NAVIGATING THE CLOUDS: ENSURING SECURITY IN A DIGITAL WORLD

Security
in Cloud
Computin
g Salmon Joy
Technology Expert and
Educator
 Cloud: What You Need to
KnowUNDERSTAND HOW THE CLOUD WORKS

Amazon EC2, Azure Virtual

Infrastructure as a
Machines, Google Compute
Service
Engine
Platform as a AWS Elastic Beanstalk, Azure App
Service Services, Google App Engine

Software as a Office 365, Salesforce, Google

Service Workspace
Shared
Responsibility
Model
In the shared responsibility model, security
responsibilities are divided between the
CSP and the customer. This division
depends on the type of cloud service
being used
Infrastructure as a
Service (IaaS):
Cloud Service Provider
Responsible for securing the underlying
infrastructure, which includes physical
servers, storage, and networking hardware.

Customer
Responsible for securing the operating
systems, applications, data, and
configurations of the virtual machines they
deploy.
Platform as a
Service (PaaS)
Cloud Service Provider
Responsible for the underlying
infrastructure and the platform services,
including runtime environments and
managed databases.

Customer
Responsible for the security of their
applications, data, and any configurations
they make within the platform.
Software as a
Service (SaaS)
Cloud Service Provider
Responsible for the entire stack, including
the infrastructure, platform, and the software
application itself.

Customer
Responsible for the security of their data
within the application, user access controls,
and any settings they can configure.
 Key Management
Services
Effective key management is critical to maintaining the security
AWS Key Management of encrypted
Azure Keydata. Google Cloud Key
Service Vault Management Service

Centralized management Securely stores and

Manages cryptographic keys
of encryption keys. manages cryptographic keys,
for cloud services.
Supports customer-managed secrets, and certificates.
Supports symmetric
keys (CMKs) and AWS-managed Supports hardware security
and asymmetric keys.
keys. modules (HSMs) for
Features: Key rotation, IAM-
Features: Key rotation, enhanced security.
automatic encryption for based access control,
Features: Role-based access
supported AWS services, audit audit logging.
control (RBAC), key rotation,
logging through AWS CloudTrail.
integration with Azure
services.
Hacked!
Case
Studies
 Details:
Capital One A former AWS employee exploited the misconfiguration
to access Capital One's cloud storage.

Data The hacker was able to retrieve sensitive information,

including Social Security numbers, bank account details,
and credit scores.

Breach Impact

(2019) Significant financial and reputational damage.

Capital One faced fines and regulatory scrutiny, costing
the company millions in settlements and remediation
In 2019, Capital One experienced efforts.
a massive data breach affecting
over 100 million customers in the Lessons Learned:
United States and Canada. The Ensure proper configuration of cloud security
breach was due to a settings. Regularly audit and review security policies
and access controls.
misconfigured firewall in the Implement robust monitoring and incident
Amazon Web Services (AWS) response mechanisms.
cloud infrastructure.
Dropbox Details:
Hackers used a set of stolen employee credentials to

Password access a database backup.

The database contained hashed and salted passwords,
but the scale of the breach was significant.

Breach Impact

(2016) User data was potentially exposed, causing a loss of

trust. Dropbox had to implement mandatory password
resets and enhance their security protocols.
In 2016, Dropbox confirmed a
breach that occurred in 2012, where
credentials of over 68 million users Lessons Learned:
were stolen. The breach was due to Use multi-factor authentication (MFA) for all
compromised employee credentials accounts. Regularly update and audit password
policies.
that granted access to a cloud- Educate employees about phishing and other credential
based repository containing user theft tactics.
data.
Tesla Details:

Kubernetes
Hackers gained access to Tesla's Kubernetes console,
which was not password-protected.
Once inside, they deployed mining scripts to utilize

Console
Tesla’s cloud resources for cryptocurrency mining.

Hack (2018)
Impact
Increased operational costs due to unauthorized
resource usage.
Potential exposure of proprietary data and disruption
of operations.

In 2018, Tesla's cloud infrastructure

was compromised due to an Lessons Learned:
unsecured Kubernetes console, Secure all cloud management consoles with
leading to cryptojacking—the strong authentication mechanisms.
Regularly scan for and remediate unsecured
unauthorized use of Tesla's cloud endpoints. Implement resource usage monitoring to
resources for mining detect unusual activity.
cryptocurrency.
Uber Details:
Hackers accessed the credentials from GitHub and used

Data
them to access Uber’s data stored on AWS S3 buckets.
Sensitive information, including personal data of riders
and drivers, was compromised.

Breach Impact

(2016) Uber faced regulatory fines and legal actions.

Significant reputational damage and loss of user
trust.
In 2016, Uber's data breach affected
57 million riders and drivers. The Lessons Learned:
breach occurred because of Avoid storing sensitive credentials in publicly
accessible repositories.
improperly secured credentials for
Use environment variables and secret management tools
Uber's third-party cloud storage to handle credentials securely.
service, which were stored in a Conduct regular audits and penetration testing to
identify security gaps.
public GitHub repository.
 Details:
Code Attackers gained access to the AWS control panel,
deleted essential data, and backups when extortion

Spaces demands were not met.

The company could not recover from the attack due to
the extensive data loss.

Extortion Impact

Attack (2014) Total shutdown of Code Spaces'

operations. Irreversible data loss and
financial collapse.
In 2014, Code Spaces, a code
hosting and project management Lessons Learned:
service, faced a catastrophic attack
Implement multi-factor authentication (MFA) for
that led to the company's shutdown. cloud account access.
The attackers launched a Distributed Maintain offsite and offline backups to safeguard
against such attacks.
Denial of Service (DDoS) attack and Develop and test incident response and disaster
hijacked Code Spaces’ AWS control recovery plans regularly.
panel.
Future Trends
in Cloud
Security
 Zero Trust Zero Trust
Architecture Architecture
Achievement Challenges
s
Enhanced Security Posture: Zero Trust Complex Implementation: Requires
ensures that every access request is significant changes to existing
thoroughly verified regardless of origin, infrastructure and processes, making
significantly reducing the risk of insider threats implementation complex.
and unauthorized access.
High Costs: Initial setup and
Granular Control: Provides detailed ongoing management can be
control over who accesses what, when, expensive.
and how, enhancing security at every
level. User Experience: Strict access
controls can sometimes hinder user
Adaptive Authentication: Utilizes context- productivity if not implemented
aware access controls that adapt based on carefully.
 AI and ML in AI and ML
Security in Security
Achievement Challenges
s
Proactive Threat Detection: AI and ML Data Quality: Effectiveness depends on
can identify and mitigate threats in real- the quality and volume of data available
time by analyzing patterns and anomalies for training.
in vast datasets.
Sophisticated Adversaries:
Automated Response: Enables rapid Cybercriminals also use AI to develop
automated response to incidents, reducing more advanced attacks, creating an
the impact of potential breaches. ongoing arms race.

Enhanced Analytics: Provides deeper Resource Intensive: High

insights into security events and helps computational power and specialized
predict future threats. expertise are required to develop and
maintain AI-based security solutions.
 Quantum Quantum
Computing and Computing and
Cryptography Cryptography
Achievements
Post-Quantum Cryptography:
Challenges
Development of new cryptographic methods
resistant to quantum attacks is underway. Readiness: Most current
cryptographic systems are not yet
quantum-resistant, posing a future risk
Enhanced Encryption: Quantum key Implementation: Transitioning to post-
distribution offers theoretically quantum cryptographic systems will
unbreakable encryption. require significant updates to existing
infrastructure.

Cost and Complexity: High costs and

technical complexity of quantum
technologies make them inaccessible
to many organizations currently.
 Cloud-Native Cloud-Native
Security Tools Security Tools
Achievements Challenges
Integrated Security: Cloud providers Vendor Lock-In: Reliance on
offer native security tools (e.g., AWS specific cloud-native tools can
GuardDuty, Azure Security Center) that increase dependency on a single
integrate seamlessly with their services. provider.
Interoperability: Integrating cloud-native
Scalability: These tools are designed to tools with on-premises systems and
scale automatically with cloud workloads, multi- cloud environments can be
providing consistent security across challenging.
dynamic environments.
Visibility: Ensuring comprehensive
Ease of Use: Simplifies the deployment visibility across different tools and
and management of security controls. services can be complex.
 DevSecOps DevSecOps
Achievements Challenges

Shift-Left Security: Embeds security Cultural Change: Requires a

earlier in the development lifecycle, significant cultural shift and buy-in
reducing vulnerabilities in production. from all stakeholders.

Continuous Security: Facilitates Skill Gaps: Requires developers to

continuous monitoring and compliance, have security expertise, which may
aligning with agile and CI/CD practices. necessitate additional training and hiring.

Collaboration: Enhances Tool Integration: Integrating security

collaboration between development, tools into the CI/CD pipeline without
operations, and security teams. disrupting workflows can be difficult.
 Confidential Confidentia
Computing l
Achievement Computing
s
Data Protection: Protects data in use by
Challenges
performing computations in a hardware-
based Trusted Execution Environment (TEE). Adoption: Still an emerging
technology
PerformancewithOverhead:
limited adoption and
Potential
Privacy: Ensures sensitive data remains support.
performance impacts due to the
encrypted even during processing, added layer of security.
enhancing privacy and security.
Compatibility: Ensuring compatibility
with existing applications and
infrastructure can be challenging.
"It takes 20 years to
build a reputation and
a few minutes of
cyber-incident to ruin
it."
STEPHANE NAPPO
Do you have
any
questions?
Salmon Joy - 9029964453