Discussion
Cloud Computing Security
Welcome to week 6, where we will be discussing cloud computing security. Cloud computing is a catch-all term that includes SaaS (software as a service), PaaS (platform as a service), and IaaS (infrastructure as a service). The difference between these cloud computing models is the scale of the offering. SaaS is often just an individual piece of software served on demand, without the end user knowing about, or having access to, the underlying OS, other applications, or hardware. Platform as a service is the next level up, often used for developing applications through cloud services. The end user has access to deployed applications and can use code libraries and services that exist within the cloud environment, but still has no access to the network equipment or operating systems. Infrastructure as a service is akin to moving an entire data center to the cloud. The end user has full control over an environment, including network devices, servers, operating systems, and possibly even firewall or network security controls.
· https://www.youtube.com/watch?v=n-g_QVFfSXs
· https://www.youtube.com/watch?v=lcIEBTBmtcI
· https://www.youtube.com/watch?v=GCGLYMeh75Y
· https://www.youtube.com/watch?v=Uw-8DDlbK8Q
· https://www.youtube.com/watch?v=GwgFcauwDXI – This one is a bit old but does a good job showing methods of attack on cloud services.
Virtualization
We will not be covering virtualization in depth until week 12, but a brief explanation is needed here, as virtualization is one of the main technologies that enable the trend of cloud computing to advance. Virtualization is a technology that separates the hardware components from the software by a management layer called a hypervisor. This separation allows a massive pool of resources to be shared amongst many machines, providing CPU, memory, network bandwidth, storage space, and all other hardware-based resources. Normally, if you were to view the task manager of your system, you would see that the System Idle Process accounts for the majority of CPU time. This is simply your CPU not being used at that moment. The hypervisor is able to trick the operating system into thinking it has a dedicated CPU, when in actuality it is only providing CPU time as demanded by the system, and then distributing all that idle time to other systems that reside on the same virtual hardware.
Currently just about everything can be virtualized, including firewalls, IPS devices, and even SIEM products. There is considerable work being done on virtualization security, and there are numerous guides online on how to set up whichever product you may use for virtualization. For the most part, a properly configured virtual environment should prevent a user on one machine from ever seeing, or even knowing about, other machines that are controlled by the same hypervisor.
Cloud Trust Model and Audit Compliance
It is a significant leap to switch from an on-premises system to a cloud service, as you are going from a controlled, isolated environment and throwing it into the ether, onto other people's server farms, and trusting that they are employing security at least as well as you had it. This is in addition to the fact that sensitive data may now be leaving your network and going to places you may not be fully aware of. As a cyber security professional, the way to start establishing the trust model is to ensure that the cloud vendor meets certain industry-standard security compliance requirements. The following certifications and audit compliance standards are worth looking for in vendors:
· ISO 27001
· ISO 27017
· ISO 27018
· PCI DSS v3.1
· SOC1, SOC2, and/or SOC3
· HIPAA (for health information)
· FedRAMP
Please see Google’s SOC3 public report here to understand what is reported on, and also be aware that student e-mail and many UMES services are using Google Apps For Education. https://cloud.google.com/files/Google_SOC3_2016.pdf
ISO is commonly expanded as International Standards Organization (the body's official name is the International Organization for Standardization). SOC stands for Service Organization Control.
The main steps in building trust with a cloud vendor are asking the right questions and knowing your requirements. Since the data will no longer be under your control but the liability for it will still partly fall to you, many things need to be considered. For example, the following questions could be worth asking:
· Is all the data stored in the United States, or in a particular state or data center?
· What security audits do you perform and how often?
· Do you control all the data yourself or do you outsource?
· Do you background check all your employees?
· Is it possible to tour your data center?
Once again, as a security person, you need to ask the correct questions, and know what data is leaving your direct control and moving to the cloud.
Here are some examples of the major cloud providers' security controls:
· https://cloud.google.com/security/
· https://aws.amazon.com/security/
Shared Security
The concept of shared security is prevalent when adopting a cloud model. All the major vendors publish notes on the shared security aspect, but in almost all of them it boils down to who the responsible party is for each aspect. AWS, for example, stipulates that the customer is responsible for security “IN” the cloud, while AWS is responsible for security “of” the cloud. It is important to read the shared security outline for any cloud model you consider, as you may hold a lot of liability with very little control.
· https://aws.amazon.com/compliance/shared-responsibility-model/
· https://gallery.technet.microsoft.com/Shared-Responsibilities-81d0ff91 (the downloadable pdf)
Cyber Insurance
I am including a brief note on this topic as I just learned of it myself recently. Cyber insurance is becoming a requirement for certain business partnerships where data is being transferred between two business entities. Cyber insurance is a separate line item on an insurance policy that insures a company against any losses that may occur as the result of a data breach, or any monetary loss due to technology-based attacks. Since attacks of this nature may cost an incredible amount of money, standard liability insurance would not protect a company in these events. We as cyber security professionals should at least be aware that cyber insurance exists, and know that we may be called upon to evaluate and recommend a policy. It may also be a requirement to ask that cloud vendors carry insurance of this nature to aid in trusting them with corporate or personal data.
Media Content this Week
Cloud Security
· https://www.youtube.com/watch?v=n-g_QVFfSXs
· https://www.youtube.com/watch?v=lcIEBTBmtcI
· https://www.youtube.com/watch?v=GCGLYMeh75Y
· https://www.youtube.com/watch?v=Uw-8DDlbK8Q
· https://www.youtube.com/watch?v=GwgFcauwDXI – This one is a bit old but does a good job showing methods of attack on cloud services.
Google SOC3 Report: https://cloud.google.com/files/Google_SOC3_2016.pdf
Here are some examples of the major cloud providers' security controls:
· https://cloud.google.com/security/
· https://aws.amazon.com/security/
Cloud Security Examples:
· https://aws.amazon.com/compliance/shared-responsibility-model/
· https://gallery.technet.microsoft.com/Shared-Responsibilities-81d0ff91 (the downloadable pdf)