Privilege /Secrets maintenance is most crucial requirement in Identity and Access management services. The secrets/passwords are everywhere however in cloud environment these number are 4x times as compares to on premise solution with static secrets. The Secrets could be any form of digital credentials and sensitive information which could lead to breach!

What are Secrets?

A secret can be any sensitive information for e.g.

• User password
• Application and Database and other system-to-system passwords.
• auto-generated passwords /encryption keys
• Private encryption keys
• API Key and other application keys/credentials inside containers
• SSH Keys
• authorization tokens
• Private certificates for secure communication, transmitting and receiving of data (TLS, SSL etc.)
• One-time password devices

Why we need to manage Secrets?

The Secret management is imperative in today scenarios as this has been most affected sector and primary target for any Hackers. The emerging threat in digital environment and highly equipped hackers with self-learning abilities to classify, assess and exploit any vulnerability in the environment

Whether we are using secrets in different cloud services or within a particular cloud-based application, unorganized secrets management procedures can bring serious threat to entire security of platform for example: –

• Hard-coded and default credentials
• Managing passwords manually
• Sharing passwords
• Regular rotations
• Weak password and storing it in plain text files
• Hardcoded and embedded live scripts

Secrets Management Tools

In Cloud security it is imperative that primary focus should be on access control and circulation of dynamic secrets. There are various tools features provided by Cloud service provider and third-party vendors in Market for secret keys management however the most flexible and easy tool trending these days in the cloud industry is Hashicorp Vault. It comes with two products to provide cloud security services the Vault and boundary

Hashicorp is a software company with a Freemium Business Model. They provide various products to fully managed platform to automate infrastructure on any cloud.

The Hashicorp is based on open-source tools and marketable harvests that enable developers, operators, and security experts to secure, run, provision, and connect cloud-computing they basically provide infrastructure as code which is very flexible and mature. The products prevalent for cloud security are secrets management tool Hashicorp Vault and Boundary.

What is HashiCorp Vault?

HashiCorp Vault is a is a secrets management tool for securely accessing secrets. It is used to accomplish secrets keys management in distributed systems across cloud platforms. Vault empowers cloud security players to control access to tokens, passwords, encryption keys, and certificates to defend any potentially sensitive data. The contemporary “zero trust” model is used to harden inside the HashiCorp vault. The Vault can be easily integrated with applications to be explicitly authenticated, authorized to fetch secrets, rotating secrets and perform sensitive operations, along with catering audit requirements.

HashiCorp Vault solution is widely used across many industries including large financial organizations, hospitality, and everything in between to provide security in the cloud operating model.

Secrets Management tool HashiCorp Vault allows steady control access to encryption keys, passwords, certificates etc. for shielding technologies and applications. This delivers an extensive secrets management solution for enterprises looking for securing cloud environment

1– Vault helps protect data at rest and data in transit.

2– Vault exposes a high-level API for cryptography for developers to secure sensitive data without revealing encryption keys.

3- Vault also can act like a certificate authority, to provide dynamic short-lived certificates to secure communications with SSL/TLS.

4- Vault enables a brokering of identity between different platforms, such as AD on premises and AWS IAM to permit applications to work across platform borders. Vaults provide: –

• Storage Backends for Encrypted
• Isolated Namespaces
• Secure plugins
• Detailed Historical Audit logs
• Tenancy, rotating and revoking of secrets

1. Vault provides a master key and generates encryption keys to protect data. The master key is split into five parts. Any three of the five parts are required to reconstruct the master key.

HashiCorp Vault Architecture

The below architectural diagram of secrets management tool HashiCorp vault can explain the workflow of the vault process and services.

• Storage Backend
• Barrier
• Secrets Engine
• Audit Device
• Auth Method
• Client Token
• Token Store
• Root Tokens
• Rollback Manager
• Core
• Audit Broker
• Expiration Manager

Storage Backend – A storage backend is used for robust storage of encrypted data. The storage is placed at bottom of Architecture stack as it is non trusted components for the vault and chosen as per client requirement, the considered factors for the same are like High availability/Disaster recovery/Recovery time Objective. When the Vault is started the storage backend must be declared and configured well in advance.

HTTP API – The HTTP API is used to interact with clients, and it is also non-trusted component for the vault hence placed outside the Barrier

Barrier – The barrier is strong cryptographic components which creates an un-penetrable protection layer around the Vault. The barrier ensures data is validated and decrypted as it goes inside the Vault and all data gets encrypted as it goes out from the vault. The barrier by default stays in sealed state and must be unlocked before requesting any access operation to the vault.

The Unlocking of the vault is possible only using combination of Unseal Keys. When the vault is initialized it generate encryption keys. This key is in turn protected by Master key which gets divided into 5 parts and combination of any 3 keys of which are required to rebuild the master key. For protection purpose all data that flows between Vault and the storage backend passes through the barrier.

Image – Vault Architectures

Secrets Engine – Secrets engines are components which store, generate, or encrypt data. Secret Engine is like virtual file system supporting operations like read, write, delete, generate dynamic credentials, encryptions etc. In Vault when a secrets engine is enabled, a random UUID is generated. This becomes the data root for that engine. As Secret engine writes to the physical storage layer, it is prefixed with that UUID folder as relative access is not supported by the vault hence the secrets engine cannot access other data.

Audit Device – are leveraged to keep comprehensive record of logs for all requests and response inside the vault. As all the operations executed inside the vault are API request and response, thus audit log contains all authenticated communication with Vault, as well all generated errors.

Auth Method – Authentication is used to validate access to vault. The auth method are responsible for conveying identity and a set of policies to a user. Vaults validate a user and returns a client token that can be used for future requests.

Client Token /Vault token– Tokens are the method for authentication within Vault. Token can be generated leveraging authentication methods they can also be used dynamically to generate tokens based on external identities. Inside the Vault tokens record to information like Access control list policies. These policies control directs what access are allowed to the user inside the Vault these tokens also carried meta data which is used for Audit logs such as creation time, last renewal time etc.

Token Store – Are token authentication backend that it is responsible for creating and storing tokens, the token store has no login capability and all actions require existing authenticated tokens.

Root Tokens – are tokens that have the root policy committed to them.

Rollback Manager – This is internal component of Vault to control partial failure cases by using write ahead logging.

Core – The core is used to manage the flow of requests through the system, it enforces Access control Lists and ensure audit logging is done.

Audit Broker – is leveraged to distribute the request out to all the configured audit devices.

Expiration Manager – is used to automatically revokes the secret on Lease expire if allowed by the client

HashiCorp Vaults Pricing

Let’s discuss about Hashicorp vaults pricing. There are 3 options to use this tool from pricing stand point.

1. Open Source
2. Cloud – Managed Vault
3. Enterprise Vault Premium editions.

The Vault Open-source freeware version has limitation of ~50 users only and to leverage all features and functionality it is highly recommended to use Cloud or Enterprise version. You can visit attached link for all Vault Pricing Options.

Conclusion

In this Article we have covered What are Secrets? Why we need Secrets Management? and Secrets Management tool offered by Hashicorp Vault. There are several other tools available for secrets management in the market as mentioned below. As per the client requirement and existing infrastructure we can propose appropriate tools to our clients as long it serves the purpose of underline security with future integration possibilities

• Conjur Secrets Manager (Open Source) – CyberArk
• Dynamic Access Provider (DAP) Enterprise – CyberArk
• AWS Secrets Manager – Rotate, manage, and retrieve database credentials, API keys, and other secrets through their lifecycle
• Azure Key Vault – securely storing and accessing secrets
• Akeyless Vault for Secrets Management and Secure Remote Access
• Docker secrets management

The Security trend seen in last 5 years has shown paradigm shift towards Identify and Access management domain. IAM plays vital role in preventing Cyberattacks due to leak credentials and hence many organizations are moving towards taking proactive steps by adding more secrets tools and technology to protect their sensitive information. As these organization moves towards more flexible, scalable, secure and cloud agnostic environment.

The Hashicorp suits of products are outstanding in terms of ease of use, integration, and configurations. The can flawlessly assimilates with all offerings of major cloud vendors. The Hashicorp products carry solution to full scale infrastructure security management.

For the next topics we will cover about other HashiCorp product in security and its comparison to Other traditional Privilege Access Management tools in the market. Stay tuned for upcoming topics on Boundary and CyberArk PAM solution offerings.

Related Articles:

• Understanding Cloud Security & Data Protection
• Cloud Security – How to Secure Cloud Environment?
• Top 5 Cloud Service Provider Accreditations and Third-Party Auditor Reports

The post Cloud Secrets Management Tool – HashiCorp Vault appeared first on Techyaz.com.

What is CCSK?

The Cloud Security Alliance (CSA) has established a web-based/online examination for cloud security skills for an individual’s competence in key cloud security controls, policies, compliance & issues. The Certification was launched in 2010 by CSA (Cloud Security Alliance), the CCSK is a widely recognized expertise benchmark for Cloud Security Professionals. It is widely approved catalog of security best practices, the “Security Guidance for Critical Areas of Focus in Cloud Computing V4.0”.

CCSK eases a common understanding of cloud security concepts. This surges the risk analytics of risk decisions that are made in your organization.

What are the benefits of CCSK?

The CCSK is envisioned to provide understanding of security issues and best practices over a broad range of cloud computing domains. The CCSK certification will identify you as an induvial who have knowledge about security issues, policies and compliance of Cloud Environment in all platform and domains.

The CCSK is strongly recommended for IT auditors, and it is even required for portions of the CSA Security, Trust & Assurance Registry (STAR) program.

The CCSK was recognized as the most valuable IT certification in terms of average salary by Certification Magazine.

How to Prepare for CCSK?

CCSK test will have 60 questions to be completed in 90 minutes with no pause. It’s an open book exam however that is a myth if you believe you can complete 80% of questions while searching in book. So better prepare for exam and don’t investigate materials on books while giving exam.

The Test participants will have 2 opportunity to appear for exam in case you cannot score 80% in first attempt, I would recommend you take online course/trainings with vast variety of sample questions which will help you to clear the certification in final attempt. Have a look at below courses that will help you with sample questions.

• CCSK v4.0 – Certificate of Cloud Security Knowledge Tests
• Udemy Courses on CCSK Certification (Certificate of Cloud Security Knowledge)

There are many formal Training course you can buy online before appearing for CSK certification which will make it easy for you to pass the examinations.

However, if you believe in self-learning all you need is to go read and deep understanding of 3 documents which are enough for clearing the exam of CCSK.

• 6% of the questions are based on the ENISA (European Union agency for cyber security) report.
• 87% of the questions are based on the CSA Guidance v4.
• 7% of questions are based on the CSA’s CCM 3.0.1 (Cloud Control Matrix)

What all domain are covered under CCSK course?

I have given below list of topics that anybody can learn from the above attached links in order to take this certification. I will again emphasis all of you to go through the links attached for sample questions and tests in above section. You can find such sample papers here as well.

• Udemy Courses on CCSK Certification (Certificate of Cloud Security Knowledge)

Have a look at the topics from each documents.

CSA Topics

• Domain 1 Cloud Computing Concepts and Architectures
• Domain 2: Governance and Enterprise Risk Management
• Domain 3: Legal Issues, Contracts and Electronic Discovery
• Domain 4: Compliance and Audit Management
• Domain 5: Information Governance
• Domain 6: Management Plane and Business Continuity
• Domain 7: Infrastructure Security
• Domain 8: Virtualization and Containers
• Domain 9: Incident Response
• Domain 10: Application Security
• Domain 11: Data Security and Encryption
• Domain 12: Identity, Entitlement, and Access Management
• Domain 13: Security as a Service
• Domain 14: Related Technologies

ENISA Topics

• ENISA Cloud Computing: Benefits, Risks and Recommendations for
• Information Security
• Isolation failure
• Economic Denial of Service
• Licensing Risks
• VM hopping
• Five key legal issues common across all scenarios
• Top security risks in ENISA research
• OVF
• Underlying vulnerability in Loss of Governance
• User provisioning vulnerability
• Risk concerns of a cloud provider being acquired
• Security benefits of cloud

Cloud Security Alliance – Cloud Controls Matrix

• CCM Domains
• CCM Controls
• Architectural Relevance
• Delivery Model Applicability
• Scope Applicability
• Mapped Standards and Frameworks

Reference links: https://cloudsecurityalliance.org/

Read More:

• Cloud Security – How to Secure Cloud Environment?
• Understanding Cloud Security & Data Protection
• Top 5 Cloud Service Provider Accreditations

I hope you like this article. Please follow our Facebook page and Twitter handle to get latest updates.

The post CCSK Certification Training Material appeared first on Techyaz.com.

Cloud Security Streams / Features

Today we will discuss about cloud security areas which we should consider in scope while designing a security solution for your cloud environment. In Cloud context, security comes as a shared responsibility between the Cloud Service provider (CSP)and its Tenants. All major CSP’s ensure to make available different features, tools and solution options which can be leverage by clients to have a secure cloud environment. The Cloud Security Streams are as follows

1. Physical Security – includes Cloud Data Center protection of hardware, software, networks also data centers are protected by security personnel and electronic devices such as cameras.
2. Network security – Includes data security in transit to and from the public cloud provider. It means designing and building network configuration and its elements allowing a secure access to cloud resources from your on-premise Data centers, Office, Internet etc.
3. System Security- This capability covers operating system hardening, protection and policy control. The host security at PaaS and SaaS Level are transferred to CSP.
4. Application Security – It’s a shared responsibility in cloud context to protect the application running over the cloud. Based on type of cloud model application security is managed, for e.g in SaaS cloud provider will manage the security of the application. While at the PaaS level platform security will be managed by CSP and deployed application will be customer responsibility.
5. Data security – Data security capability includes securing data in transit and at rest it to avoid data loss and exposure.
6. Identity and Access management- This capability evolves around authentication, verification and authorization of cloud resources.
7. Encryptions – as all communications between regions is across public Internet infrastructure; therefore, appropriate encryption methods should be used to protect sensitive data.
8. Security operations- Governance and strategic direction on security policies, risk assessment and its maintenance

How to Secure your Cloud Environment?

Below are simple steps which can be followed to ensure the cloud infrastructure is secured. we must leverage best in market solution while designing a secure and cost-effective solution.

1. Ensure to leverage data and Network security built-in features provided by the cloud Service provider partner solutions.
2. Design an Appropriate Data Backup solution along with Encryption enabled for covering data security.
3. Regular Audit / scan of Test of Application layer and get Quarterly/ yearly scan reports of Cloud infra from CSP.
4. Design Stable and Redundant Backup solution to cover Disaster Recovery and Business Continuity.
5. Design your environment to use layered security by allowing many data access accounts and permissions as possible.

Note: In cloud environment security comes with shared responsibility model. The Hypervisor layer and anything below it which includes hardware and applications & physical security are protected by service provider. The operating system and above layer need to be taken care by the client /User. I would recommend leveraging CSP’s features with combination of Third party tools to ensure having secure environment for Business.   

Today I will share the top best in class Cloud Service provider Microsoft Azure, AWS and Google cloud platform build in features which can be leveraged to design a secure cloud solution for your CSP.

Microsoft Azure Security Built In Security Features

Microsoft is providing numerous tools and features to secure your cloud environment. These tools have their respective cost. Microsoft has also provided broker platform features like monitoring your cloud estate from single plane of glass.  Below is the list of security tools which can be leveraged to design a secure cloud environment:

• Operations Management Suite Security (OMS) and Audit Dashboard
• Azure Resource Manager
• Application Insights
• Azure Monitor
• Log Analytics
• Azure Advisor
• Azure Security Center
• Role-Based Access Control (RBAC)
• Shared Access Signature
• Internal DNS
• Azure DNS
• Log Analytics NSGs
• Enable log categories for NSGs:
  1. Event
  2. Rules counter

Encryption 

Azure supports various encryption models, including server-side encryption that uses service-managed keys, customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware. With client-side encryption, client can manage and store keys on-premises or in another secure location. 

• Encryption in Transit
• Encryption at rest
• Storage Service Encryption
• Client-side Encryption
• Azure Disk Encryption (IaaS Virtual Machine Disk)

Applications Security 

This feature provides security micro-segmentation for your virtual networks in Azure.

• Web Application vulnerability scanning
• Penetration Testing
• Web Application firewall
• The web application firewall (WAF)
• Authentication and authorization in Azure App Service
• Layered Security Architecture (providing differing levels of network access for each application tier)
• Web server diagnostics
  • Detailed Error Logging
  • Failed Request Tracing
  • Web Server Logging
  • Application diagnostics
  • All (displays all events)
  • Application Errors (displays exception events)
  • Performance (displays performance events)
  • Storage
  • Storage Analytics (Successful requests, Failed requests, including timeout, throttling, network, authorization, and other errors)
  • Enabling Browser-Based Clients Using CORS
  • Cross-Origin Resource Sharing (CORS)

Network Security

Microsoft Azure provides confidentiality, integrity, and availability of customer data, while also enabling transparent accountability. Available network recommendations by Microsoft are as follows:

1. Add a Next Generation Firewall Recommends that client can add a Next Generation Firewall (NGFW) from a Microsoft partner to increase your security protections
2. Route traffic through NGFW only Recommends that you configure network security group (NSG) rules that force inbound traffic to your VM through your NGFW.
3. Enable Network Security Groups on subnets or virtual machines Recommends that you enable NSGs on subnets or VMs.
4. Restrict access through Internet facing endpoint Recommends that you configure inbound traffic rules for NSGs.

Below are the main components or areas where you should focus to enhance the network security of your cloud environment.

• Network Layer Controls
• Network Security Groups
• A Network Security Group (NSG)
• Route Control and Forced Tunneling
• Forced tunneling
• Virtual Network Security Appliances – Azure partner network security appliance solution.
• Azure Virtual Network
• Azure networking supports various secure remote access scenarios. Some of these include:
• Connect individual workstations to an Azure Virtual Network
• Connect on-premises network to an Azure Virtual Network with a VPN
• Connect on-premises network to an Azure Virtual Network with a dedicated WAN link
• Connect Azure Virtual Networks to each other
• VPN Gateway
• Express Route
• Microsoft Azure ExpressRoute (Dedicated WAN Link -ExpressRoute connections do not go over the public Internet)
• Application Gateway (Layer 7 Load Balancer)
• Web Application Firewall
• Traffic Manager
• Microsoft Azure Traffic Manager
• Azure Load Balancer (Layer 4 Load Balancer) – Internet-facing load balancing.

Compute Security

Unified security management and advanced threat protection across hybrid cloud workloads , there are various tool available by azure for the compute environment.

• Antimalware & Antivirus – Azure IaaS, use antimalware software from security vendors such as (Microsoft, Symantec, Trend Micro, McAfee, and Kaspersky to protect your virtual machines).
• Hardware Security Module (store keys in hardware Security modules (HSMs) certified to FIPS 140-2 Level 2 standards.)
• Virtual machine backup
• Azure Backup (Windows & Linux only)
• Azure Site Recovery (DR & BCP Orchestration)
• SQL VM TDE (Transparent data encryption (TDE) and column level encryption (CLE) are SQL server encryption features. This form of encryption requires customers to manage and store the cryptographic keys you use for encryption.)
• The Azure Key Vault (AKV)
• VM Disk Encryption (Azure Disk Encryption (industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux))
• Virtual networking
• Patch Updates
• Security policy management and reporting
• Identify and access management

Secure Identity (IAM)

Protect application and data at the front gate with Azure Identify and access management solutions.

• Multi-Factor Authentication (Multi-Factor Authentication experience that works with both Microsoft Azure Active Directory and Microsoft accounts, and includes support for wearables and fingerprint-based approvals)
• Password policy enforcement
• Token-based authentication enables authentication via Azure Active Directory.
• Role-based access control (RBAC)
• Integrated identity management (hybrid identity) enables you to maintain control of users’ access across internal data centers and cloud platforms, creating a single user identity for authentication and authorization to all resources. 

AWS Built-in Security Features 

Like other CSP the AWS cloud security solution has also been offering various feature to design cloud security. Below are the list of some of the services that you can use for cloud security.

• AWS Artifact
• AWS Certificate Manager (SSL/TLS Certificates)
• Amazon Cloud Directory
• AWS CloudHSM Key Storage & Management
• Amazon Cognito User Sign Up & Sign In
• AWS Directory Service Directory
• AWS Firewall Manager
• Amazon GuardDuty Threat Detection
• AWS Identity and Access Management (IAM)
• Amazon Inspector
• Security Assessment
• AWS Key Management Service
• Amazon Macie (Sensitive Data Classification)
• AWS Organizations (Multiple Account Management)
• AWS Shield (DDoS Protection)
• AWS Secrets Manager
• AWS Single Sign-On (SSO)
• AWS WAF (Web Application Firewall)

Infrastructure Security

It help identify and protect applications and infrastructure from cyber-attacks and other advanced threats vectors. Infrastructure security is important area to secure cloud environment. Have a look at below tools that is available in AWS market place to secure cloud environment.

Tools Offered in AWS Market Place

• Barracuda
• Check Point
• TM_logo_red_2c_transparent_small
• Alert Logic
• Intel Security
• Symantec
• 600x400_Sophos_logo
• FORTINET_logo
• PaloAlto
• imperva-new
• openvpn
• netgate
• Gigamon-Free-Standing-Orange-Logo

Configuration & Vulnerability Analysis

Tools to help you inspect application deployments for security risks and vulnerabilities, while receiving priorities and advice to assist with remediation.

Stealth

• cloudcheckr- The CloudCheckr CMP offers a single pane of glass view to help modern enterprises manage and optimize their public cloud
• 600x400_Tenable_Logo
• 600x400_EvidentIo

Logging and monitoring

Help maintain visibility and auditability of activity in your application infrastructure and receive policy-driven alerting, and reporting.

• Sumo Logic
• 200x133_Splunk_Logo
• Cisco_600x400

Data Security

Assist with safeguarding your data from unauthorized disclosure and modification, through encryption, key management, and policy-driven controls.

• 300x100_Gemalto_Logo
• hytrust
• townsendsecurity

Google Cloud Platform Build In Security Features

Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and boot kits to secure cloud environment.

• Verifiable integrity with secure and measured boot
• vTPM exfiltration resistance
• Trusted UEFI firmware
• Tamper-evident attestations
• Live migration and patching

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Kubernetes Engine.

• Policy creation
• Policy verification and enforcement
• Audit logging
• Open source support for Kubernetes
• Break Glass support
• Integration with third-party solutions
• Integrate Binary Authorization with leading container security and CI/CD partners, such as CloudBees and Twistlock.

Google Cloud Load Balancing

Scale your applications on Google Compute Engine from zero to full-throttle with Google Cloud Load Balancing, with no pre-warming needed

• HTTP(S) Load Balancing
• TCP/SSL Load Balancing
• SSL Offload
• Advanced Feature Support
• UDP Load Balancing
• Stackdriver Logging
• Seamless Autoscaling
• High Fidelity Health Checks
• Affinity
• Cloud CDN Integration

Authentication, Integrity, and Encryption

Google employs several security measures to help ensure the authenticity, integrity, and privacy of data in transit.

• Encryption at rest
• Encryption in transit

Encryption in use – protects data when it is being used by servers to run computations, e.g. homomorphic encryption.

ALTS, a mutual authentication and transport encryption system that runs at the application layer, to protect RPC communications. Using application-level security allows applications to have authenticated remote peer identity, which can be used to implement fine-grained authorization policies

Google Key Management Service

Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services the same way you do on premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. 

• Symmetric and asymmetric key support
• Encrypt and decrypt via API
• Automated and at-will key rotation
• Delay for key destruction
• High global availability
• Application Layer Transport Security

Google Cloud Data Loss Prevention

Automatically discover and redact sensitive data everywhere

• Flexible Classification
• Secure Data Handling
• Custom Detectors
• Easy Workload Integration
• Likelihood Scores
• Pay As You Go Pricing
• Detailed Findings
• Simple and Powerful Redaction
• REST API

Google Cloud HSM

Cloud HSM a cloud-hosted hardware security module (HSM) service on Google Cloud Platform.

• Symmetric and asymmetric key support
• Statement attestation
• Integration with Cloud KMS
• Multi-region support
• G Suite DLP Mail
• G Suite DLP Drive
• G Suite Doc Controls

Google Chrome Browser

Manage centrally employee activity in the cloud, across all devices and platforms, now and in the future

• Advanced malware and phishing protection gives employees a safe cloud experience.
• Regular security updates
• Users are protected from the latest security vulnerabilities — no patching required.
• Sandboxing
• Prevents malware and isolates malicious web pages that try to infect devices, monitor web activity, or steal data.
• Site isolation
• G Suite Device Management

Identity & Access Management

Protect user identities by managing the user lifecycle, authentication and assurance, and managing system and application access.

• Cloud Identity
• Cloud IAM
• Cloud Identity-Aware Proxy
• Security Keys
• Cloud Resource Manager
• Firebase Authentication

Application Security

• Cloud Security Scanner-Automatically scan your App Engine apps for common vulnerabilities
• Apigee-API Management for Visibility and Control Design, secure, analyze, and scale APIs anywhere.

Security Monitoring & Operations

Monitor for malicious activity, handle security incidents, and support operational processes that prevent, detect, and respond to threats.

• Stackdriver Logging
• Cloud Security Command CenterALPHA
• Access Transparency

Cloud Security Command CenterALPHA

• Asset Discovery and Inventory
• Sensitive Data Identification
• Application Vulnerability Detection
• REST API
• Access Control Monitoring
• Anomaly Detection From Google
• Third-party Security Tool Inputs (Integrate output from your existing security tools such as Cloudflare, CrowdStrike, Dome9, Palo Alto Networks, Qualys, and RedLock into Cloud Security Command Center to detect DDoS attacks)
• Real-time Notifications

Google Governance, Risk & Compliance

Support governance and compliance processes, including performing assessments, demonstrating compliance, and achieving certifications. You should read attached Third-party audits and certifications article in given link: https://techyaz.com/cloud/top-5-cloud-service-provider-accreditations-third-party-auditor-reports/

I hope you liked this article. I would recommend you to also read this article about cloud security and data protection: Understanding Cloud Security and Data Protection

The post Cloud Security – How to Secure Cloud Environment? appeared first on Techyaz.com.

Here I am going to answer all these questions and explaining about Cloud Security in this context.

Is your data secure in Cloud environment?

Yes, your data will be secured in cloud environment if you can design security solution/configurations leveraging public cloud providers features and third-party tools efficiently.

The amount of security configuration work you must do will varies, depending on what kind of cloud services you select and how sensitive your data is.

Security in Cloud creates a shared responsibility model between the customer and Cloud Service Provider (CSP). CSPs are responsible for securing the infrastructure (hardware, software, networks, and facilities of their Data center) that supports the cloud and you will be responsible for anything you put on the cloud or connect to the cloud (Data, Operating System, softwares, tools, License, Access, Credentials, authentication, encryption etc.)

Is your data in Cloud Hackable?

No, cloud systems are not hackable in terms of technology, hardware and network services provided by cloud provider. However, if security configurations are not done accurately by the user then loopholes in security may lead vulnerability in your cloud environment.

Can your data be disclosed by the Cloud Service Provider?

Your content/data will not be disclosed unless service provider required to do so to comply with the law of the country or a valid and binding order of a governmental or regulatory body. Unless prohibited from doing so or there is clear indication of illegal conduct about the use of CSP’s products or services. CSP notifies customers before disclosing customer content so they can seek protection from disclosure.

To understand all above and similar security related concerns you should first understand Cloud Security. Let’s discuss what is cloud security and how many domains we need to take care from cloud security point of view.

What is Cloud Security?

As every second your information/data travel through cloud and from different locations, networks and regions. We need to ensure it is not leaked in process of transmission from one place to other. Typically, all firms are well verse about physical and technical security of their On-premise data center. Similarly, cloud services and Infrastructure need to be secured to protect the confidentiality, integrity, and availability of your or your client data.

In Cloud context, security is a shared responsibility between the Cloud Service Provider (CSP) and its users/customers. CSPs take care of physical and logical security of its underlying hardware until Hypervisor layer. However, anything above Operating System is Client responsibility because customer owns the data and service provider has no access to it. Although it also varies in each model of Cloud Computing for some services.

Cloud Security is all about leveraging security features and tools to design and build a secure cloud environment to protect the privacy and integrity of cloud customers and their data. Cloud Security is blend of technologies and policies designed to adhere and regulate compliance rules and protect information, data applications and infrastructure associated with Cloud Computing use.

Cloud Security Categories

From cloud security perspective, below are the cloud security domains or categories that needs to be considered while building cloud environment.

1. Physical Security
2. Network security
3. System Security
4. Application Security
5. Data Security
6. Identity and Access management
7. Encryptions
8. Security operations

Each ownership for each type of security in cloud varies in each model of Cloud. You can see who is responsible for  what in each cloud model in below image.

1. Physical Security- is the protection of hardware, software, networks and data from physical actions and events that could cause serious loss or damage to an enterprise, agency or institution. CSPs are responsible to take care of this security.
2. Network Security – Includes data security in transit to and from the public cloud provider. It means designing and building network configuration and its elements allowing a secure access to cloud resources from your on-premise Data centers, Office, Internet etc. This security is shared responsibility between CSPs & Customer.
3. System Security- This capability covers operating system hardening, protection and policy control. The host security at PaaS and SaaS Level are transferred to CSP.
4. Application Security – It’s a shared responsibility in cloud context to protect the application running over the cloud. Based on type of cloud model application security is managed, for e.g in SaaS cloud provider will manage the security of the application. While at the PaaS level platform security will be managed by CSP and deployed application will be customer responsibility.
5. Data Security – Data security capability includes securing data in transit and at rest it to avoid data loss and exposure.
6. Identity and Access management- This capability evolves around authentication, verification and authorization of cloud resources.
7. Encryptions – As all communications between regions is across public Internet infrastructure; therefore, appropriate encryption methods should be used to protect sensitive data.
8. Security operations- Governance and strategic direction on security policies, risk assessment and its maintenance.

Choose Cloud Service Provider considering Data Security, Information Security and Quality Assurance?

Its depends on data and its criticality in terms of sensitivity, availability & durability requirement. For choosing most reliable cloud service provider we must consider CSP’s accreditations, security certifications and third party audit assessment reports. All major cloud service provider share their policies accreditation on data privacy, security, durability, availability information on their respective portals under valid Non-disclosure agreement. These certifications are global and can be achieved through periodic rigorous external audit accredited certification bodies based on NIST (National Industrial Security Program Operating Manual) global standards.

Some of the Most popular Cloud Service Provider Accreditations and Certification for cloud computing compliance and security are given in attached article. Read it to understand Cloud Accreditations and Certification that will finally help you to choose right Cloud Service Provider.

I hope you like this article. Please follow us on our facebook page and on Twitter handle to get latest updates.

Reference Links: Azure , AWS  ,Google ,IBM

The post Understanding Cloud Security & Data Protection appeared first on Techyaz.com.

Compliance Program provided by Cloud Services Providers

Cloud Service providers ensure robust controls to secure their infrastructure, to protect client data. As virtual systems build over the cloud Infrastructure need also to be secured and it comes with shared responsibility and compliance. Cloud Data center environment comes with audit friendly features and standards to ensure client satisfaction about their data security. The IT infrastructure that CSP provides to its customers is designed and managed in orientation with security best practices and a variety of IT security standards due to economies of scale, including but not limited to the following:

AWS (Amazon) Security Certifications /Accreditation 

• Cloud Computing Compliance Controls Catalogue (C5)
• FedRAMP Partner Package
• Global Financial Services Regulatory Principles IRAP Package
• ISO 27001:2013 Certification and Statement of Applicability (SoA)
• ISO 27017:2015 Certification and Statement of Applicability (SoA)
• ISO 27018:2014 Certification and Statement of Applicability (SoA)
• ISO 9001:2015 Certification
• MAS TRM Guidelines Workbook
• PCI DSS Attestation of Compliance (AOC) and Responsibility Summary
• PSN Connection Compliance Certificate (CoCo)
• PSN Service Provision Compliance Certificate
• Quality Management System Overview
• Service Organization Controls (SOC) 1 Report
• Service Organization Controls (SOC) 2 Report
• Service Organization Controls (SOC) 3 Report
• SOC Continued Operations

 Microsoft Azure Security and Compliance Certifications / Accreditation 

• ISO 27001, FedRAMP, SOC 1 and SOC 2.
• The Content Delivery and Security Association (CDSA)
• Criminal Justice Information Services (CJIS)
• The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) CSACCM
• EU Model Clause
• FDA 21 CFR Part 11(The US Food and Drug Administration (FDA) Code of Federal
• Regulations (CFR) Title 21 Part 11)
• FedRAMP(Federal Risk and Authorization Management Program (FedRAMP)
• The Family Educational Rights and Privacy Act (FERPA)
• FIPS 140-2. Federal Information Processing Standard (FIPS) Publication 140-2
• The Health Insurance Portability and Accountability Act (HIPAA)
• IRAP (Australian Government Information Security Registered Assessors Program)
• ISO/IEC 27001/27002:2013
• Multi-Level Protection Scheme (MLPS) is based on the Chinese state standard issued by the Ministry of Public Security
• Multi-Tier Cloud Security Standard for Singapore (MTCS SS),
• Payment Card Industry (PCI) Data Security Standards (DSS) version 3.0
• TCS CCCPPF Trusted Cloud Service certification developed by the China Cloud Computing Promotion and Policy Forum (CCCPPF)
• UK G-Cloud. 

Google Security and Compliance Certifications / Accreditation

• SSAE16 / ISAE 3402 Type II:
• SOC 1
• SOC 2
• SOC 3 public audit report
• ISO 27017, Cloud Security
• ISO 27018, Cloud Privacy
• FedRAMP ATO for Google App Engine
• PCI DSS v3.2
• HIPAA
• CSA STAR
• MTCS Tier 3 Certification (Singapore)
• Google Cloud Platform and the EU Data Protection Directive 

IBM Security and Compliance Certifications / Accreditation

• FedRAMP
• FISMA
• FFIEC
• SOC Reports
• ISO 27001
• ISO 27017
• ISO 27018
• Cloud Security Alliance
• PCI Compliance
• HIPAA
• HITRUST Assessment
• GSMA (DAL09, PAR01)
• CJIS Standards
• EU Model Clauses
• Privacy Shield
• IBM ISO Management System Certifications

Related Read:

• What is Cloud Computing?
• Understanding Cloud Security & Data Protection in Cloud

I hope you like this article. Please follow our Facebook page and Twitter handle to get latest updates.

Reference Links: Azure , AWS  ,Google ,IBM

The post Top 5 Cloud Service Provider Accreditations and Third-Party Auditor Reports appeared first on Techyaz.com.