CLOUD COMPUTING
SECURITY
How to protect your data in the Cloud
– By Saad KHOUDALI, Ph.D
PART 1: Cloud Security
• Course Objectives
• Domain 1: Cloud Concepts, Architecture, and Design
• Domain 2: Cloud Data Security
• Domain 3: Cloud Platform and Infrastructure Security
• Domain 4: Cloud Application Security
• Domain 5: Identity and Access Management
SECURITE DANS LE CLOUD - 3ALIA - 2023/2024 2
PART 2: Security
• Introduction to AWS Security
• Identity and Access Management (IAM)
• Account Management
• Policies and Procedures for Secure Access
• Network Access Protection
• Securing the Network with Virtual Private Cloud
• Beyond the VPC
• Data Protection in the Cloud
• Logging and Audit Trails
COURSE OBJECTIVES
COURSE OBJECTIVES
Understand the Cloud Computing concepts
Understand Cloud security domains
Understand Cloud Security in Amazon AWS
Understand how AWS security-related services work and how they can be
implemented to secure your AWS subscription
Helps you prepare for Cloud Security Certifications (CCSP, CCSK, CISSP)
INTRODUCTION
• Over the last decade, the term cloud has become
common in the modern lexicon of even laypersons with
no connection to, training in, or expertise in the IT
industry.
• It has become common in commercials targeting the
public at large, and it’s often used as a main selling
point for various services.
• Even those who do not understand what cloud
computing is or how it works have largely come to
understand it as a positive feature for a product or
service, feeling it means higher reliability, speed, and
an overall more beneficial consumer experience.
• Many companies are flocking to cloud computing at a
rapid pace due to its benefits and features.
INTRODUCTION
• This rapid adoption of the cloud has brought with it a
set of security risks and threats that have created some
resistance from business organizations to adopt this
model.
• This is the reason why some organizations have
emerged to define and raise awareness of best
practices that help ensure a secure cloud computing
environment, such as the “Cloud Security Alliance” or
CSA.
INTRODUCTION
• The CSA has defined 14 domains related to Cloud
security to help business organizations wishing to
move to the Cloud, to secure critical areas of focus in
Cloud Computing, by applying all recommendations as
defined in the Cloud Security Guidance document,
issued by the CSA
• The first part of this course will put emphasis on 5
domains only, instead of all CSA domains.
• The second part will present the Amazon AWS Cloud
environment, its security-related services and how to
use them in order to create a secure environment.
DOMAIN 1: CLOUD CONCEPTS, ARCHITECTURE, AND DESIGN
INTRODUCTION
• This domain provides the conceptual framework for this course.
• It describes and defines cloud computing, sets the baseline
terminology, and details the overall logical and architectural
frameworks.
• The goal of this domain is to build the foundation that the rest of
the course and its recommendations are based on.
• The intent is to provide a common language and understanding of
cloud computing, begin highlighting the differences between
cloud and traditional computing, and help students towards
adopting cloud-native approaches that result in better security
(and those other benefits), instead of creating more risks.
DEFINING CLOUD COMPUTING
• “Cloud computing is a model for enabling ubiquitous, convenient,
on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications,
and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction.” –
Definition by NIST
• “Paradigm for enabling network access to a scalable and elastic
pool of shareable physical or virtual resources with self-service
provisioning and administration on-demand.” –
Definition by ISO/IEC
DEFINING CLOUD COMPUTING
• Takes a set of resources, such as processors and
memory, and puts them into a big pool (in this case,
using virtualization).
• Consumers ask for what they need out of the pool,
such as 8 CPUs and 16 GB of memory, and the cloud
assigns those resources to the client, who then
connects to and uses them over the network.
• When the client is done, they can release the resources
back into the pool for someone else to use.
DEFINING CLOUD COMPUTING
• Consist of nearly any computing resources, ranging
from our “compute” examples of processors and
memory to networks, storage, and higher-level
resources like databases and applications.
• For example, subscribing to a customer-relations
management application for 500 employees on a
service shared by hundreds of other organizations is
just as much cloud computing as launching 100 remote
servers on a compute cloud.
DEFINING CLOUD COMPUTING
Characteristics of Cloud Computing
• Cloud computing is an on-demand delivery of IT
capabilities, in which IT infrastructure and applications
are provided to subscribers as metered services over
networks.
• Examples of cloud solutions include Gmail, Facebook,
Dropbox, and [Link]
DEFINING CLOUD COMPUTING
Characteristics of Cloud Computing
• Let’s take an example of a company that wants to offer
IT services through the Internet, like an Ecommerce
Website.
• Question 1: What are the Capital Expenditures
(Expenses) or CapEx for this project?
• Question 2: What are the Operating Expenditures or
OpEx for this project?
DEFINING CLOUD COMPUTING
Characteristics of Cloud Computing
• Question 1: What are the Capital Expenditures
(Expenses) or CapEx for this project?
✓Servers, racks, storage array, Backup and
archiving platforms
✓Software Licenses
✓Networking equipment
✓Security equipment
✓Power generator
✓…
DEFINING CLOUD COMPUTING
Characteristics of Cloud Computing
• Question 2: What are the Operating Expenditures or
OpEx for this project?
✓Electricity, cooling bills
✓High speed Internet subscription
✓Developer’s salary
✓System, network, IT security and Datacenter
Administrators’ salaries
✓Power generator’s fuel
✓Maintenance contract
✓…
DEFINING CLOUD COMPUTING
Characteristics of Cloud Computing
• Solution with Cloud Computing to minimize CapEx:
✓The company can subscribe to Cloud services
related to their needs, and pay only what they
use
DEFINING CLOUD COMPUTING
Characteristics of Cloud Computing
• Solution with Cloud Computing to minimize OpEx:
✓The underlying infrastructure of the cloud
provider is maintained by the latter
✓Depending on the services, the company will
have the responsibility to maintain certain
aspect of their project
✓The monthly bill will include the consumption of
each subscribed cloud service
DEFINING CLOUD COMPUTING
Essential (*) characteristics of Cloud Computing
DEFINING CLOUD COMPUTING
Essential (*) characteristics of Cloud Computing
• On-demand self-service (*): A type of service rendered by cloud
service providers that allows provisioning of cloud resources, such as
computing power, storage, and network, always on demand and
without the need for human interaction with the service provider.
• Distributed storage: Distributed storage in the cloud offers
better scalability, availability, and reliability of data. However,
cloud distributed storage can potentially raise security and
compliance concerns.
• Rapid elasticity (*): The cloud offers instant provisioning of
capabilities to rapidly scale up or down, according to demand. To
the consumers, the resources available for provisioning seem to
be unlimited and can be purchased in any quantity at any point of
time.
DEFINING CLOUD COMPUTING
Essential (*) characteristics of Cloud Computing
• Automated management: By minimizing user involvement, cloud
automation speeds up the process and reduces labor costs and
the possibility of human error.
• Broad network access (*): Cloud resources are available over the
network and accessed through standard procedures via a wide
variety of platforms, including laptops, mobile phones, and
personal digital assistants (PDAs).
• Resource pooling (*): The cloud service provider pools all the
resources together to serve multiple customers in the multi-tenant
environment, with physical and virtual resources dynamically
assigned and reassigned on demand by the consumer of the
cloud.
DEFINING CLOUD COMPUTING
Characteristics of Cloud Computing
• Measured service (*): Cloud systems employ the "pay-per-use"
metering method. Subscribers pay for cloud services by monthly
subscription or according to the usage of resources such as storage
levels, processing power, and bandwidth. Cloud service providers
monitor, control, report, and charge consumption of resources by
customers with complete transparency.
• Virtualization technology: Virtualization technology in the cloud
enables the rapid scaling of resources in a way that non-
virtualized environments cannot achieve.
DEFINING CLOUD COMPUTING
Benefits of Cloud Computing
DEFINING CLOUD COMPUTING
Benefits of Cloud Computing – Scalability and Elasticity
Scalability vs. Elasticity (auto-scaling)
DEFINING CLOUD COMPUTING
Benefits of Cloud Computing – High availability
• Availability in the cloud is achieved by replicating services,
workload and data across multiple Cloud regions, which are
composed of Availability Zones (AZ)
DEFINING CLOUD COMPUTING
Limitations of Cloud Computing
• Limited control and flexibility of organizations
• Proneness to outages and other technical issues
• Security, privacy, and compliance issues
• Contracts and lock-ins
• Dependence on network connections
• Potential vulnerability to attacks as every component is
online
• Difficulty in migrating from one service provider to
another
DEFINING CLOUD COMPUTING
Cloud Computing definitional model
• NIST defines cloud computing by:
• Describing essential characteristics (previous slides),
• Three cloud service models, and
• Four cloud deployment models.
DEFINING CLOUD COMPUTING
Cloud Computing definitional model
DEFINING CLOUD COMPUTING
Cloud Computing service models
• NIST defines three service models (also called SPI tiers)
which describe the different foundational categories of
cloud services:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
DEFINING CLOUD COMPUTING
Infrastructure-as-a-Service Model
• Is the most basic cloud service and the one where the
most customization and control are available for the
customer.
• Offers access to a resource pool of fundamental
computing infrastructure, such as compute, network, or
storage.
• The capability provided to the consumer is to provision
processing, storage, networks, and other fundamental
computing resources where the consumer is able to
deploy and run arbitrary software, which can include
operating systems and applications
DEFINING CLOUD COMPUTING
Infrastructure-as-a-Service Model
• The consumer does not manage or control
the underlying cloud infrastructure but has
control over operating systems, storage, and
deployed applications; and possibly limited
control of selected networking components
DEFINING CLOUD COMPUTING
Infrastructure-as-a-Service Model
(Figure: Compute IaaS platform architecture)
DEFINING CLOUD COMPUTING
Infrastructure-as-a-Service Model – Key Benefits (1/2)
• Scalability: the system can be rapidly provisioned and
expanded as needed, either for predictable events or in
response to unexpected demand.
• Cost of ownership of physical hardware: the
customer does not need to procure any hardware
either for the initial launch and implementation or for
future expansion.
• High availability
• Physical security requirements: cloud provider
assumes the cost and oversight of the physical security
of its data centers
DEFINING CLOUD COMPUTING
Infrastructure-as-a-Service Model – Key Benefits (2/2)
• Location and access independence: has no
dependence on the physical location of the
customer or users of the system, as well as no
dependence on specific network locations,
applications, or clients to access the system
• Metered usage: The customer only pays for the
resources they are using and only during the
durations of use.
DEFINING CLOUD COMPUTING
Platform-as-a-Service Model
• abstracts and provides development or
application platforms, such as databases,
application platforms, file storage and
collaboration, or even proprietary application
processing (such as machine learning, big data
processing…).
• The customer does not manage or control the
underlying cloud infrastructure, including
network, servers, operating systems, or storage,
but has control over the deployed applications
and possibly configuration settings for the
application-hosting environment.
DEFINING CLOUD COMPUTING
Platform-as-a-Service Model
(Figure: Application platform (PaaS) running on top of an IaaS architecture)
DEFINING CLOUD COMPUTING
Platform-as-a-Service Model
(Figure: Application platform (PaaS) running on top of an IaaS architecture)
PaaS doesn’t necessarily need to be built on top of IaaS.
There is no reason it cannot be a custom designed stand-
alone architecture.
The defining characteristic is that consumers access and
manage the platform, not the underlying infrastructure
(including cloud infrastructure).
DEFINING CLOUD COMPUTING
Platform-as-a-Service Model – Key Benefits (1/2)
• Auto-scaling
• Multiple host environments: the customer has a wide
choice of operating systems and environments.
• Choice of environments: offers many environment
options and OS to choose from that can affect an
application.
• Flexibility: developers have enormous flexibility to
move between providers and platforms with ease, due
to the abstraction layer offered by PaaS model.
DEFINING CLOUD COMPUTING
Platform-as-a-Service Model – Key Benefits (2/2)
• Ease of upgrades: With the underlying operating
systems and platforms being offered by the cloud
provider, upgrades and changes are simpler and more
efficient than in a traditional data center model
• Cost effective: only systems currently in use incur costs
• Ease of access: easy collaboration for Dev teams across
national and international boundaries, since cloud
services are accessible from the internet
• Licensing: the cloud provider is responsible for
handling proper licensing of operating systems and
platforms
DEFINING CLOUD COMPUTING
Software-as-a-Service Model
• A fully functioning software application for a
customer to use in a turnkey operation, where
all the underlying responsibilities and
operations for maintaining systems, patches,
and operations are abstracted from the
customer and are the responsibility of the
cloud services provider.
(Figure: SaaS platform architecture)
DEFINING CLOUD COMPUTING
Software-as-a-Service Model – Key Benefits
• Support costs and efforts: cloud services and the entire
underlying infrastructure are solely the responsibility of the
provider and are entirely removed from the responsibility of the
consumer
• Reduced overall costs: The customer in a SaaS environment
is only licensing use of the software
• Licensing: Like PaaS, all licensing is handled by the
provider
• Ease of use and administration: The customer only bears
responsibility for configuring user access and access
controls within the system, and the configurations are
minimal
• Standardization: all users will be running the exact same
version of the software at all times, since SaaS is a fully
featured software application
DEFINING CLOUD COMPUTING
AWS vs Azure vs Google Cloud Platform
DEFINING CLOUD COMPUTING
Separation of responsibilities in the Cloud
DEFINING CLOUD COMPUTING
Separation of responsibilities in the Cloud
DEFINING CLOUD COMPUTING
Cloud Deployment Models
• Public Cloud: The infrastructure is made
available to the general public or a large
industry group and is owned by an
organization selling cloud services.
• Private Cloud: The infrastructure is operated
solely for a single organization. It may be
managed by the organization or by a third-
party and may be located on-premises or off-
premises.
• DXC TECHNOLOGY Salé, N+ONE Nouaceur
DEFINING CLOUD COMPUTING
Cloud Deployment Models
• Community Cloud: The infrastructure is shared by several
organizations and supports a specific community that has
shared concerns (e.g. mission, security requirements, policy,
or compliance considerations).
• It may be managed by the organizations or by a third-party
and may be located on-premises or off-premises.
• Hybrid Cloud: is a composition of two or more clouds
(private, community, or public) that remain unique entities
but are bound together by standardized or proprietary
technology that enables data and application portability
(e.g., cloud bursting for load balancing between clouds).
• Hybrid is also commonly used to describe a non-cloud data
center bridged directly to a cloud provider.
DEFINING CLOUD COMPUTING
Cloud Deployment Models
DEFINING CLOUD COMPUTING
Roles in Cloud Computing
• Cloud user: is the person or organization requesting
and using (consuming) the resources. We also
sometimes use the terms client and consumer to refer
to the cloud user.
• Cloud provider or cloud service provider: is the
person or organization who delivers it. We also use
the terms service or simply cloud to describe the
provider.
DEFINING CLOUD COMPUTING
Roles in Cloud Computing
• Cloud auditor: An auditor that is specifically
responsible for conducting audits of cloud systems
and cloud applications.
• Cloud service broker: A partner that serves as an
intermediary between a cloud service customer and
cloud service provider.
• Cloud service customer: One that holds a business
relationship for services with a cloud service provider
(different from Cloud user)
DEFINING CLOUD COMPUTING
Roles in Cloud Computing
• Cloud service partner: One that holds a relationship
with either a cloud service provider or a cloud service
customer to assist with cloud services and their delivery.
• Includes the cloud auditor, cloud service broker, and
cloud service customer all under the umbrella of cloud
service partners.
• Cloud carrier: an intermediary providing
connectivity and transport services between Cloud
providers and consumers
DEFINING CLOUD COMPUTING
Roles in Cloud Computing
SECURITY CONSIDERATIONS FOR CLOUD CATEGORIES
• Each cloud category will carry some similar
and some different security considerations
due to the differing responsibilities on behalf of
the cloud customer and key features of a
typical deployment.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS
• Multitenancy
• Co-Location
• Hypervisor Security and Attacks
• Network Security
• Virtual Machine Attacks
• Virtual Switch Attacks
• Denial-of-Service (DoS) Attacks
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS - Multitenancy
• Definition: Hosting multiple organizations
or "tenants" on a single set of resources.
• Benefit: Cost efficiency and resource
optimization
• How it works:
• Resource Sharing: CPU, memory, and storage
• Logical Separation: Tenants are separated by
software-level controls.
• Example: A single database server hosting
databases for multiple companies.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS - Multitenancy
• Security Concerns in Multitenancy:
• Data Leakage: Risk of one tenant accessing
another's data.
• Resource Contention: Overuse of resources
by one tenant affecting others.
• Vulnerability Propagation: A security flaw
affecting multiple tenants.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS - Multitenancy
• Mitigating Security Concerns:
• Strong Isolation: Use of stringent software
controls.
• Rate Limiting: Preventing resource hogging
by any single tenant.
• Regular Audits: To identify and rectify
vulnerabilities.
• Encryption: encrypt data to prevent data
leakage or snooping
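As an added example (not part of the course slides), the Python sketch below puts the multitenancy concerns and mitigations above into code: a weak lookup that lets one tenant read another tenant's record beside a tenant-scoped lookup that also applies per-tenant rate limiting, so one tenant's burst cannot starve another. Tenant names, records and quota values are constructed sample data.

```python
"""Added example, not from the course slides: software-level tenant
isolation and per-tenant rate limiting for a shared (multi-tenant) data
store.  Tenant names, records and limits are constructed sample data."""
from typing import Dict, Optional, Tuple


class RateLimitExceeded(RuntimeError):
    """The tenant has used up its request quota (resource-contention control)."""


class TokenBucket:
    """Token bucket driven by an explicit clock so behaviour is deterministic."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def try_consume(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SharedStore:
    """One store serving many tenants, like the slide's single database
    server hosting databases for multiple companies."""

    def __init__(self, per_tenant_capacity: int = 3, refill_per_sec: float = 1.0) -> None:
        self._rows: Dict[str, Tuple[str, str]] = {}  # record_id -> (tenant, payload)
        self._buckets: Dict[str, TokenBucket] = {}
        self._capacity = per_tenant_capacity
        self._refill = refill_per_sec

    def insert(self, tenant: str, record_id: str, payload: str) -> None:
        self._rows[record_id] = (tenant, payload)

    # Weak form: looks a record up by id alone.  Any tenant that guesses or
    # enumerates an id reads another tenant's data (the data-leakage concern).
    def lookup_weak(self, record_id: str) -> Optional[str]:
        row = self._rows.get(record_id)
        return None if row is None else row[1]

    # Hardened form: every request carries the caller's tenant and is
    # rate-limited per tenant before the record is even looked up; the
    # lookup is tenant-scoped, so a foreign record is simply "not found"
    # (reporting "forbidden" instead would confirm that the id exists).
    def lookup(self, tenant: str, record_id: str, now: float) -> Optional[str]:
        bucket = self._buckets.get(tenant)
        if bucket is None:
            bucket = self._buckets[tenant] = TokenBucket(self._capacity, self._refill, now)
        if not bucket.try_consume(now):
            raise RateLimitExceeded(f"tenant {tenant!r} over quota")
        row = self._rows.get(record_id)
        if row is None or row[0] != tenant:
            return None
        return row[1]


def demo() -> dict:
    """Exercise both lookups with constructed tenants 'acme' and 'globex'."""
    store = SharedStore(per_tenant_capacity=3, refill_per_sec=1.0)
    store.insert("acme", "inv-1001", "acme invoice total 4200")
    store.insert("globex", "inv-2001", "globex invoice total 9900")

    result = {
        "weak_cross_tenant": store.lookup_weak("inv-2001"),           # leaks globex data
        "own_record": store.lookup("acme", "inv-1001", now=0.0),
        "foreign_record": store.lookup("acme", "inv-2001", now=0.1),  # None: invisible
    }
    # Third call within the same second drains acme's bucket (capacity 3)...
    store.lookup("acme", "inv-1001", now=0.2)
    try:
        store.lookup("acme", "inv-1001", now=0.3)
        result["fourth_call"] = "allowed"
    except RateLimitExceeded:
        result["fourth_call"] = "rate limited"
    # ...but globex has its own bucket and is unaffected by acme's burst.
    result["other_tenant_unaffected"] = store.lookup("globex", "inv-2001", now=0.3)
    # After about a second the refill gives acme a token again.
    result["after_refill"] = store.lookup("acme", "inv-1001", now=1.5)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```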
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Multitenancy in the
Cloud
• Traditional datacenters offer physical
separation of an organization's IT
resources, whereas cloud environments
host multiple systems together.
• The cloud provider is responsible for
the separation and security of systems.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Multitenancy in the
Cloud
• In a private cloud accessed by a single
corporation, there are complexities related to
different departments requiring varying levels
of security for their systems.
• Encryption and other security tools gain
heightened importance in a cloud setting as
opposed to traditional data centers.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS - Multitenancy
• AWS Multitenancy
• AWS Services: Multiple services like EC2, S3
support multitenancy.
• Isolation: Virtualization and access controls.
• Security Features: IAM, VPC for enhanced
security.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS - Co-Location
• Definition: Hosting an organization's
own hardware in a third-party data
center.
• Benefit: Access to advanced
infrastructure and reduced operational
costs.
• Common Use: For specialized hardware
and legacy systems.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS - Co-Location
• How It Works:
• Physical Space: Rent rack space for servers.
• Connectivity: Provided by the data center.
• Maintenance: Organization's own
responsibility.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS - Co-Location
• Security Concerns in Co-location:
• Physical Security: Risk of unauthorized
access to hardware.
• Network Security: Shared infrastructure may
pose risks.
• Compliance: Meeting regulatory standards is
challenging.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS - Co-Location
• Mitigating Security Concerns:
• Physical Controls: Biometric scans,
surveillance cameras.
• Network Isolation: Virtual LANs, Firewalls.
• Regular Audits: To ensure compliance and
identify vulnerabilities.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS - Co-Location in The
Cloud
• Cloud environments that host multiple virtual
machines on the same physical hardware are
susceptible to attacks between virtual machines
as well as from virtual machines to the
hypervisor.
• In a virtual environment, the state of image files
for virtual hosts is a significant concern for
security.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Hypervisor Security
and Attacks
• Traditional data centers feature a close
relationship between individual servers'
hardware and operating systems.
• In cloud environments that use virtualization, a
hypervisor layer is introduced between the
physical hardware and the virtual servers.
• This hypervisor layer adds an additional level of
security concern that goes beyond the physical
and operating system security.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Hypervisor Security
and Attacks
• Definition: Security measures to protect
the hypervisor layer in virtualized
environments.
• Importance: Acts as a bridge between
physical hardware and virtual machines.
• Goal: Ensure integrity, confidentiality, and
availability of virtual resources.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Hypervisor Security
and Attacks
• Definition (Hypervisor): Software that
enables virtualization.
• Types: Type 1 (bare-metal) and Type 2
(hosted).
• Function: Manages multiple virtual
machines on a single physical host.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Hypervisor Security
and Attacks
• Types of Hypervisor Attacks:
• Hyperjacking: Taking control of the
hypervisor.
• Escape Attacks: Breaking out of a VM to
access the hypervisor, or vice versa (Red Pill /
Blue Pill)
• Resource Depletion: Consuming resources to
deny service.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Hypervisor Security
and Attacks
• Mitigating Hypervisor Attacks:
• Patching and Updates: Keeping the
hypervisor up-to-date.
• Access Control: Limiting who can interact
with the hypervisor.
• Monitoring: Constant vigilance to detect and
respond to threats.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Network Security
• Traditional data centers allow organizations to
deploy a wide range of security monitoring and
auditing tools, including the ability to physically
segregate networks.
• Most of these tools are Firewalls, IDPS, Packet
Capture, WAFs, Network segmentation, DMZ…
• Cloud environments cannot offer the same level of
network access and monitoring as traditional data
centers due to constraints like multitenancy and the
presence of other customers.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Network Security
• Even in a private cloud, cloud administrators
have limitations on how much each department
can see into the network layer, and a higher
level of abstraction is often required.
• In the absence of physical separation between
systems and zones in a cloud environment,
software-based separation and access controls
are essential. The responsibility for ensuring these
are properly configured and tested falls on the
cloud provider.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Network Security
• Network Security tools by AWS (1/2):
• AWS WAF (Web Application Firewall)
• AWS Shield
• AWS Network Firewall
• Amazon VPC (Virtual Private Cloud)
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – Network Security
• Network Security tools by AWS (2/2):
• Security Groups
• AWS Direct Connect
• AWS VPN (Virtual Private Network)
• Amazon Route 53 Resolver
• AWS Firewall Manager
• Amazon Inspector
•…
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – VM Attacks
• Virtual machines are vulnerable to the same types of
security attacks as physical servers.
• The compromise of one VM can potentially affect
other VMs sharing the same host, even if they
belong to different companies or services.
• Customers are dependent on the cloud provider for
detecting and mitigating cross-VM attacks, as they
generally have visibility only into their own services
and not into other hosts within the cloud environment.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – VM Attacks
• Example of some VM attacks (1/5):
• VM Escape Attacks:
• Description: The attacker breaks out of the
VM environment to gain access to the host
system or other VMs.
• Impact: Compromise of all VMs hosted on
the same hypervisor.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – VM Attacks
• Example of some VM attacks (2/5):
• Side-Channel Attacks
• Description: The attacker gains information from a
different VM running on the same physical host by
analyzing data like CPU usage or cache behavior.
• Impact: Information leakage, potentially leading to
data breaches.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – VM Attacks
• Example of some VM attacks (3/5):
• Hyperjacking (see slide 70)
• Resources depletion DoS Attack (see slide 70)
• Unauthorized Data Access
• Description: Exploiting vulnerabilities to gain
unauthorized access to data stored on VMs.
• Impact: Data theft and potential data manipulation.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – VM Attacks
• Example of some VM attacks (4/5):
• Man-in-the-Middle Attacks
• Description: The attacker intercepts communication between
two VMs or between a VM and its hypervisor.
• Impact: Data theft, session hijacking, or injection of malicious
data.
• VM Sprawl
• Description: An excessive number of VMs are deployed, making
it difficult to manage and secure them effectively.
• Impact: Increased attack surface, potential for unpatched or
insecure VMs.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – VM Attacks
• Example of some VM attacks (5/5):
• VM Rollback
• Description: An attacker forces the VM to revert to a
less secure state by rolling it back to a previous
snapshot.
• Impact: Undoing security patches and configurations,
making the VM vulnerable.
SECURITY CONSIDERATIONS FOR
CLOUD CATEGORIES
Security Concerns for IaaS – vSwitch Attacks
• Virtual switches are as vulnerable to attacks,
particularly at Layer 2, as physical switches.
• In a cloud environment, virtual switches share the
hosting environment with other services and
virtual machines.
• If any of the other hosts or services in the same
cloud environment are compromised, virtual
switches are also at risk of being attacked.
• Examples of vSwitch attacks:
• VLAN Hopping: exploits a vSwitch misconfiguration
• MAC Spoofing: impersonates another network device
• ARP Spoofing: the attacker sends falsified ARP messages
• Double Tagging: inserts two VLAN tags into packets, tricking
the vSwitch into forwarding them to an unauthorized VLAN
• DHCP Starvation: exhausts all available IP addresses
• Sniffing Attacks: data interception and potential data
leakage
Security Concerns for IaaS – DoS Attacks
• DoS (Denial of Service) attacks present unique challenges in a
cloud setting due to features like multitenancy.
• An external DoS attack targeting one host can also affect other
hosts on the same cloud hypervisor by consuming shared
resources like processor, memory, or network bandwidth.
• While hypervisors can limit the resources consumed by a single
host, a DoS attack can still degrade the performance of other
hosts by consuming a significant amount of resources.
• DoS attacks can also originate from within the cloud, affecting
other hosts as internal attacks.
• Examples of some DoS attacks targeting cloud
environments:
• Volumetric Attacks
• Resource Depletion Attacks
• Rate-based Attacks
• Nested Loops DoS
• Account Lockout
• Sniping Attacks
• Application Layer Attacks
Security Concerns for PaaS
• With PaaS being a platform-based rather than
infrastructure-based model, there are slightly
different security concerns than with IaaS.
• System Isolation
• User Permissions
• User Access (AuthN, AuthZ)
• Malware, Trojans, Backdoors, and Administrative
Nightmares
Security Concerns for PaaS – System Isolation
• In a Platform-as-a-Service (PaaS) environment,
customers usually have limited and constrained
system-level access, often without administrative
privileges.
• The restricted access is designed to allow the
cloud provider to maintain consistency and
security within the PaaS environment.
• Granting customers the ability to change platform
or infrastructure configurations would make it
challenging for the cloud provider to manage
patching and security controls effectively.
• Allowing customers to alter configurations would
also increase support costs and risk security
incidents affecting multiple customers within the
cloud.
Security Concerns for SaaS
• Most of the security solutions and problems for
SaaS, with it being a fully featured software
application platform, fall on the side of the cloud
provider, but they are still very much issues the
cloud consumer needs to be aware of.
• Web Application Security
• Data Policies
• Data Protection and Confidentiality
• OWASP and SANS publish recommendations for
preventing most known cloud security issues and
risks, together with guidance on how to implement them.
DOMAIN 2: CLOUD DATA SECURITY
CLOUD DATA SECURITY
Outlines
• Data Security Controls
• Cloud Data Storage Types
• Managing Data Migrations to the Cloud
• Securing Data in the Cloud
• Data Security Architectures
• Additional Data Security Controls
• Enforcing Lifecycle Management Security
Introduction
• Data security is a key enforcement tool for information
and data governance.
• Its use should be risk-based, since it is not appropriate
to secure everything equally.
• However, simply trusting the cloud provider is not a
reasonable approach, and some controls should be implemented.
• This domain focuses on the controls related to
securing the data itself, of which encryption is one of
the most important.
Data Security Controls
• Data security controls tend to fall into three
buckets:
1. Controlling what data goes into the cloud (and
where).
2. Protecting and managing the data in the cloud. The key
controls and processes are:
• Access controls
• Encryption
• Architecture
• Monitoring/alerting (of usage, configuration, lifecycle state,
etc.)
• Additional controls, including those related to the specific
product/service/platform of your cloud provider, data loss
prevention (DLP), and Enterprise Rights Management.
3. Enforcing information lifecycle
management security.
• Managing data location/residency.
• Ensuring compliance, including audit artifacts (logs,
configurations).
• Backups and business continuity (Management Plane
and Business Continuity Domain)
Cloud Storage Types
• Cloud storage is virtualized and tends to support
different data storage types than used in
traditional storage technologies.
• Below the virtualization layer these might use well-
known data storage mechanisms.
• However, the cloud storage virtualization
technologies that cloud users access will be
different.
• Most common cloud storage technologies used
by cloud users:
• Object storage: similar to a file system where each
file is accessed through an API (example: AWS S3)
• Volume storage: a virtual hard drive for
instances/virtual machines (example: AWS EBS)
• Database (examples: AWS RDS, DynamoDB)
• Application/platform: examples include a
Content Delivery Network (CDN), files stored in SaaS,
caching, and other novel options.
• Most cloud platforms also use redundant, durable
storage mechanisms that often utilize data dispersion
(sometimes also known as data fragmentation or bit
splitting).
• This process takes chunks of data, breaks them up, and
then stores multiple copies on different physical storage
to provide high durability.
• Data stored in this way is thus physically dispersed. A
single file, for example, would not be located on a single
hard drive.
Managing Data Migrations to the Cloud
• Before securing the data in the cloud, most
organizations want some means of managing
what data is stored in private and public cloud
providers.
• This is often essential for compliance as much
or more than for security.
• STEP 1:
• Define your policies for which data types are
allowed and where they are allowed, then tie these
to your baseline security requirements.
• For example, “Personally Identifiable Information
(PII) is allowed on X services assuming it meets Y
encryption and access control requirements.”
• STEP 2:
• Identify your key data repositories.
• Monitor them for large migrations/activity using
tools such as Database Activity Monitoring (DAM)
and File Activity Monitoring (FAM).
• This is essentially building an “early warning
system” for large data transfers, but it’s also an
important data security control to detect all sorts of
major breaches and misuse scenarios.
• STEP 2: How to detect actual migrations?
1. Monitor cloud usage and any data transfers
with the help of the following tools:
• CASB: Cloud Access Security Broker (also
known as Cloud Security Gateway).
• URL filtering
• DLP: Data Loss Prevention
• STEP 2: What is a CASB?
• CASBs are cloud service brokers that discover internal
use of cloud services using various mechanisms
such as network monitoring, integration with
an existing network gateway or monitoring
tool, or even monitoring of DNS queries.
• STEP 2: What is URL Filtering?
• While not as robust as CASB, a URL filter/web
gateway may help you understand which cloud
services your users are using (or trying to use).
• STEP 2: What is DLP?
• DLP is a strategy to mitigate threats to critical data.
• If you monitor web traffic (and look inside SSL
connections), a DLP tool may also help detect
data migrations to cloud services.
• However, some cloud SDKs and APIs may
encrypt portions of data and traffic that DLP
tools can’t unravel, so they won’t be
able to understand the payload.
• STEP 2: How to secure Cloud Data transfers (1/2)?
• Ensure that you are protecting your data as it moves to
the cloud by understanding your provider’s data
migration mechanisms.
• Leveraging provider mechanisms is often more secure
and cost effective than “manual” data transfer methods
such as Secure File Transfer Protocol (SFTP).
• For example, sending data to a provider’s object
storage over an API is likely much more reliable and
secure than setting up your own SFTP server on a
virtual machine in the same provider.
• STEP 2: How to secure Cloud Data transfers (2/2)?
• There are a few options for in-transit encryption,
depending on what the cloud platform supports.
• One way is to encrypt before sending to the cloud (client-
side encryption).
• Network encryption (TLS, SFTP, etc.) is another option;
most cloud provider APIs use TLS by default.
• Proxy-based encryption may be a third option, where you
place an encryption proxy in a trusted area between the
cloud user and the cloud provider.
Securing Data in the Cloud
• Access controls and encryption are the
core data security controls across the
various technologies.
Securing Data in the Cloud – Access Controls
• Access controls should be implemented
with a minimum of three layers:
• Management plane
• Public and internal sharing controls
• Application-level controls
Management plane controls:
• These are controls for managing the access of users who
directly access the cloud platform’s management
plane.
• For example, logging in to the web console of an
IaaS service will allow that user to access data in
object storage.
• Fortunately, most cloud platforms and providers
start with default-deny access control policies.
Public and internal sharing controls
• If data is shared externally to the public
or partners that don’t have direct access
to the cloud platform, there will be a
second layer of controls for this access.
Application-level controls
• At this level, access controls are designed
and implemented as the application is
built, to manage how the application is
accessed by users or other applications.
• Depending on the provider and the service model, an
entitlement matrix is important to document which user,
group and roles should access the resource and functions.
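Added example (not from the course slides): a small role-based entitlement matrix enforced with default deny, the kind of documentation the application-level layer needs. The roles, resource patterns and actions are constructed for illustration and are not a provider's IAM model.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Entitlement matrix: for each role, which actions are permitted on which
# resource pattern. Anything not listed here is denied (default deny).
ENTITLEMENT_MATRIX = {
    "data-analyst":   {"bucket/reports/*": {"read", "list"}},
    "data-engineer":  {"bucket/reports/*": {"read", "list", "write"},
                       "db/orders":        {"read"}},
    "platform-admin": {"bucket/*": {"read", "list", "write", "share"},
                       "db/*":     {"read", "write"}},
}
# Group membership maps onto roles, so the matrix itself stays role-based.
GROUP_ROLES = {"analytics": {"data-analyst"}, "eng": {"data-engineer"}}


@dataclass
class Principal:
    user: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

    def effective_roles(self) -> set:
        roles = set(self.roles)
        for group in self.groups:
            roles |= GROUP_ROLES.get(group, set())
        return roles


def is_allowed(principal: Principal, action: str, resource: str):
    """Return (allowed, granting_role). No matching entry means deny."""
    for role in sorted(principal.effective_roles()):
        for pattern, actions in ENTITLEMENT_MATRIX.get(role, {}).items():
            if action in actions and fnmatchcase(resource, pattern):
                return True, role
    return False, None


def risky_entitlements(matrix=ENTITLEMENT_MATRIX):
    """Review helper: entries that let a role share data externally or that
    grant a whole store ("<type>/*"); these are the ones to audit first."""
    findings = []
    for role, grants in matrix.items():
        for pattern, actions in grants.items():
            whole_store = pattern.split("/", 1)[1:] == ["*"]
            if "share" in actions or whole_store:
                findings.append((role, pattern, sorted(actions)))
    return findings


if __name__ == "__main__":
    alice = Principal("alice", groups={"analytics"})
    print(is_allowed(alice, "read", "bucket/reports/q1.csv"))   # (True, 'data-analyst')
    print(is_allowed(alice, "share", "bucket/reports/q1.csv"))  # (False, None)
    print(risky_entitlements())
```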
Securing Data in the Cloud – SARE vs. Tokenization
• SARE: Storage At-Rest Encryption
• Encryption options vary tremendously
based on service model, provider, and
application/deployment specifics.
• Key management is just as essential as
encryption.
• Encryption vs. Tokenization
• Encryption protects data by applying a
mathematical algorithm that “scrambles”
the data, which then can only be recovered
by running it through an “unscrambling”
(decryption) process with a corresponding
key.
• Tokenization takes the data and replaces it with a
random value.
• It then stores the original and the randomized
version in a secure database for later recovery.
• It is often used when the format of the data is
important (e.g. replacing credit card numbers in
an existing system that requires the same-format
text string).
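Added example (not from the course slides): a minimal tokenization vault for card numbers showing the contrast with encryption. The token keeps the original's format but is purely random, so there is no key that turns it back into the card number; recovery needs the vault lookup. The card number and vault design are constructed for this example.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check that real card numbers pass; tokens are made to fail it
    so a leaked token can never be mistaken for a usable card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stores (token -> original). In production this is an isolated,
    encrypted database with its own access controls; here it is a dict."""

    def __init__(self):
        self._by_token = {}   # token -> original PAN
        self._by_pan = {}     # original PAN -> token (same PAN, same token)

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        if pan in self._by_pan:
            return self._by_pan[pan]      # stable token, usable as a join key
        while True:
            # Keep the last four digits (typical for receipts); the rest is
            # random, unlike encryption where the output is derived from a key.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token == pan or token in self._by_token or luhn_valid(token):
                continue                   # unique, and never a plausible card
            self._by_token[token] = pan
            self._by_pan[pan] = token
            return token

    def detokenize(self, token: str) -> str:
        """Only the vault can recover the original; guard this call."""
        return self._by_token[token]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"   # constructed, Luhn-valid sample number
    token = vault.tokenize(pan)
    return pan, token, vault.detokenize(token)
```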
Securing Data in the Cloud
• There are three components of an
encryption system:
• Data: the information to encrypt
• The encryption engine: what performs the
mathematical process of encryption
• Key management: handles the keys for the
encryption.
• The overall design of the system focuses on
where to put each of these components.
• The design of an encryption system
should start with a threat model.
• For example:
• Is the cloud provider trustworthy to manage
our keys?
• How could the keys be exposed?
• Where should the encryption engine be
located to manage the threats we are
concerned with?
Securing Data in the Cloud – IaaS Encryption
• IaaS volumes can be encrypted using
different methods, depending on the data:
• Instance-managed encryption: The encryption
engine runs within the instance, and the key is
stored in the volume but protected by a passphrase
or keypair.
• Externally managed encryption: The encryption
engine runs in the instance, but the keys are
managed externally and issued to the instance on
request.
• HSM (Hardware Security Module): a hardened, tamper-resistant
hardware device that secures cryptographic processes by
generating, protecting, and managing keys.
• Object and file storage encryption can be achieved
using:
• Client-side encryption: the application encrypts data before
storing it in the cloud. The encryption engine is embedded in
the application or client.
• Server-side encryption: data is encrypted on the server
(cloud) side after being transferred in. The cloud
provider has access to the key and runs the
encryption engine.
• Proxy encryption: a third party (proxy) handles the
encryption/decryption between the client and the cloud
provider. The proxy may keep keys either onboard or
externally.
Client-side/Server-side Encryption in AWS
Proxy Encryption
Securing Data in the Cloud – PaaS Encryption
• PaaS encryption varies tremendously due to all the
different PaaS platforms:
• Application layer encryption: Data is encrypted in the
PaaS application or the client accessing the
platform
• Database encryption: Data is encrypted in the
database using encryption that is built in and
supported by the database platform, such as Transparent
Data Encryption (TDE), or at the field level.
• Other: provider-managed layers in the application,
such as the messaging queue.
Securing Data in the Cloud – SaaS Encryption
• SaaS providers may use any of the previous
options.
• It is recommended to use per-customer keys when
possible, in order to better enforce multitenancy
isolation.
• The following options are for SaaS consumers:
• Provider-managed encryption: Data is encrypted in the
SaaS application and generally managed by the
provider.
• Proxy encryption: Data passes through an encryption
proxy before being sent to the SaaS application
Securing Data in the Cloud – Key Management
• The main considerations for key management
are performance, accessibility, latency, and
security.
• There are four potential options for handling
key management:
• HSM/appliance
• Virtual appliance/software
• Cloud provider service
• Hybrid
Data Security Architectures
• Application architecture significantly influences data security.
• Cloud provider features can help in reducing the attack
surface.
• Strong metastructure security should be a requirement.
• Utilizing cloud storage or queue services can isolate
networks, reducing network-level attack paths.
• Examples include using object storage for data transfers and
batch processing instead of SFTP to static instances.
• Another method is message queue gapping, where different
application components run on separate virtual networks and
communicate only via the cloud provider's message queue
service, effectively eliminating network attacks between
components.
Monitoring, Auditing, and Alerting
• These should tie into overall cloud monitoring.
• Identify (and alert on) any public access or
entitlement changes on sensitive data.
• Use tagging to support alerting, when it’s available.
• Monitor both API and storage access, since
data may be exposed via an API call or via a public
sharing URL.
• Activity monitoring, including Database Activity
Monitoring, may be an option.
• Store logs in a secure location, such as a
dedicated logging account.
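Added example (not from the course slides): detection logic for the alerting points above, run over constructed audit records. The event names, tag inventory and field names are assumptions shaped like a cloud audit log, not any provider's real schema; tags decide severity, and anonymous storage reads are caught separately from API-side entitlement changes.

```python
import json

# Constructed tag inventory: which resources carry a sensitive classification.
RESOURCE_TAGS = {
    "bucket/finance-reports": {"classification": "confidential"},
    "bucket/public-website": {"classification": "public"},
}
SENSITIVE_CLASSES = {"confidential", "restricted"}
# Grantees that mean "anyone", and the calls that change entitlements.
PUBLIC_PRINCIPALS = {"*", "AllUsers", "AuthenticatedUsers"}
ENTITLEMENT_CALLS = {"PutBucketPolicy", "PutBucketAcl", "PutObjectAcl",
                     "PutBucketPublicAccessBlock"}

def is_sensitive(resource: str) -> bool:
    tags = RESOURCE_TAGS.get(resource, {})
    return tags.get("classification") in SENSITIVE_CLASSES

def grants_public(event: dict) -> bool:
    """True when the call opens the resource to a public grantee or
    switches off a public-access block."""
    params = event.get("requestParameters", {})
    if params.get("blockPublicAccess") is False:
        return True
    return bool(set(params.get("grantees", [])) & PUBLIC_PRINCIPALS)

def evaluate(event: dict):
    """Apply the rules to one audit record; return an alert dict or None."""
    name, resource, actor = event["eventName"], event["resource"], event["actor"]
    def alert(rule, severity):
        return {"rule": rule, "severity": severity,
                "resource": resource, "actor": actor}
    if name in ENTITLEMENT_CALLS and grants_public(event):
        # Public exposure always alerts; on sensitive data it is high severity.
        return alert("public-access-granted",
                     "high" if is_sensitive(resource) else "medium")
    if name in ENTITLEMENT_CALLS and is_sensitive(resource):
        return alert("entitlement-change-on-sensitive-data", "medium")
    if name == "GetObject" and actor == "anonymous" and is_sensitive(resource):
        # Storage-level read through a public sharing URL, not an API identity.
        return alert("anonymous-read-of-sensitive-data", "high")
    return None

def scan(log_lines):
    """Run evaluate() over newline-delimited JSON records."""
    alerts = []
    for line in log_lines:
        found = evaluate(json.loads(line))
        if found:
            alerts.append(found)
    return alerts

# Constructed sample records (shaped like an audit log, not a real schema).
SAMPLE_LOG = [
    '{"eventName": "PutBucketAcl", "resource": "bucket/finance-reports",'
    ' "actor": "alice", "requestParameters": {"grantees": ["AllUsers"]}}',
    '{"eventName": "PutBucketPolicy", "resource": "bucket/public-website",'
    ' "actor": "bob", "requestParameters": {"grantees": ["*"]}}',
    '{"eventName": "PutBucketPolicy", "resource": "bucket/finance-reports",'
    ' "actor": "bob", "requestParameters": {"grantees": ["partner-role"]}}',
    '{"eventName": "GetObject", "resource": "bucket/finance-reports",'
    ' "actor": "anonymous", "requestParameters": {}}',
    '{"eventName": "GetObject", "resource": "bucket/finance-reports",'
    ' "actor": "alice", "requestParameters": {}}',
    '{"eventName": "PutBucketPublicAccessBlock", "resource":'
    ' "bucket/finance-reports", "actor": "carol",'
    ' "requestParameters": {"blockPublicAccess": false}}',
]
```

Running `scan(SAMPLE_LOG)` yields five alerts: the authenticated read by alice is the only record that passes silently.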
Additional Data Security Controls
• Cloud platform/provider-specific controls:
provider-specific features.
• Data Loss Prevention: a way to monitor and
protect data that employees access, by monitoring
local systems, web, email, and other traffic.
• Enterprise Rights Management/Digital Rights
Management: based on encryption. ERM/DRM
apply rights to files before storing them in the
cloud. They can break some cloud features (e.g.
document preview).
• Data Masking and Test Data Generation:
• Dynamic Masking: rewrites data on the fly,
typically using a proxy mechanism, to mask all
or part of data delivered to a user.
• Test Data Generation: creation of a database
with non-sensitive test data based on a “real”
database. It can use scrambling and other
randomization techniques to create a data set
that resembles the source in size and structure
but lacks sensitive data.
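Added example (not from the course slides): role-based dynamic masking of query result rows, next to test data generation that keeps each value's length and structure but scrambles the sensitive columns. The columns, roles, masking policy and sample rows are constructed for this example.

```python
import random


# Column-level masking functions (constructed policy for this example).
def mask_card(pan: str) -> str:
    return "*" * (len(pan) - 4) + pan[-4:]

def mask_email(addr: str) -> str:
    local, _, domain = addr.partition("@")
    return local[:1] + "***@" + domain

def mask_full(value: str) -> str:
    return "*" * len(value)

# column -> {role: partial-masking function}; roles not listed get a full
# mask on that column, and roles in UNMASKED_ROLES see the raw value.
MASKING_POLICY = {
    "card":  {"fraud-analyst": mask_card},
    "email": {"support": mask_email},
    "name":  {"support": lambda v: v},
}
UNMASKED_ROLES = {"dba"}


def mask_row(row: dict, role: str) -> dict:
    """Dynamic masking: rewrite one result row for the requesting role,
    as a proxy in front of the database would do on the fly."""
    out = {}
    for col, val in row.items():
        if role in UNMASKED_ROLES or col not in MASKING_POLICY:
            out[col] = val
        else:
            out[col] = MASKING_POLICY[col].get(role, mask_full)(val)
    return out


def scramble(value: str, rng: random.Random) -> str:
    """Replace digits with random digits and letters with random letters of
    the same case; length and punctuation (so the format) are preserved."""
    letters = "abcdefghijklmnopqrstuvwxyz"
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice("0123456789"))
        elif ch.isalpha():
            out.append(rng.choice(letters.upper() if ch.isupper() else letters))
        else:
            out.append(ch)
    return "".join(out)


def generate_test_data(rows, seed: int = 0):
    """Test data generation: same row count, columns and value lengths as
    the source, with every sensitive column scrambled (seeded, so repeatable)."""
    rng = random.Random(seed)
    return [{col: scramble(val, rng) if col in MASKING_POLICY else val
             for col, val in row.items()} for row in rows]


# Constructed sample rows standing in for a customer table.
SAMPLE_ROWS = [
    {"id": "1", "name": "Alice Martin", "email": "alice@example.com",
     "card": "4111111111111111"},
    {"id": "2", "name": "Bob Durand", "email": "bob.d@example.org",
     "card": "5555555555554444"},
]
```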
Enforcing Lifecycle Management Security
• Managing data location/residency: at certain times, we’ll
need to disable unneeded locations and use encryption
to enforce access at the container or object level. Then, even
if the data moves to an unapproved location, it is
still protected unless the key moves with it.
• Ensuring compliance: we don’t merely need to implement
controls to maintain compliance, we also need to document
and test those controls. These are “artifacts of compliance”;
they include any audit artifacts you will have.
• Backups and business continuity.
Domain 3: Cloud Platform and Infrastructure Security