
Cloud Infrastructure Security

Cloud infrastructure security involves protecting resources in cloud environments, with public clouds being more vulnerable than on-premises due to exposure to public networks. Organizations must secure workloads, comply with standards, and utilize tools like Cloud Security Posture Management (CSPM) to maintain security across key components such as accounts, servers, hypervisors, storage, databases, and networks. Effective security measures include controlling access, encrypting communications, and regularly monitoring configurations and usage.

Uploaded by

vamsiladi14
Copyright
© All Rights Reserved

Cloud Infrastructure Security

Introduction
➢ Cloud infrastructure security is the practice of securing resources deployed in a cloud environment and supporting systems.

➢ Public cloud infrastructure is, in many ways, more vulnerable than on-premises infrastructure because it can easily be exposed to public networks, and is not located behind a secure network perimeter.

➢ However, in a private or hybrid cloud, security is still a challenge, as there are multiple security concerns due to the highly automated nature of the environment, and numerous integration points with public cloud systems.

Public Cloud Security
➢ In a public cloud, the cloud provider takes responsibility for securing the infrastructure, and provides tools that allow the organization to secure its workloads. Your organization is responsible for:

➢ Securing workloads and data, fully complying with relevant compliance standards, and ensuring all activity is logged to enable auditing.

➢ Ensuring cloud configurations remain secure, and any new resources on the cloud are similarly secured, using automated tools such as a Cloud Security Posture Management (CSPM) platform.

➢ Understanding which service level agreements (SLAs) supplied by your cloud provider deliver relevant services and monitoring.

Securing 6 Key Components of Cloud Infrastructure
➢ The components are:
1. Accounts
2. Servers
3. Hypervisors
4. Storage
5. Databases
6. Network

Accounts
➢ Service accounts in the cloud are typically privileged accounts, which may have access to critical infrastructure. Once compromised, attackers have access to cloud networks and can access sensitive resources and data.

➢ Service accounts may be created automatically when you create new cloud resources, scale cloud resources, or stand up environments using infrastructure as code (IaC). The new accounts may have default settings, which in some cases means weak or no authentication.

➢ Use identity and access management (IAM) to set policies controlling access and authentication to service accounts.

➢ Use a cloud configuration monitoring tool to automatically detect and remediate non-secured accounts.

➢ Monitor usage of sensitive accounts to detect suspicious activity and respond.
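
The monitoring step above, sketched as an added example (not part of the original slides): each audit event for a service account is compared with a baseline of expected actions and source ranges. The account names, action names, baseline and log format are all constructed for illustration and do not follow any provider's schema.

```python
import ipaddress
import json

# Hypothetical baseline: where each service account normally calls from
# and which actions it is expected to perform.
BASELINE = {
    "svc-backup": {"cidrs": ["10.0.2.0/24"], "actions": {"storage.read", "storage.write"}},
    "svc-deploy": {"cidrs": ["10.0.5.0/24"], "actions": {"compute.create", "compute.delete"}},
}

# Constructed audit events, one JSON object per line (not a real log format).
SAMPLE_LOG = """\
{"ts": "2024-05-01T02:00:00Z", "principal": "svc-backup", "action": "storage.read", "source_ip": "10.0.2.15"}
{"ts": "2024-05-01T02:05:00Z", "principal": "svc-backup", "action": "iam.create_key", "source_ip": "10.0.2.15"}
{"ts": "2024-05-01T03:10:00Z", "principal": "svc-deploy", "action": "compute.create", "source_ip": "203.0.113.7"}
{"ts": "2024-05-01T03:12:00Z", "principal": "svc-temp-7f3a", "action": "storage.read", "source_ip": "10.0.2.20"}
"""

def in_any(ip, cidrs):
    """True when the address falls inside at least one of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def review_events(log_text, baseline):
    """Return (timestamp, account, reason) tuples for events outside the baseline."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        profile = baseline.get(ev["principal"])
        if profile is None:
            # Accounts created automatically (scaling, IaC) show up here first.
            alerts.append((ev["ts"], ev["principal"], "account has no baseline"))
            continue
        if ev["action"] not in profile["actions"]:
            alerts.append((ev["ts"], ev["principal"], f"unexpected action {ev['action']}"))
        if not in_any(ev["source_ip"], profile["cidrs"]):
            alerts.append((ev["ts"], ev["principal"], f"unexpected source {ev['source_ip']}"))
    return alerts

if __name__ == "__main__":
    for alert in review_events(SAMPLE_LOG, BASELINE):
        print(*alert, sep=" | ")
```
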


Servers
➢ While a cloud environment is virtualized, behind the scenes it is made up of physical hardware deployed at multiple geographical locations. This includes physical servers, storage devices, load balancers, and network equipment like switches and routers.
➢ Control inbound and outbound communication—your server should only be allowed to connect to the networks and specific IP ranges needed for its operations. For example, a database server should not have access to the public internet, or any other IP, except those of the application instances it serves.
➢ Encrypt communications—whether communications go over public networks or within a secure private network, they should be encrypted to avoid man-in-the-middle (MitM) attacks. Never use unsecured protocols like Telnet or FTP. Transmit all data over HTTPS, or other secure protocols like SCP (Secure Copy) or SFTP (Secure FTP).
➢ Minimize privileges—only users or service roles that absolutely need access to a server should be granted access. Carefully control the access level of each account to ensure it can only access the specific files and folders, and perform the specific operations, needed for its role. Avoid using the root user—any operation should be performed using identified user accounts.

Hypervisors
➢ A hypervisor runs on physical hardware, and makes it possible to run several virtual machines (VMs), each with a separate operating system.
➢ All cloud systems are based on hypervisors. Therefore, hypervisors are a key security concern, because compromise of the hypervisor (an attack known as hyperjacking) gives the attacker access to all hosts and virtual machines running on it.
➢ In public cloud systems, hypervisor security is the responsibility of the cloud provider, so you don’t need to concern yourself with it.
➢ In private cloud systems, the hypervisor is always your responsibility. Here are a few ways to ensure your hypervisor is secure:
• Ensure machines running hypervisors are hardened, patched, isolated from public networks, and physically secured in your data center.
• Assign least privileges to local user accounts, carefully controlling access to the hypervisor.
• Secure and monitor shared hardware caches and networks used by the hypervisor.
• Pay special attention to hypervisors in development and testing environments—ensure appropriate security measures are applied when a new hypervisor is deployed to production.

Storage
➢ In cloud systems, virtualization is used to abstract storage from hardware systems. Storage systems become elastic pools of storage, or virtualized resources that can be provisioned and scaled automatically.
➢ Here are a few ways to secure your cloud storage services:
• Identify which devices or applications connect to cloud storage, which cloud storage services are used throughout the organization, and map data flows.
• Block access to cloud storage for internal users who don’t need it, and eliminate shadow usage of cloud services by end users.
• Classify data into sensitivity levels—a variety of automated tools are available. This can help you focus on data stored in cloud storage that has security or compliance implications.
• Remove unused data—cloud storage can easily scale and it is common to retain unnecessary data, or entire data volumes or snapshots that are no longer used. Identify this unused data and eliminate it to reduce the attack surface and your compliance obligations.
• Carefully control access to data using identity and access management (IAM) systems, and applying consistent security policies for cloud and on-premises systems.

Databases
➢ Databases in the cloud can easily be exposed to public networks, and almost always contain sensitive data, making them an imminent security risk. Because databases are closely integrated with the applications they serve and other cloud systems, those adjacent systems must also be secured to prevent compromise of the database.
➢ Here are a few ways to improve the security of databases:
• Network access—as a general rule, databases should never be exposed to public networks and should be isolated from unrelated infrastructure. If possible, a database should only accept connections from the specific application instances it is intended to serve.
• Permissions—grant only the minimal level of permissions to users, applications and service roles. Avoid “super users” and administrative users with blanket permissions. Each administrator should have access to the specific databases they work on.
• Database security policies—ensure database settings are in line with your organization’s security and compliance policies. Map your security requirements and compliance obligations to specific settings on cloud database systems. Use automated tools like CSPM to ensure secure settings are applied to all database instances.

Network
➢ Here are a few ways you can secure cloud networks:

➢ Use security groups to define rules that govern what traffic can flow between cloud resources. Keep in mind that security groups are tightly connected to compute instances, and compromise of an instance grants access to the security group configuration, so additional security layers are needed.

➢ Use Network Access Control Lists (ACLs) to control access to virtual private networks. ACLs provide both allow and deny rules, and provide stronger security controls than security groups.

➢ Use additional security solutions such as firewalls as a service (FWaaS) and web application firewalls (WAF) to actively detect and block malicious traffic.

➢ Deploy Cloud Security Posture Management (CSPM) tools to automatically review cloud networks, detect non-secure or vulnerable configurations and remediate them.
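
A small posture check in the spirit of the CSPM review described above, covering the Servers and Databases guidance as well (an added example, not part of the original slides): it flags inbound rules that allow Telnet or FTP, expose a database port to the internet, or admit database traffic from outside the application subnet. The rule schema, rule names, database port list and subnets are assumptions constructed for illustration.

```python
import ipaddress

# Cleartext protocols named in the Servers section, plus an assumed list of
# common database ports.
INSECURE_PORTS = {21: "FTP", 23: "Telnet"}
DATABASE_PORTS = {1433: "SQL Server", 3306: "MySQL", 5432: "PostgreSQL"}

def is_public(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def covered_by(cidr, allowed):
    """True when cidr sits entirely inside one of the allowed networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a)
               for a in map(ipaddress.ip_network, allowed))

def audit_rules(rules, app_cidrs):
    """Return (rule_id, finding) pairs for inbound rules that break the guidance."""
    findings = []
    for r in rules:
        ports = range(r["from_port"], r["to_port"] + 1)
        for port, name in INSECURE_PORTS.items():
            if port in ports:
                findings.append((r["id"], f"cleartext {name} port {port} allowed"))
        for port, name in DATABASE_PORTS.items():
            if port not in ports:
                continue
            if is_public(r["cidr"]):
                findings.append((r["id"], f"{name} port {port} open to the internet"))
            elif not covered_by(r["cidr"], app_cidrs):
                findings.append((r["id"], f"{name} port {port} reachable from {r['cidr']}"))
    return findings

# Constructed sample rules (hypothetical schema, not any provider's API format).
SAMPLE_RULES = [
    {"id": "web-https", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"id": "db-public", "cidr": "0.0.0.0/0", "from_port": 5432, "to_port": 5432},
    {"id": "db-app", "cidr": "10.0.1.0/24", "from_port": 3306, "to_port": 3306},
    {"id": "db-other", "cidr": "10.0.9.0/24", "from_port": 3306, "to_port": 3306},
    {"id": "legacy-range", "cidr": "10.0.0.0/8", "from_port": 20, "to_port": 25},
]
APP_CIDRS = ["10.0.1.0/24"]  # assumed subnet of the application instances

if __name__ == "__main__":
    for rule_id, finding in audit_rules(SAMPLE_RULES, APP_CIDRS):
        print(rule_id, "-", finding)
```
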
