Cloud Security Fundamentals

Cloud security can quickly become a complex and confusing topic so this post is an attempt to clarify what Cloud Security is and is not, including a practical view from the front lines of business.

So what exactly is meant when we hear the term “The Cloud” in the context of business computing? If you ask that question to ten different people, you’re likely to get ten different answers. Herein lies the problem: there are simply a lot of differing opinions and points of view out there as to what, exactly, Cloud Security is. To even begin to answer the question of what Cloud Security is, we must first be grounded in what “The Cloud” is. And is not.

The Cloud Defined

The National Institute of Standards and Technology (NIST) defines the Cloud as ubiquitous, convenient, on-demand network access to a shared pool of configurable resources (for example networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

See: https://www.nist.gov/news-events/news/2011/10/final-version-nist-cloud-computing-definition-published

When working at Silicon Valley tech giants, I often hear engineers refer to the Cloud as “using someone else’s computer”. Regardless of what definition you find most suitable for defining the Cloud, it is fair to say it will consist of technology running somewhere other than in your data center that is managed and operated by someone else, usually for a fee. Simply put, the Cloud is a growing and evolving computing paradigm that includes a set of services and resources provided by others outside your company.

OK, now that we have a definition of what the Cloud is, what isn’t Cloud? Obviously H2O in a form other than vapor or, for the purpose of this discussion, any computing services and resources that do not meet the definition of Cloud. For example, computing resources and services running within your company’s data center, used by a single user and paid for, operated and maintained by your company’s IT staff likely do not meet the definition of Cloud.

To further understand what the Cloud is and is not, it is helpful to look at popular Cloud models that include, but are not limited to:

  • SaaS or Software as a Service
  • IaaS or Infrastructure as a Service
  • PaaS or Platform as a Service

There are multiple other models out there but these three are arguably the most prevalent and the ones you’re most likely to encounter if you’re just getting started in Cloud computing. An example of a SaaS solution could be a customer relationship management (CRM) application that you pay a subscription fee to use and access online from your browser. An example of an IaaS solution is a portal you log in to from your browser that enables you to quickly build servers, applications, databases and other infrastructure components on demand, for a fee. Lastly, an example of a PaaS solution may include a diverse set of applications and services that you access online for a fee to manage your inventory and supply chain. There are of course overlaps between all of these models, but the core value of each is fundamentally different.

The popular Cloud deployments typically consist of one or more of the following:

Public Cloud – An environment that is generally available to the public and is typically shared by multiple tenant groups, of which you become one “tenant” (aka user). Public Cloud is accessible by users outside your company, but only users you approve will be able to access your environment.

Private Cloud – An environment that is dedicated to your business and is only accessible to your users. Private Cloud can run either inside your company or externally, with only users you approve having access to it.

Hybrid Cloud – A combination of Public and/or Private Cloud solutions or other Cloud deployment methods.

There is a lot of good content available that explains Cloud basics in more detail but that is not the purpose of this post. If you’re looking for more information on Cloud basics, here is a good starting point: https://www.infoworld.com/article/2683784/what-is-cloud-computing.html

Cloud Security Basics

Now that we’ve established what Cloud is and isn’t, let’s take a look at Cloud Security. In the simplest terms, Cloud Security is everything related to security of a Cloud solution. Regardless of the model, IaaS, SaaS, PaaS or other, at a minimum, Cloud Security includes, but is not limited to:

  • Identity and Access Management
  • Network Security
  • Privacy and Data Security
  • Infrastructure Hardening and Vulnerability Management
  • Application and API Security
  • Monitoring and Alerting

The big Cloud providers such as Microsoft (Azure), Amazon (AWS) and Google (GCP) have a variety of tools and services to support the above security capabilities. There are also multiple third party vendor solutions for each that can be bolted on or plugged in to your Azure, AWS or GCP solutions. There are of course many other security capabilities I could include in the list above, yet these are definitely table stakes.

Any business that addresses these minimum security capabilities in their Cloud environment is going to be off to a good start, but ultimately effective security starts with knowing your risks and minimizing, mitigating or eliminating those risks. So regardless of the model or deployment you’re using, you should first assess your risks and the potential threats these risks map to. Only after you know your risk exposure can you formulate a robust, effective security posture.

Among the many things to watch out for in Cloud computing, you should be aware of some of the most egregious, including, but not limited to:

  • Lack of proper access controls
  • Too many or wrong team members with elevated privileges (e.g. admin access)
  • Unencrypted data at rest and in motion
  • Lack of network security and zero trust (e.g. no firewalls, network segmentation, least privilege)
  • Loose or no API security
  • Lack of governance and change management
  • No monitoring and alerting
  • No security incident response procedures
  • Stale credentials (have not changed in a very long time)
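As an added illustration (not code from the original post), here is a small Python checker that evaluates a constructed account inventory against several of the pitfalls listed above; the inventory format, field names and thresholds are my own assumptions and do not correspond to any provider's API.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data): a minimal snapshot of one
# cloud account, shaped around the pitfalls in the list above.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
MAX_ADMINS = 2          # assumed cap on elevated-privilege accounts

SAMPLE_ACCOUNT = {
    "users": [
        {"name": "alice",  "admin": True,  "key_last_rotated": NOW - timedelta(days=30)},
        {"name": "bob",    "admin": True,  "key_last_rotated": NOW - timedelta(days=400)},
        {"name": "carol",  "admin": True,  "key_last_rotated": NOW - timedelta(days=10)},
        {"name": "svc-ci", "admin": False, "key_last_rotated": NOW - timedelta(days=120)},
    ],
    "storage": [
        {"name": "customer-db", "encrypted_at_rest": True,  "public": False},
        {"name": "backups",     "encrypted_at_rest": False, "public": True},
    ],
    "network": {"firewall_rules": [], "segmented": False},
    "monitoring": {"audit_logging": True, "alerting": False},
}

def assess(account, now=NOW, max_key_age=MAX_KEY_AGE_DAYS, max_admins=MAX_ADMINS):
    """Return a list of (pitfall, detail) findings for the given inventory."""
    findings = []
    admins = [u["name"] for u in account["users"] if u["admin"]]
    if len(admins) > max_admins:
        findings.append(("excess elevated privileges", f"{len(admins)} admins: {admins}"))
    for u in account["users"]:
        age = (now - u["key_last_rotated"]).days
        if age > max_key_age:
            findings.append(("stale credentials", f"{u['name']} key is {age} days old"))
    for s in account["storage"]:
        if not s["encrypted_at_rest"]:
            findings.append(("unencrypted data at rest", s["name"]))
        if s["public"]:
            findings.append(("lack of access controls", f"{s['name']} is publicly readable"))
    net = account["network"]
    if not net["firewall_rules"] or not net["segmented"]:
        findings.append(("lack of network security", "no firewall rules or no segmentation"))
    mon = account["monitoring"]
    if not (mon["audit_logging"] and mon["alerting"]):
        findings.append(("no monitoring and alerting", "audit logging or alerting disabled"))
    return findings

if __name__ == "__main__":
    for pitfall, detail in assess(SAMPLE_ACCOUNT):
        print(f"[{pitfall}] {detail}")
```

Running it against the sample inventory yields seven findings; a real assessment would feed the same checks from your provider's actual inventory and audit data.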

For more reading on Cloud Security, there are multiple excellent resources and for starters I recommend the following:

AWS Security Best Practices – a bit dated but still has good basics.

AWS Security Best Practices (PDF)

Microsoft Azure Security Center.

Azure Security Center

Google Cloud Platform Security – as you might expect, written by engineers, this leaves some readability to be desired but still has a lot of good information.

Google Cloud Platform (GCP) Security

Happy Cloud computing!
