Resource Protection

Data

Types of Cloud Data: Files, Relational Database (Managed, Proprietary, IaaS), Non-Relational Database, Big Data, Sensitive Data

Protecting Cloud Data

At Rest

Implement mechanisms to ensure confidentiality, integrity, and availability when data is not actively accessed or transmitted.
Network Controls and Permissions
Encryption: Use encryption to secure data.
Hardware Security Modules (HSM): For added protection.
Backup and Replication: Ensure data can be restored and maintained.

In Transit

Implement security measures to protect data transmitted across networks.
Encryption: Always use encryption through secure communication protocols.
Hardware Security Modules (HSM): Use for secure key management.

Best Practice

Access Controls: Limit access to resources, data, and networks.
Encryption: Apply encryption at rest, in transit, and end-to-end.
Backup and Recovery: Regularly back up data and have recovery plans in place.
Regular Security Audits and Assessments: Perform regular checks to ensure security measures are effective.

Network

Provider Responsibilities

Infrastructure Protection: Includes DDoS protection and general threat management for both virtualized and physical infrastructure.
Physical Connection: The provider manages the physical network connectivity between different customers' cloud resources.

Customer Responsibilities

VPC (Virtual Private Cloud)
Network ACLs: Control traffic at the subnet level.
Security Groups: Manage traffic at the EC2 instance level.
PrivateLink: Establish private connectivity between VPCs and supported services.
Network Security Groups (NSG): Manage security at the subnet and instance levels.
Private Endpoint: Securely connect to Azure services.
Firewall Rules: Control traffic at the VPC, subnet, and VM levels.
VPC Service Controls: Define security perimeters around cloud services.

Additional Services

AWS: Shield, Web Application Firewall (WAF), GuardDuty.
Azure: Firewall, Application Gateway, FrontDoor.
Google Cloud: Cloud Armor.

Best Practice

Utilize cloud provider tools and minimize the public attack surface.
Review and adjust firewall rules; avoid opening ports globally.
Monitor network activity, set up alerts for abnormal usage, and maintain an incident response plan.

Compute

Patch Management: Regular updates to operating systems and services.
Automated OS Patching: Available for IaaS on platforms like AWS and Azure.
Resource Protection: Securing resources against unauthorized access and threats.
OS Hardening: Configure operating systems to run only required services with secure settings.
Monitoring: Utilize logs for tracking and detecting issues.
Attack Surface Minimization: Block unnecessary ports and reduce potential vulnerabilities.
Availability: Deploy multiple instances to ensure high availability and fault tolerance.

Platform Compute Protection

Provider Responsibility: The cloud provider secures the services and operating systems running the applications.
Custom Options: Customers can configure additional security settings for their PaaS environments.
The cloud service provider (CSP) handles patching and updates.

Confidential Computing

Enables the execution of workloads while keeping data and code confidential from the cloud provider, other tenants, and potential attackers.

Requirements: Requires specific compute instance sizes and hardware to ensure secure and isolated execution environments (application enclaves).

Built-in monitoring features are provided by the cloud platform, with options to use third-party monitoring tools as well.

PreviousCloud Security & Regulatory Compliance NextICCA: Cloud Security & Regulatory Compliance

Last updated 9 months ago

Resource Protection

Data

Types of Cloud Data: Files, Relational Database (Managed, Proprietary, IaaS), Non-Relational Database, Big Data, Sensitive Data

Protecting Cloud Data

At Rest

Implement mechanisms to ensure confidentiality, integrity, and availability when data is not actively accessed or transmitted.
Network Controls and Permissions
Encryption: Use encryption to secure data.
Hardware Security Modules (HSM): For added protection.
Backup and Replication: Ensure data can be restored and maintained.

In Transit

Implement security measures to protect data transmitted across networks.
Encryption: Always use encryption through secure communication protocols.
Hardware Security Modules (HSM): Use for secure key management.

Best Practice

Access Controls: Limit access to resources, data, and networks.
Encryption: Apply encryption at rest, in transit, and end-to-end.
Backup and Recovery: Regularly back up data and have recovery plans in place.
Regular Security Audits and Assessments: Perform regular checks to ensure security measures are effective.

Data encryption options | Cloud Storage | Google CloudGoogle Cloud

Protecting data with encryption - Amazon Simple Storage ServiceAmazon Simple Storage Service

Azure Storage encryption for data at restMicrosoftLearn

Network

Provider Responsibilities

Infrastructure Protection: Includes DDoS protection and general threat management for both virtualized and physical infrastructure.
Physical Connection: The provider manages the physical network connectivity between different customers' cloud resources.

Customer Responsibilities

VPC (Virtual Private Cloud)
Network ACLs: Control traffic at the subnet level.
Security Groups: Manage traffic at the EC2 instance level.
PrivateLink: Establish private connectivity between VPCs and supported services.
Network Security Groups (NSG): Manage security at the subnet and instance levels.
Private Endpoint: Securely connect to Azure services.
Firewall Rules: Control traffic at the VPC, subnet, and VM levels.
VPC Service Controls: Define security perimeters around cloud services.

Additional Services

AWS: Shield, Web Application Firewall (WAF), GuardDuty.
Azure: Firewall, Application Gateway, FrontDoor.
Google Cloud: Cloud Armor.

Best Practice

Utilize cloud provider tools and minimize the public attack surface.
Review and adjust firewall rules; avoid opening ports globally.
Monitor network activity, set up alerts for abnormal usage, and maintain an incident response plan.

Compute

Patch Management: Regular updates to operating systems and services.
Automated OS Patching: Available for IaaS on platforms like AWS and Azure.
Resource Protection: Securing resources against unauthorized access and threats.
OS Hardening: Configure operating systems to run only required services with secure settings.
Monitoring: Utilize logs for tracking and detecting issues.
Attack Surface Minimization: Block unnecessary ports and reduce potential vulnerabilities.
Availability: Deploy multiple instances to ensure high availability and fault tolerance.

Platform Compute Protection

Provider Responsibility: The cloud provider secures the services and operating systems running the applications.
Custom Options: Customers can configure additional security settings for their PaaS environments.
The cloud service provider (CSP) handles patching and updates.

Confidential Computing

Enables the execution of workloads while keeping data and code confidential from the cloud provider, other tenants, and potential attackers.

Requirements: Requires specific compute instance sizes and hardware to ensure secure and isolated execution environments (application enclaves).

Azure Confidential Computing – Protect Data In Use | Microsoft AzureMicrosoft Azure

Healthcare platform confidential computing - Azure Example ScenariosMicrosoftLearn

Built-in monitoring features are provided by the cloud platform, with options to use third-party monitoring tools as well.

Azure Monitor overview - Azure MonitorMicrosoftLearn

PreviousCloud Security & Regulatory Compliance NextICCA: Cloud Security & Regulatory Compliance

Last updated 9 months ago