Cloud Security – How to Secure Cloud Environment?
Today, I am going to discuss about securing cloud environment. Cloud security is popular word in IT industries these days. Let’s start with basics and all possible ways to protect your cloud environment.
Cloud Security Streams / Features
Today we will discuss about cloud security areas which we should consider in scope while designing a security solution for your cloud environment. In Cloud context, security comes as a shared responsibility between the Cloud Service provider (CSP)and its Tenants. All major CSP’s ensure to make available different features, tools and solution options which can be leverage by clients to have a secure cloud environment. The Cloud Security Streams are as follows
- Physical Security – includes Cloud Data Center protection of hardware, software, networks also data centers are protected by security personnel and electronic devices such as cameras.
- Network security – Includes data security in transit to and from the public cloud provider. It means designing and building network configuration and its elements allowing a secure access to cloud resources from your on-premise Data centers, Office, Internet etc.
- System Security- This capability covers operating system hardening, protection and policy control. The host security at PaaS and SaaS Level are transferred to CSP.
- Application Security – It’s a shared responsibility in cloud context to protect the application running over the cloud. Based on type of cloud model application security is managed, for e.g in SaaS cloud provider will manage the security of the application. While at the PaaS level platform security will be managed by CSP and deployed application will be customer responsibility.
- Data security – Data security capability includes securing data in transit and at rest it to avoid data loss and exposure.
- Identity and Access management- This capability evolves around authentication, verification and authorization of cloud resources.
- Encryptions – as all communications between regions is across public Internet infrastructure; therefore, appropriate encryption methods should be used to protect sensitive data.
- Security operations- Governance and strategic direction on security policies, risk assessment and its maintenance
How to Secure your Cloud Environment?
Below are simple steps which can be followed to ensure the cloud infrastructure is secured. we must leverage best in market solution while designing a secure and cost-effective solution.
- Ensure to leverage data and Network security built-in features provided by the cloud Service provider partner solutions.
- Design an Appropriate Data Backup solution along with Encryption enabled for covering data security.
- Regular Audit / scan of Test of Application layer and get Quarterly/ yearly scan reports of Cloud infra from CSP.
- Design Stable and Redundant Backup solution to cover Disaster Recovery and Business Continuity.
- Design your environment to use layered security by allowing many data access accounts and permissions as possible.
Note: In cloud environment security comes with shared responsibility model. The Hypervisor layer and anything below it which includes hardware and applications & physical security are protected by service provider. The operating system and above layer need to be taken care by the client /User. I would recommend leveraging CSP’s features with combination of Third party tools to ensure having secure environment for Business.
Today I will share the top best in class Cloud Service provider Microsoft Azure, AWS and Google cloud platform build in features which can be leveraged to design a secure cloud solution for your CSP.
Microsoft Azure Security Built In Security Features
Microsoft is providing numerous tools and features to secure your cloud environment. These tools have their respective cost. Microsoft has also provided broker platform features like monitoring your cloud estate from single plane of glass. Below is the list of security tools which can be leveraged to design a secure cloud environment:
- Operations Management Suite Security (OMS) and Audit Dashboard
- Azure Resource Manager
- Application Insights
- Azure Monitor
- Log Analytics
- Azure Advisor
- Azure Security Center
- Role-Based Access Control (RBAC)
- Shared Access Signature
- Internal DNS
- Azure DNS
- Log Analytics NSGs
- Enable log categories for NSGs:
- Rules counter
Azure supports various encryption models, including server-side encryption that uses service-managed keys, customer-managed keys in Key Vault, or customer-managed keys on customer-controlled hardware. With client-side encryption, client can manage and store keys on-premises or in another secure location.
- Encryption in Transit
- Encryption at rest
- Storage Service Encryption
- Client-side Encryption
- Azure Disk Encryption (IaaS Virtual Machine Disk)
This feature provides security micro-segmentation for your virtual networks in Azure.
- Web Application vulnerability scanning
- Penetration Testing
- Web Application firewall
- The web application firewall (WAF)
- Authentication and authorization in Azure App Service
- Layered Security Architecture (providing differing levels of network access for each application tier)
- Web server diagnostics
- Detailed Error Logging
- Failed Request Tracing
- Web Server Logging
- Application diagnostics
- All (displays all events)
- Application Errors (displays exception events)
- Performance (displays performance events)
- Storage Analytics (Successful requests, Failed requests, including timeout, throttling, network, authorization, and other errors)
- Enabling Browser-Based Clients Using CORS
- Cross-Origin Resource Sharing (CORS)
Microsoft Azure provides confidentiality, integrity, and availability of customer data, while also enabling transparent accountability. Available network recommendations by Microsoft are as follows:
- Add a Next Generation Firewall Recommends that client can add a Next Generation Firewall (NGFW) from a Microsoft partner to increase your security protections
- Route traffic through NGFW only Recommends that you configure network security group (NSG) rules that force inbound traffic to your VM through your NGFW.
- Enable Network Security Groups on subnets or virtual machines Recommends that you enable NSGs on subnets or VMs.
- Restrict access through Internet facing endpoint Recommends that you configure inbound traffic rules for NSGs.
Below are the main components or areas where you should focus to enhance the network security of your cloud environment.
- Network Layer Controls
- Network Security Groups
- A Network Security Group (NSG)
- Route Control and Forced Tunneling
- Forced tunneling
- Virtual Network Security Appliances – Azure partner network security appliance solution.
- Azure Virtual Network
- Azure networking supports various secure remote access scenarios. Some of these include:
- Connect individual workstations to an Azure Virtual Network
- Connect on-premises network to an Azure Virtual Network with a VPN
- Connect on-premises network to an Azure Virtual Network with a dedicated WAN link
- Connect Azure Virtual Networks to each other
- VPN Gateway
- Express Route
- Microsoft Azure ExpressRoute (Dedicated WAN Link -ExpressRoute connections do not go over the public Internet)
- Application Gateway (Layer 7 Load Balancer)
- Web Application Firewall
- Traffic Manager
- Microsoft Azure Traffic Manager
- Azure Load Balancer (Layer 4 Load Balancer) – Internet-facing load balancing.
Unified security management and advanced threat protection across hybrid cloud workloads , there are various tool available by azure for the compute environment.
- Antimalware & Antivirus – Azure IaaS, use antimalware software from security vendors such as (Microsoft, Symantec, Trend Micro, McAfee, and Kaspersky to protect your virtual machines).
- Hardware Security Module (store keys in hardware Security modules (HSMs) certified to FIPS 140-2 Level 2 standards.)
- Virtual machine backup
- Azure Backup (Windows & Linux only)
- Azure Site Recovery (DR & BCP Orchestration)
- SQL VM TDE (Transparent data encryption (TDE) and column level encryption (CLE) are SQL server encryption features. This form of encryption requires customers to manage and store the cryptographic keys you use for encryption.)
- The Azure Key Vault (AKV)
- VM Disk Encryption (Azure Disk Encryption (industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux))
- Virtual networking
- Patch Updates
- Security policy management and reporting
- Identify and access management
Secure Identity (IAM)
Protect application and data at the front gate with Azure Identify and access management solutions.
- Multi-Factor Authentication (Multi-Factor Authentication experience that works with both Microsoft Azure Active Directory and Microsoft accounts, and includes support for wearables and fingerprint-based approvals)
- Password policy enforcement
- Token-based authentication enables authentication via Azure Active Directory.
- Role-based access control (RBAC)
- Integrated identity management (hybrid identity) enables you to maintain control of users’ access across internal data centers and cloud platforms, creating a single user identity for authentication and authorization to all resources.
AWS Built-in Security Features
Like other CSP the AWS cloud security solution has also been offering various feature to design cloud security. Below are the list of some of the services that you can use for cloud security.
- AWS Artifact
- AWS Certificate Manager (SSL/TLS Certificates)
- Amazon Cloud Directory
- AWS CloudHSM Key Storage & Management
- Amazon Cognito User Sign Up & Sign In
- AWS Directory Service Directory
- AWS Firewall Manager
- Amazon GuardDuty Threat Detection
- AWS Identity and Access Management (IAM)
- Amazon Inspector
- Security Assessment
- AWS Key Management Service
- Amazon Macie (Sensitive Data Classification)
- AWS Organizations (Multiple Account Management)
- AWS Shield (DDoS Protection)
- AWS Secrets Manager
- AWS Single Sign-On (SSO)
- AWS WAF (Web Application Firewall)
It help identify and protect applications and infrastructure from cyber-attacks and other advanced threats vectors. Infrastructure security is important area to secure cloud environment. Have a look at below tools that is available in AWS market place to secure cloud environment.
Tools Offered in AWS Market Place
- Check Point
- Alert Logic
- Intel Security
Configuration & Vulnerability Analysis
Tools to help you inspect application deployments for security risks and vulnerabilities, while receiving priorities and advice to assist with remediation.
- cloudcheckr- The CloudCheckr CMP offers a single pane of glass view to help modern enterprises manage and optimize their public cloud
Logging and monitoring
Help maintain visibility and auditability of activity in your application infrastructure and receive policy-driven alerting, and reporting.
- Sumo Logic
Assist with safeguarding your data from unauthorized disclosure and modification, through encryption, key management, and policy-driven controls.
Google Cloud Platform Build In Security Features
Shielded VMs are virtual machines (VMs) on Google Cloud Platform hardened by a set of security controls that help defend against rootkits and boot kits to secure cloud environment.
- Verifiable integrity with secure and measured boot
- vTPM exfiltration resistance
- Trusted UEFI firmware
- Tamper-evident attestations
- Live migration and patching
Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Kubernetes Engine.
- Policy creation
- Policy verification and enforcement
- Audit logging
- Open source support for Kubernetes
- Break Glass support
- Integration with third-party solutions
- Integrate Binary Authorization with leading container security and CI/CD partners, such as CloudBees and Twistlock.
Google Cloud Load Balancing
Scale your applications on Google Compute Engine from zero to full-throttle with Google Cloud Load Balancing, with no pre-warming needed
- HTTP(S) Load Balancing
- TCP/SSL Load Balancing
- SSL Offload
- Advanced Feature Support
- UDP Load Balancing
- Stackdriver Logging
- Seamless Autoscaling
- High Fidelity Health Checks
- Cloud CDN Integration
Authentication, Integrity, and Encryption
Google employs several security measures to help ensure the authenticity, integrity, and privacy of data in transit.
- Encryption at rest
- Encryption in transit
Encryption in use – protects data when it is being used by servers to run computations, e.g. homomorphic encryption.
ALTS, a mutual authentication and transport encryption system that runs at the application layer, to protect RPC communications. Using application-level security allows applications to have authenticated remote peer identity, which can be used to implement fine-grained authorization policies
Google Key Management Service
Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for your cloud services the same way you do on premises. You can generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys.
- Symmetric and asymmetric key support
- Encrypt and decrypt via API
- Automated and at-will key rotation
- Delay for key destruction
- High global availability
- Application Layer Transport Security
Google Cloud Data Loss Prevention
Automatically discover and redact sensitive data everywhere
- Flexible Classification
- Secure Data Handling
- Custom Detectors
- Easy Workload Integration
- Likelihood Scores
- Pay As You Go Pricing
- Detailed Findings
- Simple and Powerful Redaction
- REST API
Google Cloud HSM
Cloud HSM a cloud-hosted hardware security module (HSM) service on Google Cloud Platform.
- Symmetric and asymmetric key support
- Statement attestation
- Integration with Cloud KMS
- Multi-region support
- G Suite DLP Mail
- G Suite DLP Drive
- G Suite Doc Controls
Google Chrome Browser
Manage centrally employee activity in the cloud, across all devices and platforms, now and in the future
- Advanced malware and phishing protection gives employees a safe cloud experience.
- Regular security updates
- Users are protected from the latest security vulnerabilities — no patching required.
- Prevents malware and isolates malicious web pages that try to infect devices, monitor web activity, or steal data.
- Site isolation
- G Suite Device Management
Identity & Access Management
Protect user identities by managing the user lifecycle, authentication and assurance, and managing system and application access.
- Cloud Identity
- Cloud IAM
- Cloud Identity-Aware Proxy
- Security Keys
- Cloud Resource Manager
- Firebase Authentication
- Cloud Security Scanner-Automatically scan your App Engine apps for common vulnerabilities
- Apigee-API Management for Visibility and Control Design, secure, analyze, and scale APIs anywhere.
Security Monitoring & Operations
Monitor for malicious activity, handle security incidents, and support operational processes that prevent, detect, and respond to threats.
- Stackdriver Logging
- Cloud Security Command CenterALPHA
- Access Transparency
Cloud Security Command CenterALPHA
- Asset Discovery and Inventory
- Sensitive Data Identification
- Application Vulnerability Detection
- REST API
- Access Control Monitoring
- Anomaly Detection From Google
- Third-party Security Tool Inputs (Integrate output from your existing security tools such as Cloudflare, CrowdStrike, Dome9, Palo Alto Networks, Qualys, and RedLock into Cloud Security Command Center to detect DDoS attacks)
- Real-time Notifications
Google Governance, Risk & Compliance
Support governance and compliance processes, including performing assessments, demonstrating compliance, and achieving certifications. You should read attached Third-party audits and certifications article in given link: https://techyaz.com/cloud/top-5-cloud-service-provider-accreditations-third-party-auditor-reports/
I hope you liked this article. I would recommend you to also read this article about cloud security and data protection: Understanding Cloud Security and Data Protection
- Cloud Data Center Locations for Top 3 CSPs (AWS, Azure & Google) - September 23, 2019
- CCSK Certification Training Material - September 21, 2019
- Cloud Security – How to Secure Cloud Environment? - December 24, 2018