Resource Protection

Data

Types of Cloud Data: Files, Relational Database (Managed, Proprietary, IaaS), Non-Relational Database, Big Data, Sensitive Data

Protecting Cloud Data

At Rest

  • Implement mechanisms to ensure confidentiality, integrity, and availability when data is not actively accessed or transmitted.

  • Network Controls and Permissions: Restrict which networks and identities can reach stored data.

  • Encryption: Use encryption to secure data.

  • Hardware Security Modules (HSM): For added protection of the encryption keys.

  • Backup and Replication: Ensure data can be restored and maintained.

In Transit

  • Implement security measures to protect data transmitted across networks.

  • Encryption: Always use encryption through secure communication protocols.

  • Hardware Security Modules (HSM): Use for secure key management.

Best Practice

  • Access Controls: Limit access to resources, data, and networks.

  • Encryption: Apply encryption at rest, in transit, and end-to-end.

  • Backup and Recovery: Regularly back up data and have recovery plans in place.

  • Regular Security Audits and Assessments: Perform regular checks to ensure security measures are effective.

Network

Provider Responsibilities

  • Infrastructure Protection: Includes DDoS protection and general threat management for both virtualized and physical infrastructure.

  • Physical Connection: The provider manages the physical network connectivity between different customers' cloud resources.

Customer Responsibilities

  • VPC (Virtual Private Cloud): The customer's isolated virtual network, within which the controls below are applied.

  • Network ACLs (AWS): Control traffic at the subnet level.

  • Security Groups (AWS): Manage traffic at the EC2 instance level.

  • PrivateLink (AWS): Establish private connectivity between VPCs and supported services.

  • Network Security Groups (NSG, Azure): Manage security at the subnet and instance levels.

  • Private Endpoint (Azure): Securely connect to Azure services.

  • Firewall Rules (Google Cloud): Control traffic at the VPC, subnet, and VM levels.

  • VPC Service Controls (Google Cloud): Define security perimeters around cloud services.

Additional Services

  • AWS: Shield, Web Application Firewall (WAF), GuardDuty.

  • Azure: Firewall, Application Gateway, Front Door.

  • Google Cloud: Cloud Armor.

Best Practice

  • Utilize cloud provider tools and minimize the public attack surface.

  • Review and adjust firewall rules; avoid opening ports globally.

  • Monitor network activity, set up alerts for abnormal usage, and maintain an incident response plan.
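The "avoid opening ports globally" check, as an added example that is not part of these notes: a small audit that flags security-group ingress rules reachable from any address, with a weak group shown beside its corrected form. The sample groups are constructed to mirror the IpPermissions shape returned by EC2 DescribeSecurityGroups, so it runs offline with no credentials; the `allowed_public` set of approved public ports is an assumption of this example.

```python
from typing import Dict, List, Set, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "anyone" sources, IPv4 and IPv6

def rule_ports(rule: Dict) -> str:
    """Render one IpPermissions entry's port range ('all' for protocol -1)."""
    if rule.get("IpProtocol") == "-1":
        return "all"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"

def find_world_open_rules(groups: List[Dict],
                          allowed_public: Set[Tuple[str, int]] = frozenset()) -> List[str]:
    """Return 'group proto ports cidr' for each ingress rule open to any source,
    except single ports explicitly approved as public, e.g. ("tcp", 443)."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            if proto != "-1" and lo == hi and (proto, lo) in allowed_public:
                continue  # approved public service on exactly one port
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD_CIDRS:
                    findings.append(f"{sg['GroupId']} {proto} {rule_ports(rule)} {cidr}")
    return findings

# Constructed sample data: the weak group and its hardened replacement.
WEAK_SG = {
    "GroupId": "sg-constructed-weak",
    "IpPermissions": [  # SSH from anywhere, then every port and protocol from anywhere
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
HARDENED_SG = {
    "GroupId": "sg-constructed-hardened",
    "IpPermissions": [  # SSH only from an admin range; HTTPS is the one public port
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for line in find_world_open_rules([WEAK_SG, HARDENED_SG], {("tcp", 443)}):
        print("OPEN TO WORLD:", line)
```

With the live API, the same function can be fed the `SecurityGroups` list from `describe_security_groups()` unchanged.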

Compute

  • Patch Management: Regular updates to operating systems and services.

  • Automated OS Patching: Available for IaaS on platforms like AWS and Azure.

  • Resource Protection: Securing resources against unauthorized access and threats.

  • OS Hardening: Configure operating systems to run only required services with secure settings.

  • Monitoring: Utilize logs for tracking and detecting issues.

  • Attack Surface Minimization: Block unnecessary ports and reduce potential vulnerabilities.

  • Availability: Deploy multiple instances to ensure high availability and fault tolerance.

Platform Compute Protection

  • Provider Responsibility: The cloud provider secures the services and operating systems running the applications.

  • Custom Options: Customers can configure additional security settings for their PaaS environments.

  • The cloud service provider (CSP) handles patching and updates.

Confidential Computing

Enables the execution of workloads while keeping data and code confidential from the cloud provider, other tenants, and potential attackers.

Requirements: Specific compute instance sizes and hardware are needed to provide secure, isolated execution environments (application enclaves).

Built-in monitoring features are provided by the cloud platform, with options to use third-party monitoring tools as well.
