Chapter 1: Introduction to Cloud Security
This book, Cloud Security Techniques and Best Practices, is meant for various audiences. You could be taking your first steps working with cloud services, or you could be coming from an IT perspective and want to know about various compute and storage services and how to configure them securely. Or, you might be working in information security and want to know the various authentication, encryption, and audit services and how to configure them securely, or you might be working with architecture and want to know how to design large-scale environments in the cloud in a secure way.
Reading this book will allow you to make the most of cloud services while focusing on security aspects. Before discussing cloud services in more detail, let me share my opinion regarding cloud services.
The world of IT is changing. For decades, organizations used to purchase physical hardware, install operating systems, and deploy software. This routine required a lot of ongoing maintenance (for patch deployment, backup, monitoring, and so on).
The cloud introduced a new paradigm – that is, the ability to consume managed services to achieve the same goal of running software (from file servers to Enterprise Resource Planning (ERP) or Customer Relationship Management (CRM) products), while using the expertise of the hyper-scale cloud providers.
Some well-known use cases of cloud computing are as follows:
- Netflix – one of the largest video streaming services worldwide. It uses AWS to run its media streaming services.
- Mercedes-Benz – one of the most famous automotive brands. It uses Azure to run its research and development.
- Home Depot – the largest home improvement retailer in the United States. It uses Google Cloud to run its online stores.
In this book, we will compare various aspects of cloud computing (from fundamental services such as compute, storage, and networking, to compliance management and best practices for building and maintaining large-scale environments in a secure way), while reviewing the different alternatives offered by Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
It does not matter which organization you are coming from – this book will allow you to have a better understanding of how to achieve security in any of the large hyper-scale cloud providers.
You do not have to read everything – simply find out which cloud provider is common at your workplace or which cloud provider you wish to focus on, and feel free to skip the rest.
In this chapter, we will cover the following topics:
- Why we need security
- Cloud service models
- Cloud deployment models
- The shared responsibility model
What is a cloud service?
As part of this introduction, let's define the terminology to make sure we are all on the same page.
The National Institute of Standards and Technology (NIST), in Special Publication 800-145, defines cloud computing as a model with the following five essential characteristics:
- On-demand self-service: Imagine you wish to open a blog and you need compute resources. Instead of purchasing hardware and waiting for the vendor to ship it to your office and having to deploy software, the easier alternative can be a self-service portal, where you can select a pre-installed operating system and content management system that you can deploy within a few minutes by yourself.
- Broad network access: Capabilities are available over the network and accessed through standard mechanisms from many kinds of clients (workstations, laptops, phones, and tablets). In practice, this also means the provider has enough network capacity (the kind that large Internet Service Providers (ISPs) have) to serve millions of end users with your application.
- Resource pooling: Consider having thousands of computers running in a large server farm, and being able to maximize their use (CPU, memory, and storage capacity) across many customers, instead of having a single dedicated server running at 10% CPU utilization.
- Rapid elasticity: Consider having the ability to increase and decrease the amount of compute resources (from a single server to thousands of servers, and then back to a single server), all according to your application or service needs.
- Measured service: Consider having the ability to pay for only the resources you consumed and being able to generate a billing report that shows which resources have been used and how much you must pay for the resources.
Further details relating to the NIST definition can be found in NIST Special Publication 800-145, The NIST Definition of Cloud Computing.
What are the cloud deployment models?
Now that we understand what the cloud characteristics are, let's talk about cloud deployment models:
- Private cloud: An infrastructure deployed and maintained for (and usually by) a single organization. Suppose we are a large financial organization (such as a bank or an insurance company) that needs to serve various internal departments (HR, IT, sales, and so on) and has regulatory requirements to keep customers' data on-premises. In that case, a private cloud can be a suitable solution.
- Public cloud: An infrastructure deployed and maintained by a service provider for serving multiple customers and organizations, mostly accessible over the internet. Naturally, this book will focus on the public cloud model, with reference to various services offered by AWS, Azure, and GCP.
- Hybrid cloud: A combination of a private cloud (or on-premises cloud) and at least one public cloud infrastructure. I like to consider the hybrid cloud as an extension of the local data center. We should not consider this extension as something separate, and we should protect it the same way we protect our local data center.
- Multi-cloud: A scenario where our organization is either using multiple managed services (see the definition of SaaS in the next section) or using multiple public cloud infrastructure (see the definitions of IaaS and PaaS in the next section).
What are the cloud service models?
An essential part of understanding clouds is understanding the three cloud service models:
- Infrastructure as a Service (IaaS): This is the most fundamental service model, where a customer can select the virtual machine size (in terms of the amount of CPU and memory), select a pre-configured operating system, and deploy software inside the virtual machine instance according to business needs (services such as Amazon EC2, Azure Virtual Machines, and Google Compute Engine).
- Platform as a Service (PaaS): This type of service model varies from managed database services to managed application services (where a customer can import code and run it inside a managed environment) and more (services such as AWS Elastic Beanstalk, Azure Web Apps, and Google App Engine).
- Software as a Service (SaaS): This is the most widely used service model – a fully managed software environment where, as a customer, you usually open a web browser, log in to an application, and consume services. These could be messaging services, ERP, CRM, business analytics, and more (services such as Microsoft Office 365, Google Workspace, Salesforce CRM, SAP SuccessFactors, and Oracle Cloud HCM).
Understanding the cloud service models will allow you to understand your role as a customer, explained later in the What is the shared responsibility model? section.
Why we need security
As mentioned previously, we can see clear benefits of using cloud services that enable our business to focus on what brings us value (from conducting research in a pharmaceutical lab, to selling products on a retail site, and so on).
But what about security? And, specifically, cloud security?
Why should our organization focus on the overhead called information security (and, in the context of this book, cloud security)?
The cloud has changed the paradigm of organizations controlling their data on-premises (from HR data to customers' data) and investing money in maintaining data centers, servers, storage, network equipment, and the application tier.
Using public clouds has changed the way organizations look at information security (in the context of this book, cloud security).
One common difference between on-premises solutions and the cloud concerns control: organizations are often unwilling to migrate to a public cloud for security reasons, because the physical servers are located outside the organization's direct control, and sometimes even outside its physical geography.
Here are a few questions often asked by organizations' management:
- Are my servers going to behave the same as if they were on-premises?
- How do I protect my servers outside my data center from a data breach?
- How do I know the cloud provider will not have access to my data?
- Do my employees have enough knowledge to work in new environments such as the public cloud?
Perhaps the most obvious question asked is – is the public cloud secure enough to store my data?
From my personal experience, the answer is yes.
By design, the hyper-scale cloud providers invest billions of dollars in protecting their data centers, building secure services, training their employees, and detecting and remediating security incidents quickly. This is far more investment, attention, and expertise than most organizations can dedicate to protecting their local data centers.
The reason for this is simple – if a security breach happens to one of the hyper-scale cloud providers, their customers' trust will be broken, and the cloud providers will go out of business.
Note, however, that this investment covers the provider's side of the shared responsibility model described later in this chapter. A misconfiguration on the customer's side (a publicly readable storage bucket, an over-privileged identity, a security group open to the internet) is not something the provider's security budget prevents, and such misconfigurations, not provider breaches, are behind most cloud security incidents.
At the end of the day, cloud security enables our organization to achieve (among other things) the following:
- Decreased attack surface: Using central authentication, encryption of data at rest and in transit, managed DDoS protection services, and more
- Compliance with regulation: Deploying environments according to documented best practices and proving it using the providers' audit logs and compliance reports
- Standardization and best practices: Enforcing a security baseline using automated tools and services rather than manual configuration
Reading this book will allow you to have a better understanding of various methods to secure your cloud environments – most of them using the cloud vendor's built-in services and capabilities.
What is the shared responsibility model?
When speaking about cloud security and cloud service models (IaaS/PaaS/SaaS), the thing that we all hear about is the shared responsibility model, which tries to draw a line between the cloud provider and the customer's responsibilities regarding security.
As you can see in the following diagram, the cloud provider is always responsible for the lower layers – from the physical security of their data centers, through networking, storage, host servers, and the virtualization layers:
Above the virtualization layer is where the responsibility begins to change.
When working with IaaS, we, as the customers, can select a pre-installed image of an operating system (with or without additional software installed inside the image), deploy our applications, and manage permissions to access our data.
When working with PaaS, we, as the customers, may have the ability to control code in a managed environment (services such as AWS Elastic Beanstalk, Azure Web Apps, and Google App Engine) and manage permissions to access our data.
When working with SaaS, we, as the customers, receive a fully managed service, and our responsibility narrows to what the provider cannot do for us: managing identities and permissions to access our data, configuring the service's security settings, and protecting the data itself and the devices used to reach it.
In the next sections, we will look at how the various cloud providers (AWS, Azure, and GCP) look at the shared responsibility model from their own perspective.
For more information on the shared responsibility model, you can check the following link: https://tutorials4sharepoint.wordpress.com/2020/04/24/shared-responsibility-model/.
AWS and the shared responsibility model
Looking at the shared responsibility model from AWS's point of view, we can see the clear distinction between AWS's responsibility for the security of the cloud (physical hardware and the lower layers such as host servers, storage, database, and network) and the customer's responsibility for security in the cloud (everything the customer controls – operating system, data encryption, network firewall rules, and customer data). The following diagram depicts AWS and the shared responsibility model:
As a customer of AWS, reading this book will allow you to gain the essential knowledge and best practices for using common AWS services (including compute, storage, networking, authentication, and so on) in a secure way.
More information on the AWS shared responsibility model can be found at the following link: https://aws.amazon.com/blogs/industries/applying-the-aws-shared-responsibility-model-to-your-gxp-solution/.
Azure and the shared responsibility model
Looking at the shared responsibility model from Azure's point of view, we can see the distinction between Azure's responsibility for its data centers (physical layers) and the customer's responsibility at the top layers (identities, devices, and customers' data). In the middle layers (operating system, network controls, and applications) the responsibility changes between Azure and the customers, according to various service types. The following diagram depicts Azure and the shared responsibility model:
As a customer of Azure, reading this book will allow you to gain the essential knowledge and best practices for using common Azure services (including compute, storage, networking, authentication, and others) in a secure way.
More information on the Azure shared responsibility model can be found at the following link: https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility.
GCP and the shared responsibility model
Looking at the shared responsibility model from GCP's point of view, we can see that Google emphasizes that it designs and builds its own hardware, which gives it control over the hardware, boot, and kernel layers of its platform, including storage-layer encryption, network equipment, and audit logging for everything Google is responsible for.
On the customer's side, there are many more layers to take care of, including everything from the guest operating system, network security rules, authentication, identity, and web application security, to things such as deployment, usage, access policies, and content (customers' data). The following diagram depicts GCP and the shared responsibility model:
As a customer of GCP, reading this book will allow you to gain the essential knowledge and best practices for using common GCP services (including compute, storage, networking, authentication, and more) in a secure way.
More information about the GCP shared responsibility model can be found at the following link: https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf.
As a customer, understanding the shared responsibility model allows you, at any given time, to understand which layers are under the cloud vendor's responsibility and which layers are under the customer's responsibility.
One of the things that makes cloud environments so powerful is the ability to control almost anything through an Application Programming Interface (API). The cloud providers' web consoles, command-line tools, and SDKs all call the same API under the hood, so anything you can click in the console you can also script, and every such call is recorded in the provider's audit log.
Most mature cloud providers have already published and maintain their own Command-Line Interface (CLI) to allow customers to perform actions in an easy and standard way.
An alternative to using the command line to interact with the cloud provider's API is using a Software Development Kit (SDK) – a method to control actions from your own code (from deploying a virtual machine to encrypting storage), to query information from a service (for example, checking whether audit logging is enabled for the customers logging in to my web application), and more.
Since this book doesn't require previous development experience, I will provide examples for performing actions using the command-line tools.
During various chapters of this book, I will provide you with examples of commands that will allow you to easily implement the various security controls over AWS, Azure, and GCP.
I highly recommend that you become familiar with those tools.
AWS CLI
The AWS CLI can be installed on Windows (64-bit), Linux (both x86 and ARM processors), macOS, and even inside a Docker container.
The AWS CLI documentation explains how to install the tool and provides a detailed explanation of how to use it.
The documentation can be found at https://aws.amazon.com/cli.
Azure CLI
The Azure CLI can be installed on Windows, Linux (Ubuntu, Debian, RHEL, CentOS, Fedora, openSUSE), and macOS.
The Azure CLI documentation explains how to install the tool and provides a detailed explanation of how to use it.
The documentation can be found at https://docs.microsoft.com/en-us/cli/azure.
Google Cloud SDK
The Google command-line tool (gcloud CLI) can be installed on Windows, Linux (Ubuntu, Debian, RHEL, CentOS, Fedora), and macOS.
The Google Cloud SDK documentation explains how to install the tool and provides a detailed explanation of how to use it.
The documentation can be found at https://cloud.google.com/sdk.
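The point of the three CLIs, for a security engineer, is that the customer's half of the shared responsibility model can be verified by querying the API rather than by trusting a console screenshot. The following script is an added example (it is not code from the book): it checks that audit logging, a control that is always on the customer's side, is actually switched on in each of the three providers. The commands quoted in the comments are the real CLI commands, but the JSON each function consumes is constructed sample output embedded inline so the script runs offline; the field names follow each CLI's documented JSON output and should be re-checked against the version you have installed.

```python
"""Verify that audit logging (a customer responsibility in all three clouds)
is enabled, using the JSON that the AWS, Azure and Google CLIs return.

Added example, not from the book. The CLI commands in the comments are real;
the JSON below is constructed sample output (assumption: field names match
the documented CLI output), not data captured from a live account.
"""
import json
import subprocess
from typing import Any

# $ aws cloudtrail describe-trails                  -> trailList
# $ aws cloudtrail get-trail-status --name <trail>  -> IsLogging
AWS_TRAILS = json.loads("""{"trailList": [
  {"Name": "org-trail", "IsMultiRegionTrail": true, "LogFileValidationEnabled": true},
  {"Name": "dev-trail", "IsMultiRegionTrail": false, "LogFileValidationEnabled": false}
]}""")
AWS_TRAIL_STATUS = {"org-trail": {"IsLogging": True}, "dev-trail": {"IsLogging": False}}

# $ az monitor diagnostic-settings subscription list
# (the Azure activity log itself is always collected; the question is whether
#  it is exported to a workspace or storage account for retention)
AZURE_SUB_DIAG = json.loads("""{"value": [
  {"name": "export-activity-log",
   "logs": [{"category": "Administrative", "enabled": true},
            {"category": "Security", "enabled": false}]}
]}""")

# $ gcloud projects get-iam-policy <project> --format=json   -> auditConfigs
GCP_POLICY = json.loads("""{"auditConfigs": [
  {"service": "allServices",
   "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]}
]}""")


def aws_audit_ok(trails: dict[str, Any], status: dict[str, dict[str, Any]]) -> list[str]:
    """Return the trails that are multi-region, currently logging and have
    log-file integrity validation on. An empty list means no trail is good enough."""
    good = []
    for trail in trails.get("trailList", []):
        st = status.get(trail["Name"], {})
        if (trail.get("IsMultiRegionTrail") and trail.get("LogFileValidationEnabled")
                and st.get("IsLogging")):
            good.append(trail["Name"])
    return good


def azure_audit_ok(settings: dict[str, Any]) -> bool:
    """True if at least one subscription-level diagnostic setting exports the
    Administrative category of the activity log (who changed what)."""
    for setting in settings.get("value", []):
        for log in setting.get("logs", []):
            if log.get("category") == "Administrative" and log.get("enabled"):
                return True
    return False


def gcp_missing_data_access(policy: dict[str, Any]) -> list[str]:
    """Data Access audit logs are off by default in GCP (Admin Activity logs
    are always on). Return the log types not enabled for allServices."""
    wanted = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}
    enabled: set[str] = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == "allServices":
            enabled |= {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    return sorted(wanted - enabled)


def run_cli(args: list[str]) -> dict[str, Any]:
    """Run a real CLI command and parse its JSON output. Use this to feed the
    checks above from a live account instead of the sample data, e.g.
    aws_audit_ok(run_cli(["aws", "cloudtrail", "describe-trails"]), ...)."""
    return json.loads(subprocess.check_output(args, text=True))


if __name__ == "__main__":
    print("AWS trails meeting the bar:", aws_audit_ok(AWS_TRAILS, AWS_TRAIL_STATUS))
    print("Azure activity log exported:", azure_audit_ok(AZURE_SUB_DIAG))
    print("GCP Data Access log types missing:", gcp_missing_data_access(GCP_POLICY))
```

With the sample data, only `org-trail` passes the AWS check, the Azure subscription does export the Administrative category, and GCP is missing `DATA_READ`. The three checks deliberately ask different questions, because the defaults differ: AWS records management events only once a trail exists, Azure collects the activity log but keeps it for a limited time unless exported, and GCP logs admin activity by default but not data access. The same script is also the sort of control that Chapter 1's "standardization and best practices" bullet refers to: run it on a schedule and the answer no longer depends on someone remembering to look.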
Summary
In the first chapter of this book, we learned the definition of a cloud, the different cloud deployment models, and the different cloud service models.
We also learned what the shared cloud responsibility model is, and how AWS, Azure, and GCP look at this concept from their own point of view.
Lastly, we had a short introduction to the AWS, Azure, and GCP built-in command-line tools, and, during the next chapters, I will provide you with examples of how to implement various tasks using the command-line tools.
This introduction will be referred to in the following chapters, where we will dive deeper into the best practices for securing cloud services using (in most cases) the cloud providers' built-in capabilities.
Securing cloud environments can be challenging, depending on your previous knowledge of IT, information security, or cloud services in general.
Reading this book will assist you in gaining the necessary knowledge of how to secure cloud environments, regardless of your role in the organization or your previous experience.
In the next chapter, we will review the various compute services in the cloud (including virtual machines, managed databases, container services, and finally serverless services).