SECURITY MANAGEMENT IN CLOUD COMPUTING

MUHAMMAD FAHEEM SARWAR (01-247201-005)
IHSAN ULLAH KHAN (01-247201-022)
What Is Security Management in the Cloud?

Security management in the cloud is the set of strategies that lets a
business use cloud applications and networks to their greatest potential
while limiting threats and vulnerabilities. It is usually carried out through
several independent tactics:
• Identifying and assessing cloud services.
• Auditing and adjusting native security settings.
• Encrypting data.
• Managing devices.
• Managing users.
• Reporting.
Cloud security management 

There are two primary types of cloud computing that organizations will
generally need to manage: software-as-a-service (SaaS) and infrastructure-
as-a-service (IaaS). Platform-as-a-service (PaaS) sits between the two and is
covered briefly below. SaaS and IaaS are used for different purposes and
therefore call for distinct management and security practices.
• Cloud security management for software-as-a-service (SaaS)
• Cloud security management for infrastructure-as-a-service (IaaS)
 
Cloud security management for software-as-a-service (SaaS)

• In our latest study of cloud application use, we found that on average
organizations use 1,427 distinct cloud applications, most of which are
software-as-a-service (SaaS) applications such as Microsoft Office 365, Box,
and many other productivity apps that employees sign up for, often without IT
approval. For SaaS applications the shared-responsibility split is clear: the
provider secures the service itself, and you as the customer are responsible
for the security of your data and for who can access it.
• Managing security for hundreds of SaaS applications individually is an
extremely inefficient task, and in many cases, impossible due to limitations of
the SaaS provider on what you can actually control. The most common way to
manage data security and user access in cloud computing is through the use of
a Cloud Access Security Broker (CASB). When using a CASB, your security
management can consist of the following primary tasks:
• View all cloud services in use and assess their risk. CASB technology
uses network log data from secure web gateways, firewalls, or
security information and event management (SIEM) products to show all
the cloud services being accessed from your network and managed
devices. Traffic from unmanaged devices off your network never reaches
those logs, so treat this inventory as a lower bound, not a complete list.
• Audit and adjust native security settings. Many SaaS applications,
including Office 365, come with native settings like access and sharing
permissions.
• Use Data Loss Prevention to prevent theft. Some of your intellectual
property or regulated data will most likely make it into a cloud service
like Dropbox. Through an API connection to the service itself, you can
classify data and set policy to remove, quarantine, or encrypt it based
on your chosen policy.
• Encrypt data with your own keys. Depending on your risk tolerance, you
may not want to trust the cloud provider’s native encryption to protect
your data: if you use it, the provider holds your encryption keys and
technically could access your data. Instead, you can supply and manage
your own keys, blocking access from the provider and any other third
party while still letting authorized users use the application. Expect
server-side features that need plaintext, such as search and preview, to
work only as far as the chosen encryption scheme preserves them.
• Block sharing with unknown devices or unauthorized users. One of the
most common security gaps in cloud computing is someone signing into a
cloud service from an unmanaged device and accessing data without your
visibility. To stop that, you can set requirements for the devices that can
access data within the cloud services you manage, so only the devices you
know are allowed to download anything. You can similarly control sharing
of information to unauthorized users by changing their permissions or
“role” such as owner, editor, or viewer, and revoking shared links.
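The first CASB task above, discovering which cloud services are in use from gateway logs, as an added example that is not part of the original presentation or of any CASB product: it parses constructed secure-web-gateway log lines, collapses each URL to its registrable domain, looks the domain up in a constructed service catalog with risk scores and a sanctioned flag, and reports unsanctioned, high-risk services that received uploads. The log format, catalog, domains and users are all assumptions.

```python
"""Shadow-IT inventory from secure-web-gateway logs (the CASB discovery step).

Added example for this page; not vendor code. The log line layout,
the service catalog and the risk scores are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed sample gateway log: "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2024-03-01T09:01:02Z alice GET https://outlook.office365.com/mail/inbox 200
2024-03-01T09:02:10Z alice POST https://app.box.com/api/2.0/files/content 201
2024-03-01T09:05:44Z bob POST https://www.dropbox.com/home 200
2024-03-01T09:06:01Z bob PUT https://transfer.sh/report.pdf 200
2024-03-01T09:07:30Z carol GET https://www.example.com/ 200
2024-03-01T09:08:12Z carol GET https://teams.microsoft.com/ 200
2024-03-01T09:09:55Z dave POST https://pastebin.com/api/api_post.php 200
"""

# Constructed catalog: registrable domain -> (service name, risk 1-10, sanctioned?).
# A real CASB ships a catalog of tens of thousands of services; this is a toy.
CATALOG = {
    "office365.com": ("Microsoft Office 365", 2, True),
    "microsoft.com": ("Microsoft Teams", 2, True),
    "box.com": ("Box", 3, True),
    "dropbox.com": ("Dropbox", 5, False),
    "transfer.sh": ("transfer.sh", 8, False),
    "pastebin.com": ("Pastebin", 9, False),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def registrable_domain(host):
    """Collapse a hostname to its last two labels. Good enough for this catalog;
    production code should use a public-suffix list (co.uk etc.)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_log(text):
    """Turn raw log lines into (user, method, domain) events; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        events.append({"user": m["user"], "method": m["method"],
                       "domain": registrable_domain(host)})
    return events


def inventory(events):
    """Per-domain record: service name, risk, sanctioned flag, users seen, upload count."""
    inv = {}
    for ev in events:
        name, risk, sanctioned = CATALOG.get(ev["domain"], ("unknown", None, False))
        rec = inv.setdefault(ev["domain"], {"service": name, "risk": risk,
                                            "sanctioned": sanctioned,
                                            "users": set(), "uploads": 0})
        rec["users"].add(ev["user"])
        if ev["method"] in ("POST", "PUT"):  # data leaving the network
            rec["uploads"] += 1
    return inv


def flag_unsanctioned_uploads(inv, min_risk=5):
    """Domains that are unsanctioned, scored at or above min_risk, and received uploads."""
    return sorted(d for d, r in inv.items()
                  if not r["sanctioned"] and r["risk"] is not None
                  and r["risk"] >= min_risk and r["uploads"] > 0)


if __name__ == "__main__":
    inv = inventory(parse_log(SAMPLE_LOG))
    for domain, r in sorted(inv.items()):
        print(f"{domain:16} {r['service']:22} risk={r['risk']} "
              f"sanctioned={r['sanctioned']} users={sorted(r['users'])} uploads={r['uploads']}")
    print("needs review:", flag_unsanctioned_uploads(inv))
```

Unknown domains (example.com here) are kept in the inventory rather than dropped: a domain the catalog does not know is exactly what a CASB analyst should look at next.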
Cloud security management for platform-as-a-service (PaaS)

Platform-as-a-service (PaaS) environments available from the same
providers are similar but exist as predefined operating environments for
you to run your applications: the provider manages the operating system
and runtime, so your responsibility narrows to your code, its data, and
who can access it. Most IT teams today still use IaaS, as it allows an
easier transition from on-premises server environments, where they can run
the same Linux or Windows server operating systems they used on-premises
or build cloud-native ones with containers or serverless functions.
Cloud security management for infrastructure-as-a-service (IaaS)

• Infrastructure-as-a-service (IaaS) resembles the data center and server
environments that many IT teams are used to managing on their own physical sites.
In this case, providers like Amazon Web Services (AWS) or Microsoft Azure host the
physical infrastructure and lease out virtualized networks and operating systems
for you to use as your own. With IaaS, you are responsible for several additional
layers of security compared to SaaS, starting with the virtual network traffic and
the operating systems you use.
•  The most common approach to managing security across multiple IaaS cloud
providers is to use a Cloud Workload Protection Platform, which abstracts a layer of
security above the providers, similar to a CASB, but suited for protecting networks,
operating systems, and applications. When using a Cloud Workload Protection
Platform, your cloud security management can encompass the following tasks:
• View all infrastructure in use across multiple providers and assess its
current security configuration. By connecting the platform to your IaaS
accounts at providers like AWS and Azure, you can see every cloud workload
being created and assess its security policy. Give that integration read-only
credentials (a scoped role, not an administrator key): a tool that can see
every workload is itself a high-value target.
• View your network traffic and control it at the virtual machine (VM)
level. In a fully virtualized environment like AWS, you have network traffic
coming in and out from the public internet, and also travelling between your
VMs in the cloud. It’s important to see everything, scan for malicious access,
and set your policies per VM (micro-segmentation) so you can have
fine-tuned security over specific assets rather than one rule for the whole subnet.
• Harden your workloads with whitelisting. Most workloads running in IaaS
have a single purpose and don’t change much. Rather than allowing new
applications to run on your operating systems, whitelist only what you need
and default-deny the rest. This stops malware that has to drop and execute a
new binary, but not attacks that run inside an already-allowed process, such
as memory exploits or abuse of tools that are themselves on the whitelist.
• Stop fileless attacks that target operating system memory. If you default-
deny all new files entering your operating systems, you are left with one
critical gap: memory exploits that bypass the whitelist by running inside a
process that is already allowed. Memory exploit prevention, part of an agent
you deploy to your workloads, can monitor for these attacks (e.g., buffer
overflow) and stop them before they execute.
• Deploy agent-based security as code, using DevOps tools. The last thing
you want to do in a cloud environment is tack on agent-based security
after workloads have been deployed, putting you in a constant catch-up
mode. Instead, agents can be deployed through tools like Chef or Puppet
as code in the same package as the workload itself. Once you decide what
your security configuration should be, export the code from your Cloud
Workload Protection Platform management console and share with your
infrastructure teams so they can include it as part of their deployment
process.
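The per-VM traffic control and default-deny points above, as an added example that is not part of the original presentation or of any Cloud Workload Protection Platform: it reads VPC-flow-log-style records (constructed here, laid out like the AWS default format of version, account, interface, src, dst, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), assigns each address a tier from a constructed inventory, and reports accepted flows that no allow rule covers. It also derives the per-VM ingress rules the policy implies. Tier names, the policy, and all addresses are assumptions.

```python
"""Micro-segmentation check: accepted VM-to-VM flows vs. a default-deny policy.

Added example for this page; not CWPP vendor code. Inventory, policy and
flow records are constructed. Record layout mirrors the AWS VPC flow log
default fields, but any flow source with src/dst/port/protocol would do.
"""
from ipaddress import ip_address, ip_network

# Constructed asset inventory: VM address -> tier (what a CWPP learns via the provider API).
TIERS = {
    "10.0.1.10": "web",
    "10.0.1.11": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "bastion",
}
VPC_CIDR = ip_network("10.0.0.0/16")  # assumption: the whole VPC range

# Policy: (src tier, dst tier, dst port, IP protocol) that may talk. Everything else is denied.
ALLOW = {
    ("internet", "web", 443, 6),
    ("web", "app", 8080, 6),
    ("app", "db", 5432, 6),
    ("bastion", "web", 22, 6),
    ("bastion", "app", 22, 6),
    ("bastion", "db", 22, 6),
}

# Constructed flow records; 6 = TCP. The web->db flows are the ones policy never allowed.
SAMPLE_FLOWS = """\
2 123456789012 eni-0a1 203.0.113.5 10.0.1.10 51234 443 6 10 1500 1709280000 1709280060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.0.2.20 40000 8080 6 8 900 1709280000 1709280060 ACCEPT OK
2 123456789012 eni-0b2 10.0.2.20 10.0.3.30 40001 5432 6 20 4000 1709280000 1709280060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.11 10.0.3.30 40002 5432 6 3 300 1709280000 1709280060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.11 10.0.3.30 40003 22 6 5 600 1709280000 1709280060 ACCEPT OK
2 123456789012 eni-0c3 10.0.9.99 10.0.3.30 40004 22 6 5 600 1709280000 1709280060 ACCEPT OK
2 123456789012 eni-0a1 203.0.113.9 10.0.1.10 51235 22 6 1 60 1709280000 1709280060 REJECT OK
"""


def tier_of(addr):
    """Map an address to a tier; untagged VPC addresses get their own bucket so they
    never silently match a rule, and everything outside the VPC is 'internet'."""
    if addr in TIERS:
        return TIERS[addr]
    return "internal-unknown" if ip_address(addr) in VPC_CIDR else "internet"


def parse_flows(text):
    """Extract the fields the policy needs; skip short or malformed records."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        flows.append({"src": f[3], "dst": f[4], "dport": int(f[6]),
                      "proto": int(f[7]), "action": f[12]})
    return flows


def violations(flows):
    """Accepted flows that no ALLOW tuple covers: lateral movement the security
    groups permitted but the segmentation policy does not."""
    out = []
    for fl in flows:
        if fl["action"] != "ACCEPT":
            continue  # already blocked at the provider; nothing to fix here
        key = (tier_of(fl["src"]), tier_of(fl["dst"]), fl["dport"], fl["proto"])
        if key not in ALLOW:
            out.append((fl["src"], fl["dst"], fl["dport"]))
    return out


def ingress_rules_for(addr):
    """Per-VM ingress the policy implies: what addr's security group should contain."""
    tier = tier_of(addr)
    return sorted((src, port, proto) for (src, dst, port, proto) in ALLOW if dst == tier)


if __name__ == "__main__":
    for src, dst, port in violations(parse_flows(SAMPLE_FLOWS)):
        print(f"VIOLATION {tier_of(src)}:{src} -> {tier_of(dst)}:{dst} port {port}")
    print("db ingress should be:", ingress_rules_for("10.0.3.30"))
```

The two web-to-db flows are reported even though the provider accepted them: the security group was wider than the intended segmentation, which is exactly the gap a per-VM policy is meant to surface. The derived ingress list is the starting point for tightening that group, and is the sort of thing that should be exported as code and shipped with the workload, as the last bullet above describes.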