Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. The term is generally used to describe data centers available to many users over the Internet. Large clouds, predominant today, often have functions distributed over multiple locations from central servers.
If the connection to the user is relatively close, it may be designated an edge server. The availability of high-capacity networks, low-cost computers and storage devices, as well as the widespread adoption of hardware virtualization, service-oriented architecture and autonomic and utility computing, has led to growth in cloud computing.
Securing your cloud infrastructure is the utmost priority when designing solutions to avoid malicious activity, so it is always advisable to know the security best practices, attacks and prevention techniques at each level.
Service Models
Infrastructure as a Service (IaaS)
Software as a Service (SaaS)
Platform as a Service (PaaS)
Mobile Backend as a Service (MbaaS)
Serverless Computing
Software as a Service (SaaS)
Software as a Service, also known as cloud application services, represents the most commonly utilized option for businesses in the cloud market. SaaS utilizes the internet to deliver applications, which are managed by a third-party vendor, to its users.
A majority of SaaS applications run directly through your web browser, which means they do not require any downloads or installations on the client side.
Ex: Google Apps, Dropbox, Salesforce, Cisco WebEx, Concur, GoToMeeting
Characteristics
SaaS makes the software available over the Internet.
The software is maintained by the vendor rather than at the site where it runs.
The license to the software may be subscription based or usage based.
SaaS applications are cost-effective since they do not require any maintenance on the end-user side.
They are available on demand.
Infrastructure as a Service (IaaS)
Cloud infrastructure services, known as Infrastructure as a Service (IaaS), are made of highly scalable and automated compute resources. IaaS is fully self-service for accessing and monitoring computers, networking, storage, and other services. IaaS allows businesses to purchase resources on-demand and as-needed instead of having to buy hardware outright.
Ex: DigitalOcean, Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod, Microsoft Azure, Google Compute Engine (GCE)
Characteristics
Resources are available as a service
Cost varies depending on consumption
Services are highly scalable
Multiple users on a single piece of hardware
Organizations retain complete control of the infrastructure
Dynamic and flexible
Platform as a Service (PaaS)
Cloud platform services, also known as Platform as a Service (PaaS), provide cloud components for certain software and are used mainly for applications. PaaS delivers a framework that developers can build upon and use to create customized applications. All servers, storage and networking can be managed by the enterprise or a third-party provider, while the developers retain management of the applications.
Ex: AWS Elastic Beanstalk, Windows Azure, Heroku, Force.com, Google App Engine, Apache Stratos, OpenShift
Characteristics
Builds on virtualization technology, so resources can easily be scaled up or down as your business changes
Provides a variety of services to assist with the development, testing, and deployment of apps
Accessible to numerous users via the same development application
Integrates web services and databases
Mobile Backend as a Service (MbaaS)
In the mobile backend as a service (MbaaS) model, also known as backend as a service (BaaS), web app and mobile app developers are provided with a way to link their applications to cloud storage and cloud computing services through application programming interfaces (APIs) exposed to their applications and custom software development kits (SDKs).
Ex: AnyPresence, FeedHenry and Appcelerator
Characteristics
Push notifications
File storage
Integration with social networking
Serverless Computing
Serverless computing is a cloud computing code execution model in which the cloud provider fully manages starting and stopping virtual machines as necessary to serve requests, and requests are billed by an abstract measure of the resources required to satisfy the request rather than per virtual machine per hour.
Ex: Lambda in AWS, Cloud Functions in GCP
Characteristics
Polyglot Platform.
Support For Sync and Async Invocation.
API Gateway Integration.
Developer Productivity.
Support for DevOps and Tooling.
Deployment Models
Private Cloud : A private cloud involves a distinct and secure cloud-based environment in which only the specified client can operate. Because a private cloud is accessible only to a single organization, it provides benefits such as higher security and privacy, more control, cost and energy efficiency and improved reliability.
Public Cloud : A public cloud infrastructure is provisioned for open use by the general public. It may be owned, managed and operated by a business, academic or government organization, and it exists on the premises of the cloud provider.
Hybrid Cloud : This type of cloud is a combination of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but can share data if required.
Community Cloud : The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, policy or security requirements). It may be managed by one of the organizations or by a trusted third party.
Types of Security
Infrastructure Security
Application Security
Data Security
Infrastructure Security Levels
Network Level
Host Level
Application Level
Network Level
It includes the different attacks at the networking layer, such as DDoS attacks, sniffer attacks and BGP prefix hijacking.
Attack Types
1. DNS attack : Traffic between a sender and a receiver gets rerouted through a malicious connection.
Prevention Method : Domain Name System Security Extensions (DNSSEC) reduce the effects of DNS threats.
2. DDoS Attack : An attack against a single network from multiple computers or systems.
Prevention Method : Limit the number of ICMP and SYN packets on router interfaces.
3. Sniffer Attack : Data flows through the network unencrypted, so there is a chance for it to be read and vital information exposed.
Prevention Method : Detect sniffers based on ARP and RTT anomalies. Implement Internet Protocol Security (IPsec) to encrypt network traffic. System administrators can prevent this attack by tightening security, e.g. one-time passwords or ticket-based authentication.
4. Eavesdropping : The attacker monitors network traffic in transit and then interprets all unprotected data.
Prevention Method : Methods of keeping intruders out are Internet Protocol Security (IPsec), implementing security policies and procedures, and installing anti-virus software.
5. Issues of reused IP addresses : An IP address is reassigned to and reused by another customer while the address still exists in the DNS cache.
Prevention Method : Old ARP entries are cleared from the cache.
6. BGP Prefix Hijacking : A network attack in which a wrong announcement is made for the IP address ranges associated with an autonomous system.
Prevention Method : Filtering and MD5/TTL protection (preventing the source of most attacks).
7. DoS Attack : Prevents the authorized user from accessing services on the network.
Prevention Method : DoS attacks can be prevented with a firewall, but it has to be configured properly. Enforce strong password policies.
Host Level
It includes the different attacks at the hypervisor, cookie and OS levels.
Attack Types
1. Hypervisor : A single hardware unit running multiple operating systems is difficult to monitor. Malicious code that gets control of the system can block the other guest OSes.
Prevention Method : HookSafe, which can provide generic protection against kernel-mode rootkits.
2. Cookie Poisoning : An unauthorized person can change or modify the content of cookies.
Prevention Method : Cookies should be avoided, or regular cookie cleanup is necessary.
3. Securing virtual servers : Self-provisioning of new virtual servers on an IaaS platform creates a risk of insecure virtual servers.
Prevention Method : Operational security procedures need to be followed.
4. Backdoor and debug options : Debug options left enabled unnoticed provide an easy entry for an attacker into the website and let them make changes at the website level.
Prevention Method : Scan the system periodically for SUID/SGID files, and check the permissions and ownership of important files and directories periodically.
Application Level
It includes security at layer 7, i.e. the application level.
Attack Types
1. Hidden field manipulation : Certain fields in the website are hidden and used by the developers. An attacker can easily modify them on the web page.
Prevention Method : Avoid putting parameters into a query string.
2. SQL injection : Malicious code is inserted into standard SQL code to gain unauthorized access to a database.
Prevention Method : Avoid the usage of dynamically generated SQL in the code.
3. Cross-site scripting attack : Malicious scripts are injected into web content.
Prevention Method : Various techniques detect such security flaws, e.g. Active Content Filtering and Content-Based Data Leakage Prevention technology.
4. DoS Attack : Services used by the authorized users are made unusable for them.
Prevention Method : An Intrusion Detection System (IDS) is the most popular method of defense against this type of attack. Preventive tools are firewalls, switches and routers.
5. Google Hacking : The Google search engine is the best option for an attacker to get at sensitive information.
Prevention Method : Prevent sharing of any sensitive information; use software solutions such as a web vulnerability scanner.
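The SQL injection item above recommends avoiding dynamically generated SQL. The following added example (not code from the original article) puts the vulnerable and the hardened lookup side by side against a constructed in-memory SQLite table, so the difference can be run and observed.

```python
import sqlite3

# Constructed in-memory database standing in for a cloud-hosted SQL database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.test"), ("bob", "bob@example.test")])


def lookup_email_dynamic_sql(username):
    """Vulnerable: the value is spliced into the statement, so quotes and
    operators in it become part of the SQL the database executes."""
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_parameterized(username):
    """Hardened: the driver binds the value as data; it can never change the
    shape of the statement, whatever characters it contains."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    # A username containing a quote is harmless to the parameterized query but
    # rewrites the WHERE clause of the dynamic one, returning every row.
    crafted = "x' OR '1'='1"
    print(lookup_email_dynamic_sql(crafted))     # every e-mail in the table
    print(lookup_email_parameterized(crafted))   # []
```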
Infrastructure Security in Google Cloud ( Google Managed )
Ensuring Security at service deployment
1. Service Identity, Integrity, and Isolation
2. Inter-Service Access Management
3. Encryption of Inter-Service Communication
4. Access Management of End User Data
Ensuring Security at Data storage
1. Encryption at Rest
2. Deletion of Data
Ensuring Secure Internet Communication
1. Enabling security using the Google Front End service
2. Automated security enablement using Denial of Service (DoS) protection
3. Third level of security using user authentication
Ensuring Operational Security
1. Safe software deployment uses libraries that prevent XSS vulnerabilities in web apps
2. Keeping employee devices and credentials safe
3. Reducing the insider risk by using the principle of least privilege
4. Intrusion detection
Infrastructure Security Best Practices Checklist
1. Ensure visibility using a single-pane-of-glass tool like Stackdriver Monitoring across the projects.
2. Use the resource hierarchy feature of the GCP account to make access granular.
3. Optimize access management using IAM groups.
4. Manage firewalls to prevent security issues.
5. Optimize image lifecycle rules to secure the compute environment.
6. Use Organizations to open up a breadth of additional security features.
7. Implement column-level encryption for databases.
8. Use OAuth 2.0 as an integrated authorization plan.
9. Use whitelisting with Cloud IAP for access requests to VMs.
10. Implement Binary Authorization while using Kubernetes.
11. Use Cloud Web Security Scanner before deploying the applications.
12. Enable flow logs.
13. Segregate resources by projects.
14. Limit the use of Cloud IAM primitive roles.
15. Rotate Cloud IAM service account access keys periodically.
16. Ensure firewall rules are not overly permissive.
17. Ensure Cloud Storage buckets enforce appropriate access controls.
18. Ensure Cloud Storage buckets have logging and versioning enabled.
19. Create periodic snapshots of Compute Engine instances.
20. Create periodic backups of Cloud SQL instances.
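Items 14 and 16 of the checklist are the ones most easily verified automatically. The added example below (not code from the original article) runs two such checks over constructed samples in the JSON shape produced by gcloud for firewall rules and for a project IAM policy; in practice the JSON would be read from those commands rather than embedded.

```python
# Constructed samples in the shape of `gcloud compute firewall-rules list --format=json`
# and `gcloud projects get-iam-policy PROJECT --format=json` (assumption: real
# audits read the JSON from those commands instead of embedding it).
FIREWALL_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-all-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-internal", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
    {"name": "allow-https-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]
IAM_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.test"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@example.test", "group:devs@example.test"]},
    {"role": "roles/storage.objectViewer", "members": ["user:reader@example.test"]},
]}

WORLD = ("0.0.0.0/0", "::/0")
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
ADMIN_PORTS = {"22", "3389"}  # SSH and RDP should never be open to the world


def overly_permissive_rules(rules):
    """Names of INGRESS rules open to the whole internet on an admin port,
    on a port range, or on every port of a protocol (checklist item 16)."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "INGRESS":
            continue
        if not any(src in WORLD for src in rule.get("sourceRanges", [])):
            continue
        for allowed in rule.get("allowed", []):
            ports = allowed.get("ports")  # absent means every port of the protocol
            if (allowed["IPProtocol"] == "all" or ports is None
                    or any(p in ADMIN_PORTS or "-" in p for p in ports)):
                findings.append(rule["name"])
                break
    return findings


def primitive_role_bindings(policy):
    """(member, role) pairs that hold a primitive role (checklist item 14)."""
    return [(member, binding["role"]) for binding in policy["bindings"]
            if binding["role"] in PRIMITIVE_ROLES for member in binding["members"]]
```

Note that a rule open to the world on port 443 alone is not flagged: the check distinguishes a deliberately public HTTPS endpoint from exposed administrative access.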
Infrastructure Security in AWS cloud
1. Account Security Features
Secure access using MFA, strong passwords, password rotation policies, access keys and the Security Token Service. Authenticate compute instances using EC2 key pairs and X.509 certificates for enhanced security.
2. Ensure usage of HTTPS access points.
3. Security logs for debugging or real-time alerting.
4. Trusted Advisor for security checks and other features to optimize the infrastructure utilization.
5. AWS Config for service configuration security.
6. Ensure that no S3 buckets are publicly readable/writable unless required by the business.
7. Turn on Redshift audit logging in order to support auditing and post-incident forensic investigations for a given database.
8. Encrypt data stored in EBS as an added layer of security.
9. Encrypt Amazon RDS as an added layer of security.
10. Enable the require_ssl parameter in all Redshift clusters to minimize the risk of man-in-the-middle attacks.
11. Restrict access to RDS instances to decrease the risk of malicious activities such as brute force attacks, SQL injections or DoS attacks.
12. Inventory and categorize all existing custom applications deployed in AWS.
13. Involve IT security teams throughout the application development life cycle.
14. Grant the fewest privileges possible for application users.
15. Enforce a single set of data loss prevention policies.
16. Encrypt highly sensitive data such as protected health information (PHI) or personally identifiable information (PII) using customer-controlled keys.
17. Periodically move logs from the source to a log-processing system.
18. Run a configuration audit.
19. Don't commit your access keys or credentials.
20. Leverage detective controls to identify potential security incidents.
21. Don't forget to include your mobile apps in an audit.
22. Never use root access keys to request access through APIs or other common methods.
23. It's your responsibility to apply the latest security patches to EC2 instances.
24. Scan your Git repositories and history for AWS keys.
25. Use private subnets with appropriate ACLs for anything that doesn't need to be public.
26. Eliminate blind spots.
27. Use granular permissions and versioning to protect data in S3 buckets.
28. Ensure that changes are properly verified and tracked.
29. Bundle native and third-party tools to create a secure AWS environment.
30. Identify, define and categorize information assets.
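Items 19 and 24 call for scanning repositories and their history for committed AWS keys. The added example below (not code from the original article) implements such a detector over a constructed snippet resembling git log -p output; the key values are made-up placeholders in the AWS key format, and the secret is only matched next to its variable name, which is an assumption made to keep false positives low.

```python
import re

# Constructed text resembling `git log -p` output; the key values are made-up
# placeholders in the AWS format, not real credentials.
SAMPLE_HISTORY = """\
commit 1111111111111111111111111111111111111111
diff --git a/config.py b/config.py
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000001"
+AWS_SECRET_ACCESS_KEY = "EXAMPLEsecretKEY0123456789abcdefghijklmn"
commit 2222222222222222222222222222222222222222
diff --git a/README.md b/README.md
+Set AWS_ACCESS_KEY_ID from your environment; never commit it.
"""

# Long-term access key IDs start with AKIA and temporary ones with ASIA, followed
# by 16 upper-case alphanumerics. The secret is 40 base64-like characters and is
# only recognised here next to its variable name (assumption: reduces noise).
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\W*([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def mask(value):
    """Keep only the ends so that a report never re-leaks the credential."""
    return value[:4] + "..." + value[-4:]


def scan_for_aws_keys(history):
    """Return (commit, line_no, kind, masked_value) for each credential found."""
    findings, commit = [], None
    for line_no, line in enumerate(history.splitlines(), start=1):
        if line.startswith("commit "):
            commit = line.split()[1]  # attribute later findings to this commit
            continue
        for match in ACCESS_KEY_RE.finditer(line):
            findings.append((commit, line_no, "access_key_id", mask(match.group(0))))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((commit, line_no, "secret_access_key", mask(match.group(1))))
    return findings


if __name__ == "__main__":
    for finding in scan_for_aws_keys(SAMPLE_HISTORY):
        print(finding)
```

A key found in history remains compromised even after the file is deleted in a later commit; the only remediation is to rotate it.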
Data Security
Securing Data at Rest
Determine the sensitive data and make sure it is completely encrypted at rest.
Make sure that all the data stored in storage services like VM disks, storage buckets, file systems, etc. is encrypted at rest using either the cloud provider's default encryption mechanism or the cloud provider's KMS service.
A cloud KMS service is a more secure way of protecting data, and extremely sensitive data should be encrypted using a KMS service.
Backups, snapshots of disks and any other data should also be encrypted using the KMS service.
The encryption algorithms should be AES-256 or AES-128, and preferably AES-256 should be used.
Securing Data in Transit
The services within the cloud and outside the cloud should communicate over secured HTTPS links.
Access to the databases should also be over SSL-secured URLs.
The web services exposed to the world should have strong authentication mechanisms in place, like OAuth 2.0 or JWT token-based access.
The services used only within the cloud network should not have publicly exposed endpoints.
Use the cloud provider's internal network to access the cloud services wherever possible. E.g. we have a web application running on VM servers that needs to access data on cloud storage services; the Cloud Storage API calls should then go via the cloud provider's private network using services like AWS Endpoints, GCP VPC Private Access, etc.
Access Control
The services accessing the databases should not be publicly exposed.
The database resources should have restricted access, allowed through IAM only from those services which explicitly need to connect to the database.
The sensitive data stored on storage devices/services should only be accessible to authorized personnel. Proper access control mechanisms should be in place to avoid any unnecessary data leakage.
IAM should be used.
Application Security
Optimizing Persistent Disk Performance
Ensuring Continuous Delivery
Securing the traffic to the instances using firewalls
Enable VPC Flow Logs.
Use Logging and Versioning of Cloud Storage Bucket
Limiting the use of Cloud Identity and Access Management Primitive Roles
Ensure deletion of persistent disks if not required
Eliminate vulnerabilities before applications go into production. Adopt security tools that integrate into the developer's environment.
Analyze your application security risk profile so you can focus your efforts.
Make sure you understand your cloud security provider’s risks and controls.
Develop a structured plan to coordinate security initiative improvements with cloud migration.
Establish security blueprints outlining cloud security best practices.
For better quality, a few segments of the article are taken from AWS/GCP whitepapers and Ph.D. research papers.
The founder of TacoBIG.com. He is a Cloud Architect from Bangalore interested in contributing guidance to cloud-related communities. He loves to read books and share knowledge with others. He is keen on understanding financial wisdom and sharing thoughts on how to achieve financial freedom.