthorized access to the host.
- confidential computing requires specific compute instance sizes and hardware support
Monitoring is a built-in feature into the cloud platform.
- 3rd party agent monitoring can also be used
Cloud Regulatory Compliance refers to the adherence to specific laws, regulations and industry standards that govern the protection, privacy and security of data and systems within the cloud computing environment. Organizations that operate in regulated industries or handle sensitive data are required to comply with various legal and industry-specific requirements and frameworks.
Key aspects:
- data protection regulations (GDPR, CCPA, HIPAA)
- security standards (PCI DSS, ISO 27001, NIST Cybersecurity Framework)
- data residency and vendor due diligence
- audit and reporting
- incident response
- data backup and retention
CSP Regulatory Support
- 📌 Tools
- 📌 Documentation
Tenant Responsibilities
Since the customer is responsible for the compliance of what they run on cloud services, they should
- understand customer compliance requirements and document provider compliance with regulations
- implement customer responsibilities
- use provider tools to maintain compliance
Common Protected Data
Protected data refers to sensitive information that requires special safeguards and security measures to ensure its confidentiality, integrity and availability.
- PII (Personally Identifiable Information) - individual data
- PHI (Protected Health Information) - healthcare
- Financial Data - sensitive banking information (PII, PCI-DSS)
- IP (Intellectual Property) - inventions, patents, copyrights, business plans
- Legal & Compliance Data
- Confidential Business Data & business reputation
- Regional Considerations
  - GDPR - EU (General Data Protection Regulation)
  - CCPA (California Consumer Privacy Act)
  - etc
🔗 HIPAA Reference Architecture on AWS
- AWS HIPAA
  - Under the HIPAA regulations, cloud service providers (CSPs) such as AWS are considered business associates