Cloud Security: Tutorial and Course


Cloud Security: Overview


Cloud Security is an evolving sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

In this "Cloud Security: Tutorial and Course", we will focus on cloud security planning, system design, governance, and operational considerations. Rather than covering IT security from a general perspective, we will concentrate on areas unique to cloud environments. Information technology security and cloud security are such sweeping and important topics that they could easily require multiple books to cover everything. It is important to understand that all general IT security best practices still apply, but few books and industry standards organizations have provided real-world guidance and lessons learned on cloud-specific security. That being said, we recommend reading the National Institute of Standards and Technology (NIST) Special Publication 500-299 as a good baseline cloud-security reference model with detailed specifications. In this "Cloud Security: Tutorial and Course", we will focus more on real-world lessons learned and best practices than on a government-style reference model (we will leave that to NIST and other government organizations).

Cloud Security is divided into several sections:

Cloud Security Planning and Design

As an organization begins to plan for a cloud transition or deployment, certain security-specific considerations should be discussed. These security considerations should be part of the overall cloud planning process and not just a security audit or an assessment after everything is deployed. You should include these topics that are covered in this chapter as part of the appropriate governance, policies, and systems design planning for your cloud.

Security in an Automated Cloud Environment

One of the major differentiators of a cloud environment versus a modern on-premises datacenter with virtualization is the automation of as many processes and service-provisioning tasks as possible. This automation extends into patching of software, distribution of software and OS updates, and creation of network zones. Each of these automated provisioning processes presents a challenge to traditional security monitoring because the software and hardware environment is constantly changing with new users, new customers, new VMs, and new software instances. A cloud requires equal attention to the automation of asset and operational management; as new systems are automatically provisioned, so too must the security and operational systems learn about the new items in real time, so that scanning and monitoring of these assets can be initiated immediately.

Identity Management and Federation

User identity management, synchronization of directory services, and federation across multiple networks differ substantially in a cloud environment compared to traditional enterprise IT.

Customer Accreditation of Cloud Services

It is difficult - if not impossible - to get a public cloud provider to give an individual customer access to the provider's network and allow customer IT security staff to perform an accreditation. In fact, showing customers what happens inside the provider's networks can be considered tantamount to showing customers - and potentially competitors - the provider's intellectual property, with too much visibility into the internal security systems and procedures. Although most public cloud providers rarely allow individual customer inspection and accreditation, providers have in some cases allowed a third-party assessment so that the public cloud provider can sell its services to government and other large customers with requirements for an official security accreditation. The U.S. government's FedRAMP accreditation process, which uses third-party assessment vendors, is an excellent example of this approach.

A private cloud deployment is much more accommodating and suitable for customer accessibility and a security accreditation process. The security standards and accreditation process are the same or very similar for a public cloud, with any multitenant cloud getting the highest level of scrutiny for security controls and customer data isolation.

As part of planning your organization's transition to cloud, you need a complete understanding of the cloud models, the security standards that you need to follow, and the personnel who will perform the security accreditation. When procuring a public cloud service, your evaluation criteria should include the required security accreditation. For a private cloud deployment, ensure that your organization or the systems integrator that does the deployment is capable and experienced in highly secure cloud computing and already has security accreditation experience. Finally, remember that security accreditations normally require annual reassessments and certification renewals (or perhaps on some other time interval). As most public and private clouds mature and add new capabilities over time, these periodic accreditations are not just a quick "rubber stamp" process but involve assessing the entire system again with particular attention to the new services or configuration changes.

Data Sovereignty and On-Shore Support Operations

Data sovereignty refers to where your data is actually stored geographically in the cloud—whether it is stored in one or more datacenters hosted by your own organization or by a public cloud provider. Due to differing laws in each country, the data held by the cloud provider can sometimes be obtained by the government in whose jurisdiction the data is stored, or perhaps by the government of the country where the provider is based, or even by foreign governments through international cooperation laws. Further government monitoring or snooping on behalf of crime prevention agencies (some governments tend to change laws or push the bounds of legality to serve their own purposes) has also become a concern.

Not everything here is doom and gloom. There are "safe harbor" agreements between key governments such as the United States and the European Union to better enforce data privacy and clarify specific scenarios and data types that can legally be turned over by a cloud provider upon official requests. Organizations using public cloud services should examine the policies and practices of a prospective cloud provider to answer the following questions:

Data sovereignty and data residency has become a more significant challenge and decision point than most organizations and cloud service providers originally anticipated. Initially, one of the selling points of the cloud that a cloud service provider would point out was that you, as the customer, didn't need to be concerned with where and how it stored your information—there was an SLA to protect you. Lessons learned are to now ask or contractually force your cloud provider to store your data in the countries or datacenter locations that fit your data sovereignty requirements. Also consider if you require that all operational support personnel at the cloud provider be located within your desired country and be local citizens (preferably with background checks performed regularly)—this in combination with data sovereignty will help to ensure that your data remains private and is not unnecessarily exposed to foreign governments or other parties with whom you did not intend to share it.
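The residency and on-shore support requirements described above can be turned into a check that runs before any dataset is placed in a provider region. The following is an added example, not code from the original tutorial or from any cloud provider; the sovereignty classes, region names, operator countries and dataset names are all constructed assumptions, and an unknown class or region is denied by default.

```python
"""Data-residency check run before a dataset is placed in a provider region.
Constructed example: the sovereignty classes, region names, operator countries
and dataset names are assumptions, not any provider's real catalog."""
from dataclasses import dataclass

# Constructed policy: regions permitted to hold each sovereignty class.
# None means the class has no residency restriction.
RESIDENCY_POLICY = {
    "eu-personal": {"eu-west-1", "eu-central-1", "eu-west-2"},
    "us-federal": {"us-gov-west-1", "us-gov-east-1"},
    "public": None,
}

# Constructed: the country where each region's support operations staff sit.
OPERATOR_COUNTRY = {
    "eu-west-1": "IE", "eu-central-1": "DE", "eu-west-2": "GB",
    "us-gov-west-1": "US", "us-gov-east-1": "US",
    "ap-southeast-1": "SG",
}

# Constructed on-shore support requirement per class: the region being
# permitted is not enough if the people operating it are elsewhere.
REQUIRED_OPERATOR_COUNTRIES = {
    "eu-personal": {"IE", "DE", "FR"},
    "us-federal": {"US"},
}


@dataclass(frozen=True)
class PlacementRequest:
    dataset: str
    data_class: str
    region: str


def evaluate_placement(req):
    """Return (allowed, reason). Unknown classes and regions are denied."""
    if req.data_class not in RESIDENCY_POLICY:
        return False, f"unknown data class {req.data_class!r}: deny by default"
    allowed_regions = RESIDENCY_POLICY[req.data_class]
    if allowed_regions is not None and req.region not in allowed_regions:
        return False, f"region {req.region} is not permitted for {req.data_class} data"
    required = REQUIRED_OPERATOR_COUNTRIES.get(req.data_class)
    if required is not None:
        country = OPERATOR_COUNTRY.get(req.region)
        if country not in required:
            return False, (f"support staff for {req.region} sit in {country}, "
                           f"not in {sorted(required)}")
    return True, "placement satisfies residency and on-shore support policy"


def audit_placements(requests):
    """Batch form for periodic re-checks: returns only the violating requests."""
    violations = []
    for req in requests:
        ok, reason = evaluate_placement(req)
        if not ok:
            violations.append((req, reason))
    return violations


if __name__ == "__main__":
    sample = [
        PlacementRequest("crm", "eu-personal", "eu-west-1"),
        PlacementRequest("crm-backup", "eu-personal", "ap-southeast-1"),
        PlacementRequest("hr", "eu-personal", "eu-west-2"),
    ]
    for req, reason in audit_placements(sample):
        print(f"{req.dataset}: {reason}")
```

Running the check as part of provisioning, rather than as a later audit, is what makes the contractual requirement enforceable: a placement that fails is never created in the first place.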

If you are a private cloud operator, you should not only have published policies to address these concerns, but also consider formal written internal policies, such as the following:

Cloud Security Certifications

There are dozens of government institutions in the U.S. and worldwide that have published computer security guidance. U.S. government customers often mandate these security specifications, but they are also excellent guidelines for non-government clouds.

There are also a significant number of security policies that come from U.S. government organizations, and certain industries such as healthcare and finance are required to follow them. Commercial and government agencies are required to implement these security standards and often go through a formal security accreditation process before their computer systems can go online.

Cloud Security Best Practices

Based on lessons learned and experience from across the cloud industry, you should consider the following best practices for your organization's planning.

Cloud Security Best Practices: Planning

As an organization plans for transitioning to a cloud service or deploying a private or hybrid cloud, the first step from a security standpoint is to consider what IT systems, applications, and data should or must remain within a legacy enterprise datacenter. Here are some considerations:

Cloud Security Best Practices: Multitenancy

Most clouds use software-based access controls and permissions to isolate customers from one another in a multitenant cloud environment. Hardware isolation is an option for private clouds and some virtual private clouds, but at additional cost.
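Software-based tenant isolation stands or falls on every data access being scoped to the caller's tenant. The following added example (not code from the original tutorial) contrasts a lookup that trusts the document id alone with one that binds the tenant from the authenticated principal into the query itself; the table, tenants and documents are constructed, using an in-memory SQLite database.

```python
"""Tenant isolation with software-based access control: the weak lookup trusts
the caller, the hardened lookup scopes every query to the tenant bound to the
authenticated principal. Constructed example with an in-memory SQLite table."""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    tenant_id: str   # established at login, never taken from the request body


def build_demo_db():
    """Constructed multi-tenant table: two tenants sharing one database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents (id, tenant_id, title) VALUES (?, ?, ?)",
        [(1, "acme", "acme roadmap"),
         (2, "acme", "acme payroll"),
         (3, "globex", "globex merger plan")],
    )
    return conn


def get_document_weak(conn, doc_id):
    """Weak: looks the row up by id alone, so any tenant can read any id."""
    row = conn.execute(
        "SELECT title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


def get_document(conn, principal, doc_id):
    """Hardened: the tenant predicate comes from the authenticated principal and
    is part of the query, so another tenant's id simply does not exist from
    this tenant's point of view (no distinguishable 'forbidden' answer)."""
    row = conn.execute(
        "SELECT title FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, principal.tenant_id),
    ).fetchone()
    return row[0] if row else None


def list_documents(conn, principal):
    """Every list query carries the same tenant predicate."""
    rows = conn.execute(
        "SELECT id, title FROM documents WHERE tenant_id = ? ORDER BY id",
        (principal.tenant_id,),
    ).fetchall()
    return [(r[0], r[1]) for r in rows]


if __name__ == "__main__":
    db = build_demo_db()
    alice = Principal("alice", "acme")
    print("weak lookup of id 3:", get_document_weak(db, 3))
    print("scoped lookup of id 3:", get_document(db, alice, 3))
    print("alice's documents:", list_documents(db, alice))
```

The pattern generalizes to any data-access layer: the tenant identifier is derived once from the authenticated session and applied in every query, never read from a URL or request body where a caller could substitute another tenant's value.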

Cloud Security Best Practices: Automation in a Cloud

The first rule in an automated cloud is to plan and design a cloud system with as few manual processes as possible. This might be contrary to ingrained principles of the past, but you must avoid any security processes or policies that delay or prevent automation. Here are some considerations:

Experience has shown that traditional security processes have tended to be manual approvals, after-provisioning audits, and slow methodical assessments - tendencies that must change when building or operating a cloud. Precertify everything to allow automated deployment - avoid forcing any manual security assessments in the provisioning process.

It is common for customers to request additional network configurations or opening of firewall ports. These can be handled through a manual vetting, approval, and configuration process, but you might want to charge extra for this service. Here are some things to keep in mind:
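One way to keep the "precertify everything" rule while still vetting customer requests for extra firewall openings is to approve automatically only the requests that match a precertified pattern, and route the rest to the manual process. The following is an added example, not code from the original tutorial; the precertified catalog, the tenant's registered address space and the prefix threshold are constructed assumptions.

```python
"""Triage of customer firewall-rule requests: requests matching a precertified
pattern are approved automatically, everything else goes to manual vetting.
Constructed example: catalog, tenant address space and thresholds are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleRequest:
    tenant: str
    source_cidr: str
    dest_port: int
    protocol: str


# Constructed: protocol/port pairs certified in advance for automatic approval.
PRECERTIFIED_SERVICES = {("tcp", 443), ("tcp", 22)}

# Constructed: address space each tenant has registered as its own.
TENANT_NETWORKS = {"acme": [ipaddress.ip_network("203.0.113.0/24")]}

# Anything broader than this prefix length is never auto-approved.
NARROWEST_AUTO_PREFIX = 24


def triage_rule_request(req):
    """Return ('auto-approve' | 'manual-review' | 'reject', reason)."""
    try:
        src = ipaddress.ip_network(req.source_cidr, strict=False)
    except ValueError as exc:
        return "reject", f"malformed source range: {exc}"
    if not 0 < req.dest_port <= 65535:
        return "reject", f"invalid destination port {req.dest_port}"
    if src.prefixlen < NARROWEST_AUTO_PREFIX:
        return "manual-review", (f"source range /{src.prefixlen} is broader "
                                 f"than /{NARROWEST_AUTO_PREFIX}")
    service = (req.protocol.lower(), req.dest_port)
    if service not in PRECERTIFIED_SERVICES:
        return "manual-review", f"{service[0]}/{service[1]} is not in the precertified catalog"
    owned = TENANT_NETWORKS.get(req.tenant, [])
    # Only ranges inside the tenant's own registered space qualify.
    if not any(net.version == src.version and src.subnet_of(net) for net in owned):
        return "manual-review", "source range is not registered to the requesting tenant"
    return "auto-approve", "matches a precertified pattern from the tenant's own address space"


def route_requests(requests):
    """Split a batch into the automated path and the manual (billable) path."""
    routed = {"auto-approve": [], "manual-review": [], "reject": []}
    for req in requests:
        decision, reason = triage_rule_request(req)
        routed[decision].append((req, reason))
    return routed


if __name__ == "__main__":
    batch = [
        RuleRequest("acme", "203.0.113.0/26", 443, "tcp"),
        RuleRequest("acme", "203.0.113.0/26", 3389, "tcp"),
        RuleRequest("acme", "0.0.0.0/0", 443, "tcp"),
    ]
    for decision, items in route_requests(batch).items():
        for req, reason in items:
            print(f"{decision}: {req.source_cidr} {req.protocol}/{req.dest_port}: {reason}")
```

The catalog is the precertification: the security review happens once, when a pattern is added to it, not on every order.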

Cloud Security Best Practices: Asset and Configuration Management

The key to success is to also automate the updating of asset and configuration databases. This means that you configure the cloud management platform, which controls and initiates automation, to immediately log the new VM, application, or software upgrade into the asset and configuration databases.

Here are some considerations:

Cloud Security Best Practices: Monitoring and Detection Outside Your Network Perimeter

Traditional datacenter and IT security focused on monitoring for threats and attacks against the private network, the datacenter, and everything inside your perimeter. Cloud providers should increase the radius of monitoring and detection to find threats before they even find or hit your network. Here are some things to keep in mind:

Cloud Security Best Practices: Consolidated Data in the Cloud

Many customers are concerned that data consolidated and hosted in the cloud might be less secure. The truth is that having centralized cloud services hosted by a cloud provider or your own IT organization enables a consolidation of all the top-level security personnel and security tools. Most organizations would rather have this concentration of expertise and security tools than a widely distributed group of legacy or mediocre tools and skillsets. Here are some considerations:

Cloud Security Best Practices: Continuous Monitoring

As soon as new systems are brought online and added to the asset and configuration management databases, the security management systems should immediately be triggered to launch any system scans and start routine monitoring. There should be little or no delay between a new system being provisioned in the cloud and the beginning of security scans and continuous monitoring. Monitoring of the automated provisioning, customer orders, system capacity, system performance, and security are critical in a 24-7, on-demand cloud environment. Here are some considerations:

Cloud Security Best Practices: Denial-of-Service Plan

Denial-of-Service (DoS) attacks are so common that it is a matter of when and how often, not if, your cloud is attacked. Here are some recommendations:

Cloud Security Best Practices: Global Threat Monitoring

Consider implementing security tools, firewalls, and intrusion detection systems that subscribe to a reputable worldwide threat management service or matrix. These services detect new and zero-day attacks that might start somewhere across the globe and then transmit the patch, fix, or mitigation of that new threat to all worldwide subscribers immediately. Thus, everyone subscribed to the service is "immediately" immune from the attack even before the attack or intrusion attempt was ever made to your specific network. These services utilize some of the world's best security experts to identify and mitigate threats. No individual cloud provider or consuming organization can afford the quantity and level of skills as these providers have.
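On the consuming side, the value of such a subscription shows up when the indicators it delivers are matched against your own logs and retired when they expire. The following added example (not code from the original tutorial or from any threat-management service) loads a constructed indicator feed and runs it over constructed firewall and DNS resolver lines; the CSV feed shape, the indicators and the log format are all invented for the example.

```python
"""Matching a subscribed threat-indicator feed against local logs.
Constructed example: the feed format, indicators and log lines are invented
here, not taken from any real threat-intelligence service."""
import csv
import io
import ipaddress
import re
from datetime import date

# Constructed feed snapshot in a simple CSV shape.
FEED_CSV = """indicator,type,threat,valid_until
198.51.100.7,ipv4,scanner-botnet,2099-01-01
198.51.100.0/26,ipv4-cidr,bulletproof-host,2099-01-01
malware-dl.example,domain,dropper-cdn,2099-01-01
192.0.2.250,ipv4,retired-campaign,2000-01-01
"""

# Constructed firewall and DNS resolver lines in a key=value style.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z fw src=198.51.100.7 dst=10.0.0.5 dport=22 action=deny",
    "2024-05-01T10:00:03Z fw src=198.51.100.40 dst=10.0.0.5 dport=443 action=allow",
    "2024-05-01T10:00:05Z fw src=192.0.2.250 dst=10.0.0.9 dport=80 action=allow",
    "2024-05-01T10:00:07Z dns client=10.0.0.8 query=cdn.malware-dl.example",
    "2024-05-01T10:00:09Z dns client=10.0.0.8 query=updates.example.org",
]

IP_RE = re.compile(r"\b(?:src|client)=(\d{1,3}(?:\.\d{1,3}){3})\b")
DOMAIN_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")


def load_feed(text, today):
    """Parse the feed, dropping indicators whose valid_until is in the past."""
    exact_ips, cidrs, domains = {}, [], {}
    for row in csv.DictReader(io.StringIO(text)):
        if date.fromisoformat(row["valid_until"]) < today:
            continue   # stale indicator: keeping it would only produce noise
        if row["type"] == "ipv4":
            exact_ips[row["indicator"]] = row["threat"]
        elif row["type"] == "ipv4-cidr":
            cidrs.append((ipaddress.ip_network(row["indicator"]), row["threat"]))
        elif row["type"] == "domain":
            domains[row["indicator"].lower()] = row["threat"]
    return {"ips": exact_ips, "cidrs": cidrs, "domains": domains}


def match_line(line, feed):
    """Return [(observable, threat), ...] for every indicator the line touches."""
    hits = []
    for ip_text in IP_RE.findall(line):
        if ip_text in feed["ips"]:
            hits.append((ip_text, feed["ips"][ip_text]))
        addr = ipaddress.ip_address(ip_text)
        for net, threat in feed["cidrs"]:
            if addr in net:
                hits.append((ip_text, threat))
    for name in DOMAIN_RE.findall(line):
        name = name.lower().rstrip(".")
        labels = name.split(".")
        # Check the name and each parent domain so subdomains are caught too.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in feed["domains"]:
                hits.append((name, feed["domains"][candidate]))
                break
    return hits


def scan_logs(lines, feed):
    """Return (line, hits) for each line with at least one indicator match."""
    findings = []
    for line in lines:
        hits = match_line(line, feed)
        if hits:
            findings.append((line, hits))
    return findings


if __name__ == "__main__":
    feed = load_feed(FEED_CSV, date(2024, 5, 1))
    for line, hits in scan_logs(SAMPLE_LOGS, feed):
        print(line)
        for observable, threat in hits:
            print(f"  {observable} -> {threat}")
```

Expiry handling matters as much as matching: indicators for a retired campaign that stay in the blocklist generate false positives and, over time, erode trust in the feed.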

Cloud Security Best Practices: Change Control

Legacy change control processes need to evolve in an automated cloud environment. When each new cloud service is ordered and automated provisioning is completed, an automated process should also create the change control record, which can then feed, or be monitored by, security operations. Here are some recommendations:
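The asset and configuration management, continuous monitoring, and change control practices above describe one pipeline: a provisioning event updates the inventory, queues the right scan, and writes a change record, with no gap between an asset existing and security learning about it. The following added example (not code from the original tutorial or any cloud management platform) wires those three steps together in memory; the event kinds, field names and scan types are constructed assumptions, and replayed events are ignored so that at-least-once delivery does not create duplicate scans.

```python
"""Event-driven security onboarding: every provisioning event updates the
asset inventory, queues the appropriate scan and writes a change record, so
security systems learn about an asset the moment it exists.
Constructed example: event kinds, field names and scan types are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ProvisionEvent:
    event_id: str          # unique per delivery attempt, so replays can be ignored
    kind: str              # "vm.created", "package.updated" or "vm.deleted"
    asset_id: str
    owner: str
    attributes: dict = field(default_factory=dict)


class SecurityOnboarding:
    def __init__(self):
        self.inventory = {}      # asset_id -> record
        self.scan_queue = []     # pending scan jobs
        self.scan_results = {}   # asset_id -> last completed scan type
        self.change_log = []     # audit trail fed to security operations
        self._seen_events = set()

    def handle(self, ev):
        """Apply one event to inventory, scan queue and change log; return the outcome."""
        if ev.event_id in self._seen_events:
            return "duplicate"
        self._seen_events.add(ev.event_id)
        if ev.kind == "vm.created":
            self.inventory[ev.asset_id] = {"owner": ev.owner, "status": "active",
                                           "attributes": dict(ev.attributes)}
            self._queue_scan(ev.asset_id, "baseline-vulnerability-scan", "high")
            self._record(ev, "asset registered; baseline scan queued")
            return "onboarded"
        if ev.kind == "package.updated":
            record = self.inventory.get(ev.asset_id)
            if record is None or record["status"] != "active":
                self._record(ev, "update reported for an asset not in inventory; flagged")
                return "unknown-asset"
            record["attributes"].update(ev.attributes)
            self._queue_scan(ev.asset_id, "configuration-delta-scan", "normal")
            self._record(ev, "configuration updated; delta scan queued")
            return "rescan-queued"
        if ev.kind == "vm.deleted":
            record = self.inventory.get(ev.asset_id)
            if record is not None:
                record["status"] = "decommissioned"
            self.scan_queue = [job for job in self.scan_queue if job["asset"] != ev.asset_id]
            self._record(ev, "asset decommissioned; pending scans cancelled")
            return "decommissioned"
        self._record(ev, "unhandled event kind")
        return "unhandled"

    def complete_scan(self, asset_id):
        """Pop the oldest queued scan for the asset and record it as done."""
        for i, job in enumerate(self.scan_queue):
            if job["asset"] == asset_id:
                self.scan_queue.pop(i)
                self.scan_results[asset_id] = job["type"]
                return job["type"]
        return None

    def coverage_gaps(self):
        """Active assets with no completed scan and nothing queued: the window
        the text says must not exist."""
        queued = {job["asset"] for job in self.scan_queue}
        return sorted(a for a, r in self.inventory.items()
                      if r["status"] == "active"
                      and a not in self.scan_results and a not in queued)

    def _queue_scan(self, asset_id, scan_type, priority):
        self.scan_queue.append({"asset": asset_id, "type": scan_type, "priority": priority})

    def _record(self, ev, note):
        self.change_log.append({"event_id": ev.event_id, "kind": ev.kind,
                                "asset": ev.asset_id, "note": note,
                                "at": datetime.now(timezone.utc).isoformat()})


if __name__ == "__main__":
    pipeline = SecurityOnboarding()
    pipeline.handle(ProvisionEvent("e1", "vm.created", "vm-001", "acme", {"image": "ubuntu-22.04"}))
    pipeline.handle(ProvisionEvent("e2", "package.updated", "vm-001", "acme", {"openssl": "3.0.2"}))
    for entry in pipeline.change_log:
        print(entry["event_id"], entry["kind"], entry["asset"], entry["note"])
    print("coverage gaps:", pipeline.coverage_gaps())
```

The `coverage_gaps` report is the check a practitioner would run continuously: any active asset it returns is one that provisioning created but security never heard about, which is exactly the failure the automation is meant to prevent.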

Cloud Security: Further Reading