Definition
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models (according to NIST publication 800-145).
Drivers for Cloud Computing
Cost of current IT ownership or estimated cost to maintain current solution
Reducing IT Complexity (Reduction, Scalability)
Consumption pricing model (Virtualization, Cost)
Business Agility – (Mobility Innovation/Collaboration)
Cloud computing Roles (Cloud Customers, Cloud Provider, Cloud Backup Service Provider, Cloud Security Service Provider, Cloud Service Broker, Cloud Service Auditor)
Key Cloud Computing Characteristics – On-demand self-service, Broad network access, Resource pooling, Rapid Elasticity, Measured Service
Cloud Transition Scenario – (Multiple Cloud provider model, Hybrid Cloud Model, Risk management Data Separation, Cloud Architecture Alignment with Business requirement)
Cloud computing Activities (Cloud Admin, Cloud Application Architect, Cloud Architect, Cloud Data Architect, Cloud Infrastructure Architect, Cloud Security Architect, Cloud Developer, Cloud Operator, Cloud Service manager, Cloud Storage Admin, Cloud User/Cloud Customer)
Cloud Service Characteristics
Infrastructure as a Service (IaaS)
IaaS Key Characteristics: (Scale, Converged network and Capacity Pool, Self-service and On-demand Capacity, High Reliability and Resilience)
IaaS Key Benefits: (Measured Unit based Price Model, Elasticity, Reduced Cost of Ownership, Green IT Model)
Significant players: Amazon, AT&T, Verizon, HP and OpenStack
Platform as a Service (PaaS)
PaaS Key Characteristics: (Multiple Framework and Language support, Multiple hosts, Flexibility, Reduced Lock-in and More Choices, Auto-Scale ability)
PaaS Key Benefits: (OS Flexibility, Cooperation Among Globally Diverse Teams, Cost Efficiency by Choosing One vendor)
Significant players: Microsoft, Google and OpenStack
Software as a Service (SaaS)
SaaS Delivery models – (Hosted Application Management (hosted AM), Software on Demand)
SaaS Benefits – (Overall reduction of costs, Application and Software Licensing, Reduced Support Costs, Backend Systems and capabilities, Ease of use and minimal administration, Automatic Updates and Patches, Same version of software for every user, Global Accessibility)
Significant Players: Google, Microsoft, Salesforce, Oracle
Recent additions: Security as a Service, Malware as a Service
Security as a Service – Perimeter Infrastructure provided by Security Cloud provider. Significant player: Zscaler. Benefits of previous models.
Malware as a Service – Hackers provide ransomware programs hosted somewhere in the cloud. The services are usually free, but the developers take a percentage of the ransom.
Cloud Deployment Model
Public Cloud Model
Key Benefits – (Easy and Inexpensive, comfortable for providing resources and streamlined, Scalability to meet customer needs, Pay as you Consume)
Private Cloud Model
Key Benefits – (Better Control Over Data, Ownership, Governance Controls retention, Legal and Compliance uniformity, Incorporation of previous investment in current cost model, More applicable for Organizations with a lot of custom applications)
Hybrid Cloud Model
According to NIST: Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Key Benefits – (Critical tasks and processes are governed in Private Infrastructure, Reuse of Previous investment, Control in the hands of the organization, not the Cloud provider, Non-critical business functions provided by Cloud provider, Use of cloud bursting in case a private organization reaches maximum capacity)
Community Cloud Model – According to NIST: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
Cloud Cross Cutting aspects
Architecture Overview – An Architect is a person who sees the big picture of the organization. Cloud Security Alliance
See the overall picture with this drawing
More at: CSA Enterprise Architecture
SABSA – Sherwood Applied Business Security Architecture consists of the following Frameworks: Business Requirement Engineering, Risk and Opportunity management, Policy Architectural, Governance, Security Domain, Through-Life Service and Performance Management.
The IT Infrastructure Library (ITIL) is the IT Service Management Framework.
The Open Group Architecture Framework (TOGAF) according to Open Group provides the methods and tools for assisting in the acceptance, production, use, and maintenance of an enterprise architecture. It is based on an iterative process model supported by best practices and a re-usable set of existing design assets (similar to LEGO).
Jericho/Open Group became a part of Open Group Security forum.
The Cloud Security Building Blocks are presented by this drawing below
Fundamental principles of an Enterprise Architecture: Definition of Protection for Enabling Trust Cloud, Cross-Platform Capabilities and Open Source, Trusted Facilities and Efficient Access, Regulation, Proper Identification, Authentication, Authorization, Administration and Auditability, Centralized Security Policy, Federate Access when it is possible, Easy to adapt and consume
The NIST Cloud Technology Roadmap: Interoperability, Portability, Availability, Security, Privacy, Performance, Resilience, Governance, SLAs, Auditability, Regulatory Compliance
Network Security and Perimeter – Physical Environment Security, Logical Network Security (link, protocol and application level Services)
Cryptography
Encryption should be provided for data in transit and at rest
Key management – Remote key management Service, Client-Side Key Management
IAM and Access Control: Provisioning and de-Provisioning, Centralized Directory Service, Privileged User management, Authentication and Access Management
Data and Media Sanitization: Vendor Lock-in, Cryptographic Erasure, Data Overwriting
Virtualization Security – The Hypervisor: Type I (Hardware based), Type II (Running on Host OS)
Security Types: Type II Security – Higher level of risks due to OS Common Threats
Data Breaches – Data Loss, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Denial of Service, Malicious Insiders, Abuse of Cloud Services, Insufficient Due Diligence, Shared Technology Vulnerabilities, Shared model of Security (AWS), Micro segmentation, North-South attacks, East-West attacks, Insufficient resources
Security Considerations for Different Cloud Categories
Infrastructure as a Service (IaaS) Security: Virtual Machine Attack, Virtual Network, Hypervisor Attacks, VM-Based Rootkit, Virtual Switch Attacks, DoS Attacks, Co-Location, Multi Tenancy, Workload Complexity, Loss of Control, Network Topology, Logical Network Segmentation, No Physical End Point, Single Point of Access
Platform as a Service (PaaS) Security – System Resource Isolation, User-Level Permissions
Software as a Service (SaaS) Security – Data Segregation, Data Access and Policies, Web Application Security
Open Web Application Security Project (OWASP) Top Ten Threats
- Injection – SQL, OS, LDAP
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
Cloud Secure Data Life Cycle – Create, Store, Use, Share, Archive, Destroy
Information Data Governance Types – Information Classification, Information Management Policies, Location and Jurisdictional Policies, Authorizations, Custodianship
Business Continuity / Disaster Recovery Planning
Business Continuity Elements (from Security Perspective) – Availability, Integrity, Confidentiality
Critical Success Factors – Customer Versus Provider Responsibility, What SLA covers in Business Continuity / Disaster Recovery Planning and how deep
Key SLA Components – Undocumented single point of failure shouldn’t exist, Migration to new provider should be possible within agreed-upon time frame, Customer should be able to verify data integrity in the cloud, Frequency of incremental backup should work on customer requirements
Cost Benefit Analysis – Resource Pooling, Switch from Capex to Opex, Factor in Time and Efficiency, Depreciation, Reduction in Maintenance and Configuration Time, Shift in Focus, Utility Costs, Software and Licensing Costs, Pay per usage, New technologies, Additional governance requirements, Training required, Total Cost of Ownership