Cloud is a term we hear very frequently these days. I have covered some aspects of the cloud in my previous blogs; in this blog we will actually look at cloud security and cloud architecture: how things work in the cloud and how its pieces fit together.
What is cloud architecture, and what are the cloud deployment models?
There are different types of cloud deployment models. Depending on who owns the infrastructure and where it is hosted, they are classified as follows.
Public cloud:
A CSP (cloud service provider) offers services over the internet, and the infrastructure that hosts those services is reachable from the public internet.
Users pay only for as much as they use.
Because the underlying resources are shared between tenants, there is a security risk (a weakness in tenant isolation, or a misconfiguration on your side, exposes data to others) and a performance risk (noisy neighbours).
Note: There is also a "hosted private" option, where the provider runs dedicated infrastructure for one customer. It is more secure but costly.
Private cloud:
As the name suggests, a private cloud is completely private and cannot be reached from the public internet; clients connect through a VPN (typically using a VPN configuration file issued by the organization). It is mostly used by the banking and government sectors, because they require strict access control in their operations and their data is confidential, so it cannot be placed on shared public infrastructure.
Here the organization has more privacy and more control over security.
It can be on-premises or off-site, as the business requires. On-premises infrastructure gives the organization direct control over the hardware and its physical security; off-premises hands part of that control to the hosting provider.
It is costly compared to the public cloud.
Community cloud:
In this model, several organizations with similar requirements share the cost of either a public-style or a private-style cloud. Pooling resources this way lets them standardize on a common security policy.
Hybrid cloud:
Some cloud solutions combine private, public, community, hosted, on-site and off-site deployments in one architecture.
In cloud architecture we also have different cloud service models. They differ in how much of the stack the provider manages, and all of them fall under "anything as a service" (XaaS). The key point is to identify where responsibilities lie, i.e. which layers the provider secures and which layers remain the customer's job. The three most common implementations are based on infrastructure, platform and software.
i. Infrastructure as a service/IaaS:
We rent servers, load balancers or SAN components from the provider instead of buying them. Nothing needs to be set up on our own premises; the service is delivered directly from the provider's data center. The provider secures the physical hardware and the hypervisor; the operating system, patches and applications on the rented machines remain our responsibility.
ii. Software as a service/SaaS:
There is no need to purchase software licenses: users access software hosted on the supplier's servers and pay for as much as they use, or according to a lease agreement (on demand). Deployment is faster because nothing has to be installed or maintained on the user's side.
iii. Platform as a service/PaaS:
PaaS sits between SaaS and IaaS. It provides the servers and network infrastructure of IaaS and, on top of that, a multi-tier application runtime and database platform.
It differs from SaaS in that a PaaS offering does nothing useful on its own: the application developer has to write and deploy the software that runs on the platform.
· How can the cloud be secured?
Cloud architecture gives its users flexibility, but data security matters when we move data from private to public storage: a weak cloud configuration brings it that much closer to attackers. We have to secure the compute, network and storage resources to maintain confidentiality, integrity and availability.
i. VM escape protection:
When malware running on a guest operating system breaks out of its virtual machine and reaches another guest or the host/hypervisor, that is a VM escape; VM escape protection is everything we do to prevent it. The risk grows when machines are not properly isolated from each other (for example, guests sharing a bridged network adapter so that they sit on the same network segment as the host). Malware first tries to find out whether it is running inside a VM and which applications run there: there are "signatures", such as virtual hardware identifiers and driver names, that an attacker can use to recognise a hypervisor's presence. After identification it attacks what it finds, for example with a "timing attack" against an authentication server: it submits many usernames, and because the server answers immediately for an unknown username but takes longer for a valid one (it only performs the password check for accounts that exist), the attacker can enumerate valid usernames by measuring the response times.
If another application on the same host is vulnerable, the attacker may gain access to your server or to data residing in the memory of the physical server. After compromising the hypervisor, an attacker can make copies of the server images and download them from anywhere. This lets the attacker steal all unencrypted data, and if the server admin saved the private key on the same system, the encrypted data can be decrypted with that key too.
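The username-enumeration timing attack described above, shown as a constructed example (added here; it is not code from the original post): `login_vulnerable` returns at once for an unknown username, so the "no" is fast, while `login_hardened` always runs the same password hash (against a dummy record when the user does not exist) and uses a constant-time comparison. The user store, the passwords and the `hash_calls` counter are inventions for this illustration; the counter makes the work difference visible without depending on a noisy clock.

```python
import hashlib
import hmac
import os
import time

# Constructed user store {username: (salt, pbkdf2_hash)}; example data only.
_ITERATIONS = 50_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse battery", _SALT))}
# A dummy credential hashed once at startup, so that a request for an unknown
# username costs exactly as much work as one for a real account.
_DUMMY = (_SALT, _pbkdf2("dummy-password-never-matches", _SALT))

hash_calls = 0  # number of expensive hash computations since the last reset


def _check(password: str, salt: bytes, expected: bytes) -> bool:
    global hash_calls
    hash_calls += 1
    # compare_digest does not stop at the first differing byte
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: no hashing, so the 'no' arrives fast."""
    record = USERS.get(username)
    if record is None:
        return False  # this fast path leaks that the username does not exist
    return _check(password, *record)


def login_hardened(username: str, password: str) -> bool:
    """Does the same amount of work whether or not the username exists."""
    record = USERS.get(username)
    salt, expected = record if record is not None else _DUMMY
    ok = _check(password, salt, expected)
    return ok and record is not None  # the dummy record can never log in


def hash_cost(fn, username: str, password: str = "guess") -> int:
    """How many expensive hash computations fn performs for this username."""
    global hash_calls
    hash_calls = 0
    fn(username, password)
    return hash_calls


def response_time(fn, username: str, password: str = "guess") -> float:
    """Wall-clock seconds for one login attempt (what a remote attacker measures)."""
    start = time.perf_counter()
    fn(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        for user in ("alice", "nobody"):
            print(f"{fn.__name__:17} {user:7} hashes={hash_cost(fn, user)} "
                  f"time={response_time(fn, user):.4f}s")
```

Run it and the vulnerable version shows a near-zero time for "nobody" against a measurable one for "alice"; the hardened version shows the same cost for both, so response time no longer tells the attacker which usernames exist.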
· Monitor the hypervisor software and install updates on a timely basis.
· Make sure that the applications hosted in the cloud are isolated from each other.
· Track published security vulnerabilities in the hypervisor and patch them as soon as possible.
ii. Cloud security controls:
The cloud needs the same security controls as on-premises networks, such as IAM, endpoint protection and secrets management.
IAM provides proper authentication and authorization of users and applications, just as it does on-premises.
· Secrets management:
Cloud services are reachable remotely by design, so if we fail to manage credentials, one leaked credential exposes the user and potentially the whole system.
i. A highly privileged account exists by default (root on Linux, the built-in Administrator on Windows, and the root user of a cloud account), but it should be used only when a specific requirement calls for it; day-to-day work goes through individual accounts with only the permissions they need.
ii. Always require MFA for sensitive operations.
iii. For managing secrets, apply the IAM principles that I discussed in the blog linked above.
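One practical piece of credential management is catching secrets that were pasted into code or deploy scripts before they ship. The scanner below is an added example (mine, not from the original post): it runs three patterns over a set of constructed files and reports each hit with the value redacted. The sample files are made up; the AWS values in them are the placeholder credentials AWS uses in its own documentation, not real keys.

```python
import re

# Constructed sample files for this example (the AWS values are AWS's documented
# placeholders, the password is invented).
SAMPLE_FILES = {
    "app/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/run.sh": "export DB_PASSWORD='hunter2'\naws s3 ls\n",
    "app/good_settings.py": 'import os\nAWS_REGION = os.environ["AWS_REGION"]\n',
}

# (finding kind, pattern); group 1 captures the secret itself
PATTERNS = [
    # long-term (AKIA) and temporary (ASIA) access key IDs: 4-letter prefix + 16 chars
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    # a 40-character base64-like value assigned to the secret key variable
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    # any quoted literal assigned to a variable whose name ends in password/passwd/pwd
    ("hardcoded-password",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{4,})['\"]")),
]


def _redact(secret: str) -> str:
    """Keep a 4-character prefix so the finding can be located, hide the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_text(path: str, text: str) -> list[tuple[str, int, str, str]]:
    """Return (path, line_no, kind, redacted_value) for every secret found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((path, line_no, kind, _redact(match.group(1))))
    return findings


def scan_files(files: dict[str, str]) -> list[tuple[str, int, str, str]]:
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind}: {value}")
```

The clean file passes because it reads its configuration from the environment, which is the pattern to aim for: credentials come from an instance role or a secrets store at runtime and never sit in the repository. Running a check like this in CI turns "fail to manage credentials" into a build failure instead of a breach.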
iii. Cloud computing security
In cloud computing, the compute components provide the processing power and memory to carry out a task. In most AWS cases we use EC2 instances. If we are processing a large amount of data, make sure the EC2 instance has enough memory to handle it; an instance that runs out of resources is an availability problem.
To know more about EC2, please check my previous blog.
How to secure a container?
A container shares the host kernel with every other container on that host, so the user has to be careful when configuring it to reduce the risk of data exposure.
· We isolate containers with separate namespaces and control groups (cgroups).
· Namespaces: each container gets its own view of process IDs, mount points, network interfaces and users, so a process in one container cannot read from, write to or signal another container's processes.
· Control groups: cgroups cap the CPU, memory and number of processes a container may use, so one container cannot overwhelm the others in a DoS-style attack.
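To make the namespace and cgroup points concrete, here is an added example (my own, not from the original post) that audits the `HostConfig` section of a container the way `docker inspect` reports it. The two container records are constructed for the illustration; the field names (`Privileged`, `PidMode`, `NetworkMode`, `Memory`, `PidsLimit`, `CapAdd`, `Binds`, `ReadonlyRootfs`) are Docker's, the values are made up.

```python
# Constructed subsets of `docker inspect` output (Docker's field names, invented values).
WEAK_CONTAINER = {
    "Name": "/legacy-worker",
    "HostConfig": {
        "Privileged": True,
        "PidMode": "host",
        "NetworkMode": "host",
        "IpcMode": "",
        "Memory": 0,
        "PidsLimit": None,
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        "ReadonlyRootfs": False,
    },
}

HARDENED_CONTAINER = {
    "Name": "/api",
    "HostConfig": {
        "Privileged": False,
        "PidMode": "",
        "NetworkMode": "api-net",
        "IpcMode": "",
        "Memory": 512 * 1024 * 1024,
        "PidsLimit": 200,
        "CapAdd": None,
        "CapDrop": ["ALL"],
        "Binds": ["/srv/api/data:/data:ro"],
        "ReadonlyRootfs": True,
    },
}


def audit_container(container: dict) -> list[str]:
    """Return one message per isolation weakness found in the HostConfig."""
    hc = container.get("HostConfig", {})
    problems = []
    # Namespace isolation: sharing a host namespace lets the container see,
    # signal or sniff what belongs to the host and to every other container.
    if hc.get("Privileged"):
        problems.append("Privileged=true: all capabilities and host devices, isolation effectively off")
    for key, ns in (("PidMode", "pid"), ("NetworkMode", "net"), ("IpcMode", "ipc")):
        if hc.get(key) == "host":
            problems.append(f"{key}=host: shares the host {ns} namespace")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in ("ALL", "SYS_ADMIN", "SYS_PTRACE"):
            problems.append(f"CapAdd {cap}: capability that commonly enables escapes")
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            problems.append("docker socket mounted: container can drive the daemon (root on the host)")
    # cgroup limits: without them one container can starve the others (DoS).
    if not hc.get("Memory"):
        problems.append("Memory=0: no cgroup memory limit")
    if not hc.get("PidsLimit") or hc.get("PidsLimit", 0) < 0:
        problems.append("PidsLimit not enforced: a fork bomb can exhaust the host's process table")
    if not hc.get("ReadonlyRootfs"):
        problems.append("ReadonlyRootfs=false: root filesystem is writable")
    return problems


if __name__ == "__main__":
    for c in (WEAK_CONTAINER, HARDENED_CONTAINER):
        print(c["Name"], audit_container(c) or ["ok"])
```

The hardened record corresponds to starting the container with `--cap-drop ALL`, `--read-only`, `--memory 512m` and `--pids-limit 200` on its own user-defined network; the weak one is what `--privileged --pid=host --network=host` with the Docker socket mounted looks like, and any one of those settings undoes the namespace isolation the previous bullets rely on.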
iv. Storage security
Computation resources need persistent storage. Cloud architecture commonly uses object-based storage (S3 on AWS) for this.
For storage security on AWS, please go through this blog of mine.
Permissions and resource policies
Users authorize access to storage resources with policies; if the policies are set correctly, no one can reach a resource without authorization. In the cloud we also have ACLs to manage permissions on individual buckets and objects.
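To show how "policies set correctly" actually decide a request, here is an added example (mine, not the original post's code, and not AWS's implementation) of the core IAM evaluation rule: any matching explicit Deny wins, otherwise a matching Allow from the identity policy or the bucket policy grants access, otherwise the request is implicitly denied. The policies, ARNs and account ID are constructed; conditions, SCPs and cross-account rules are left out, as the docstring notes.

```python
import re

# Constructed example policies (invented ARNs and account ID).
IDENTITY_POLICY = [  # attached to the IAM user making the call
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
]

BUCKET_POLICY = [  # resource policy on reports-bucket: nobody may delete
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::reports-bucket/*"},
]

PUBLIC_READ_POLICY = [  # the statement that makes a bucket world-readable
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::reports-bucket/*"},
]

CALLER = "arn:aws:iam::123456789012:user/analyst"
ANONYMOUS = None  # unauthenticated request from the internet


def _wild(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: * matches any run of characters, ? a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(statement: dict, caller) -> bool:
    principal = statement.get("Principal")
    if principal is None:            # identity policy: applies to its owner only
        return caller is not None
    if isinstance(principal, str):   # "*" means everyone, including anonymous
        return principal == "*" or principal == caller
    return caller is not None and caller in _as_list(principal.get("AWS", []))


def evaluate(caller, action: str, resource: str, identity_policy, resource_policy) -> str:
    """Simplified same-account IAM evaluation.

    Returns 'EXPLICIT_DENY', 'ALLOW' or 'IMPLICIT_DENY'. Any matching Deny wins;
    otherwise an Allow from either the identity or the resource policy suffices
    (true for S3 within one account; cross-account access needs both sides to
    allow, and Condition blocks and SCPs are ignored here).
    """
    identity_statements = list(identity_policy) if caller is not None else []
    allowed = False
    for st in identity_statements + list(resource_policy):
        if not _principal_matches(st, caller):
            continue
        if not any(_wild(a, action, ignore_case=True) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "EXPLICIT_DENY"
        allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


if __name__ == "__main__":
    obj = "arn:aws:s3:::reports-bucket/q1.csv"
    print(evaluate(CALLER, "s3:GetObject", obj, IDENTITY_POLICY, BUCKET_POLICY))
    print(evaluate(CALLER, "s3:DeleteObject", obj, IDENTITY_POLICY, BUCKET_POLICY))
    print(evaluate(ANONYMOUS, "s3:GetObject", obj, IDENTITY_POLICY, BUCKET_POLICY))
    print(evaluate(ANONYMOUS, "s3:GetObject", obj, IDENTITY_POLICY, PUBLIC_READ_POLICY))
```

The last call is the one to remember: with a `Principal: "*"` Allow on the bucket, an anonymous caller with no identity policy at all gets `ALLOW`, which is exactly how data ends up exposed from a "private" bucket.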
v. Cloud network security
In the cloud, users can build their own networks, like an on-premises data center, using a VPC (virtual private cloud). By default VPCs are isolated from each other, even when they exist in the same account.
Public and private subnets
Each subnet within a VPC is either private or public. If the subnet's route table has a default route (0.0.0.0/0) pointing at an internet gateway, it becomes a public subnet. The internet gateway (a virtual router) performs 1:1 NAT between an instance's public IP and its private IP. If instances in private subnets need to communicate outside the VPC, there are two ways:
NAT gateway: instances can connect out to the internet and to other resources, but no connection can be initiated from the internet.
VPN: the VPC can be connected to a VPN, either at the software layer (a VPN appliance you run yourself) or using CSP-managed features.
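The public/private distinction is decided entirely by the route tables, so it can be audited from them. The added example below (my own, not from the original post) classifies subnets from data in the shape of EC2's `describe_route_tables` output and then flags internal-role instances that landed in a public subnet. The route tables, subnet and instance IDs and tags are constructed; the main route table's implicit associations and IPv6 default routes are ignored, as the comments say.

```python
# Constructed data in the shape of EC2 describe_route_tables / describe_instances
# output (IDs and tags are invented). Simplifications: only explicit subnet
# associations are considered (the main table's implicit ones are skipped) and
# only the IPv4 default route 0.0.0.0/0 is examined.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-web-a"}, {"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456"}]},
    {"RouteTableId": "rtb-isolated",
     "Associations": [{"SubnetId": "subnet-cache-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-web-a", "Tags": [{"Key": "Role", "Value": "web"}]},
    {"InstanceId": "i-db", "SubnetId": "subnet-db-a", "Tags": [{"Key": "Role", "Value": "database"}]},
    {"InstanceId": "i-app", "SubnetId": "subnet-app-a", "Tags": [{"Key": "Role", "Value": "app"}]},
]

# Roles that should never be directly reachable from the internet (example policy).
INTERNAL_ROLES = {"database", "app", "cache"}


def classify_subnets(route_tables) -> dict:
    """Map subnet id -> 'public', 'private-nat' or 'isolated' from its default route."""
    result = {}
    for rtb in route_tables:
        kind = "isolated"  # no default route at all: VPC-internal traffic only
        for route in rtb["Routes"]:
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if route.get("GatewayId", "").startswith("igw-"):
                kind = "public"  # internet gateway: inbound connections possible
            elif route.get("NatGatewayId"):
                kind = "private-nat"  # outbound only, via the NAT gateway
        for assoc in rtb.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = kind
    return result


def misplaced_instances(instances, route_tables) -> list:
    """Instance ids with an internal role that sit in a public subnet."""
    subnet_kind = classify_subnets(route_tables)
    findings = []
    for inst in instances:
        role = next((t["Value"] for t in inst.get("Tags", []) if t["Key"] == "Role"), None)
        if role in INTERNAL_ROLES and subnet_kind.get(inst["SubnetId"]) == "public":
            findings.append(inst["InstanceId"])
    return findings


if __name__ == "__main__":
    for subnet, kind in classify_subnets(ROUTE_TABLES).items():
        print(f"{subnet}: {kind}")
    print("internal instances in public subnets:", misplaced_instances(INSTANCES, ROUTE_TABLES))
```

In the sample, `subnet-db-a` shares the public route table with the web tier, so the database instance is flagged: it should live in the NAT-only subnet, where it can still fetch patches but cannot be reached from the internet.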
So in this blog we have covered how to use a cloud service provider with better security.