This document provides an introduction to cloud security. It discusses the shared responsibility model of cloud security between customers and providers for different cloud service models like IaaS, PaaS, and SaaS. It outlines some common cloud security risks like data leakage, malware injections, DDoS attacks, and insecure APIs. The document then defines cloud security and discusses key questions around responsibility, fortification, and controls. It introduces the NIST Cybersecurity Framework as an important resource for managing cyber risks and provides additional resources for researching cloud providers' security programs and NIST guidelines on cloud computing security and privacy.
2. Agenda
Why Cloud?
Security Implications of Cloud Service and Deployment Models
Cloud Security Risks and Threats (A Sampler)
What is Cloud Security?
NIST Cybersecurity Framework
Additional Resources
3. W hy Cloud?
Scalability Pay as you go Resource sharing
Collaboration/
mobility
Competitiveness
5. The Shared Responsibility of Cloud Security
On-Premises
Infrastructure as a
Service (IaaS)
Platform as a
Service
(PaaS)
Software as a
Service
(SaaS)
User Access User Access User Access User Access
Data Data Data Data
Applications Applications Applications Applications
Operating System Operating System Operating System Operating System
Network Traffic Network Traffic Network Traffic Network Traffic
Hypervisor Hypervisor Hypervisor Hypervisor
Infrastructure Infrastructure Infrastructure Infrastructure
Physical Physical Physical Physical
White –Customer Responsibility Shaded –Cloud Provider Responsibility
6. Cloud Deployments Models
Hybrid Private
Cloud security
responsibility
completely
owned by client
Shared cloud
security
responsibility
between client and
cloud provider
Cloud security
retained by cloud
provider; no
client control
Public
7. M ulticloud Lack of Visibility
Most US based enterprises are using at least two public cloud providers. This approach
adds even more security complexity.
Source: Cisco
8. Data Leakage
Data is no longer under
your control
Loss of confidentiality
Data Loss
Data Damage
A correct copy of the
data is no longer
available
Compromise of integrity
or availability
9. M alware Injections
The attacker attempts to inject an
implementation of a malicious service
or virtual machine into the cloud.
Source: F5
10. Distributed Denial of Service
(DDoS)
These types of attacks cause the
availability of data or services to go
down because of an overload of
traffic to the server.
Source: F5
12. Containerization
With the wide adoption of
container-based applications,
systems became more complex
and security risks increased.
Source: Devopedia
13. W hat Is Cloud Security?
CLOUD
Policies, procedures and tools used to protect data,
applications and networks in cloud environments.
14. K ey Questions
RESPONSIBILITY FORTIFICATION CONTROLS
What is my
responsibility?
How do I secure
my cloud
environment?
What security
controls work
best?
15. NIST Cybersecurity
Framework
Established in 2014
M ain goals:
■ H elp manage cyber risks
■ Provide a “common language” for
discussing cyber risks
■ H elp create and assess and
improve cybersecurity
programs
16
21. Best Practices
• Research Your Cloud Service Provider’s Security Program
• Read Your Cloud Services Provider’s Terms of Use
• Utilize NIST’s Cybersecurity Framework
• Prevent, detect and respond to cyberattacks - nist.gov/cyberframework
• Utilize NIST’s Guidelines on Security and Privacy in Public Cloud
Computing
• nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
22. Additional Resources
■ NIST Cybersecurity Framework
nist.gov/cyberframework
■ NIST Guidelines on Security and Privacy in Public Cloud Computing
nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
■ Cloud Security Alliance
cloudsecurityalliance.org
■ (ISC)2 2020 Cloud Security Report
isc2.org/resource-center/reports/2020-cloud-security-report