Foundations of Cloud Security

Security empowers innovation. If you put security first, everything else will follow. Designing for security is pervasive throughout the cloud infrastructure that services run on. This is vital to adopt a foundations of cloud security at the first steps of your cloud journey. Security is always paramount!

Countless companies and governments have lost data because of security incidents. Just one such breach could cost millions in fines and lost business—and more importantly, the loss of customer trust. As a result, security is increasingly becoming a high priority for CEOs and Boards of Directors.

Unfortunately, many organizations do not have access to the resources needed to implement state-of-the-art security controls and techniques. All of cloud providers have invested heavily in its technical infrastructure and has hundreds of dedicated engineers to provide a secure and robust platform. Deploying your systems on a Cloud allows you to leverage that same infrastructure and can help you secure your services and data through the entire information processing lifecycle, including:

• Secure deployment of services
• Secure storage of data
• Secure communications between services
• Safe operation by administrators

Cloud services are built on secure infrastructure. User benefits from running on top of all of this secure infrastructure, which highlights how Cloud is designed for security from the bottom up. It’s not enough to build something and try to make it secure after the fact. Security should be fundamental to all designs, not bolted on to an old paradigm. That’s why we build security through progressive layers that are integrated from the ground up.

Cloud delivers true defense in depth, meaning our cloud infrastructure doesn’t rely on any one technology to make it secure. Let’s talk about a few of security layers, starting at the bottom and working our way up:

Secure low level infrastructure

Cloud infrastructure designs and builds provider’s own data centers, which incorporate multiple layers of physical security protections. Access to these data centers is limited to only a very small fraction of employees. Both the server boards and the networking equipment in data centers are custom-designed by cloud provider. They also design custom integrated circuits, including a hardware security chip called Titan that’s currently being deployed on both servers and peripherals.

Notes:

• State-of-the-art data centers
• Security of physical premises
• Hardware design and provenance
• Secure boot stack and machine identity

Secure service deployment

Cloud’s infrastructure provides cryptographic privacy and integrity for remote procedure call (“RPC”) data on the network, which is how cloud services
communicate with each other. The infrastructure automatically encrypts RPC traffic in transit between data centers. To help ensure that code is secure as possible, It stores its source code centrally and requires two-party review of new code.

Notes:

• Service identity, integrity, and isolation
• Inter-service access management
• Encryption of inter-service communication
• Access management of end-user data

Secure data storage

In a Cloud, all data is encrypted at rest by default – without any need for you to configure or enable anything. This default encryption leverages provider-managed encryption keys, but also supports customer owned:

• Customer Managed Encryption keys, where you can manage your own encryption keys with a Key Management Service (KMS).
• And Customer Supplied Encryption keys, where you can provide and manage your own keys.

Cloud infrastructure meticulously tracks the location and status of all equipment within our data centers from acquisition, to installation, to retirement, to destruction. Metal detectors and video surveillance are implemented to help make sure no equipment leaves the data center floor without authorization.

When a hard drive is retired, the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multi-stage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility.

Notes:

• Encryption at rest
• Hardware tracking and disposal
• Deletion of data

Secure internet communication

Cloud services that want to make themselves available on the Internet register themselves with an global frontend infrastructure service. It checks incoming network connections for correct certificates, best practices, strong encryption, and adds protection against Denial of Service attacks.

The sheer scale of its infrastructure enables to simply absorb many Denial of Service attacks. Even behind the global frontend, it also has multi-tier, multi-layer Denial of Service protections that further reduce the risk of any DoS impact. Cloud customers can take advantage of this extra protection by using the Cloud Load Balancer, which we’ll cover in more detail in a later module.

Cloud also offers customers additional transport encryption options for connecting on-premises resources to the cloud. These options are Cloud VPN for establishing IPSec connections, and Cloud Interconnect for highly available, low latency connections.

Notes:

• Global Front End service
• Denial of Service (DoS) protection
• User authentication
• Load balancing

Operational security

Any cloud provider has created a thriving security culture for all employees. The influence of this culture is apparent during the hiring process, employee onboarding, and as a part of ongoing training and in company-wide events to raise awareness. There are always priorities keeping employees and their devices and credentials safe. It is keen on reducing insider risk and intrusion detection as well.

Notes:

• Safe software development
• Keeping employee devices and credentials safe
• Reducing insider risk
• Intrusion detection

VPC network security

In addition to the security provided by the infrastructure, there are a few Cloud specific items that help provide security at the cloud resource level. Virtual Private Cloud or VPC networking provides the ability to logically isolate networks when you define your resources. You can also control all network ingress and egress traffic to any resource on these networks via firewall rules. These concepts and a many more will be discussed in detail in a later module.

Notes:

• Define your resources on a logically isolated network.
• Control public internet ingress and egress traffic via firewall rules.

Operational monitoring

Logging and monitoring are the cornerstones of application and network security operations.

Monitoring and logging enables application analysis, network forensics, access patterns, performance profiling, and more.

Without monitoring it is very difficult to know exactly what is happening or when incidents occur. Monitoring and logging are also needed to help identify security or operational risks to your organization.

Cloud logging framework allows you to store, search, analyze, monitor, and trigger alerts on log data and events from Cloud. Our API also allows ingestion of any custom log data from any other source.

Cloud logging and monitoring is always fully managed service that performs at scale and can ingest application and system log data from thousands of VMs. Even better, you can analyze all that log data in real time. Combined with the powerful visualization tools, Cloud logging helps identify trends and prevent issues before they happen. The error reporting and trace tools help to quickly locate and fix problems in production systems.

Notes:

• Logging and monitoring are the cornerstones of application and network security operations.
• Every cloud provider enables debugging, monitoring, and diagnostics for applications that run on their infrastructure.

Regulatory compliance

Another facet of security today is the need to ensure regulatory compliance, which involves much more than just making use of encryption and firewalls – you also need data protection and compliance with a variety of regulatory standards. Our products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards to earn your trust. We are constantly working to expand our coverage.

As you have seen, Cloud provides many security controls automatically. When implementing systems correctly on Cloud, leveraging these aspects can reduce the IT Security resources required, and help drastically reduce the total cost of ownership.

While compliance requirements are a facet of security, they are not one and the same thing. Compliance is very much specific to individual environments and industries. While this will not be covered at length in this course, check out some of the great links in the speaker notes of this module to learn more about Cloud’s compliance posture.

Notes:

• Security in the cloud is much more than encryption and firewalls.
• Requires data protection and compliance with a variety of regulatory standards for independent third-party certifications, such as:
  • GDPR
  • PCI-DSS
  • HIPAA
  • FedRamp, etc.
• Compliance and security are not the same thing!
• Compliance is specific to individual environments and industries.

Lear more about security in cloud with our #CyberTechTalk WIKI and follow our previous posts.

Be an ethical, save your privacy!