Cloud Security (CIT 610)

Lec 4: Securing the Cloud – Key Strategies & Best Practices

Dr. Amer Aljaedi

College of Computing and Information Technology
University of Tabuk
[email protected]
 Outline
• Overall Strategy: Effectively Managing Risks
• Overview of Security Controls
• The Limits of Security Controls
• Best Practices
• Security Monitoring

2
 Introduction
• This Chapter aims to build on material that was introduced throughout
earlier chapters and make it actionable so that it can be applied in
practice.
• In practical terms, security engineers and administrators, along with
cloud designers, seek to prevent, detect, and respond to security
vulnerabilities and threats in an effective manner.
• One key strategy for cloud security is to implement effective security
monitoring and vulnerability detection.

3
 Overall Strategy: Effectively Managing Risk
• Addressing security risks can be done in various ways, but without a
sound process and a considered strategy such efforts often prove
ineffective.
• Appropriate approaches in different realms (for instance finance and
healthcare) can vary significantly. Consequently, suitable security
controls will also vary.
• Throwing every available security control at a cloud service without first
establishing requirements or defining a governing policy is not practicing
effective security, and it may result in neutering end-user functionality.

4
 Overall Strategy: Effectively Managing Risk
• It should also be recognized that risk management does involve
business decisions about the costs on either side of the equation.

5
 Risk Management: Stages & Activities
• Effectively managing security risk involves multiple activities that extend
over time. These activities can be grouped into four stages:
1. Plan
2. Implement
3. Evaluate
4. Maintain

6
 Risk Management: Stages & Activities
• Each stage includes discrete steps, these include activities such as:
developing a comprehensive security policy, classifying data and
systems, and performing a risk assessment.

7
 Risk Management: Stages & Activities
• The following characterizations are derived from previous work that is
documented in many domains, including NIST and International Standards
Organization (ISO):
Information Resource Categorization
Select Security Controls
Risk Assessment
Implement Security Controls
Assess Security Controls
Periodic Review and Update

8
 Overview of Security Controls
• In essence, security controls are countermeasures or safeguards to
prevent, avoid, counteract, detect, or otherwise respond to security
risks.
• They can be technical mechanisms, manual practices, or procedures
• The categorization of security controls varies and there are various
schemes that are used in different realms (government, health care,
accounting, and so on).

9
 Overview of Security Controls
• Cloud Security Controls Must Meet Your Needs
• NIST Definitions for Security Controls
• Unclassified Models
– Not all security needs are identical
– characterized according to low-impact, moderate-impact, or high-impact information
systems.
• Classified Model
– Unclassified, Sensitive But Unclassified, Confidential, Secret, and Top Secret.
• The Cloud Security Alliance (CSA) Approach
– The Cloud Security Alliance developed a Controls Matrix which is a framework of nearly
100 distinct control specifications.

10
 The Limits of Security Controls
• There are many reasons why security is often ineffective. From a software
perspective, we often face several issues:
Software development practices are typically not rigorous or focused on
engineering principles and verification.
Software frameworks and functionality scaffolding have grown to be huge.
Installation and configuration of software are usually not performed following a
rigorous and defined process that brings identical results even when performed
by the same installer.
The discovery of new vulnerabilities extends over time to include even older and
mature software.

11
 Security Exposure Will Vary Over Time
• Security controls and procedures must continually be reviewed, and
when necessarily improved to support mission changes and cover
evolving threat capabilities.
• At different stages of a cloud life cycle, the security of the cloud will
alternate from higher risk to lower risk between the time that
exploitable vulnerabilities are exposed and patches installation (or new
controls are put into effect).

12
 Exploits Don’t Play Fair
• The fact is that exploits tend to take advantage of borderline
circumstances that otherwise do not cause issues.
• Likewise, the interfaces between applications make a fine target for
manipulation by sending them data or control values that are not
gracefully handled.

13
 Best Practices
• Traditional security best practices still apply to cloud computing, but
CSPs and cloud consumers may be challenged in adopting such practices
when they are more general rather than specific to the cloud space.

14
 Best Practices for Cloud Computing: First Principals
• In this section we identify several key strategies and best practices for
security in cloud computing.
Policy: is the true foundation for all security activities.
Risk Management: The objectives of risk management best practices are to
assess, address, and reduce security risks in a cloud initiative—and to do so in
the context of weighing the risks from a business perspective.
• Selecting security controls and monitoring their effectiveness are part of risk
management.
Configuration Management & Change Control: It is a best practice to implement
a configuration and change management process.
• Govern changes, identify security consequences, and provide assurance for system
configuration and version.
15
Best Practices for Cloud Computing: First Principals
Auditing: In auditing we seek to verify compliance, review the effectiveness of
controls, and validate security processes.
Vulnerability Scanning: The goal of vulnerability scanning is to identify any new
or residual vulnerabilities so that the associated risk may be mitigated.
Segregation of Duties: It is a best practice to limit the privileges that users have
to a small set which is necessary for the user to perform his work
• In the cloud, the segregation of duties will already be partially implemented by the
nature of the model itself.

16
 Best Practices Across the Cloud Community
• The Cloud Computing Use Case Discussion Group is focused on best practices for
building clouds or IaaS and PaaS.
• This group also identified a number of security controls for cloud computing:
 Asset Management
 Cryptography
 Data/Storage Security
 Endpoint Security
 Event Auditing and Reporting
 Identity, Roles, Access Control, and Attributes
 Network Security
 Other controls listed by the Cloud Computing Use Case Discussion Group

17
 Other Best Practices for Cloud Computing: Cloud
Service Consumers
• Beyond the CSA’s best practices, NIST has offered a relatively short set as well.
• From CSA’s list and a range of NIST sources: the following is representative of
practices for a cloud consumer:
 State-of-the-Practice
 Transparency
 Security Controls
 Security Standards and Practices

18
 Other Best Practices for Cloud Computing: Cloud
Service Providers
• Here we will identify just a few additional best practices.
• There are many best practices for cloud providers that are consistent with
traditional IT security best practices. Practices that are important to bring
forward include:
Network Isolation
The Use of a CMDB
Configuration Integrity
Identity
– Identity and Access Management (IAM)

19
 Security Monitoring
• It is a best practice to automate the collection of security events from all security
relevant network devices, servers, and applications.
• Security monitoring in cloud infrastructure and services is based on the
generation, collection, analysis, and reporting of security-relevant event data.

20
Security Monitoring

21
 The Purpose of Security Monitoring

• Security monitoring is a key cloud security strategy that has several important
purposes for CSPs and tenants, these include:
Threat Detection
Verification of Security Controls
Exposure of Bugs
A Legal Record of Activity
Enabling Forensics

22
 Transforming an Event Stream
• It is vital that the security instrumentation functionality is correctly deployed and
maintained.
• However, security instrumentation data poses many challenges from generation
to transmission and from centralized collection to analysis and response.
• The sheer amount of raw security event data that is generated in even a small
cloud infrastructure demands that the collection, handling, analysis, and storage
of data be efficient.
Generation of Security Events
Collection of Security Events
Correlation and Analysis Strategies

23
Security Monitoring

24
 The Need for C.I.A. in Security Monitoring
• It is a best practice in cloud security to assure the security of monitoring and the
integrity and availability of the event stream
• If monitoring is insecure, then monitoring will produce results that are not
trustworthy.
• Monitoring is only as reliable as event data is complete and correct.

25
 The Opportunity for MaaS
• Cloud providers can be expected to offer broader and richer security monitoring and
alerting capabilities for their tenants.
• The appeal of CP monitoring services for customers will vary according to the nature
of the cloud delivery model (public to private), the nature of the service delivery
(IaaS to SaaS), the sensitivity of the information and processing, regulatory and
compliance requirements, as well as the degree of customer risk acceptance or
aversion.

26
 Summary
• For a CSP, effective security represents an opportunity to reduce ongoing costs and
provide a competitive service.
• One can easily envision cloud service customers of PaaS or IaaS preferring to use a
CSP security information event management (SIEM) capability as long as the
customer’s event stream is not accessible to other customers.
• There is an important difference between security monitoring and a monitoring
system that can reliably trigger an effective response in the same time domain as
the threat itself.

27