
Thursday, August 14, 2014

Cloud Security

With the cloud, we no longer have well-defined boundaries regarding what’s internal and what’s external to our systems. We must assess whether holes or vulnerabilities exist across servers, networks, infrastructure components, and endpoints and then continuously monitor them.

According to the Cloud Security Alliance (CSA), an organization dedicated to ensuring security best practices in the cloud, significant areas of operational risk in the cloud include the following:

Physical security: It covers security of IT equipment, network assets, and telecommunications infrastructure.

Human resource security: It deals with the people side of the equation — ensuring background checks, confidentiality, and segregation of duties.

Business continuity: It ensures that the provider meets its service level agreement for operation.

Disaster recovery: It ensures that assets (data and applications) are protected. If, for example, we are using a public Infrastructure as a Service (IaaS) to run an application, we should find out what happens if there’s some sort of disaster (natural or otherwise).

Incident handling changes in a cloud: It means working with the service provider, which controls at least part of the infrastructure. The multi-tenant nature of the cloud often makes investigating an incident more complicated. For example, because information may be commingled and your service provider is trying to maintain privacy, log analysis can be difficult.

Application security changes in the cloud: It means uncovering exposed security threats (in a public cloud). The CSA divides application security into different areas including securing the software development lifecycle, authentication, authorization, identity management, application authorization management, application monitoring, application penetration testing, and risk management. So, if we are using a Platform as a Service (PaaS) to develop applications, we must be concerned about application security. Likewise, if we are running our application in the cloud or using a SaaS provider, application security will be an issue.

Identity and access management: Controls and maintains access to computer resources, applications, data, and services. In a traditional data center, you may use a directory service for authentication and then deploy the application in a firewall safe zone. The cloud often requires multiple forms of identity to ensure that access to resources is secure.

Encryption and key management: Ensures that only intended recipients receive data and can decrypt it. Data encryption refers to a set of algorithms that can transform text into a form called ciphertext (an encrypted form of plain text that unauthorized parties can’t read). The recipient of an encrypted message uses a key that triggers the algorithm to decrypt the data and provide it in its original state to the authorized user.

Cloud security best practices

Knowing the current state helps us build a comprehensive strategy. Then, we can ensure that best practices are followed.
  • In a highly distributed environment, manage the identity of who’s allowed to access what resources under what circumstances. Clearly defined rules combined with automation provide a path forward.
  • Try to create general awareness of security risks by educating and warning staff members about specific dangers. Complacency is easy, especially if you’re using a cloud service provider. However, security threats come from employees as well as outside organizations.
  • Regularly have external IT security consultants check your company’s IT security policy, IT network, and the policies and practices of all your cloud service providers.
  • Determine specific IT security policies for change management and patch management, and make sure that policies are well understood by your service management staff and by your cloud service provider.
  • Review backup and disaster-recovery systems in light of IT security. Apart from anything else, IT security breaches can require complete application recovery.
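
One way to express the "who's allowed to access what resources under what circumstances" rule from the first bullet as automated, default-deny policy evaluation. This is an added example, not from the original post; the roles, resource paths, and network ranges are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    effect: str                # "allow" or "deny"
    roles: frozenset           # who
    resource: str              # what (glob pattern over resource paths)
    actions: frozenset         # which operations
    require_mfa: bool = False  # circumstance: a second form of identity
    networks: tuple = ()       # circumstance: permitted source CIDRs, empty = any

@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    action: str
    mfa: bool
    source_ip: str

def _matches(rule, req):
    if req.role not in rule.roles or req.action not in rule.actions:
        return False
    if not fnmatchcase(req.resource, rule.resource):
        return False
    if rule.require_mfa and not req.mfa:
        return False
    if rule.networks:
        src = ip_address(req.source_ip)
        return any(src in ip_network(net) for net in rule.networks)
    return True

def decide(rules, req):
    """Default deny; any matching deny rule overrides every allow."""
    effects = {r.effect for r in rules if _matches(r, req)}
    if "deny" in effects:
        return "deny"
    return "allow" if "allow" in effects else "deny"

# Constructed sample policy (hypothetical roles and paths).
POLICY = [
    Rule("allow", frozenset({"developer"}), "storage/app-logs/*", frozenset({"read"})),
    Rule("allow", frozenset({"ops"}), "storage/*", frozenset({"read", "write"}),
         require_mfa=True, networks=("10.0.0.0/8",)),
    # Unconditional deny: backups are never writable through these roles.
    Rule("deny", frozenset({"developer", "ops"}), "storage/backups/*",
         frozenset({"write", "delete"})),
]
```

A request that matches no rule is denied, so a forgotten rule fails closed rather than open.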

Thursday, August 7, 2014

Cloud Basics

What is cloud computing?

Cloud computing has evolved from a risky and confusing concept to a strategy that organizations large and small are beginning to adopt as part of their overall computing strategy. Companies are now starting to ask not whether they should think about cloud computing but what types of cloud computing models are best suited to solve their business problems. 

There are several important fundamental cloud services:

  • Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) — to develop and deploy applications to support the business and open up new innovative opportunities and new revenue streams.
  • Software as a Service (SaaS) provides packaged business process offerings that live in cloud and leverage both IaaS and PaaS services.

Cloud computing and services can also be used for some relatively simple purposes, such as:
  • e-mail
  • Customer relationship management
Cloud computing is a method of providing a set of shared computing resources that includes - 
  • Applications
  • Computing
  • Storage
  • Networking
  • Development
  • Deployment platforms
  • Business processes
Cloud computing turns traditional and typical computing assets into shared pools of resources that are based on an underlying Internet foundation.

Clouds come in different versions, depending on your needs. There are two primary deployment models of cloud -
  • Public
  • Private
Most organizations use a combination of private computing resources (data centers and private clouds) and public services as a hybrid environment.

The cloud doesn't exist in isolation from other corporate IT investments. The reality is that most companies use a combination of public and private cloud services in conjunction with their data center. Companies use different methods, depending on their business requirements, to link and integrate these services. The way you construct your hybrid computing environment is determined by the complexity of workloads and how you want to optimize performance of those workloads to support your constituents.

We may consider the following factors when deciding on the kind of cloud deployment:
  • Particular performance
  • Security requirements
  • Specific business goals
IaaS- 
The delivery of services such as hardware, software, storage, networking, data center space, and various utility software elements on request. Both public and private versions of IaaS exist.
In a public IaaS, a user needs only a simple sign-up mechanism to acquire resources. When users no longer need the resources, they can de-provision them.

In a private IaaS, the IT organization or an integrator creates an infrastructure designed to provide resources on demand to internal users and sometimes partners. IaaS is the fundamental element used by other cloud models. Some customers bring their own tools and software to create applications.

PaaS- 
A mechanism for combining IaaS with an abstracted set of middleware services and software development and deployment tools that allow the organization to have a consistent way to create and deploy applications in a cloud or on-premises environment. A PaaS environment supports coordination between the developer and the operations organization, typically called DevOps. A PaaS offers a consistent set of programming and middleware services that ensure developers have a well-tested and well-integrated way to create applications in a cloud environment. A PaaS requires an infrastructure service.

SaaS- 
A business application created and hosted by a provider in a multi-tenant (shared) model. The SaaS application sits on top of both a PaaS and foundational IaaS. A SaaS environment can be built directly on an IaaS platform. Typically these underlying services aren’t visible to end users of a SaaS application.

Cloud Capabilities -
  • Elasticity and self-service provisioning
  • Billing and metering of service usage
  • Workload management
  • Management services