Anjdeb Consulting

Cloud Security

Today, more and more businesses are moving their operations to the cloud because it is more reliable and more secure than legacy systems. Businesses can adopt various cloud delivery and deployment models.

Cloud delivery models comprise:

Software as a Service (SaaS) – SaaS cloud providers develop and maintain software applications over the internet.
Platform as a Service (PaaS) – PaaS cloud providers deliver platforms and resources to develop software applications.
Infrastructure as a Service (IaaS) – IaaS cloud providers deliver infrastructure services such as servers, storage, network and datacentres over the internet.


 

Cloud deployment models include:


Public – This is available to the general public whereby resources can be free or pay per use via the internet. In this model, the service provider infrastructure stores the data and manages the resource pools.
Private – This model is particularly used by one single business or an organisation. The infrastructure can be hosted on premise or in cloud but the infrastructure and services always remain on a private network to provide more control over the environment.
Hybrid – This is a combination of both public and private cloud services.

 

From a cybersecurity perspective, these business models come with certain potential risks:
Privacy – Entrusting an organisation’s sensitive and personal data to a third party
Security – Access and misconfiguration issues
Compliance – Ability to fulfil legal, regulatory, and contractual obligations

Here are some of the best practices to manage the risks:

1. Choosing a cloud provider wisely –

Vendor assessment is essential to assess the effectiveness of Cloud Service Provider (CSP) controls. It is imperative to understand whether the CSP relies on any other service providers for its services and solutions. Organisations should also conduct regular security audits of their vendors to assess their security capabilities. Considering a cloud access security broker (CASB) might be helpful when an organisation’s internal staff do not have cloud expertise. CASBs are tools that enforce cloud security policies. They are generally useful for organisations that use multiple cloud computing services from different vendors.
Understand the shared security responsibility model defined by the CSP – This model divides the responsibility between the organisation and the CSP. Because the responsibilities are shared, it is key to be aware of the clearly defined boundaries. This can prevent misunderstandings, miscommunication, or incidents caused by security responsibilities falling through the cracks.

2. Securing your identity management system

In a cloud-based environment, it is key to ensure that users have access to resources, but only to the ones they need. Giving users too much access to different parts of the cloud infrastructure may facilitate quicker and better collaboration, but it introduces greater risks. To mitigate those risks, the following practices must be followed:

  • Use secure passwords, for instance a long passphrase or a complex password that includes a combination of numbers, letters or symbols.
  • Use multifactor authentication to introduce multiple layers of protection.
  • Create user roles with least privilege so that each user has only the permissions essential to perform their job function. This also helps when a bad actor gets access to a system, as the damage is limited.
  • Disable inactive accounts. They are no longer in use and are not monitored the way active accounts are, which makes them more vulnerable.
  • Monitor suspicious activity and possibly compromised credentials via real time monitoring and related analysis.
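
The checks in this list can be automated against an account inventory. The following is an added example, not code from the original article: the inventory fields, the sample accounts and the 90-day inactivity threshold are constructed assumptions, not any cloud provider's export format.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; field names are hypothetical.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNTS = [
    {"user": "alice", "mfa": True, "last_login": "2024-05-30", "permissions": ["storage:read"]},
    {"user": "bob", "mfa": False, "last_login": "2024-05-28", "permissions": ["compute:start"]},
    {"user": "carol", "mfa": True, "last_login": "2023-11-02", "permissions": ["storage:read"]},
    {"user": "svc-deploy", "mfa": False, "last_login": None, "permissions": ["*"]},
]

INACTIVE_AFTER = timedelta(days=90)  # assumed threshold; set it per your own policy


def is_inactive(account, now=NOW):
    """An account that never logged in, or not within the threshold, is inactive."""
    last = account["last_login"]
    if last is None:
        return True
    seen = datetime.strptime(last, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return now - seen > INACTIVE_AFTER


def has_wildcard(account):
    """Flag grants such as '*' or 'storage:*' that exceed least privilege."""
    return any(p == "*" or p.endswith(":*") for p in account["permissions"])


def audit(accounts, now=NOW):
    """Return {user: [findings]} for every account with at least one issue."""
    report = {}
    for acct in accounts:
        findings = []
        if not acct["mfa"]:
            findings.append("no-mfa")
        if is_inactive(acct, now):
            findings.append("inactive")
        if has_wildcard(acct):
            findings.append("wildcard-permission")
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS).items():
        print(f"{user}: {', '.join(findings)}")
```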

3. Securing your compute and network layer.

This can be done by –

  • Hardening the Operating system by removing unnecessary ports, protocols and services.
  • Continuously scan for vulnerabilities, apply necessary patches and identify misconfigurations.
  • Implement inbound and outbound firewall rules and review them regularly. Outbound rules need to be explicitly defined in order to prevent a malicious attacker from exfiltrating sensitive data.
  • Intrusion detection and prevention systems (IDPS) analyse, monitor and respond to network traffic in both on-premise and public cloud ecosystems. When an IDPS encounters signature-based, anomaly-based or protocol-based threats, it raises a real-time alert, notifies the administrator of the potential threat, and consequently blocks it.
  • Securely manage remote connections – Enable secure login by issuing Secure Shell (SSH) keys to users, and limit Remote Desktop Protocol (RDP) access to VMs.
  • Use only trusted images from sources like Amazon AWS, Microsoft Azure, Google GCP and do not rely on random images available over the internet.
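
A regular firewall review can start with a script that flags the two patterns this section warns about: remote-administration ports reachable from any address, and outbound rules that were never narrowed. This is an added example, not part of the original article, and the rule schema and sample rules are constructed for illustration.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed rule set in a hypothetical schema (not a specific provider's format).
RULES = [
    {"id": "r1", "direction": "inbound", "cidr": "0.0.0.0/0", "ports": (443, 443)},
    {"id": "r2", "direction": "inbound", "cidr": "0.0.0.0/0", "ports": (3389, 3389)},
    {"id": "r3", "direction": "inbound", "cidr": "203.0.113.0/24", "ports": (22, 22)},
    {"id": "r4", "direction": "inbound", "cidr": "::/0", "ports": (0, 65535)},
    {"id": "r5", "direction": "outbound", "cidr": "0.0.0.0/0", "ports": (0, 65535)},
    {"id": "r6", "direction": "outbound", "cidr": "198.51.100.10/32", "ports": (443, 443)},
]


def is_any_source(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_admin_ports(rule):
    """Names of the administration ports that fall inside the rule's port range."""
    lo, hi = rule["ports"]
    return [name for port, name in sorted(ADMIN_PORTS.items()) if lo <= port <= hi]


def audit_rules(rules):
    """Return a list of (rule id, finding) tuples for overly broad rules."""
    findings = []
    for rule in rules:
        if not is_any_source(rule["cidr"]):
            continue  # scoped to a specific network; not covered by this check
        if rule["direction"] == "inbound":
            for name in exposed_admin_ports(rule):
                findings.append((rule["id"], f"{name} open to any source"))
        elif rule["ports"] == (0, 65535):
            findings.append((rule["id"], "unrestricted outbound traffic"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES):
        print(f"{rule_id}: {finding}")
```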

4. Securing your storage layer.

This can be achieved by –

  • Classifying the data to understand what type of data is stored and where. Data classification policies should be in line with the security policies of the organisation and any exceptions/violations should be flagged automatically.
  • Data should be encrypted both at rest and in transit. Encryption keys should not be stored where the data is. There are various methods to achieve this, for example storing the keys on premise while the data resides in the cloud, or utilising a key management solution that is separate from your cloud infrastructure.
  • Manage data through the use of Identity and Access Management policies and Access control lists. This will help centralise control of permissions to storage.
  • Enable logging, which provides an audit trail of user actions, and versioning, which helps restore an old version of the data in case a system or application crashes.
  • In many cloud storage solutions, setting up Attribute Based Access Control (ABAC) gives more granular control over data objects.
  • Security awareness and staff training – Organisations need to invest in security training for all associates as the threat landscape is constantly changing. The only way to combat this situation is by constantly learning about new threats and potential countermeasures.
  • Securing your end points – Endpoint detection and response (EDR) tools and Endpoint detection platforms (EDP) provide continuous monitoring and automated response. They address numerous security requirements like patch management, endpoint encryption, VPN and threat prevention.
  • Checking compliance requirements – Before setting up a new cloud computing service, organisations must review their compliance requirements and ensure that their service providers fulfil the data security needs. Organisations are also required to perform periodic risk assessments of their cloud projects, and to identify, assess, prioritise and mitigate risks on a regular basis.


By following the above cloud security best practices and implementing the right tools and solutions, organisations can minimise risks and get the most out of cloud computing offerings.
