☁️Cloud Computing Architecture Unit 5 – Cloud Security & Compliance

Cloud security is a critical aspect of modern computing, focusing on protecting data, applications, and infrastructure in cloud environments. Key concepts include confidentiality, integrity, availability, authentication, and authorization, which form the foundation of robust security measures. Cloud systems face various threats, including data breaches, insider threats, and denial-of-service attacks. To mitigate these risks, organizations implement comprehensive security architectures, identity and access management solutions, and data protection strategies, while adhering to compliance standards and industry best practices.

Study Guides for Unit 5

5.1

Identity and access management (IAM)

10 min read

5.2

Data protection and privacy

13 min read

5.3

Compliance standards (HIPAA, GDPR, PCI-DSS)

9 min read

5.4

Security monitoring and incident response

11 min read

5.5

Shared responsibility model

9 min read

Key Concepts in Cloud Security

  • Cloud security involves protecting data, applications, and infrastructure associated with cloud computing systems
  • Confidentiality ensures that data is accessible only to authorized users and systems
    • Achieved through access controls, encryption, and secure communication protocols (HTTPS, SSL/TLS)
  • Integrity guarantees that data remains accurate, complete, and unaltered throughout its lifecycle
    • Maintained using checksums, digital signatures, and version control
  • Availability ensures that data and services are accessible to authorized users when needed
    • Achieved through redundancy, failover mechanisms, and load balancing
  • Non-repudiation prevents entities from denying their actions or transactions
    • Supported by digital signatures, timestamps, and audit trails
  • Authentication verifies the identity of users, devices, or systems attempting to access resources
    • Implemented using passwords, biometric data, or multi-factor authentication (MFA)
  • Authorization grants or denies access to resources based on authenticated identities and predefined policies
    • Enforced through access control lists (ACLs), role-based access control (RBAC), or attribute-based access control (ABAC)

Cloud Security Threats and Vulnerabilities

  • Data breaches occur when unauthorized individuals gain access to sensitive or confidential information
    • Can result from weak access controls, unpatched vulnerabilities, or social engineering attacks (phishing)
  • Insider threats originate from malicious or negligent employees, contractors, or partners with legitimate access to cloud resources
    • Mitigated through strict access controls, monitoring, and employee training
  • Denial-of-service (DoS) attacks overwhelm cloud services with traffic, making them unavailable to legitimate users
    • Defended against using firewalls, intrusion prevention systems (IPS), and content delivery networks (CDNs)
  • Insecure APIs and interfaces can be exploited by attackers to gain unauthorized access or manipulate data
    • Addressed by implementing strong authentication, authorization, and input validation
  • Misconfiguration of cloud services, such as open ports or default passwords, can lead to vulnerabilities
    • Prevented through regular security audits, automated configuration management, and adherence to best practices
  • Insufficient due diligence when selecting and managing cloud service providers (CSPs) can introduce risks
    • Mitigated by conducting thorough vendor assessments, reviewing service level agreements (SLAs), and monitoring CSP security practices
  • Shared technology vulnerabilities arise from the multi-tenant nature of cloud computing
    • Addressed through proper isolation of resources, patch management, and regular vulnerability assessments

Security Architecture for Cloud Systems

  • Security architecture encompasses the design, implementation, and maintenance of security controls and processes within a cloud environment
  • Defense-in-depth strategy employs multiple layers of security controls to protect against various threats
    • Includes firewalls, intrusion detection/prevention systems (IDS/IPS), and encryption at different levels (network, application, data)
  • Zero-trust security model assumes that no user, device, or network should be inherently trusted
    • Requires continuous authentication, authorization, and monitoring of all entities accessing cloud resources
  • Micro-segmentation divides the cloud environment into smaller, isolated security zones
    • Enables granular access control and containment of potential breaches
  • Secure access management ensures that only authorized users and devices can connect to cloud resources
    • Achieved through virtual private networks (VPNs), multi-factor authentication (MFA), and single sign-on (SSO)
  • Continuous monitoring and logging of cloud activities help detect and respond to security incidents
    • Utilizes security information and event management (SIEM) tools and security orchestration, automation, and response (SOAR) platforms
  • Incident response and disaster recovery plans outline procedures for handling security breaches and ensuring business continuity
    • Regularly tested and updated to maintain effectiveness

Identity and Access Management in the Cloud

  • Identity and Access Management (IAM) is a framework for managing user identities, authentication, and authorization in the cloud
  • Centralized identity management consolidates user identities across multiple cloud services and applications
    • Enables consistent access control policies and reduces administrative overhead
  • Single sign-on (SSO) allows users to access multiple cloud services with a single set of credentials
    • Improves user experience and reduces password fatigue
  • Multi-factor authentication (MFA) requires users to provide two or more forms of identification to access cloud resources
    • Enhances security by combining factors such as passwords, biometric data, or hardware tokens
  • Role-based access control (RBAC) grants access to resources based on a user's role within the organization
    • Simplifies access management and ensures that users have only the permissions necessary to perform their job functions
  • Attribute-based access control (ABAC) grants access based on attributes associated with users, resources, and environment
    • Enables more fine-grained and dynamic access control policies
  • Privileged access management (PAM) controls and monitors access to sensitive or critical cloud resources
    • Includes secure storage of privileged credentials, session recording, and just-in-time access provisioning
  • Regular access reviews and audits help maintain the principle of least privilege and identify unnecessary or outdated permissions

Data Protection and Encryption

  • Data protection and encryption are essential for safeguarding sensitive information in the cloud
  • Data classification categorizes data based on its sensitivity and criticality
    • Helps determine appropriate security controls and access restrictions for each data type
  • Encryption converts data into an unreadable format using mathematical algorithms and encryption keys
    • Protects data confidentiality and integrity both at rest and in transit
  • Symmetric encryption uses the same key for both encryption and decryption
    • Provides fast and efficient encryption for large datasets (Advanced Encryption Standard (AES))
  • Asymmetric encryption, or public-key cryptography, uses a pair of keys: a public key for encryption and a private key for decryption
    • Enables secure communication and digital signatures (RSA, Elliptic Curve Cryptography (ECC))
  • Key management involves the secure generation, storage, distribution, and rotation of encryption keys
    • Utilizes hardware security modules (HSMs) or key management services (KMS) to protect keys
  • Tokenization replaces sensitive data with a unique, randomly generated token
    • Reduces the risk of data exposure and simplifies compliance with data protection regulations (Payment Card Industry Data Security Standard (PCI DSS))
  • Data loss prevention (DLP) solutions monitor, detect, and prevent unauthorized data exfiltration
    • Enforce policies based on data classification and user behavior analysis

Compliance Standards and Regulations

  • Compliance standards and regulations set requirements for protecting sensitive data and ensuring the security of cloud environments
  • General Data Protection Regulation (GDPR) is a European Union (EU) regulation that governs the collection, processing, and storage of personal data
    • Requires data controllers and processors to implement appropriate technical and organizational measures to protect personal data
  • Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes standards for protecting sensitive patient health information
    • Mandates the implementation of physical, technical, and administrative safeguards for electronic protected health information (ePHI)
  • Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for organizations that handle credit card data
    • Prescribes controls for network security, data protection, access management, and vulnerability management
  • ISO/IEC 27001 is an international standard for information security management systems (ISMS)
    • Provides a framework for implementing, maintaining, and continually improving an organization's information security practices
  • Service Organization Control (SOC) reports provide assurance about a service provider's internal controls and security practices
    • SOC 2 reports focus on the trust services criteria of security, availability, processing integrity, confidentiality, and privacy
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is a set of security controls and best practices for cloud computing
    • Helps organizations assess the security posture of their cloud environments and align with industry standards
  • Compliance as Code (CaC) automates the implementation and validation of compliance controls through software development practices
    • Enables continuous compliance monitoring and reduces the risk of human error

Cloud Security Best Practices

  • Implement a strong password policy that requires complex passwords and regular password changes
    • Enforce password length, complexity, and expiration requirements
  • Enable multi-factor authentication (MFA) for all user accounts, especially those with administrative privileges
    • Use a combination of factors, such as passwords, biometric data, or hardware tokens
  • Apply the principle of least privilege, granting users only the permissions necessary to perform their job functions
    • Regularly review and revoke unnecessary permissions
  • Encrypt data both at rest and in transit using industry-standard encryption algorithms and protocols
    • Use encryption for data stored in databases, file systems, and backups, as well as data transmitted over networks
  • Implement network segmentation to isolate sensitive resources and limit the impact of potential breaches
    • Use virtual private clouds (VPCs), subnets, and network access control lists (ACLs) to control traffic between resources
  • Regularly patch and update operating systems, applications, and security tools to address known vulnerabilities
    • Automate patch management processes to ensure timely and consistent updates
  • Conduct regular security assessments, including vulnerability scans and penetration tests, to identify and remediate weaknesses
    • Engage third-party security experts to provide an independent evaluation of the cloud environment
  • Develop and test incident response and disaster recovery plans to minimize the impact of security incidents and ensure business continuity
    • Establish clear roles, responsibilities, and communication channels for incident response teams
  • Confidential computing protects data in use by performing computations within secure enclaves
    • Utilizes hardware-based technologies, such as Intel Software Guard Extensions (SGX) or AMD Secure Encrypted Virtualization (SEV)
  • Secure Access Service Edge (SASE) converges network and security functions into a single, cloud-delivered service
    • Combines software-defined wide area networking (SD-WAN), secure web gateway (SWG), cloud access security broker (CASB), and zero-trust network access (ZTNA)
  • Zero-trust architecture (ZTA) assumes that no user, device, or network should be inherently trusted
    • Requires continuous authentication, authorization, and monitoring of all entities accessing cloud resources
  • AI-driven security solutions leverage machine learning and artificial intelligence to detect and respond to threats
    • Analyze user behavior, network traffic, and system logs to identify anomalies and potential security incidents
  • Blockchain technology enables secure, decentralized, and tamper-proof record-keeping
    • Potential applications include identity management, data integrity verification, and smart contracts
  • Quantum computing poses a long-term threat to current encryption algorithms
    • Research into post-quantum cryptography aims to develop encryption methods that are resistant to quantum attacks
  • DevSecOps integrates security into the software development lifecycle, making security a shared responsibility
    • Embeds security controls and testing into the continuous integration and continuous deployment (CI/CD) pipeline
  • Cloud security posture management (CSPM) tools continuously monitor and assess the security configuration of cloud environments
    • Identify misconfigurations, policy violations, and compliance gaps, and provide remediation guidance
Fiveable
About Us
About FiveableBlogCareersTestimonialsCode of ConductTerms of UsePrivacy PolicyCCPA Privacy Policy
Resources
Cram ModeAP Score CalculatorsStudy GuidesPractice QuizzesGlossaryCrisis Text LineRequest a Feature
Stay Connected
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.
About Us
About FiveableBlogCareersTestimonialsCode of ConductTerms of UsePrivacy PolicyCCPA Privacy Policy
Resources
Cram ModeAP Score CalculatorsStudy GuidesPractice QuizzesGlossaryCrisis Text LineRequest a Feature
© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.
Back
Practice QuizGlossary
Practice QuizGlossary
Next guide