Cloud security control and auditing
When you run an application on the cloud, different aspects of security must be controlled by different entities. For instance, the following figure (from Azure) shows the breakdown of security responsibilities between the provider and the customer.
Figure 13: Security responsibilities in Azure
Many classes of applications require different infrastructure, process, and security certifications. Most cloud service providers will comply with a majority of the popular certifications and audit requirements followed in the US and Europe.
To develop an application that passes these compliance checks, both the cloud service provider and the application developer must apply a minimal set of security controls, which we explore below. As with the rest of this course, we look at controls from a predominantly IaaS perspective. As we move up the stack, more of these controls fall to the cloud service provider, which has to ensure the security of every resource it is responsible for.
For an IaaS cloud, the following table gives an overview of some of the security controls to be implemented by both parties:
Identity and access management

Cloud service provider responsibility. A cloud service provider must provide information to customers about who is using the service. This requires that they:
- Deliver and maintain an authentication service (so that users cannot access resources without explicit privileges).
- Create a service that allows account management policy configuration. (Customers can add and remove users and roles.)
- Adopt insider misuse protections (monitor employees and restrict access to sensitive server locations).

Customer responsibility. Using the authentication and access control service provided by the cloud provider, customers must:
- Define roles, groups, and permissions.
- Create and disseminate credentials.
- Use access control logging. (The customer will have a log of all sensitive user events.)
- Use multi-factor authentication where appropriate.

Availability and fault tolerance

Cloud service provider responsibility. To ensure that the cloud is resilient to failure, cloud service providers must have:
- Tape backups and redundancy of storage and compute systems.
- Geo-distributed datacenters.

Customer responsibility. The redundancy provided by the cloud service provider has to be leveraged by the customer, who should:
- Add redundant options for connectivity to all endpoints.
- Use application-layer backups and snapshots of instances and storage state. (A snapshot of a VM instance, or of a database, stores its state at a fixed moment in time, allowing a recovery to be performed from that point.)

Patching and configuration management

Cloud service provider responsibility:
- Ensure sandboxing of tenants using hypervisors and overlay networks. (This will be explained later.)
- Perform regular vulnerability assessments and penetration testing (when an internal or external team of "hackers" systematically attempts to break into a system) of bare metal, hypervisors, and networks.

Customer responsibility:
- Patch the OS and machine images with the latest security updates.
- Use appropriate user roles with the least privilege for each application. (For example, when you run a web server on the cloud, ensure that it doesn't have access to any infrastructure keys, or even to local "root". This way, if your website is breached, the rest of your application is isolated.)
- Restrict traffic to instances using firewalls and virtual private clouds, and segment the network into zones (block all network traffic from untrusted sources).

Monitoring and detection

Cloud service provider responsibility:
- Verify that customer resources are not being used for nefarious activities (either intentionally or unintentionally), and take appropriate actions.
- Enforce cross-tenant data access controls and privacy safeguards. (As described on the previous page, ensure that customers on the same physical infrastructure are isolated.)
- Perform data integrity verification and repair from redundant data stores. (When storing data in several replicas, ensure their consistency and accuracy.)

Customer responsibility:
- Install host-based intrusion detection and anti-malware systems. (These detect misuse of your cloud network or hosts.)
- Define alerts and response strategies for incidents and breaches. (Be prepared for attacks, and automate a recovery and logging protocol.)
- Use secure protocols (like SSL/TLS and IPsec) for data in transit. (These ensure that your network traffic cannot be read.)
- Encrypt data at rest. (Encrypt all the data you store on the cloud, such that even a rogue employee of the cloud service provider cannot disclose this information.)

Cryptographic object security

Cloud service provider responsibility:
- Support data encryption in all provided storage/file systems and DBs. (For example, Windows environments could allow BitLocker implementations.)
- Securely manage customer account and access credentials.

Customer responsibility:
- Create and distribute access keys (for cloud service provider APIs) as well as remote connectivity credentials (like SSH, VNC, RDP).
- Do not store keys on the cloud where possible, so that a key will not be in the same place as the data.
Providers will often build in services that simplify the process for customers to implement security controls. For example, Azure provides Azure Network Security Groups, which can act as external network firewalls.
The process of verifying the presence of these controls is known as a security audit. These audits can be done internally (by hiring a technical consultant) or externally (by a certifying agency). To host sensitive information on the cloud, both the provider and the customer must pass these audits.
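The control list and the audit described above can be turned into a checkable procedure. The following Python script is an added example, not part of the original course material: it runs one or two checks per row of the table (MFA and least privilege for users, access logging, patch age, snapshot age, root usage, encryption at rest, and exposure of administrative ports) over a constructed inventory of an IaaS account and reports the controls that fail. The inventory format, the control names, and the thresholds (a 30-day patch window, a 7-day snapshot window) are assumptions made for the example; a real audit would pull the inventory from the provider's API and take the thresholds from the organization's policy.

```python
"""Added example: a minimal IaaS security-control audit over a constructed inventory."""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

# Constructed sample inventory (assumption: a real audit would fetch this from
# the provider's API). The fields mirror the rows of the control table above.
INVENTORY = {
    "users": [
        {"name": "alice", "mfa": True, "roles": ["web-deploy"]},
        {"name": "bob", "mfa": False, "roles": ["admin"]},
    ],
    "roles": {
        "web-deploy": {"actions": ["compute:restart", "storage:read"]},
        "admin": {"actions": ["*"]},
    },
    "access_logging": {"enabled": False},
    "instances": [
        {"name": "web-1", "image_patched": "2024-05-15", "runs_as_root": True,
         "disk_encrypted": True, "last_snapshot": "2024-05-28"},
        {"name": "db-1", "image_patched": "2024-01-15", "runs_as_root": False,
         "disk_encrypted": False, "last_snapshot": None},
    ],
    "network_rules": [
        {"name": "allow-https", "src": "0.0.0.0/0", "port": 443},
        {"name": "allow-ssh-any", "src": "0.0.0.0/0", "port": 22},
        {"name": "allow-ssh-bastion", "src": "10.0.1.0/24", "port": 22},
    ],
}

# The audit date is fixed so the run is deterministic (assumption for the example).
AUDIT_DATE = date(2024, 6, 1)
MAX_PATCH_AGE = timedelta(days=30)     # assumed policy thresholds
MAX_SNAPSHOT_AGE = timedelta(days=7)
ADMIN_PORTS = {22, 3389, 5900}         # SSH, RDP, VNC


@dataclass(frozen=True)
class Finding:
    control: str   # which control of the table failed
    resource: str  # the user, instance, or rule concerned
    detail: str


def _older_than(iso_day, limit, today):
    """True when the date is missing or more than `limit` before `today`."""
    return iso_day is None or today - date.fromisoformat(iso_day) > limit


def audit(inv, today=AUDIT_DATE):
    """Return the list of failed controls for an inventory."""
    findings = []

    # Identity and access management: MFA, least privilege, access logging.
    for u in inv["users"]:
        if not u["mfa"]:
            findings.append(Finding("iam.mfa", u["name"], "multi-factor authentication not enabled"))
        for role in u["roles"]:
            if "*" in inv["roles"][role]["actions"]:
                findings.append(Finding("iam.least_privilege", u["name"],
                                        f"role '{role}' grants wildcard actions"))
    if not inv["access_logging"]["enabled"]:
        findings.append(Finding("iam.access_logging", "account", "access control logging disabled"))

    # Patching/configuration, availability, and encryption at rest, per instance.
    for i in inv["instances"]:
        if _older_than(i["image_patched"], MAX_PATCH_AGE, today):
            findings.append(Finding("patching.stale_image", i["name"], "image not patched within policy window"))
        if i["runs_as_root"]:
            findings.append(Finding("config.least_privilege", i["name"], "application runs as root"))
        if _older_than(i["last_snapshot"], MAX_SNAPSHOT_AGE, today):
            findings.append(Finding("availability.snapshot", i["name"], "no recent snapshot"))
        if not i["disk_encrypted"]:
            findings.append(Finding("crypto.at_rest", i["name"], "disk not encrypted at rest"))

    # Network segmentation: administrative ports must not be open to the whole Internet.
    for r in inv["network_rules"]:
        if r["port"] in ADMIN_PORTS and ipaddress.ip_network(r["src"]).prefixlen == 0:
            findings.append(Finding("network.segmentation", r["name"],
                                    f"port {r['port']} open to {r['src']}"))
    return findings


def summarize(findings):
    """Count findings per control, for a report or a pass/fail gate."""
    counts = {}
    for x in findings:
        counts[x.control] = counts.get(x.control, 0) + 1
    return counts


def passes(inv, today=AUDIT_DATE):
    """A pass/fail gate: the inventory passes only when no control fails."""
    return not audit(inv, today)


if __name__ == "__main__":
    results = audit(INVENTORY)
    for x in results:
        print(f"FAIL {x.control:24} {x.resource:16} {x.detail}")
    print("summary:", summarize(results), "passes:", passes(INVENTORY))
```

Each finding names the control row it maps to, so the output can be handed to an internal or external auditor as evidence of which controls are in place and which are not. Note the two SSH rules: the one restricted to the bastion subnet passes, the one open to 0.0.0.0/0 fails, which is exactly the network-zoning control from the table.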