📒3. Cloud Identity, Security, and Compliance
Last updated
Last updated
📕 Learning Objectives
Basics aspects of managing cloud resources and related tasks
Cloud access control fundamentals
Securing cloud resources involves implementing measures and best practices to protect data, applications and infrastructure deployed in a cloud environment from unauthorized access, data breaches and other security threats. Cloud security is a shared responsibility between the cloud service provider (CSP) and the cloud user (customer).
| Cloud Architecture | e.g. Responsibility for IaaS | e.g. Responsibility for PaaS |
|---|---|---|
Workload | User | User |
Services | User | CSP |
Virtual Machines | User | CSP |
Control Plane | CSP | CSP |
Virtualization | CSP | CSP |
Physical Infrastructure | CSP | CSP |
Physical Facility | CSP | CSP |
From a security standpoint, the responsibility depends on what level of service is used.
At the level of data plane and control plane (tools, consoles, CLI, SDK), securing cloud resources is important and IAM is a key aspect of it.
Identity protection
Strong authentication mechanisms
Control access
Data encryption
Network security
Patching and updates
Security measures must be applied to both the data and the control plane.
Defense in depth (layered security) is a principle and strategy in cloud security that involves implementing multiple layers of security controls and measures to protect cloud resources from various threats and attacks.
Robust and resilient posture
Mitigate the risk of a single security control
Public Network (Perimeter)
Public firewall, DDos Prevention, IDS/IPS, etc
Local Network
nACL, Device Hardening, Monitoring, etc
Operating System (Endpoint)
Hardening, Patching, Endpoint Protection, Monitoring, etc
Service (Application)
Hardening, Patching, Monitoring, Vuln Scanning, Testing, etc
Workload
Authentication, Authorization, Auditing, Data access control, Monitoring, Encryption (in transit & at rest), MFA, etc
Cloud platform attacks refer to security incidents and vulnerabilities that specifically target cloud computing platforms.
🔗 Top 10 Cloud Attacks and What You Can Do About Them - aquasec.com
Identities - SaaS, Cloud Platform, Data plane identities
e.g. - administrator Azure AD credentials/identities
Data
e.g. - AWS S3 bucket, or relational/non-relational data
Services - SaaS, Control plane services, Compute instance
e.g. - emails, automation (API), EC2
Misconfiguration - intentional or unintentional
e.g. - Publicly available data stores or services (DBs, public API, etc)
Account hijacking
e.g. - Brute force, Password spraying, Credentials stuffing
Service hijacking
e.g. - Insecure API Keys
Malware injection
e.g. - compromised web app, API compromised bad code, infected VM, code repositories (open-source libraries)
Providers naming: AWS/GCP IAM, Azure AD
Users - Cloud User, Guest User, External/Hybrid User (Federated Systems)
minimize privileged admin/root (cloud subscription account) user access
create groups and use dynamic management
security assessments and auditing user configuration
apply least required rights concept (POLP)
Resources
apply least privileges and audit resource access & review
use dynamic access policies
separate control plane and data plane access
e.g. It can be useful to organize user identities into a flow like this:
User identity/credentials (Access management)
⬇️
Group
⬇️
Role
⬇️
Resource
📌 CSPs Identity Management
Users, Roles, Policies
🔗 Azure AD
Users, Service Principals, Managed Identities, Roles
Google Account, Service Account, Role, Policy
All the CSPs have identity protection services like
AWS CloudTrail, Trusted Advisor
Azure Identity Protection and AD Logs
Google Cloud Identity, Advanced Protection Program, Security Key
e.g. Account & Login vulnerabilities:
weak passwords, leaked credentials, threat intelligence
location/IP anomalies, password spraying, brute force attacks
📌 Best practices for accessing and managing cloud resources and users:
use strong authentication (MFA) & enforce strong password policies
implement role-based/conditional access control
monitor user activities & review user permissions/config
use secure connection protocols & data encryption
implement network segmentation
regular systems patching & users training
audit unused accounts
Revoke the permissions for the compromised identity and isolate it
Reset identities (session tokens, API & access keys)
Review what happened and determine impact with IT and business colleagues
Remediate and fix it, improve processes and plan of action, report
Return to operating state and monitor
There are many types of cloud data like
files, relational/non-relational databases (managed, proprietary, IaaS), big data, sensitive data
Protecting cloud data at rest involves implementing mechanisms to ensure the confidentiality, integrity and availability of data even when it is not actively being accessed or transmitted.
network controls and permissions
encryption, hardware security module
backup, replication
Protecting cloud data in transit involves security measures and protocols to safeguard data transmitted across networks.
encryption (always) through secure communication protocols
Hardware security modules (HSM)
📌 Best practices for cloud data protection:
Access controls - limit access to resource, data, network
Encryption - at rest, in transit, end-to-end
Backup and Recovery
Regular security Audits and assessments
The cloud provider ensures network and (virtualized and physical) infrastructure protection through DDoS protection and general threat protection.
The physical connection between the cloud resources of one customer and those of another is handled by the cloud vendor. The customer is responsible for the physical network between their cloud resources.
At tenant level, there are some layers to protect and that the customer is responsible for, such as:
Network ACL - Subnet level
Security Group - EC2 level
PrivateLink - establish private connectivity between Virtual Private Clouds and supported services.
Network Security Group - Subnet & Instance level
Firewall Rule - VPC, Subnet, VM Level
Additional network security services:
AWS - Shield, Web Application Firewall (WAF), GuardDuty
Azure - Firewall, App Gateway, FrontDoor
Google - Cloud Armor
📌 Best practices for cloud network protection:
leverage cloud provider tools and limit public attack surface
check firewall rules and don't open ports globally
monitor, setup alerts for abnormal usage and have a playbook for this kind of activity
Infrastructure compute protection involves
patch management
IaaS - automated OS patching (AWS, Azure) & service
resource protection
OS hardening (run only required services, with most secure settings)
monitoring (logs)
attack surface minimization (block ports).
availability (multiple instances)
Platform compute protection involves the cloud provider to secure the services and operating system of the running application
custom options can also be set up by the customer
PaaS - always patched by the CSP
Confidential computing enables the execution of workloads while keeping the data and code confidential, protecting them from the cloud service provider, other tenants and potential attackers, unauthorized data access, inside a trusted isolated execution environment (application enclave).
Confidential compute requires specific compute instance sizes and hardware
🔗 Azure Confidential Computing
Monitoring is a built-in feature into the cloud platform.
3rd party agent monitoring can also be used
Cloud Regulatory Compliance refers to the adherence to specific laws, regulations and industry standards that govern the protection, privacy and security of data and systems within the cloud computing environment. Organizations that operate in regulated industries or handle sensitive data are required to comply with various legal and industry-specific requirements and frameworks.
Key aspects:
data protection regulations (GDPR, CCPA, HIPAA)
security standards (PCI DSS, ISO 27001, NIST CyberSec framework
data residency and vendor due diligence
audit and reporting
incident response
data backup and retention
CSP Regulatory Support
📌 Tools
📌 Documentation
Tenant Responsibilities
Since the customer is responsible for cloud services compliance, he should
understand customer compliance requirements and document provider compliance with regulations
implement customer responsibilities
use provider tools to maintain compliance
Common Protected Data
Protected data refers to sensitive information that requires special safeguards and security measures to ensure its confidentiality, integrity and availability.
PII (Personally Identifiable Information) - individual data
PHI (Protected Health Information) - healthcare
Financial Data - sensitive banking information (PII, PCI-DSS)
IP (Intellectual Property) - inventions, patents, copyrights, business plans
Legal & Compliance Data
Confidential Business Data & business reputation
Regional Considerations
GDPR-EU (General Data Protection Regulation)
etc
🔗 HIPAA Reference Architecture on AWS
Under the HIPAA regulations, cloud service providers (CSPs) such as AWS are considered business associates
