CLOUD COMPUTING SECURITY

Cloud computing, as defined by the National Institute of Standards and Technology (NIST),
is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool
of configurable computing resources (e.g., networks, servers, storage, applications, and
services) that can be rapidly provisioned and released with minimal management effort or
service provider interaction.” cloud computing could be described as the use of computing
resources both hardware and soft ware provided over a network, requiring minimal
interaction between users and providers.
Cloud security is a set of security measures designed to protect cloud-based infrastructure,
applications, and data. The goal is to establish control over data and resources, prevent
unauthorized access, protect data privacy, prevent malicious attacks by external hackers or
insider threats, and protect cloud workloads from accidental or malicious disruption. Another
objective of cloud security is to extend an organization’s compliance policies to the cloud. 

Cloud computing components are secured from two main viewpoints:

1. Cloud service types

Most cloud providers attempt to create a secure cloud for customers. Their business model
hinges on preventing breaches and maintaining public and customer trust. Cloud providers
can attempt to avoid cloud security issues with the service they provide, but can’t control how
customers use the service, what data they add to it, and who has access. Customers can
weaken cybersecurity in cloud with their configuration, sensitive data, and access policies. In
each public cloud service type, the cloud provider and cloud customer share different levels
of responsibility for security. By service type, these are:

 Software-as-a-Service (SaaS) cloud services provide clients access to applications that

are purely hosted and run on the provider's servers. Providers manage the applications, data,
runtime, middleware, and operating system. Clients are only tasked with getting their
applications. Customers are responsible for securing their data and user access.
 Platform-as-a-Service cloud services provide clients a host for developing their own
applications, which are run within a client’s own “sandboxed” space on provider servers.
Providers manage the runtime, middleware, operating system. Clients are tasked with
managing their applications, data, user access, end-user devices, and end-user networks.
Customers are responsible for securing their data, user access, and applications.
 Infrastructure-as-a-Service (IaaS) cloud services offer clients the hardware and remote
connectivity frameworks to house the bulk of their computing, down to the operating system.
Providers only manage core cloud services. Clients are tasked with securing all that gets
stacked atop an operating system, including applications, data, runtimes, middleware, and the
OS itself. In addition, clients need to manage user access, end-user devices, and end-user
networks. IaaS examples include Microsoft Azure, Google Compute Engine (GCE), Amazon
Web Services (AWS).
2. Cloud environments are deployment models in which one or more cloud services create a
system for the end-users and organizations. These segments the management responsibilities
— including security — between clients and providers.
The currently used cloud environments are:
 Public cloud environments are composed of multi-tenant cloud services where a
client shares a provider’s servers with other clients, like an office building or
coworking space. These are third-party services run by the provider to give clients
access via the web.
 Private third-party cloud environments are based on the use of a cloud service that
provides the client with exclusive use of their own cloud. These single-tenant
environments are normally owned, managed, and operated offsite by an external
provider.
 Private in-house cloud environments also composed of single-tenant cloud service
servers but operated from their own private data center. In this case, this cloud
environment is run by the business themselves to allow full configuration and setup of
every element.
 Multi-cloud environments include the use of two or more cloud services from
separate providers. These can be any blend of public and/or private cloud services.
 Hybrid cloud environments consist of using a blend of private third-party cloud
and/or onsite private cloud data center with one or more public clouds.

5 Key Areas of Cloud Security

1. Identity and Access Management
2. Securing Data in the Cloud
3. Securing the Operating System
4. Protecting the Network Layer
5. Managing Security Monitoring, Alerting, Audit Trail, and Incident Response
Data security is an aspect of cloud security that involves the technical end of threat
prevention. Tools and technologies allow providers and clients to insert barriers between the
access and visibility of sensitive data. Among these, encryption is one of the most powerful
tools available. Encryption scrambles your data so that it's only readable by someone who has
the encryption key. If your data is lost or stolen, it will be effectively unreadable and
meaningless. Data transit protections like virtual private networks (VPNs) are also
emphasized in cloud networks.
Identity and access management (IAM) pertains to the accessibility privileges offered to
user accounts. Managing authentication and authorization of user accounts also apply here.
Access controls are pivotal to restrict users — both legitimate and malicious — from entering
and compromising sensitive data and systems. Password management, multi-factor
authentication, and other methods fall in the scope of IAM.
Securing the Operating System
maintenance, proper configurations, and patching methods can strengthen the security of that
operating system. Scheduling maintenance windows, staying current with system
configuration requirements, and establishing a patch baseline are integral components to
cloud security and something your organization must be vigilant in implementing, especially
given the current cyber climate where malicious individuals and organizations are quick to
exploit vulnerabilities.
Protecting the Network Layer
Network security is how you protect resources from unauthorized access. Network security
can be a challenging task because it requires an understanding of connectivity between
resources. Having a plan of action that identifies where segmentation is required, how
connectivity will be implemented, and ongoing hygiene of the network is critical for securing
your organizations environments. For industry resources about network security in the cloud,
learn more here:
Governance focuses on policies for threat prevention, detection, and mitigation. With SMB and
enterprises, aspects like threat intel can help with tracking and prioritizing threats to keep essential
systems guarded carefully. However, even individual cloud clients could benefit from valuing safe
user behavior policies and training. These apply mostly in organizational environments, but rules for
safe use and response to threats can be helpful to any user.
Data retention (DR) and business continuity (BC) planning involve technical disaster recovery
measures in case of data loss. Central to any DR and BC plan are methods for data redundancy such
as backups. Additionally, having technical systems for ensuring uninterrupted operations can help.
Frameworks for testing the validity of backups and detailed employee recovery instructions are just as
valuable for a thorough BC plan.
Legal compliance revolves around protecting user privacy as set by legislative bodies. Governments
have taken up the importance of protecting private user information from being exploited for profit.
As such, organizations must follow regulations to abide by these policies. One approach is the use of
data masking, which obscures identity within data via encryption methods.
What makes cloud security different FromTraditional IT security
Data storage: The biggest distinction is that older models of IT relied heavily upon onsite
data storage. Organizations have long found that building all IT frameworks in-house for
detailed, custom security controls is costly and rigid. Cloud-based frameworks have helped
offload costs of system development and upkeep, but also remove some control from users.
Scaling speed: On a similar note, cloud security demands unique attention when scaling
organization IT systems. Cloud-centric infrastructure and apps are very modular and quick to
mobilize. While this ability keeps systems uniformly adjusted to organizational changes, it
does poses concerns when an organization’s need for upgrades and convenience outpaces
their ability to keep up with security.
End-user system interfacing: For organizations and individual users alike, cloud systems
also interface with many other systems and services that must be secured. Access permissions
must be maintained from the end-user device level to the software level and even the network
level. Beyond this, providers and users must be attentive to vulnerabilities they might cause
through unsafe setup and system access behaviors.
Proximity to other networked data and systems: Since cloud systems are a persistent
connection between cloud providers and all their users, this substantial network can
compromise even the provider themselves. In networking landscapes, a single weak device or
component can be exploited to infect the rest. Cloud providers expose themselves to threats
from many end-users that they interact with, whether they are providing data storage or other
services. Additional network security responsibilities fall upon the providers who otherwise
delivered products live purely on end-user systems instead of their own.
key technologies for cloud security
A cloud security strategy should include all of the following technologies:
Encryption: Encryption is a way of scrambling data so that only authorized parties can
understand the information. If an attacker hacks into a company's cloud and finds
unencrypted data, they are able to do any number of malicious actions with the data: leak it,
sell it, use it to carry out further attacks, etc. However, if the company's data is encrypted, the
attacker will only find scrambled data that cannot be used unless they somehow discover the
decryption key (which should be almost impossible). In this way, encryption helps prevent
data leakage and exposure, even when other security measures fail.
Data can be encrypted both at rest (when it is stored) or in transit (while it is sent from one
place to another). Cloud data should be encrypted both at rest and in transit so that attackers
cannot intercept and read it. Encrypting data in transit should address both data traveling
between a cloud and a user, and data traveling from one cloud to another, as in a multi-cloud
or hybrid cloud environment. Additionally, data should be encrypted when it is stored in a
database or via a cloud storage service.
If the clouds in a multi-cloud or hybrid cloud environment are connected at the network layer,
a VPN can encrypt traffic between them. If they are connected at the application layer,
SSL/TLS encryption should be used. SSL/TLS should also encrypt traffic between a user and
a cloud (see What Is HTTPS?).
Identity and access management (IAM): Identity and access management (IAM) products
track who a user is and what they are allowed to do, and they authorize users and deny access
to unauthorized users as necessary. IAM is extremely important in cloud computing because
a user's identity and access privileges determine whether they can access data, not the user's
device or location.
IAM helps reduce the threats of unauthorized users gaining access to internal assets and
authorized users exceeding their privileges. The right IAM solution will help mitigate several
kinds of attacks, including account takeover and insider attack (when a user or employee
abuses their access in order to expose data).
IAM may include several different services, or it may be a single service that combines all of
the following capabilities:
 Identity providers (IdP) authenticate user identity
 Single sign-on (SSO) services help authenticate user identities for multiple
applications, so that users only have to sign in once to access all their cloud services
 Multi-factor authentication (MFA) services strengthen the user authentication process
 Access control services allow and restrict user access
Firewall: A cloud firewall provides a layer of protection around cloud assets by blocking
malicious web traffic. Unlike traditional firewalls, which are hosted on-premise and defend
the network perimeter, cloud firewalls are hosted in the cloud and form a virtual security
barrier around cloud infrastructure. Most web application firewalls fall into this category.
Cloud firewalls block DDoS attacks, malicious bot activity, and vulnerability exploits. This
reduces the chances of a cyber attack crippling an organization's cloud infrastructure.
What other practices are important for keeping cloud data secure?
Implementing the above technologies (plus any additional cloud security products) is not
enough, on its own, to protect cloud data. In addition to standard cyber security best
practices, organizations that use the cloud should follow these cloud security practices:
Proper configuration of security settings for cloud servers: When a company does not set
up their security settings properly, it can result in a data breach. Misconfigured cloud servers
can expose data directly to the wider Internet. Configuring cloud security settings properly
requires team members who are experts in working with each cloud, and may also require
close collaboration with the cloud vendor.
 Compliance — Existing compliance requirements and practices should be augmented to
include data and applications residing in the cloud.

 Risk assessment — Review and update risk assessments to include cloud services.
Identify and address risk factors introduced by cloud environments and providers.
Risk databases for cloud providers are available to expedite the assessment process.
 Compliance Assessments — Review and update compliance assessments for PCI,
HIPAA, Sarbanes-Oxley and other application regulatory requirements.

Backup plans: As with any other type of security, there must be a plan for when things go
wrong. To prevent data from getting lost or tampered with, data should be backed up in
another cloud or on-premise. There should also be a failover plan in place so that business
processes are not interrupted if one cloud service fails. One of the advantages of multi-cloud
and hybrid cloud deployments is that different clouds can be used as backup — for instance,
data storage in the cloud can back up an on-premise database.
User and employee education: A large percentage of data breaches occur because a user
was victimized by a phishing attack, unknowingly installed malware, used an outdated and
vulnerable device, or practiced poor password hygiene (reusing the same password, writing
their password down in a visible location, etc.). By educating their internal employees about
security, businesses that operate in the cloud can reduce the risk of these occurrences.
We recommend asking your cloud provider some questions of the following questions:
 Security audits: “Do you conduct regular external audits of your security?”
 Data segmentation: “Is customer data is logically segmented and kept separate?”
  Encryption: “Is our data encrypted? What parts of it are encrypted?”
 Customer data retention: “What customer data retention policies are being followed?”
 User data retention: “Is my data is properly deleted if I leave your cloud service?”
 Access management: “How are access rights controlled?”
Cloud Security Policy
A cloud security policy is a formal guideline under which a company operates in the cloud.
These instructions define the security strategy and guide all decisions concerning the safety
of cloud assets. Cloud security policies specify:
 Data types that can and cannot move to the cloud
 How teams address the risks for each data type
 Who makes decisions about shifting workloads to the cloud
 Who is authorized to access or migrate the data
 Regulation terms and current compliance status
 Proper responses to threats, hacking attempts, and data breaches
 Rules surrounding risk prioritization
System Security and Audit
A security audit is a systematic evaluation of the security of a company's information system
by measuring how well it conforms to an established set of criteria. A thorough audit
typically assesses the security of the system's physical configuration and environment,
software, information handling processes and user practices.
These audits are one of three main types of security diagnostics, along with vulnerability
assessments and penetration testing. Security audits measure an information system's
performance against a list of criteria. A vulnerability assessment is a comprehensive study of
an information system, seeking potential security weaknesses. Penetration testing is a covert
approach in which a security expert tests to see if a system can withstand a specific attack.
Each approach has inherent strengths and using two or more in conjunction may be the most
effective approach.
Organizations should construct a security audit plan that is repeatable and updateable.
Stakeholders must be included in the process for the best outcome.
There are several reasons to do a security audit. They include these six goals:
1. Identify security problems and gaps, as well as system weaknesses.
2. Establish a security baseline that future audits can be compared with.
3. Comply with internal organization security policies.
 4. Comply with external regulatory requirements.
5. Determine if security training is adequate.
6. Identify unnecessary resources.
Security audits come in two forms, internal and external audits, that involve the following
procedures:
 Internal audits. In these audits, a business uses its own resources and internal audit
department. Internal audits are used when an organization wants to validate business
systems for policy and procedure compliance.
 External audits. With these audits, an outside organization is brought in to conduct
an audit. External audits are also conducted when an organization needs to confirm it
is conforming to industry standards or government regulations.
Four main security audits that every business should be conducting on a regular basis:
1. Risk Assessment:
risk assessment audits help businesses identify their weaknesses and vulnerabilities so that
the businesses can come with effective strategies to tackle them. 
2. Vulnerability Assessment:
During the vulnerability audit, the security audit companies indicate the aspects of the
business that are weak and thus can be used to cause significant harm to the business.  It
should be repeated on a regular basis so that the business owners are truly in touch with the
weak links of their businesses and can plan the proper strategies to cover up and conceal
these weaknesses to prevent any sort of exploitation. 
3. Penetration Testing:
Penetration testing is a form of data security audit in which one of the auditors acts as a
hacker and attempts to bypass the company’s security system. The hacker may use different
hacking methodologies and attempt different techniques to help businesses gather data which
can then be used to strengthen the business’s security system and ensure that the business is
strong and can withstand any unauthorized attacks. 
4. Compliance Audit:
The company will go through the rules and regulations and confirm whether your business
follows them all or not. The company will also indicate any changes that the business has to
acknowledge. A security audit consists of a complete assessment of all components of your
IT infrastructure — this includes operating systems, servers, digital communication and
sharing tools, applications, data storage and collection processes, and more.
Steps involved in a security audit
These five steps are generally part of a security audit:

1. Agree on goals. Include all stakeholders in discussions of what should be achieved

with the audit.
2. Define the scope of the audit. List all assets to be audited, including computer
equipment, internal documentation and processed data.
3. Conduct the audit and identify threats. List potential threats related to each Threats
can include the loss of data, equipment or records through natural disasters, malware
or unauthorized users.
4. Evaluate security and risks. Assess the risk of each of the identified threats
happening, and how well the organization can defend against them.
5. Determine the needed controls. Identify what security measures must be
implemented or improved to minimize risks.