Introduction
As you're doing this module, information systems are under attack. They're under attack from port scanners, which hunt for holes unknowingly left open in firewalls. They're under attack from bots that probe Web sites for unpatched security vulnerabilities. And they're under attack by human hackers looking for passwords, credit-card numbers, and other "secrets" that can be monetized on the dark Web. There is no end to which the bad guys won't go to steal your data and wreak havoc on your organization.
It falls to cloud administrators and cloud security professionals to stop them. This responsibility requires understanding the threats that they face and the tools and techniques used to thwart them. Security in information systems is the assurance that services and data are being used as they were intended, by the people and other services explicitly permitted to do so, according to the policy of the organizations managing those systems. Security is not a blockade. It is a process.
Security in the cloud is a three-pronged affair. First, software developers must ensure that their code isn't vulnerable to attack -- for example, that a Web site isn't vulnerable to SQL injection (a technique that enables attackers to exploit vulnerabilities in code to extract information from back-end databases). Second, cloud administrators must use the tools available to them to secure the cloud resources that they deploy -- for example, by configuring a cloud database to automatically encrypt data written to it and enabling active threat detection to alert them if the database encounters suspicious traffic. Third, the cloud service provider (CSP) must ensure the security of the cloud infrastructure that it offers to customers. Security is a shared responsibility. All it takes one weak link in the chain to compromise everyone involved.
For the cloud administrator, achieving security involves a quantitative understanding of risk, especially how much risk an organization may adequately and comfortably maintain in the act of sustaining its business model electronically. This lesson's principal concern is therefore the responsibilities that fall to cloud administrators and the mechanisms they use to mitigate risk and secure infrastructure.
We start by discussing the various responsibilities involved in any distributed information security process and identifying the parties in the CSP/customer relationship charged with these responsibilities. We then examine some of the common threats to cloud security and the role that encryption and other technologies play in mitigating them. Finally, we take up the topic of regulatory compliance and the added responsibilities it places on cloud professionals. Unknowing is unarmed. Let's eliminate the "unknowing" by diving into cloud security.
Learning objectives
- Understand the importance of risk assessment in implementing cloud security
- Understand how cloud customers and cloud service providers share responsibility for security
- List some of the prominent threats to cloud security
- Understand the role that cryptography plays in securing data
- Understand the difference between symmetric encryption and asymmetric encryption
- Understand how public key cryptography facilitates the secure exchange of data
- Explain the concept of multilayered data security and why it is necessary
- Explain some of the services offered by data-security platforms and the integrated security services offered by cloud service providers
Prerequisites
- Understand what cloud computing is, including cloud service models, and common cloud providers
- Know the different type of clouds (public, private, hybrid)
- Recognize cloud service models such as IaaS, PaaS, and SaaS and differentiate between them
- Understand how cloud resource provisioning works
- Know how data centers work and how data is stored in the cloud