UNIT V: SECURITY IN THE CLOUD

Security Overview
Secure cloud computing encompasses three core capabilities: confidentiality, integrity, and
availability.

1. Confidentiality is the ability to keep information secret from people who shouldn’t have
access.

2. Integrity means that systems operate as they are intended to function and produce
outputs that are not unexpected or misleading.

3. Availability speaks to maintaining service uptime for cloud infrastructure and cloud-
based services, which includes preventing denial-of-service (DoS) attacks.

The cloud offers on-demand compute and storage resources that can help transform businesses
and accelerate services development and deployment. However, businesses cannot enjoy all
these potential benefits without a strong backbone to help protect them from digital threats,
malware, and hackers. The goal is to reduce total attack surface, manage risks to accessing
cloud resources, and ultimately make it profitable and beneficial to use the cloud.

Every industry is working diligently to keep up with the ever-changing threat landscape,
whether its protecting intellectual property, keeping systems patched, or ensuring compliance
with privacy regulations. IT security teams are often short-staffed or struggling to meet the
constantly changing needs of the business. Cloud computing offers a solution to these
challenges because many public clouds have cybersecurity, encryption, and data protection
baked into their service offerings.

The cloud is emerging as a premier platform for the security conscious, where the latest
technologies are implemented, cybersecurity experts are available around the clock, and
advancements in digital threats are addressed in real time. Not only can businesses benefit from
on-demand compute and storage resources in the cloud, but they can also benefit from world-
class data security features as well.

Network security refers to securing the perimeter of a data center, and the movement of data
inside or outside the data center. This entails using network infrastructure and access controls
to manage data flow and prevent digital threats from entering the network. A key example of
network security is the use of firewalls to restrict access to specific network ports. But
networking is just one piece of the equation and cloud computing encompasses the full gamut
of devices, data, and software. Businesses and cloud architects need a robust and secure
network perimeter, but there will always be insider threats and data breaches that bypass
perimeter protections. For this reason, it is important to have a multi-layered security strategy,
like confidential computing, that touches hardware, software, and applications.

Cloud Security Challenges and Risks

All companies face security risks, threats, and challenges every day. Many think these
terms all mean the same thing, but they are more nuanced.
 • A risk is a potential for loss of data or a weak spot.
• A threat is a type of attack or adversary.
• A challenge is an organization’s hurdles in implementing practical cloud security.

Let us consider an example: An API endpoint hosted in the cloud and exposed to the public
Internet is a risk, the attacker who tries to access sensitive data using that API is
the threat (along with any specific techniques they could try), and your
organization’s challenge is effectively protecting public APIs while keeping them
available for legitimate users or customers who need them.

A complete cloud security strategy addresses all three aspects, so no cracks exist within
the foundation.

Four cloud security risks

1. Unmanaged Attack Surface

2. Human Error
3. Misconfiguration
4. Data Breach

1. Unmanaged Attack Surface

An attack surface is your environment’s total exposure. The adoption of microservices can
lead to an explosion of publicly available workload. Every workload adds to the attack
surface.

Attack surface can also include subtle information leaks that lead to an attack. For
example, CrowdStrike’s team of threat hunters found an attacker using sampled DNS
request data gathered over public Wi-Fi to work out the names of S3 buckets. CrowStrike
stopped the attack before the attackers did any damage, but it is a great illustration of risk’s
ubiquitous nature. Even strong controls on the S3 buckets were not enough to completely
hide their existence. If you use the public Internet or cloud, you’re automatically exposing
an attack surface to the world.

2. Human Error

Human error is a constant risk when building business applications. However, hosting
resources on the public cloud magnifies the risk.

The cloud’s ease of use means that users could be using APIs you are not aware of without
proper controls and opening up holes in your perimeter. Manage human error by building
strong controls to help people make the right decisions.

3. Misconfiguration

Cloud settings keep growing as providers add more services over time. Many companies
are using more than one provider.
Providers have different default configurations, with each service having its distinct
implementations and nuances. Until organizations become proficient at securing their
various cloud services, adversaries will continue to exploit misconfigurations.

4. Data Breaches

A data breach occurs when sensitive information leaves your possession without your
knowledge or permission. Data is worth more to attackers than anything else, making it
the goal of most attacks. Cloud misconfiguration and lack of runtime protection can l eave
it wide open for thieves to steal.

The impact of data breaches depends on the type of data stolen. Thieves sell personally
identifiable information (PII) and personal health information (PHI) on the dark web to
those who want to steal identities or use the information in phishing emails.

Other sensitive information, such as internal documents or emails, could be used to

damage a company’s reputation or sabotage its stock price. No matter the reason for
stealing the data, breaches continue to be an imposing threat to companies using the cloud.

Following steps help to manage risk in the cloud:

• Perform regular risk assessments to find new risks.

• Prioritize and implement security controls to mitigate the risks you have identified
(CrowdStrike can help).
• Document and revisit any risks you choose to accept.

Four cloud security challenges are:

1. Lack of Cloud Security and Skills

2. Identity and Access Management
3. Shadow IT
4. Cloud Compliance

1. Lack Of Cloud Security Strategy and Skills

Traditional data center security models are not suitable for the cloud. Administrators must
learn new strategies and skills specific to cloud computing.

Cloud may give organizations agility, but it can also open up vulnerabilities for
organizations that lack the internal knowledge and skills to understand security challenges
in the cloud effectively. Poor planning can manifest itself in misunderstanding the
implications of the shared responsibility model, which lays out the security duties of the
cloud provider and the user. This misunderstanding could lead to the exploitation of
unintentional security holes.

2. Identity and Access Management

Identity and Access Management (IAM) is essential. While this may seem obvious, the
challenge lies in the details.
It’s a daunting task to create the necessary roles and permissions for an enterprise of
thousands of employees. There are three steps to a holistic IAM strategy: ro le design,
privileged access management, and implementation.

Begin with a solid role design based on the needs of those using the cloud. Design the
roles outside of any specific IAM system. These roles describe the work your employees
do, which won’t change between cloud providers.

Next, a strategy for privileged access management (PAM) outlines which roles require
more protection due to their privileges. Tightly control who has access to privileged
credentials and rotate them regularly.

Finally, it’s time to implement the designed roles within the cloud provider’s IAM service.
This step will be much easier after developing these ahead of time.

3. Shadow IT

Shadow IT challenges security because it circumvents the standard IT approval and

management process.

Shadow IT is the result of employees adopting cloud services to do their jobs. The ease
with which cloud resources can be spun up and down makes controlling its growth
difficult. For example, developers can quickly spawn workloads using their accounts.
Unfortunately, assets created in this way may not be adequately secured and accessible via
default passwords and misconfigurations.

The adoption of DevOps complicates matters. Cloud and DevOps teams like to run fast
and without friction. However, obtaining the visibility and management levels that the
security teams require is difficult without hampering DevOps activities. DevOps needs a
frictionless way to deploy secure applications and directly integrate with their continuous
integration/continuous delivery (CI/CD) pipeline. There needs to be a unified approach
for security teams to get the information they need without slowing down DevOps. IT and
security need to find solutions that will work for the cloud — at DevOps’ velocity.

4. Cloud Compliance

Organizations have to adhere to regulations that protect sensitive data like PCI
DSS and HIPAA. Sensitive data includes credit card information, healthcare patient
records, etc. To ensure compliance standards are met, many organizations limit access and
what users can do when granted access. If access control measures are not set in place, it
becomes a challenge to monitor access to the network.

How to Overcome Cloud Security Challenges

Each challenge is different and therefore requires unique solutions. Take the time to plan
before making use of any cloud services. A sound strategy takes into consideration any
common cloud challenges like the ones we’ve discussed here. Then you’ll have a plan of
action for each anticipated challenge.
Software-as-a-Service Security

Software-as-a-Service (SaaS) environments are a particularly attractive target for

cybercriminals because they tend to store a large variety and amount of sensitive data, including
payment card details and personally identifiable information. Thus, it is crucial for companies
to prioritize SaaS security.

SaaS security covers a range of practices that organizations implement to protect their assets
when using a SaaS architecture. According to the UK’s National Cyber Security Centre
(NCSC) SaaS security guidelines, responsibility for security is shared between the customer
and the service provider or software distributor. Additionally, vendors are introducing SaaS
Security Posture Management (SSPM) systems that can regulate and automate SaaS security.

Many organizations are well-experienced in handling the security risks associated with
Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) environments. IT and
security teams typically collaborate using integrated business processes and programs. There
is also a large market for IaaS and PaaS security and management tools.

SaaS applications tend to operate differently and offer advantages for organizations. However,
they can be harder to manage in terms of security:

• Complexity—SaaS apps are designed to serve a wide variety of teams across an

organization. For example, record systems are used by sales teams for customer data,
by development teams for source code, and human resource teams for HR information.
Such SaaS applications tend to be used frequently by multiple end-users who may have
different levels of technical knowledge. The sheer volume and complexity of usage
makes SaaS applications difficult for security teams to understand.
• Communication—security teams have little communication with the business
administrators who select and manage new SaaS technologies. The limited interaction
between teams makes it harder for security teams to understand the scope of use and
the associated threats to the organization when these applications become fully
operational.
• Collaboration—internal teams supporting SaaS applications tend to focus on
functionality and business requirements, often lacking the necessary guidance to secure
them. Balancing business and security needs requires collaboration on an ongoing
basis. To ensure consistency, organizations should focus more resources and effort into
identifying and addressing security risks, and treat SaaS with the same respect as bare
metal, IaaS, PaaS and endpoint security.

The following practices are recommended for securing SaaS environments and assets.

1. Enhanced Authentication
Cloud providers can handle authentication in various ways, making it complicated to determine
how users should be given access to SaaS resources. Some vendors support integration with
identity providers that the customer can manage, such as Active Directory (AD) with Security
Assertion Markup Language, OpenID Connect and Open Authorization. Likewise, some
vendors support multi-factor authentication, while others do not.

To navigate the various SaaS offerings available, it is essential that the security team
understands which services are being used and the supported options for each service. This
context allows administrators to choose the right authentication method (or methods) according
to the organization’s needs.

A good option is to use single sign-on (SSO) tied to AD, if the SaaS provider supports it, as
this ensures that the account and password policies correlate to the services in use for the SaaS
application.

2. Data Encryption

The channels used to communicate with SaaS applications typically use Transport Layer
Security (TLS) to protect in-transit data. Some SaaS providers also offer encryption capabilities
for protecting data at rest. This could be a default feature or may need to be enabled.

Research the available security measures of each SaaS service in use to determine whether data
encryption is possible and make sure to enable the encryption when relevant.

3. Oversight and Vetting

Ensure you review and evaluate any potential SaaS provider. Make sure you understand how
the service is used and which security model is used to deliver the service, as well as any
available optional security features.

4. Discovery and Inventory

It is important to be able to track all SaaS usage given that usage patterns can be unexpected,
especially when applications are deployed rapidly. Make sure you search for new, untracked
SaaS usage and stay alert for unexpected changes.

Combine manual data collection techniques with automation tools, where possible, to keep up
with rapidly evolving SaaS usage and maintain a reliable, up-to-date inventory of the services
employed and who is using them.
5. CASB Tools

Consider using a Cloud Access Security Broker (CASB) solution for situations where the SaaS
provider does not provide an adequate level of security. CASB allows organizations to add
controls that are not included or natively-supported by SaaS providers.

Explore the tools available to address any shortcomings in the SaaS provider’s security model.
You should also pay attention to the different CASB deployment modes so you choose the
right deployment configuration (i.e. API or proxy-based) for your organization’s architecture.

6. Situational Awareness

Monitor your SaaS use and examine the data from tools like CASBs, and keep track of the data
and logs provided by the SaaS provider. IT and security executives must treat SaaS offerings
differently from ordinary websites, as they are robust tools demanding the same level of
security as any enterprise application.

Make sure you implement measures for systematic risk management when adopting SaaS
security best practices—this helps ensure that users employ SaaS safely and that your
organization’s SaaS usage remains protected.

7. Use SaaS Security Posture Management (SSPM)

SSPM ensures that SaaS applications are properly configured to protect them from
compromise. Cynet provides a leading SSPM solution that continuously monitors SaaS
applications to identify gaps between stated security policies and actual security posture, letting
you automatically find and fix security risks in SaaS assets, and automatically prioritize risks
and misconfigurations by severity.

Cynet SSPM provides:

• Automatic tracking of SaaS risks – tracks security posture across all SaaS platforms,
prioritized by risk category, tracked over time directly from the Cynet dashboard.
• Automatic analysis and fix in one click – drills down to provide details and insights
about every identified risk, recommends remediation actions, and applies them
automatically.

Cloud Security Governance

Cloud security governance refers to the management model that facilitates effective and
efficient security management and operations in the cloud environment so that an enterprise’s
business targets are achieved. This model incorporates a hierarchy of executive mandates,
performance expectations, operational practices, structures, and metrics that, when
implemented, result in the optimization of business value for an enterprise.
Strategic alignment, value delivery, risk mitigation, effective use of resources, and performance
measurement are key objectives of any IT-related governance model, security included. To
successfully pursue and achieve these objectives, it is important to understand the operational
culture and business and customer profiles of an enterprise, so that an effective security
governance model can be customized for the enterprise.

Cloud Security Governance Challenges:

Whether developing a governance model from the start or having to retrofit one on existing
investments in cloud, these are some of the common challenges:

1. Lack of senior management participation and buy-in:

The lack of a senior management influenced and endorsed security policy is one of the common
challenges facing cloud customers. An enterprise security policy is intended to set the executive
tone, principles and expectations for security management and operations in the cloud.
However, many enterprises tend to author security policies that are often laden with tactical
content, and lack executive input or influence. The result of this situation is the ineffective
definition and communication of executive tone and expectations for security in the cloud. To
resolve this challenge, it is essential to engage enterprise executives in the discussion and
definition of tone and expectations for security that will feed a formal enterprise security policy.
It is also essential for the executives to take full accountability for the policy, communicating
inherent provisions to the enterprise, and subsequently enforcing compliance.

2. Lack of embedded management operational controls:

Another common cloud security governance challenge is lack of embedded management

controls into cloud security operational processes and procedures. Controls are often
interpreted as an auditor’s checklist or repackaged as procedures, and as a result, are not
effectively embedded into security operational processes and procedures as they should be, for
purposes of optimizing value and reducing day-to-day operational risks. This lack of embedded
controls may result in operational risks that may not be apparent to the enterprise. For example,
the security configuration of a device may be modified (change event) by a staffer without
proper analysis of the business impact (control) of the modification. The net result could be the
introduction of exploitable security weaknesses that may not have been apparent with this
modification. The enterprise would now have to live with an inherent operational risk that could
have been avoided if the control had been embedded in the change execution process.
 3. Lack of operating model, roles, and responsibilities:

Many enterprises moving into the cloud environment tend to lack a formal operating model for
security, or do not have strategic and tactical roles and responsibilities properly defined and
operationalized. This situation stifles the effectiveness of a security management and
operational function/organization to support security in the cloud. Simply, establishing a
hierarchy that includes designating an accountable official at the top, supported by a
stakeholder committee, management team, operational staff, and third-party provider support
(in that order) can help an enterprise to better manage and control security in the cloud, and
protect associated investments in accordance with enterprise business goals. This hierarchy can
be employed in an in-sourced, out-sourced, or co-sourced model depending on the culture,
norms, and risk tolerance of the enterprise.

4. Lack of metrics for measuring performance and risk

Another major challenge for cloud customers is the lack of defined metrics to measure security
performance and risks – a problem that also stifles executive visibility into the real security
risks in the cloud. This challenge is directly attributable to the combination of other challenges
discussed above. For example, a metric that quantitatively measures the number of exploitable
security vulnerabilities on host devices in the cloud over time can be leveraged as an indicator
of risk in the host device environment. Similarly, a metric that measures the number of user-
reported security incidents over a given period can be leveraged as a performance indicator of
staff awareness and training efforts. Metrics enable executive visibility into the extent to which
security tone and expectations (per established policy) are being met within the enterprise and
support prompt decision-making in reducing risks or rewarding performance as appropriate.

Cloud security governance facilitates the institution of a model that helps enterprises explicitly
address the challenges described above.

Key Objectives for Cloud Security Governance

Building a cloud security governance model for an enterprise requires strategic-level security
management competencies in combination with the use of appropriate security standards and
frameworks (e.g., NIST, ISO, CSA) and the adoption of a governance framework (e.g.,
COBIT). The first step is to visualize the overall governance structure, inherent components,
and to direct its effective design and implementation. The use of appropriate security standards
and frameworks allow for a minimum standard of security controls to be implemented in the
cloud, while also meeting customer and regulatory compliance obligations where applicable.
A governance framework provides referential guidance and best practices for establishing the
governance model for security in the cloud. The following represents key objectives to pursue
in establishing a governance model for security in the cloud. These objectives assume that
appropriate security standards and a governance framework have been chosen based on the
enterprise’s business targets, customer profile, and obligations for protecting data and other
information assets in the cloud environment.
1. Strategic Alignment

Enterprises should mandate that security investments, services, and projects in the
cloud are executed to achieve established business goals (e.g., market competitiveness,
financial, or operational performance).

2. Value Delivery

Enterprises should define, operationalize, and maintain an appropriate security

function/organization with appropriate strategic and tactical representation, and
charged with the responsibility to maximize the business value (Key Goal Indicators,
ROI) from the pursuit of security initiatives in the cloud.

3. Risk Mitigation

Security initiatives in the cloud should be subject to measurements that gauge

effectiveness in mitigating risk to the enterprise (Key Risk Indicators). These initiatives
should also yield results that progressively demonstrate a reduction in these risks over
time.

4. Effective Use of Resources

It is important for enterprises to establish a practical operating model for managing and
performing security operations in the cloud, including the proper definition and
operationalization of due processes, the institution of appropriate roles and
responsibilities, and use of relevant tools for overall efficiency and effectiveness.

5. Sustained Performance

Security initiatives in the cloud should be measurable in terms of performance, value,

and risk to the enterprise (Key Performance Indicators, Key Risk Indicators), and yield
results that demonstrate attainment of desired targets (Key Goal Indicators) over time.

Risk Management in Cloud Computing

Risk management is the process of identifying, assessing, and controlling threats to an

organisation's system security, capital and resources. Effective risk management means
attempting to control future outcomes proactively rather than reactively. In the context of cloud
computing, risk management plans are curated to deal with the risks or threats associated with
the cloud security. Every business and organisation face the risk of unexpected, harmful events
that can cost the organisation capital or cause it to permanently close. Risk management allows
organisations to prevent and mitigate any threats, service disruptions, attacks or compromises
by quantifying the risks below the threshold of acceptable level of risks.

Risk management is a cyclically executed process comprised of a set of activities for

overseeing and controlling risks. Risk management follows a series of 5 steps to manage risk,
it drives organisations to formulate a better strategy to tackle upcoming risks. These steps are
referred to as Risk Management Process and are as follows:

• Identify the risk

• Analyze the risk
• Evaluate the risk
• Treat the risk
• Monitor or review the risk

1. Identify the risk - The inception of the risk management process starts with the
identification of the risks that may negatively influence an organisation's strategy or
compromise cloud system security. Operational, performance, security, and privacy
requirements are identified. The organisation should uncover, recognise and describe
risks that might affect the working environment. Some risks in cloud computing include
cloud vendor risks, operational risks, legal risks, and attacker risks.
2. Analyze the risk - After the identification of the risk, the scope of the risk is analyzed.
The likelihood and the consequences of the risks are determined. In cloud computing,
the likelihood is determined as the function of the threats to the system, the
vulnerabilities, and consequences of these vulnerabilities being exploited. In analysis
phase, the organisation develops an understanding of the nature of risk and its potential
to affect organisation goals and objectives.
3. Evaluate the risk - The risks are further ranked based on the severity of the impact
they create on information security and the probability of actualizing. The organisation
then decides whether the risk is acceptable or it is serious enough to call for treatment.
4. Treat the risk - In this step, the highest-ranked risks are treated to eliminate or
modified to achieve an acceptable level. Risk mitigation strategies and preventive plans
are set out to minimise the probability of negative risks and enhance opportunities. The
security controls are implemented in the cloud system and are assessed by proper
assessment procedures to determine if security controls are effective to produce the
desired outcome.
5. Monitor or Review the risk - Monitor the security controls in the cloud infrastructure
on a regular basis including assessing control effectiveness, documenting changes to
the system and the working environment. Part of the mitigation plan includes following
up on risks to continuously monitor and track new and existing risks.

The steps of risk management process should be executed concurrently, by individuals or teams
in well-defined organisational roles, as part of the System Development Life Cycle (SDLC)
process. Treating security as an addition to the system, and implementing risk management
process in cloud computing independent to the SDLC is more difficult process that can incur
higher cost with a lower potential to mitigate risks.

Types of risks in cloud computing are:

1. Data Breach - Data breach stands for unauthorized access to the confidential data of
the organisation by a third party such as hackers. In cloud computing, the data of the
organisation is stored outside the premise, that is at the endpoint of the cloud
service provider(CSP). Thus any attack to target data stored on the CSP servers may
affect all of its customers.
2. Cloud Vendor Security Risk - Every organisation takes services offered by different
cloud vendors. The inefficiency of these cloud vendors to provide data security and risk
mitigation directly affects the organisation's business plan and growth. Also, migrating
from one vendor to another is difficult due to different interfaces and services provided
by these cloud vendors.
3. Availability - Any internet connection loss disrupts the cloud provider's services,
making the services inoperative. It can happen at both the user's and the cloud service
provider's end. An effective risk management plan should focus on availability of
services by creating redunadancy in servers on cloud such that other servers can provide
those services if one fails.
4. Compliance - The service provider might not follow the external audit process,
exposing the end user to security risks. If a data breach at the cloud service provider's
end exposes personal data, the organisation may be held accountable due to improper
protection and agreements.

Apart from these risks, cloud computing possesses various security risks bound under 2 main
categories.

• Internal Security Risks: Internal security risks in cloud computing include the
challenges that arise due to mismanagement by the organisation or the cloud service
provide. Some internal security risks involve:
1. Misconfiguration of settings - Misconfiguration of cloud security settings, either by
the organisation workforce or by the cloud service provider, exposes the risk of a data
breach. Most small businesses cloud security and risk management are inadequate for
protecting their cloud infrastructure.
2. Malicious Insiders - A malicious insider is a person working in the organisation and
therefore already has authorized access to the confidential data and resources of the
organization. With cloud deployments, organisations lack control over the underlying
infrastructure; making it very hard to detect malicious insiders.

• External Security Risks: External security risks are threats to an organisation arising
from the improper handling of the resources by its users and targeted attacks by hackers.
Some of the external security risks involve:
 1. Unauthorized Access - The cloud-based deployment of the organisation's
infrastructure is outside the network perimeter and directly accessible from the public
internet. Therefore, it is easier for the attacker to get unauthorized access to the server
with the compromised credentials.
2. Accounts Hijacking - The use of a weak or repetitive password allows attackers to
gain control over multiple accounts using a single stolen password. Moreover,
organizations using cloud infrastructure cannot often identify and respond to such
threats.
3. Insecure APIs - The Application Programming Interfaces(APIs) provided by the cloud
service provider to the user are well-documented for ease of use. A potential attacker
might use this documentation to attack the data and resources of the organisation.

Above discussed risks are the primary security concern for individuals, businesses, and
organisations. If actualized, some risks may cause a business to close. These risks need to be
treated proactively by implementing risk management strategies. By implementing a risk
management plan and considering the various potential risks or events before they occur, an
organisation may save money and time and protect its future. This is because a robust risk
management plan will help an organisation establish procedures to prevent potential threats
and minimise their impact if they occur. This ability to understand and control risks allows
organisations to be more confident in their business decisions. Moreover, effective risk
management helps organisations to understand the processes deeply and provide information
that can be used to make informed decisions to provide increased levels of security and ensure
that the business remains profitable. In cloud computing, the organisation sets risk management
plans which help them to identify appropriate cloud vendors and service providers, make
proper service-level agreements and set up better budgeting plans.

Risk management enables organisations to ensure any potential threats to cloud-deployments

security, assets, and business plans are identified and treated before they derail the
organisation's goals. It has far-reaching benefits that can fundamentally change the decision
making process of the organisation. Here are some benefits of robust risk management:

1. Forecast Probable Issues - The risk management process in cloud computing

identifies all the possible risks or threats associated with the cloud service provider, the
cloud vendor, the organisation, and the users. It helps an organisations to mitigate risks
by implementing appropiate control strategies and create a better business plan.
2. Increases the scope of growth - Risk management in cloud computing forces
organisations to study the risk factors in detail. Thus, the workforce is aware of all the
possible catastrophic events; and the organisation creates a framework that can be
deployed to avoid risks that are decremental to both the organisation and the
environment. Hence, risk management enables organisations to take a calculated risks
and accelerate their growth.
3. Business Process Improvement - Risk Management requires organisations to collect
information about their processes and operations. As a result, organisations can find
inefficient processes or the scope for improvement in a process.
 4. Better Budgeting - Organisations implementing risk management strategies often have
clear insights into the finances. Thus, they can create more efficient budgets to
implement risk management plans and achieve the organisational goals.

An effective risk management process is a mix of coordinate governance and internal controls.
It coordinates the engagement of managers, employers, and stakeholders at each step to
embrace risk-taking as an avenue for growth and opportunity. The following are the best
practices to manage the risks in cloud computing:

1. Choose the cloud service provider wisely - Perform cloud vendor risk assessment for
contract clarity, availability, security, ethics, compliance, and legal liabilities. Make
sure, the cloud service provider(CSP) has service providers that can deliver the services
accordingly.
2. Deploy Technical Safeguards such as Cloud Access Security Broker - Cloud Access
Security Broker (CASB) are on-premise or cloud-based software which acts as
intermediary between cloud service providers and consumers, to monitor the activities
and enforce organisation security policy for accessing cloud applications.
3. Establish controls based on risk treatment - After identification, analysis, and
evaluation of the risk. Dedicated measures need to be taken to mitigate risks and drive
the business processes to improve. Organisations should delete unwanted data from the
hosted cloud.
4. Optimized cloud service model - Adopt a cloud service model that promotes
achieving a business solution, minimizes risks, and optimizes cloud investment cost.
5. Strategize Availability of Services - Create redundancy of servers by regions and
zones. In this way, if one connection fails, it will not stop the operation of the services.

Cloud Security Monitoring

Cloud security monitoring is the practice of continuously supervising both virtual and physical
servers to analyze data for threats and vulnerabilities. Cloud security monitoring solutions often
rely on automation to measure and assess behaviors related to data, applications and
infrastructure.
Cloud security monitoring solutions can be built natively into the cloud server hosting
infrastructure (like AWS’s CloudWatch, for example) or they can be third-party solutions that
are added to an existing environment (like Blumira). Organizations can also perform cloud
monitoring on premises using existing security management tools.
Like a SIEM, cloud security monitoring works by collecting log data across servers. Advanced
cloud monitoring solutions analyze and correlate gathered data for anomalous activity, then
send alerts and enable incident response. A cloud security monitoring service will typically
offer:
1. Visibility. Moving to the cloud inherently lowers an organization’s visibility
across their infrastructure, so cloud monitoring security tools should bring a
single pane of glass to monitor application, user and file behavior to identify
potential attacks.
 2. Scalability: Cloud security monitoring tools should be able to monitor large
amounts of data across a variety of distributed locations.
3. Auditing: It’s a challenge for organizations to manage and meet compliance
requirements, so cloud security monitoring tools should provide robust auditing
and monitoring capabilities.
4. Continuous monitoring: Advanced cloud security monitoring solutions should
continuously monitor behavior in real time to quickly identify malicious activity
and prevent an attack.
5. Integration: To maximize visibility, a cloud monitoring solution should ideally
integrate with an organization’s existing services, such as productivity suites
(i.e. Microsoft 365 and G Suite), endpoint security solutions
(i.e. Crowdstrike and VMware Carbon Black) and identity and authentication
services (i.e. Duo and Okta).

Some common cloud security threats include:

1. Misconfigurations: Human error — or failing to set the right security controls
in a cloud platform — is one of the biggest cloud security threats. Examples of
misconfigurations include accidentally allowing unrestricted outbound access
or opening up access to an S3 bucket. Cloud misconfiguration can be extremely
damaging; one real-life example of this was the Capital One breach in 2019, in
which a former Amazon employee was able to expose personal records of
Capital One customers due to a misconfigured web application firewall (WAF).
2. Data loss: The collaboration and shareability of cloud services are double-edged
swords; these benefits often make it too easy for users to share data with the
wrong internal parties or external third-parties. 64% of cybersecurity
professionals cited data loss and leakage as a top cloud security concern,
according to Synopsys’ Cloud Security Report.
3. API vulnerabilities: Cloud applications use APIs to interact with each other, but
those APIs aren’t always secure. Malicious actors can launch denial-of-service
(DoS) attacks to exploit APIs, allowing them to access company data.
4. Malware: Malware is a real threat in the cloud. Data and documents constantly
travel to and from the cloud, which means that there are more opportunities for
threat actors to launch malware attacks such as hyperjacking and hypervisor
infections.
5. IAM complexity. Identity and access management (IAM) in a cloud or hybrid
cloud environment can be extremely complex. For larger organizations, the
process of simply understanding who has access to which resources can be time-
consuming and difficult. Other IAM challenges in the cloud include ‘zombie’
SaaS accounts (inactive users), and improper user provisioning and
deprovisioning. Hybrid environments where users must access a mix of SaaS
apps and on-premises applications can introduce siloes and further complicate
IAM, leading to misconfigurations and security gaps.
Cloud security monitoring provides the following benefits:
 1. Maintain compliance: Monitoring is a requirement for nearly every major regulation,
from HIPAA to PCI DSS. Cloud-based organizations must use monitoring tools
to avoid compliance violations and costly fees.
2. Identify vulnerabilities: Automated monitoring solutions can quickly alert IT and
security teams about anomalies and help identify patterns that point to risky or
malicious behavior. Overall, this brings a deeper level of observability and visibility to
cloud environments.
3. Prevent loss of business: An overlooked security incident can be detrimental and even
result in shutting down business operations, leading to a decrease in customer trust and
satisfaction — especially if customer data was leaked. Cloud security monitoring can
help with business continuity and data security, while avoiding a potentially
catastrophic data breach.
4. Increase security maturity: An organization with a mature infosec model has a
proactive, multi-layered approach to security. A cloud monitoring solution enables
organizations to include cloud as one of those layers and provides visibility into the
overall environment.

Cloud Security Monitoring Challenges:

1. Lack of cloud security strategy: Many organizations hastily migrate to the cloud to
support remote work without developing a clear cloud security strategy. Without a clear
strategy, an organization will not be able to fully reap the benefits of a cloud security
monitoring solution.
2. Alert fatigue: Many cloud monitoring products are noisy, which can result in IT and
security teams lacking insight into what’s important to focus on. A FireEye study
revealed that some organizations receive up to 10,000 alerts per month from security
products. Cloud monitoring solutions with prioritized alerts can reduce the noise and
chances of receiving false positives, which provides higher security value.
3. Lack of context: Logs and alerts are only valuable if an organization understands how
to interpret them. Security teams should understand what they want to monitor and why;
once they receive alerts, they should know which actions to take. A best-in-class threat
detection and response platform will provide remediation steps and playbooks in
addition to prioritized alerts.

These cloud security monitoring best practices will help you to be strategic, gain visibility into
your environment and provide layers of security that will protect against threats:
1. Carefully evaluate cloud service providers: The big three cloud service providers
(Google, Amazon and Microsoft) are fairly comparable when it comes to security.
Regardless of the vendor, organizations should evaluate levels of compliance and
data/network availability to ensure that it fits their needs.
2. Perform a cloud infrastructure inventory: Security teams should do a deep dive into
their existing cloud infrastructure to understand potential risks, such as shadow IT.
Organizations should perform regular audits and know what changes were made within
their cloud environments to help identify causes of misconfigurations.
 3. Take a layered approach to cloud security: Setting up layers of security can help
organizations to achieve the most visibility into their tech stack. Native cloud
monitoring tools such as AWS GuardDuty can help with that, but it’s important to bring
in specialized tools to address different components of the tech stack, from physical
hardware to orchestration.
Security Architecture Design

Security in cloud computing is a major concern. Proxy and brokerage services should be
employed to restrict a client from accessing the shared data directly. Data in the cloud should
be stored in encrypted form.

Before deploying a particular resource to the cloud, one should need to analyze several aspects
of the resource, such as:

o A select resource needs to move to the cloud and analyze its sensitivity to risk.
o Consider cloud service models such as IaaS, PaaS,and These models require the
customer to be responsible for Security at different service levels.
o Consider the cloud type, such as public, private, community, or
o Understand the cloud service provider's system regarding data storage and its transfer
into and out of the cloud.
o The risk in cloud deployment mainly depends upon the service models and cloud types.

The Cloud Security Alliance (CSA) stack model defines the boundaries between each service
model and shows how different functional units relate. A particular service model defines the
boundary between the service provider's responsibilities and the customer. The following
diagram shows the CSA stack model:
 o IaaS is the most basic level of service, with PaaS and SaaS next two above levels of
services.
o Moving upwards, each service inherits the capabilities and security concerns of the
model beneath.
o IaaS provides the infrastructure, PaaS provides the platform development environment,
and SaaS provides the operating environment.
o IaaS has the lowest integrated functionality and security level, while SaaS has the
highest.
o This model describes the security boundaries at which cloud service providers'
responsibilities end and customers' responsibilities begin.
o Any protection mechanism below the security limit must be built into the system and
maintained by the customer.

Although each service model has a security mechanism, security requirements also depend on
where these services are located, private, public, hybrid, or community cloud.

Since all data is transferred using the Internet, data security in the cloud is a major concern.
Here are the key mechanisms to protect the data:

o access control
o audit trail
o certification
o authority
The service model should include security mechanisms working in all of the above areas.

Since the data stored in the cloud can be accessed from anywhere, we need to have a mechanism
to isolate the data and protect it from the client's direct access.

Broker cloud storage is a way of separating storage in the Access Cloud. In this approach,
two services are created:

1. A broker has full access to the storage but does not have access to the client.
2. A proxy does not have access to storage but has access to both the client and the broker.
3. Working on a Brocade cloud storage access system
4. When the client issues a request to access data:
5. The client data request goes to the external service interface of the proxy.
6. The proxy forwards the request to the broker.
7. The broker requests the data from the cloud storage system.
8. The cloud storage system returns the data to the broker.
9. The broker returns the data to the proxy.
10. Finally, the proxy sends the data to the client.

All the above steps are shown in the following diagram:

Encryption helps to protect the data from being hacked. It protects the data being transferred
and the data stored in the cloud. Although encryption helps protect data from unauthorized
access, it does not prevent data loss.
The difference between "cloud security" and "cloud security architecture" is that the former is
built from problem-specific measures while the latter is built from threats. A cloud security
architecture can reduce or eliminate the holes in Security that point-of-solution approaches are
almost certainly about to leave.

It does this by building down - defining threats starting with the users, moving to the cloud
environment and service provider, and then to the applications. Cloud security architectures
can also reduce redundancy in security measures, which will contribute to threat mitigation and
increase both capital and operating costs.

The cloud security architecture also organizes security measures, making them more consistent
and easier to implement, particularly during cloud deployments and redeployments. Security
is often destroyed because it is illogical or complex, and these flaws can be identified with the
proper cloud security architecture.

The goal of the cloud security architecture is accomplished through a series of functional
elements. These elements are often considered separately rather than part of a coordinated
architectural plan. It includes access security or access control, network security, application
security, contractual Security, and monitoring, sometimes called service security. Finally, there
is data protection, which are measures implemented at the protected-asset level.

A complete cloud security architecture addresses the goals by unifying the functional elements.

The security and security architectures for the cloud are not single-player processes. Most
enterprises will keep a large portion of their IT workflow within their data centers, local
networks, and VPNs. The cloud adds additional players, so the cloud security architecture
should be part of a broader shared responsibility model.

A shared responsibility model is an architecture diagram and a contract form. It exists formally
between a cloud user and each cloud provider and network service provider if they are
contracted separately.

Each will divide the components of a cloud application into layers, with the top layer being the
responsibility of the customer and the lower layer being the responsibility of the cloud provider.
Each separate function or component of the application is mapped to the appropriate layer
depending on who provides it. The contract form then describes how each party responds.

Data Security

Cloud data security is the combination of technology solutions, policies, and procedures that
the enterprise implements to protect cloud-based applications and systems, along with the
associated data and user access.
The core principles of information security and data governance—
data confidentiality, integrity, and availability (known as the CIA triad)—also apply to the
cloud:

• Confidentiality: protecting the data from unauthorized access and disclosure

• Integrity: safeguard the data from unauthorized modification so it can be trusted
• Availability: ensuring the data is fully available and accessible when it’s needed

These tenets apply regardless of:

• Which cloud model the enterprise adopts—public, private, hybrid, or community

clouds
• Which cloud computing categories the organization uses—software-as-a-service
(SaaS), platform-as-a-service (PaaS), infrastructure-as-a service (IaaS), or function-as-
a-service (FaaS)

Some of the common cloud-related risks that organizations face include:

• Regulatory noncompliance—whether it’s the General Protection Data

Regulation (GDPR) or the Healthcare Insurance Portability and Accountability Act
(HIPAA), cloud computing adds complexity to satisfying compliance requirements.
• Data loss and data leaks—data loss and data leaks can result from poor security
practices such as misconfigurations of cloud systems or threats such as insiders.
• Loss of customer trust and brand reputation—customers trust organizations to
safeguard their personally identifiable information (PII) and when a security incident
leads to data compromise, companies lose customer goodwill.
• Business interruption—risk professionals around the globe identified business
disruption caused by failure of cloud technology / platforms or supply chains as one of
their top five cyber exposure concerns.[2]
• Financial losses—the costs of incident mitigation, data breaches, business disruption,
and other consequences of cloud security incidents can add up to hundreds of millions
of dollars.

While cybersecurity threats that apply to on-premises infrastructure also extend to cloud
computing, the cloud brings additional data security threats. Here are some of the common
ones:

• Unsecure application programming interfaces (APIs)—many cloud services and

applications rely on APIs for functionalities such as authentication and access, but these
 interfaces often have security weaknesses such as misconfigurations, opening the door
to compromises.
• Account hijacking or takeover—many people use weak passwords or reuse
compromised passwords, which gives cyberattackers easy access to cloud accounts.
• Insider threats—while these are not unique to the cloud, the lack of visibility into
the cloud ecosystem increases the risk of insider threats, whether the insiders are
gaining unauthorized access to data with malicious intent or are inadvertently sharing
or storing sensitive data via the cloud.

Data security in the cloud starts with identity governance. Organizations need a
comprehensive, consolidated view of data access across its on-premises and cloud platforms
and workloads. Identity governance provides:

• Visibility—the lack of visibility results in ineffective access control, increasing both

risks and costs.
• Federated access—this eliminates manual maintenance of separate identities by
leveraging Active Directory or another system of record.
• Monitoring—the enterprise needs a way to determine if the access to cloud data is
authorized and appropriate.

In addition to governance, other recommended data security safeguards for cloud computing
include:

Deploy encryption. Ensure that sensitive and critical data, such as PII and intellectual
property, is encrypted both in transit and at rest. Not all vendors offer encryption, and the
enterprise should consider implementing a third-party encryption solution for added protection.

Back up the data. While vendors have their own backup procedures, it’s essential to back up
cloud data locally as well. Use the 3-2-1 rule for data backup: Keep at least three copies, store
them on at least two different media, and keep at least one backup offsite (in the case of the
cloud, the offsite backup could be the one executed by the vendor).

Implement identity and access management (IAM). IAM technology and policies ensure
that the right people have appropriate access to data, and this framework needs to encompass
the cloud environment. Besides identity governance, IAM components include access
management (such as single sign-on, or SSO) and privileged access management.

Manage organizational password policies. Poor password hygiene is frequently the cause of
data breaches and other security incidents. Use password management solutions to make it
simple for employees and other end users to maintain secure password practices.

Adopt multi-factor authentication (MFA). In addition to using secure password practices,

MFA is a good way to mitigate the risk of compromised credentials. It creates an extra hurdle
that threat actors must overcome as they try to gain entry to cloud accounts.
Application Security

Today's applications are frequently available over multiple networks and connected to the
cloud, they are more vulnerable to security attacks and breaches. There is increasing pressure
and incentive to assure security not only at the network level but also within individual
applications. One explanation for this is because hackers are focusing their attacks on
applications more now than in the past. Application security testing can expose application-
level flaws, assisting in the prevention of these attacks.

The faster and earlier you can detect and resolve security concerns in the software development
process, the safer your company will be. Because everyone makes mistakes, the trick is to
identify them as soon as possible.

Application security tools that integrate with your development environment can make this
process and workflow much easier and more efficient. These tools are especially beneficial for
compliance audits, as they can save time and resources by detecting issues before the auditors
notice them. The changing nature of how enterprise applications are built over the last many
years has aided the rapid expansion of the application security industry.

Types of Application Security

Authentication, authorization, encryption, logging, and application security testing are all
examples of application security features. Developers can also use code to reduce security
flaws in applications.

Authentication

When developers include protocols in an application to ensure that only authorized users have
access to it. Authentication procedures verify that the user is who they claim to be. When
logging into an application, this can be performed by requiring the user to supply a user name
and password. Multi-factor authentication necessitates the use of multiple forms of
authentication, such as something you know (a password), something you have (a mobile
device), and something you are (a biometric).

Authorization

A user may be authorized to access and use the application after being authenticated. By
comparing the user's identification to a list of authorized users, the system may verify that the
user has permission to access the application. In order for the application to match only
validated user credentials to the approved user list, authentication must take place before
authorization.

Encryption
Other security measures can safeguard sensitive data from being seen or utilized by a
cybercriminal after a user has been verified and is using the application. Traffic containing
sensitive data that flows between the end-user and the cloud in cloud-based applications can
be encrypted to keep the data safe.

Logging

If a security breach occurs in an application, logging can assist in determining who gained
access to the data and how they did so. Application log files keep track of which parts of the
application have been accessed and by whom.

Application security can be divided into numerous categories:

• Static Application Security Testing (SAST): SAST aids in the detection of code flaws
by examining the application source files for the root cause. The ability to compare
static analysis scan results with real-time solutions speeds up the detection of security
problems, decreasing MTTR and enabling collaborative troubleshooting.

• Dynamic Application Security Testing (DAST): DAST is a more proactive approach,

simulating security breaches on a live web application to deliver precise information
about exploitable flaws. DAST is especially useful for detecting runtime or
environment-related errors because it evaluates applications in production.

• Interactive Application Security Testing (IAST): IAST combines parts of SAST and
DAST by performing analysis in real-time or at any moment during the development
or production process from within the application. IAST has access to all of the
application's code and components, allowing it to produce more accurate results and
provide more in-depth access than previous versions.

• Run-time Application Security Protection (RASP): RASP also works within the
application, but it is more concerned with security than with testing. RASP provides
continuous security checks and automatic responses to possible breaches, which
includes terminating the session and informing IT teams.

Different approaches will uncover different subsets of the application's security flaws, and
they'll be most effective at different stages of the development lifecycle. They all reflect the
various time, effort, cost, and vulnerability trade-offs.

• Design Review: The architecture and design of the application can be examined for
security flaws before code is created. The construction of a threat model is a popular
strategy used at this phase.

• White-box Security Review or Code Review: A security engineer delves into the
application by manually inspecting the source code and looking for security issues.
Vulnerabilities unique to the application can be discovered through understanding the
application.
 • Black-box Security Audit: This is accomplished solely through the use of an
application to test it for security flaws; no source code is necessary.

• Automated Tooling: Many security tools can be automated by including them in the
development or testing process. Automated DAST/SAST tools that are incorporated
into code editors or CI/CD systems are examples.

• Coordinated Vulnerability Platform: Many websites and software providers offer

hacker-powered application security solutions through which individuals can be
recognized and compensated for reporting defects.

Security issues with web applications range from large-scale network disruption to focused
database tampering. The following are some application security threats:

• A vulnerability known as cross-site scripting (XSS) allows an attacker to insert client-

side code into a webpage. This gives the attacker direct access to the user's sensitive
information.

• Remote attackers can use denial-of-service (DoS) and distributed denial-of-service

(DDoS) attacks to flood a targeted server or the infrastructure that supports it with
various types of traffic. This illegitimate traffic eventually prevents legitimate users
from accessing the server, causing it to shut down.

• SQL injection (SQLi) is a technique used by hackers to exploit database flaws. These
attacks, in particular, can reveal user identities and passwords, as well as enabling
attackers to edit or destroy data, as well as modify or create user rights.

• Hackers employ cross-site request forgery (CSRF) to mimic authorized users after
duping them into submitting an authorization request. Since their accounts have
additional permissions, high-level users are obviously frequent targets of this strategy,
and once the account is compromised, the attacker can remove, change, or destroy data.

• Memory corruption occurs when bad actors execute a variety of attacks on an

application, they end up unintentionally changing some area of its memory. As a result,
the software exhibits unexpected behaviour or fails.

• The buffer overflow occurs when malicious code is injected into the system's
designated memory region. Overflowing the buffer zone's capacity causes surrounding
areas of the application's memory to be overwritten with data, posing a security risk.

Virtual Machine Security

In Cloud Computing, where operators construct workloads and applications on-demand,

virtualized security enables security services and functions to move around with those on-
demand-created workloads. This is crucial for virtual machine security. It’s crucial to protect
virtualized security in cloud computing technologies such as isolating multitenant setups in
public cloud settings. Because data and workloads move around a complex ecosystem
including several providers, virtualized security’s flexibility is useful for securing hybrid and
multi-cloud settings.

Service Provider Security

The system’s virtualization hardware shouldn’t be physically accessible to anyone not
authorized. Each VM can be given an access control that can only be established through the
Hypervisor in order to safeguard it against unwanted access by Cloud administrators. The
three fundamental tenets of access control, identity, authentication, and authorization, will
prevent unauthorized data and system components from being accessed by administrators.
Hypervisor Security
The Hypervisor’s code integrity is protected via a technology called Hyper safe. Securing the
write-protected memory pages, expands the hypervisor implementation and prohibits coding
changes. By restricting access to its code, it defends the Hypervisor from control-flow
hijacking threats. The only way to carry out a VM Escape assault is through a local physical
setting. Therefore, insider assaults must be prevented in the physical Cloud environment.
Additionally, the host OS and the interaction between the guest machines need to be
configured properly.
Virtual Machine Security
The administrator must set up a program or application that prevents virtual machines from
consuming additional resources without permission. Additionally, a lightweight process that
gathers logs from the VMs and monitors them in real-time to repair any VM tampering must
operate on a Virtual Machine. Best security procedures must be used to harden the guest
OS and any running applications. These procedures include setting up firewalls, host
intrusion prevention systems (HIPS), anti-virus and anti-spyware programmers, online
application protection, and log monitoring in guest operating systems.
Guest Image Security
A policy to control the creation, use, storage, and deletion of images must be in place for
organizations that use virtualization. To find viruses, worms, spyware, and rootkits that hide
from security software running in a guest OS, image files must be analyzed.
Benefits of Virtualized Security
Virtualized security is now practically required to meet the intricate security requirements of
a virtualized network, and it is also more adaptable and effective than traditional physical
security.
• Cost-Effectiveness: Cloud computing’s virtual machine security enables
businesses to keep their networks secure without having to significantly raise their
expenditures on pricey proprietary hardware. Usage-based pricing for cloud-
based virtualized security services can result in significant savings for businesses
that manage their resources effectively.
• Flexibility: It is essential in a virtualized environment that security operations
can follow workloads wherever they go. A company is able to profit fully from
virtualization while simultaneously maintaining data security thanks to the
 protection it offers across various data centers, in multi-cloud, and hybrid-cloud
environments.
• Operational Efficiency: Virtualized security can be deployed more quickly and
easily than hardware-based security because it doesn’t require IT, teams, to set up
and configure several hardware appliances. Instead, they may quickly scale
security systems by setting them up using centralized software. Security-related
duties can be automated when security technology is used, which frees up more
time for IT employees.
• Regulatory Compliance: Virtual machine security in cloud computing is a
requirement for enterprises that need to maintain regulatory compliance because
traditional hardware-based security is static and unable to keep up with the
demands of a virtualized network.
Virtualization Machine Security Challenges
• As we previously covered, buffer overflows are a common component of classical
network attacks. Trojan horses, worms, spyware, rootkits, and DoS attacks are
examples of malware.
• In a cloud context, more recent assaults might be caused via VM rootkits,
hypervisor malware, or guest hopping and hijacking. Man-in-the-middle attacks
against VM migrations are another form of attack. Typically, passwords or
sensitive information are stolen during passive attacks. Active attacks could alter
the kernel’s data structures, seriously harming cloud servers.
• HIDS or NIDS are both types of IDSs. To supervise and check the execution of
code, use programmed shepherding. The RIO dynamic optimization
infrastructure, the v Safe and v Shield tools from VMware, security compliance
for hypervisors, and Intel vPro technology are some further protective solutions.

Four Steps to ensure VM Security in Cloud Computing

1. Protect Hosted Elements by Segregation

To secure virtual machines in cloud computing, the first step is to segregate the newly hosted
components. Let’s take an example where three features that are now running on an edge
device may be placed in the cloud either as part of a private subnetwork that is invisible or
as part of the service data plane, with addresses that are accessible to network users.

2. All Components are Tested and Reviewed

Before allowing virtual features and functions to be implemented, you must confirm that they
comply with security standards as step two of cloud-virtual security. Virtual networking is
subject to outside attacks, which can be dangerous, but insider attacks can be disastrous.
When a feature with a backdoor security flaw is added to a service, it becomes a part of the
infrastructure of the service and is far more likely to have unprotected attack paths to other
infrastructure pieces.
 3. Separate Management APIs to Protect the Network

The third step is to isolate service from infrastructure management and orchestration.
Because they are created to regulate features, functions, and service behaviors, management
APIs will always pose a significant risk. All such APIs should be protected, but the ones that
keep an eye on infrastructure components that service users should never access must also be
protected.

4. Keep Connections Secure and Separate

The fourth and last aspect of cloud virtual network security is to make sure that connections
between tenants or services do not cross over into virtual networks. Virtual Networking is
a fantastic approach to building quick connections to scaled or redeployed features, but
each time a modification is made to the virtual network, it’s possible that an accidental
connection will be made between two distinct services, tenants, or feature/function
deployments. A data plane leak, a link between the actual user networks, or a management
or control leak could result from this, allowing one user to affect the service provided to
another.

Identity and Access Management

IAM is a cloud service that controls the permissions and access for users and cloud resources.
IAM policies are sets of permission policies that can be attached to either users or cloud
resources to authorize what they access and what they can do with it.

Services that don’t expose any underlying infrastructure rely heavily on IAM for security. For
example, consider an application that follows this flow: a Simple Notification Service (SNS)
topic triggers a Lambda function, which in turn puts an item in a DynamoDB table. In this type
of application, there is no network to inspect, so identity and permissions become the most
significant aspects of security.

As an example of the impact of a strict (or over-permissive) IAM profile, let’s consider the
Lambda function. The function is only supposed to put items in the DynamoDB table. What
happens if the function has full DynamoDB permissions? If the function is compromised for
whatever reason, the DynamoDB table is immediately compromised as well, since the function
could be leveraged to exfiltrate data.

If the IAM profile follows the “least-privilege” principle and only allows the function to put
items in the table, the blast radius will be greatly reduced in the case of an incident. A hands-
on example of this can be found in this CNCF webinar.
Managing a large number of privileged users with access to an ever-expanding set of services
is challenging. Managing separate IAM roles and groups for these users and resources adds yet
another layer of complexity. Cloud providers like AWS and Google Cloud help customers
solve these problems with tools like the Google Cloud IAM recommender (currently in beta)
and the AWS IAM access advisor. These tools attempt to analyze the services last accessed by
users and resources, and help you find out which permissions might be over-privileged.

These tools indicate that cloud providers recognize these access challenges, which is definitely
a step in the right direction. However, there are a few more challenges we need to consider.

Identity and Access Challenges

IAM and SSO

Most businesses today use some form of single sign-on (SSO), such as Okta, to manage the
way users interact with cloud services. This is an effective way of centralizing access across a
large number of users and services. While using SSO to log into public cloud accounts is
definitely the best practice, the mapping between SSO users and IAM roles can become
challenging, as users can have multiple roles that span several cloud accounts.

Effective permissions
Considering that users and services have more than one permission set attached to them,
understanding the effective permissions of an entity becomes difficult.

Multi-cloud
According to RightScale, more than 84% of organizations use a multi-cloud strategy. Each
provider has its own policies, tools and terminology. There is no common language that helps
you understand relationships and permissions across cloud providers.

IAM is only one, albeit crucial, aspect of cloud security. Businesses must look at IAM as a part
of their overall security posture and add an integrated layer of security across their application
lifecycle. We’d be remiss if we didn’t mention that this is where a Cloud Native Security
Platform such as Prisma Cloud would come in handy.

Cloud providers deliver a great baseline for implementing a least-privileged approach to

permissions. As cloud adoption scales in your organization, the challenges mentioned above
and more will become apparent, and you might need to look at multi-cloud solutions to solve
them. As a starting point:
• Don’t use root accounts - Always create individual IAM users with relevant
permissions, and don’t give your root credentials to anyone.
• Adopt a role-per-group model - Assign policies to groups of users based on the
specific things those users need to do. Don’t “stack” IAM roles by assigning roles to
individual users and then adding them to groups. This will make it hard for you to
understand their effective permissions.
• Grant least-privilege - Only grant the least amount of permissions needed for a job,
just like we discussed with the Lambda function accessing DynamoDB. This will
ensure that if a user or resource is compromised, the blast radius is reduced to the one
or few things that entity was permitted to do. This is an ongoing task. As your
application is constantly changing, you need to make sure that your permissions adapt
accordingly.
• Leverage cloud provider tools - Managing many permission profiles at scale is
challenging. Leverage the platforms you are already using to generate least-privilege
permission sets and analyze your existing services. Remember that the cloud provider
recommendation is to always manually review the generated profiles before
implementing them.