Cloud Security - A Primer by Yogesh Gupta, CISSP® CCSK CCSP - The Cloud, Services, Standards - Peerlyst
Cloud technology is disruptive and here to stay, so it is imperative that we understand cloud security and
get our basics right before we dive into the more complex technologies used to secure the cloud. What is the
cloud, and how do we secure it?
What is cloud?
There are a number of definitions out there from NIST, ISO/IEC, ENISA etc., but I would like to explain it in a
very simple way. "Cloud" is a very large pool of resources such as processors, memory and storage. A consumer
asks for the specific resources it wants, for example 2 CPUs and 4 GB of memory; the provider assigns those to
the client, who then uses them over the network. When the client is done, it releases the resources back into
the pool for someone else to use.
There are two techniques which make the cloud viable: abstraction and orchestration. Abstraction
(virtualisation) is used to abstract resources from the physical infrastructure to create large pools, and
orchestration (automation) is used to coordinate chunking and delivering the resources requested by the consumer.
Orchestration is the technique which differentiates the cloud from traditional virtualisation: in traditional
virtualisation, the process of assigning resources is manual.
Now, how is the cloud delivered to the consumer? NIST defines 5 essential characteristics, 3 service models and 4
deployment models, as shown below (image taken from a Cloud Security Alliance document).
8/15/2018 Cloud Security - A Primer by Yogesh Gupta, CISSP® CCSK CCSP - the cloud, services, standards | Peerlyst
You can read the NIST publications NIST SP 800-143, NIST SP 800-144 and NIST SP 800-145 for more details.
Let us first understand the logical model of the cloud, so that we can make more informed decisions on securing it.
According to functionality, the cloud can be divided into several layers, as depicted in the figure below:
Infrastructure: This, as the name suggests, is the physical infrastructure on which the foundation is built. It
consists of core components like compute, network and storage.
Metastructure: This layer provides the interface between the infrastructure and the other layers. It consists
of the protocols and technologies that help in management and configuration.
Applistructure: This layer is all the applications that have been migrated to the cloud or built on
PaaS. It consists of applications and services like messaging, AI and SNS (in the case of AWS).
Infostructure: This is the information layer, which consists of data. It could be databases, files, content, PII etc.
One thing to note here is that the key difference between cloud computing and traditional computing is
the Metastructure layer: it includes the management plane and allows us to access the resources remotely.
Now it will be easier for us to understand how to secure the cloud, as different security mechanisms can be applied
to different layers of the logical model: application security to the Applistructure, data security to the
Infostructure and infrastructure security to the Infrastructure layer.
And that is why, as far as security at the infrastructure level is concerned, it is a shared responsibility between
the cloud provider and the cloud consumer. The provider takes care of the physical infrastructure security and the
consumer takes care of the virtual infrastructure security. This also resonates with the AWS shared
responsibility model, which terms these two layers "Security in the cloud" and "Security of the cloud":
AWS is responsible for security of the cloud and the customer is responsible for security in the cloud.
Some of the relevant standards and frameworks used by the industry are Microsoft's Security Development
Lifecycle, NIST 800-64, ISO 27034 and OWASP (Open Web Application Security Project).
This piece of security is perhaps the most important bit of security as far as the consumer is concerned. And I
would like to highlight a caveat here which is often misunderstood and which you need to understand very
clearly: "You do not pass on the responsibility to the cloud provider when you store your data in the cloud,
whether it is databases or even PII." You, as the customer, are ultimately responsible and legally liable for
any data loss or breach. You can claim financial redress or other remedies from the cloud provider, but this is
limited to what is written in the Service Level Agreement (SLA).
Now, data-level cloud security mainly consists of controls and processes around the following key points:
This level of cloud security focuses more on users, groups, policies and entitlement processes. There is a
separate domain, Identity and Access Management, which focuses on this level of security. Some of the key
areas of focus under user-level cloud security are:
So, what I have explained above is a brief cloud security overview; it presents the picture of cloud security as
you see it from the top. Of course, we can dig deeper into each and every point above, which will reveal more
and more layers of technologies and processes that make our cloud secure and available.
There are other controls as well, like API security, which interfaces with multiple layers and is of great
importance. APIs are like the gates of our traditional physical infrastructure: if an adversary gets access to our
management plane, he has access to just about everything on our virtual infrastructure.
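The two points above (user-level security is about users, groups, policies and entitlements; whoever holds the management plane holds everything) can be checked mechanically. What follows is an added example, not code from the post, from Peerlyst or from any cloud provider: a small lint that reads AWS IAM-style policy JSON and flags Allow statements that hand out the whole management plane. The policy grammar (Version, Statement, Effect, Action, NotAction, Resource, Condition) is the real IAM shape; the three sample policies, the bucket name and the specific checks are constructed assumptions for illustration.

```python
"""Least-privilege lint for IAM-style policy documents.

Added example: not from the original post. The policy documents below are
constructed samples, not real policies from any account.
"""
import json
from typing import Any

# Constructed sample: an administrator-style policy that grants the entire
# management plane. Any principal holding it can do anything in the account.
BROAD_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
"""

# Constructed sample: a service-wide wildcard, narrower than "*" but still
# every EC2 call on every resource.
SERVICE_WILDCARD_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}
  ]
}
"""

# Constructed sample: a scoped policy for a job that only reads one bucket
# (bucket name is an assumption), plus a Deny that is not a finding.
SCOPED_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports",
                  "arn:aws:s3:::example-reports/*"]},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
"""


def _as_list(value: Any) -> list:
    """IAM accepts either a string or a list in Statement/Action/Resource;
    normalise both forms to a list so the checks below stay simple."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[str]:
    """Return one finding per over-broad Allow grant, in statement order.

    Only Allow statements are examined: Deny statements narrow access and
    therefore never widen the management-plane exposure this lint is after.
    """
    policy = json.loads(policy_json)
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Full wildcard: every API call in every service.
        if "*" in actions:
            findings.append(f"statement {idx}: Action '*' allows every API call")
        # Service-wide wildcard such as "ec2:*" or "iam:*".
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(
                    f"statement {idx}: Action '{action}' allows every call in that service")
        # Unscoped resource: the grant applies to everything in the account.
        if "*" in resources:
            findings.append(
                f"statement {idx}: Resource '*' applies to every resource in the account")
        # Allow + NotAction grants everything except the listed actions,
        # which is usually far broader than the author intended.
        if "NotAction" in stmt:
            findings.append(
                f"statement {idx}: Allow with NotAction grants everything not listed")
    return findings


if __name__ == "__main__":
    for name, doc in [("broad", BROAD_POLICY_JSON),
                      ("service-wildcard", SERVICE_WILDCARD_POLICY_JSON),
                      ("scoped", SCOPED_POLICY_JSON)]:
        print(name, "->", lint_policy(doc) or "no findings")
```

The scoped policy produces no findings because each Allow names explicit actions and explicit resource ARNs; the other two are exactly the kind of entitlement that, in the author's words, gives an adversary who obtains the credential "just about everything" on the virtual infrastructure. Running a check like this over every policy attached to users, groups and roles is one concrete entitlement-process control for the user-level layer.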
Finally, I would like to add a disclaimer that this is just an overview of cloud security to begin with, and may
not cover each and every aspect of cloud security.
Next, I would like to cover compliance in the cloud, because, remember, security and compliance are two pieces of
a big puzzle. I think of compliance as a secure baseline, the minimum we should do, and of security as something
you build upon compliance to take overall organisational security towards greater
maturity.
To reach out to me for cloud security discussions and consulting, you can reach me through Secloud
LLC at [email protected]
Tags: cloud, the cloud, services, standards, providers, ISO, compliance, management, storage
Great article. With organizations moving to the cloud and selecting the various as-a-service offerings, providing a
baseline of security requirements is very important. If you are in an organization that utilizes or is
required to utilize requests for proposals (RFPs), it is important to list the security requirements upfront.
This same knowledge contributes to the overall evaluation to determine if it is a better choice to
go cloud or host locally.
Upvote 1 Reply
I agree with the others, Yogesh Gupta, CISSP® CCSP - you've done a nice job of building a high-
level framework for understanding the building blocks. Naturally, I'd like to see these built out further in
friendly ways for business audiences to understand. For example, whenever we use specialized words
like "Federated" I like to help explain exactly what that means.
There is a vast level of fluency present here within the Peerlyst Community. However, if we are trying
to build a body of knowledge that is accessible, it is important for us to liberate that knowledge by
expressing it in ways that are friendly to broader audiences and cultures of learning. You've succeeded
in doing that here! Well done! Thanks for inviting me to chime in.
Upvote 2 Reply
Chad Calease Thank you for your feedback. Yes, I will build this out further with more deep
dives, and I will make sure it remains relevant to both the business and the technical community.
Upvote 2 Reply
Hi Yogesh Gupta, I think your article is a good introduction to cloud security in general. I am quite sure
you are already aware how big the topic is and have had the chance to read the publications of the Cloud Security
Alliance. I would suggest you continue by answering real-life challenges that many organizations
have nowadays, like for instance which public cloud provider to select or how to combine
existing security solutions with those provided by cloud providers. Moreover, I have seen you
mentioned Vulnerability Analysis and Penetration Testing under Application security. Of course that is
not wrong; however, cloud infrastructure may also contain vulnerabilities and/or missing security
configurations. Therefore all the layers of cloud security should be regularly evaluated, either
by vendor-provided services (e.g. AWS Inspector, AWS Trusted Advisor) or through "deep
diving" pentest exercises by involving a trusted third party.
Upvote 2 Reply
About writing on real-life challenges, yes, that is the plan. This is just an introduction for people
who may or may not know much about cloud and cloud security.
Yogesh Gupta, CISSP® CCSP Thank you for your feedback, I see you have already taken a
very good direction. Regarding pentests you may be right in some cases, but I think it also
depends on the type of contract. From my experience, security assessments on the infrastructure level
were also allowed by AWS after being included in an authorization request and some additional
Great article Yogesh Gupta, CISSP® CCSP! I really like starting with the basics and working your way
up :) It gives an opportunity to understand the concepts you are building on as you continue to dive
more in depth. I find it interesting to see not only where the subject is but the thought process of
developing material. I have been stagnant in my writing as of late but hopefully will make time to pick
it up again.
Upvote 5 Reply
+1
Upvote 1 Reply
Rob Chaykoski Thanks for your kind observation. Yes, I do have a desire to create more
and more training material, but the time constraint is there!! I am working on a
cyber security training platform though, but let's see how it goes.
About writing, I have realised that one can never make enough time, so it's better to keep
jotting down point after point on a cellphone or iPad and then compile them over the
weekend ... That's the way to go :-) :-)
Upvote 2 Reply
Fantastic primer, no comments except some things that did not seem proper English, but hey, who is a
German to try to correct anyone on UK language!
Upvote 3 Reply
4 replies
Anthony Noblett CISSP, CISA, CGEIT, CRISC, CCSK, CCSP, Sept 25, 2017
The back end of this article is good; the front end is information that all
information security professionals should know by now. Are you going to go further and talk about what
actual processes and tools are available to implement cloud security controls?
Upvote 5 Reply