Back to Subject
Practice MCQ

Unit 6 - Notes

INT363

Unit 6: Cloud Security

1. Security Issues in Cloud Computing

Cloud computing introduces a unique threat landscape that differs from on-premise infrastructure. In a microservices environment, the attack surface increases significantly due to the distributed nature of services.

Key Security Threats

  • Data Breaches: Unauthorized access to sensitive data due to weak authentication or vulnerabilities.
  • Misconfiguration: The most common cause of cloud security failures (e.g., leaving S3 buckets public, open ports in Security Groups).
  • Insecure APIs: Microservices rely heavily on APIs. Unsecured endpoints can expose logic and data to attackers.
  • Account Hijacking: Phishing, credential stuffing, or weak passwords allowing attackers to take control of administrative accounts.
  • Insider Threats: Malicious or negligent actions by employees, contractors, or business partners.
  • DDoS (Distributed Denial of Service): Overwhelming resources to make services unavailable.
  • Shared Technology Issues: Vulnerabilities in the hypervisor or container runtime (e.g., Docker breakout) that allow an attacker to hop from one tenant to another.

2. Shared Responsibility Architecture

Cloud security is a partnership between the Cloud Service Provider (CSP) and the Customer. The division of responsibility depends on the service model (IaaS, PaaS, SaaS).

The Model Breakdown

  1. Security OF the Cloud (CSP Responsibility):

    • Physical infrastructure (data centers, power, cooling).
    • Hardware (servers, storage devices).
    • Host virtualization software (Hypervisors).
    • Global network backbone.

  2. Security IN the Cloud (Customer Responsibility):

    • IaaS (e.g., AWS EC2): Customer manages OS patching, firewall configuration, data encryption, and application security.
    • PaaS (e.g., Google App Engine): CSP manages OS and runtime; Customer manages code, data, and IAM.
    • SaaS (e.g., Salesforce, Microsoft 365): CSP manages almost everything; Customer is responsible for Data and User Access Management (IAM).

3. Security by Design Principles

"Security by Design" implies that security is integrated into the software development lifecycle (SDLC) from the initial design phase, rather than added as an afterthought.

Core Principles

  • Zero Trust Architecture: Never trust, always verify. Every request (internal or external) must be authenticated and authorized.
  • Least Privilege: Users and services should only have the minimum permissions necessary to perform their function.
  • Defense in Depth: Layering multiple security controls (firewalls, IDS, encryption, MFA) so that if one fails, others stand guard.
  • Shift Left: Integrating security testing (SAST/DAST) early in the CI/CD pipeline.
  • Automation: Automating security configurations to prevent human error (Infrastructure as Code - IaC).
  • Attack Surface Reduction: Minimizing the entry points available to an attacker (e.g., disabling unused ports, removing unnecessary services).

4. Identity and Access Management (IAM)

In cloud microservices, Identity is the new perimeter. Network boundaries are porous, so controlling who can access what is critical.

Key Components of IAM

  1. Principals: The entity requesting access (User, Service Account, or Role).
  2. Authentication (AuthN): Verifying the identity (e.g., Passwords, MFA, Biometrics).
  3. Authorization (AuthZ): Determining permissions.
    • RBAC (Role-Based Access Control): Access based on job function.
    • ABAC (Attribute-Based Access Control): Access based on tags, time, location, or data sensitivity.
  4. Federation: allowing users to use existing credentials (e.g., Corporate Active Directory) to access cloud resources via SAML 2.0 or OIDC.

IAM in Microservices

  • OAuth 2.0 / OIDC: Standard protocol for delegation and authentication.
  • JWT (JSON Web Tokens): Used to pass stateless claims between microservices securely.

5. Cloud Security Layers Illustration

Cloud security is best visualized as a set of concentric layers protecting the core asset (Data).

Layer Focus Area Technologies/Controls
User Layer Access Control IAM, MFA, SSO
Application Layer Software Code WAF, RASP, Code Scanning (SAST/DAST)
Compute/Host Layer OS & Containers OS Hardening, Patching, Container Scanning, Antivirus
Network Layer Traffic Flow VPC, Security Groups, NACLs, VPN, DDoS Protection
Physical Layer Hardware Guards, Biometric Locks, CCTV (Managed by CSP)
Data Layer The Asset Encryption (At Rest/In Transit), DLP (Data Loss Prevention)

6. Cloud Network, Host, and Data Security Concepts

Cloud Network Security

  • VPC (Virtual Private Cloud): Logically isolated section of the cloud.
  • Segmentation: Using Subnets (Public vs. Private) to isolate resources. Database servers should always be in private subnets.
  • Security Groups: Stateful firewalls applied at the instance level (allow rules only).
  • NACLs (Network Access Control Lists): Stateless firewalls applied at the subnet level (allow and deny rules).
  • Service Mesh (e.g., Istio, Linkerd): Manages secure communication (mTLS) between microservices.

Host Security

  • Hardening: Removing non-essential software and disabling default accounts.
  • Patch Management: Automated updating of OS and libraries to fix vulnerabilities.
  • Container Security:
    • Scanning container images for vulnerabilities before deployment.
    • Running containers as non-root users.
    • Using minimal base images (e.g., Alpine Linux).

Data Security

  • Data at Rest: Encryption of stored data (Databases, S3 buckets, EBS volumes) using AES-256. Keys managed via KMS (Key Management Service).
  • Data in Transit: Encryption of data moving across the network using TLS/SSL (HTTPS).
  • Data Lifecycle Management: Automated retention and deletion policies to minimize liability.

7. Security Operations and Major Cloud Service Provider Tools

Security Operations (SecOps) involves the continuous monitoring, detection, and response to threats.

Security Operations Center (SOC) Functions

  • Log Aggregation: Collecting logs from applications, networks, and hosts.
  • SIEM (Security Information and Event Management): Analyzing logs for patterns indicating attacks.
  • Incident Response: Protocols for containing and mitigating breaches.

Major CSP Security Tools

Feature AWS Microsoft Azure Google Cloud (GCP)
Identity AWS IAM, Cognito Azure Active Directory (Entra ID) Cloud IAM
DDoS Protection AWS Shield Azure DDoS Protection Google Cloud Armor
Key Management AWS KMS, CloudHSM Azure Key Vault Cloud KMS
Threat Detection Amazon GuardDuty Azure Sentinel / Defender Security Command Center
WAF AWS WAF Azure WAF Cloud Armor
Compliance AWS Artifact Azure Policy Assured Workloads

8. Security Compliance and Regulations

Organizations must adhere to legal and industry standards regarding data privacy and protection.

Key Regulations

  • GDPR (General Data Protection Regulation): EU regulation focusing on data privacy and the "right to be forgotten."
  • HIPAA (Health Insurance Portability and Accountability Act): US standard for protecting sensitive patient health information.
  • PCI-DSS (Payment Card Industry Data Security Standard): Requirements for handling credit card information.
  • SOC 2 (System and Organization Controls): Audit procedure for service organizations focusing on security, availability, processing integrity, confidentiality, and privacy.

Cloud Compliance Strategy

  • Data Sovereignty: Ensuring data resides in specific geographic locations to meet local laws.
  • Auditing: Continuous logging (e.g., AWS CloudTrail) to prove compliance to auditors.

9. Interoperability Challenges

Interoperability refers to the ability of different cloud systems and software to exchange and make use of information.

Security Implications

  • Vendor Lock-in: Proprietary security formats make it difficult to migrate data securely between clouds.
  • Identity Federation Issues: Mapping identities across different cloud providers (e.g., Azure AD to AWS IAM) can be complex and prone to privilege escalation errors.
  • Inconsistent Policies: A firewall rule in one cloud might not translate perfectly to another, creating security gaps in Multi-Cloud architectures.
  • API Standardization: Lack of standardized security APIs complicates the integration of third-party security tools across different environments.

10. Monitoring and Performance Management

In cloud microservices, performance issues often look like security issues (e.g., is the service slow due to high load or a DDoS attack?).

Key Metrics

  • Latency: Time taken to process a request.
  • Traffic Volume: Bandwidth usage.
  • Error Rates: HTTP 4xx and 5xx errors.
  • Saturation: Resource utilization (CPU/RAM).

Tools and Techniques

  • APM (Application Performance Monitoring): Tools like New Relic, Datadog, or Dynatrace.
  • Distributed Tracing: Tools like Jaeger or Zipkin track a request as it hops between microservices to identify bottlenecks or security failures.
  • Log Analytics: Using the ELK Stack (Elasticsearch, Logstash, Kibana) or Splunk to visualize system health and security events.

11. Future Trends and Innovations: Edge Computing and AI

Edge Computing Security

  • Concept: Processing data closer to the source (IoT devices) rather than a central cloud to reduce latency.
  • Security Challenges:
    • Physical security of edge devices (easier to steal/tamper).
    • Limited computational power on devices restricts heavy encryption or advanced security agents.
    • Update management for thousands of distributed devices.
  • Fog Computing: Adds a decentralized layer between edge and cloud, requiring distributed security policies.

AI in Cloud Security

  • Defensive AI:
    • Anomaly Detection: AI models learn "normal" behavior and flag deviations in real-time (User and Entity Behavior Analytics - UEBA).
    • Automated Response: AI-driven SOAR (Security Orchestration, Automation, and Response) to block IPs or isolate infected hosts automatically.
  • Offensive AI (The Risk):
    • Attackers using AI to generate sophisticated phishing emails, automate vulnerability scanning, or create polymorphic malware that evades detection.