search

Resource Protection

hashtag
Data

Types of Cloud Data: Files, Relational Database (Managed, Proprietary, IaaS), Non-Relational Database, Big Data, Sensitive Data

hashtag
Protecting Cloud Data

hashtag
At Rest

  • Implement mechanisms to ensure confidentiality, integrity, and availability when data is not actively accessed or transmitted.

  • Network Controls and Permissions

  • Encryption: Use encryption to secure data.

  • Hardware Security Modules (HSM): For added protection.

  • Backup and Replication: Ensure data can be restored and maintained.

hashtag
In Transit

  • Implement security measures to protect data transmitted across networks.

  • Encryption: Always use encryption through secure communication protocols.

  • Hardware Security Modules (HSM): Use for secure key management.

hashtag
Best Practice

  • Access Controls: Limit access to resources, data, and networks.

  • Encryption: Apply encryption at rest, in transit, and end-to-end.

  • Backup and Recovery: Regularly back up data and have recovery plans in place.

  • Regular Security Audits and Assessments: Perform regular checks to ensure security measures are effective.

LogoData encryption options  |  Cloud Storage  |  Google Cloud DocumentationGoogle Cloud Documentationchevron-right
LogoProtecting data with encryption - Amazon Simple Storage ServiceAmazon Simple Storage Servicechevron-right
LogoAzure Storage encryption for data at restMicrosoftLearnchevron-right

hashtag
Network

hashtag
Provider Responsibilities

  • Infrastructure Protection: Includes DDoS protection and general threat management for both virtualized and physical infrastructure.

  • Physical Connection: The provider manages the physical network connectivity between different customers' cloud resources.

hashtag
Customer Responsibilities

  • VPC (Virtual Private Cloud)

  • Network ACLs: Control traffic at the subnet level.

  • Security Groups: Manage traffic at the EC2 instance level.

  • PrivateLink: Establish private connectivity between VPCs and supported services.

  • Network Security Groups (NSG): Manage security at the subnet and instance levels.

  • Private Endpoint: Securely connect to Azure services.

  • Firewall Rules: Control traffic at the VPC, subnet, and VM levels.

  • VPC Service Controls: Define security perimeters around cloud services.

hashtag
Additional Services

  • AWS: Shield, Web Application Firewall (WAF), GuardDuty.

  • Azure: Firewall, Application Gateway, FrontDoor.

  • Google Cloud: Cloud Armor.

hashtag
Best Practice

  • Utilize cloud provider tools and minimize the public attack surface.

  • Review and adjust firewall rules; avoid opening ports globally.

  • Monitor network activity, set up alerts for abnormal usage, and maintain an incident response plan.

hashtag
Compute

  • Patch Management: Regular updates to operating systems and services.

  • Automated OS Patching: Available for IaaS on platforms like AWS and Azure.

  • Resource Protection: Securing resources against unauthorized access and threats.

  • OS Hardening: Configure operating systems to run only required services with secure settings.

  • Monitoring: Utilize logs for tracking and detecting issues.

  • Attack Surface Minimization: Block unnecessary ports and reduce potential vulnerabilities.

  • Availability: Deploy multiple instances to ensure high availability and fault tolerance.

hashtag
Platform Compute Protection

  • Provider Responsibility: The cloud provider secures the services and operating systems running the applications.

  • Custom Options: Customers can configure additional security settings for their PaaS environments.

  • The cloud service provider (CSP) handles patching and updates.

hashtag
Confidential Computing

Enables the execution of workloads while keeping data and code confidential from the cloud provider, other tenants, and potential attackers.

Requirements: Requires specific compute instance sizes and hardware to ensure secure and isolated execution environments (application enclaves).

LogoAzure Confidential Computing – Protect Data In Use | Microsoft Azureazure.microsoft.comchevron-right
LogoOfficial Microsoft for Healthcare documentationMicrosoftLearnchevron-right

Built-in monitoring features are provided by the cloud platform, with options to use third-party monitoring tools as well.

LogoAzure Monitor overview - Azure MonitorMicrosoftLearnchevron-right
PreviousCloud Security & Regulatory ComplianceNextICCA: Cloud Security & Regulatory Compliance

Last updated