This document provides an overview of resource management and security in cloud computing. It discusses inter-cloud resource management, resource provisioning models including advance, dynamic and user self-provisioning, and the global exchange of cloud resources. It also covers why cloud security governance is needed, what cloud security governance entails, common challenges around lack of management buy-in, controls, roles and metrics. Finally, it discusses key objectives for an effective cloud security governance model and what virtualized security is compared to traditional physical security.
Cloud Computing (KCS-713):
Unit-4: Resource Management And Security In Cloud
Dr. Radhey Shyam
Professor
Department of Computer Science and Engineering
SRMGPC Lucknow
(Affiliated to Dr. A.P.J. Abdul Kalam Technical University, Lucknow)
Unit-4 has been compiled/prepared by Dr. Radhey Shyam, with grateful acknowledgment to those who made their
course contents freely available. Feel free to use this study material for your own academic purposes. For
any query, communication can be made through my mail shyam0058@gmail.com.
Date: December 07, 2021
Inter Cloud Resource Management
The cloud computing environment shares a variety of hardware and software resources. The
inter-cloud is a cloud of clouds constructed to support resource sharing between clouds. The resources
in the inter-cloud environment are managed in a distributed model without any central authority.
Inter-cloud communication and resource identification is a complex task. Inter-cloud resource
management services are built to perform resource discovery, matching, selection, composition,
negotiation, scheduling and monitoring operations.
Resource Provisioning
Cloud provisioning is the allocation of resources and services from a cloud provider to a client. The
growing catalog of cloud services that customers can provision includes infrastructure as a service,
software as a service, and platform as a service, in public or private cloud environments.
Provisioning is the process of configuring the IT infrastructure. It can also refer to the steps necessary
to manage access to data and resources and make them available to users and systems. Once
something has been provisioned, the next step is configuration.
In cloud computing, a resource provisioning mechanism is required to supply cloud consumers with a set of
computing resources for processing jobs and storing data. Cloud providers can offer cloud
consumers two resource provisioning plans, namely short-term on-demand and long-term reservation
plans. Efficient resource provisioning that can guarantee satisfactory cloud computing services to
the end user lays the foundation for success in commercial competition. Resource provisioning is
the allocation of a cloud provider's resources to a customer. When a cloud provider accepts a request
from a customer, it must create the appropriate number of virtual machines (VMs) and allocate
resources to support them. The process is conducted in several different ways:
1. Advance provisioning: With advance provisioning, the customer contracts with the provider for
services and the provider prepares the appropriate resources in advance of the start of service. The
customer is charged a flat fee or is billed on a monthly basis.
2. Dynamic provisioning: With dynamic provisioning, the provider allocates more resources as they are
needed and removes them when they are not. The customer is billed on a pay-per-use basis. When
dynamic provisioning is used to create a hybrid cloud, it is sometimes referred to as cloud bursting.
3. User self-provisioning: With user self-provisioning (also known as cloud self-service), the customer
purchases resources from the cloud provider through a web form, creating a customer account and
paying for resources with a credit card. The provider's resources are available for customer use within
hours, if not minutes.
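The three models above, simulated against one constructed hourly demand trace so that served demand, idle capacity and cost can be compared side by side. This is an added example, not code from the course notes; the trace, the pay-per-use rate, the flat reservation fee and the scale-out/scale-in parameters are assumed sample values.

```python
"""Added example, not from the course notes: simulate advance provisioning,
dynamic provisioning and cloud bursting (dynamic provisioning on top of a
reserved block) against one constructed 24-hour demand trace. Rates, fees,
the trace and the scaling parameters are assumed sample values."""
from dataclasses import dataclass

# Constructed demand trace (assumption): VMs of work needed in each hour.
DEMAND = [2, 2, 2, 3, 5, 8, 12, 14, 14, 11, 9, 9,
          10, 13, 15, 12, 8, 6, 4, 3, 3, 2, 2, 2]

PRICE_PER_VM_HOUR = 0.10   # assumed pay-per-use rate (dynamic / self-service)
RESERVED_FLAT_FEE = 30.0   # assumed flat fee for a block reserved in advance


@dataclass
class Outcome:
    model: str
    allocated: list       # VMs allocated in each hour
    unmet_vm_hours: int   # demand that found no capacity (shortfall)
    idle_vm_hours: int    # capacity paid for but unused
    cost: float


def _score(model, demand, allocated, cost):
    unmet = sum(max(0, d - a) for d, a in zip(demand, allocated))
    idle = sum(max(0, a - d) for d, a in zip(demand, allocated))
    return Outcome(model, allocated, unmet, idle, round(cost, 2))


def advance_provisioning(demand, reserved_vms):
    """Advance provisioning: a fixed block of VMs is prepared before service
    starts and billed as a flat fee, whatever the actual load turns out to be.
    Under-reserving leaves demand unmet; over-reserving pays for idle VMs."""
    allocated = [reserved_vms] * len(demand)
    return _score("advance", demand, allocated, RESERVED_FLAT_FEE)


def dynamic_provisioning(demand, step=2, cooldown=2):
    """Dynamic provisioning: scale out (in blocks of `step` VMs) as soon as
    demand exceeds capacity, scale in one block only after `cooldown`
    consecutive hours with a whole spare block, and bill every VM-hour used."""
    allocated, current, spare_hours = [], 0, 0
    for need in demand:
        if need > current:
            while current < need:          # add blocks until the load fits
                current += step
            spare_hours = 0
        elif current - need >= step:       # a whole block is idle this hour
            spare_hours += 1
            if spare_hours >= cooldown:    # hysteresis avoids flapping
                current -= step
                spare_hours = 0
        else:
            spare_hours = 0
        allocated.append(current)
    return _score("dynamic", demand, allocated,
                  PRICE_PER_VM_HOUR * sum(allocated))


def cloud_bursting(demand, reserved_vms):
    """Hybrid cloud: a block reserved in advance carries the base load and
    demand above it bursts to pay-per-use capacity, i.e. dynamic provisioning
    applied to the excess only."""
    excess = [max(0, d - reserved_vms) for d in demand]
    burst = dynamic_provisioning(excess)
    allocated = [reserved_vms + b for b in burst.allocated]
    return _score("burst", demand, allocated, RESERVED_FLAT_FEE + burst.cost)


def compare(demand=DEMAND, reserved_vms=10):
    """Run all three models on the same trace and return their outcomes."""
    return [advance_provisioning(demand, reserved_vms),
            dynamic_provisioning(demand),
            cloud_bursting(demand, reserved_vms)]


if __name__ == "__main__":
    for o in compare():
        print(f"{o.model:8s} unmet={o.unmet_vm_hours:3d} "
              f"idle={o.idle_vm_hours:3d} cost={o.cost:6.2f}")
```

With the sample values, the reserved block of 10 VMs leaves 21 VM-hours of peak demand unserved, while dynamic provisioning serves everything and still carries some idle capacity because it scales in blocks and waits out the cooldown.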
Global Exchange of Cloud Resources
Global Cloud Xchange (GCX) offers network services which power digital transformation for
enterprises, new media providers, and telecoms carriers. We cover all aspects of cloud-centric
connectivity from managed SD-WAN and hybrid networks, to direct Cloud connections and 100 Gbps+
waves. With a pedigree going back 30+ years, GCX are experts in providing connectivity throughout
the Emerging Markets Corridor into Asia via the vast GCX subsea network (the world’s largest private
submarine cable network), with extensions available into more than 200 countries worldwide.
Why Cloud Security Governance Is Needed
Enterprises are increasingly pursuing the business advantages of migrating technology platforms and
services into the cloud environment, leveraging one or more of the three main cloud service areas –
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
These advantages include but are not limited to rapid information system deployment, significantly
reduced operating costs, massive economies of scale, processing speed, and agility. However,
subscription to these services often implies security and compliance challenges for enterprises that are
often unprepared to resolve them.
Data breaches, system vulnerabilities, and insufficient identity, credential, and access management are
some of the typical security challenges in the cloud environment that subscriber enterprises must
address. In some situations, an enterprise may lack adequate operationalization and enforcement of
policies, procedures, a formal operating model, or even a properly constituted organizational function to
effectively manage security in the cloud. In other situations, the enterprise may also not sufficiently
exercise its responsibility to protect data in the cloud or may lack the means for senior management
visibility into cloud security performance and risks. These issues may prevail even when an enterprise
stands to gain significant business benefits from transforming its service delivery model via the use of
cloud computing platforms.
The underlying business problem leading to these challenges is the lack of effective governance of
cloud security. In this blog, I explore cloud security governance, common challenges, and review key
targets that can help enterprises optimize the business benefits of cloud security programs.
What Is Cloud Security Governance?
Cloud security governance refers to the management model that facilitates effective and efficient
security management and operations in the cloud environment so that an enterprise’s business targets
are achieved. This model incorporates a hierarchy of executive mandates, performance expectations,
operational practices, structures, and metrics that, when implemented, result in the optimization of
business value for an enterprise. Cloud security governance helps answer leadership questions such
as:
Are our security investments yielding the desired returns?
Do we know our security risks and their business impact?
Are we progressively reducing security risks to acceptable levels?
Have we established a security-conscious culture within the enterprise?
Strategic alignment, value delivery, risk mitigation, effective use of resources, and performance
measurement are key objectives of any IT-related governance model, security included. To
successfully pursue and achieve these objectives, it is important to understand the operational culture
and business and customer profiles of an enterprise, so that an effective security governance model
can be customized for the enterprise.
Cloud Security Governance Challenges
Whether developing a governance model from the start or having to retrofit one on existing investments
in cloud, these are some of the common challenges:
Lack of senior management participation and buy-in
The lack of a senior-management-influenced and endorsed security policy is one of the common
challenges facing cloud customers. An enterprise security policy is intended to set the executive tone,
principles and expectations for security management and operations in the cloud. However, many
enterprises tend to author security policies that are laden with tactical content and lack executive
input or influence. The result of this situation is the ineffective definition and communication of
executive tone and expectations for security in the cloud. To resolve this challenge, it is essential to
engage enterprise executives in the discussion and definition of the tone and expectations for security that
will feed a formal enterprise security policy. It is also essential for the executives to take full
accountability for the policy, communicating its provisions to the enterprise, and subsequently
enforcing compliance.
Lack of embedded management operational controls
Another common cloud security governance challenge is the lack of management controls embedded in
cloud security operational processes and procedures. Controls are often interpreted as an auditor's
checklist or repackaged as procedures, and as a result are not effectively embedded into security
operational processes and procedures as they should be, for purposes of optimizing value and
reducing day-to-day operational risks. This lack of embedded controls may result in operational risks
that may not be apparent to the enterprise. For example, the security configuration of a device may be
modified (change event) by a staffer without proper analysis of the business impact (control) of the
modification. The net result could be the introduction of exploitable security weaknesses that were
not apparent when the modification was made. The enterprise would now have to live with an inherent
operational risk that could have been avoided if the control had been embedded in the change
execution process.
Lack of operating model, roles, and responsibilities
Many enterprises moving into the cloud environment tend to lack a formal operating model for security,
or do not have strategic and tactical roles and responsibilities properly defined and operationalized.
This situation stifles the effectiveness of a security management and operational function/organization
to support security in the cloud. Simply establishing a hierarchy that includes designating an
accountable official at the top, supported by a stakeholder committee, management team, operational
staff, and third-party provider support (in that order) can help an enterprise to better manage and
control security in the cloud, and protect associated investments in accordance with enterprise
business goals. This hierarchy can be employed in an in-sourced, out-sourced, or co-sourced model
depending on the culture, norms, and risk tolerance of the enterprise.
Lack of metrics for measuring performance and risk
Another major challenge for cloud customers is the lack of defined metrics to measure security
performance and risks – a problem that also stifles executive visibility into the real security risks in the
cloud. This challenge is directly attributable to the combination of other challenges discussed above.
For example, a metric that quantitatively measures the number of exploitable security vulnerabilities on
host devices in the cloud over time can be leveraged as an indicator of risk in the host device
environment. Similarly, a metric that measures the number of user-reported security incidents over a
given period can be leveraged as a performance indicator of staff awareness and training efforts.
The challenges described above clearly highlight the need for cloud customers to establish a
framework to effectively manage and support security in cloud management, so that the pursuit of
business targets is not potentially compromised. Unless tone and expectations for cloud security are
established (via an enterprise policy) to drive operational processes and procedures with embedded
management controls, it is very difficult to determine or evaluate business value, performance,
resource effectiveness, and risks regarding security operations in the cloud. Cloud security governance
facilitates the institution of a model that helps enterprises explicitly address the challenges described
above.
Key Objectives for Cloud Security Governance
Building a cloud security governance model for an enterprise requires strategic-level security
management competencies in combination with the use of appropriate security standards and
frameworks (e.g., NIST, ISO, CSA) and the adoption of a governance framework (e.g., COBIT). The
first step is to visualize the overall governance structure and its inherent components, and to direct their
effective design and implementation. The use of appropriate security standards and frameworks allows
for a minimum standard of security controls to be implemented in the cloud, while also meeting
customer and regulatory compliance obligations where applicable. A governance framework provides
referential guidance and best practices for establishing the governance model for security in the cloud.
The following represents key objectives to pursue in establishing a governance model for security in
the cloud. These objectives assume that appropriate security standards and a governance framework
have been chosen based on the enterprise’s business targets, customer profile, and obligations for
protecting data and other information assets in the cloud environment.
1. Strategic Alignment
Enterprises should mandate that security investments, services, and projects in the cloud are
executed to achieve established business goals (e.g., market competitiveness, financial, or
operational performance).
2. Value Delivery
Enterprises should define, operationalize, and maintain an appropriate security
function/organization with appropriate strategic and tactical representation, and charged with the
responsibility to maximize the business value (Key Goal Indicators, ROI) from the pursuit of security
initiatives in the cloud.
3. Risk Mitigation
Security initiatives in the cloud should be subject to measurements that gauge effectiveness in
mitigating risk to the enterprise (Key Risk Indicators). These initiatives should also yield results that
progressively demonstrate a reduction in these risks over time.
4. Effective Use of Resources
It is important for enterprises to establish a practical operating model for managing and performing
security operations in the cloud, including the proper definition and operationalization of due
processes, the institution of appropriate roles and responsibilities, and use of relevant tools for
overall efficiency and effectiveness.
5. Sustained Performance
Security initiatives in the cloud should be measurable in terms of performance, value and risk to the
enterprise (Key Performance Indicators, Key Risk Indicators), and yield results that demonstrate
attainment of desired targets (Key Goal Indicators) over time.
What is virtualized security?
Virtualized security, or security virtualization, refers to security solutions that are software-based
and designed to work within a virtualized IT environment. This differs from traditional, hardware-based
network security, which is static and runs on devices such as traditional firewalls, routers, and switches.
In contrast to hardware-based security, virtualized security is flexible and dynamic. Instead of being tied
to a device, it can be deployed anywhere in the network and is often cloud-based. This is key for
virtualized networks, in which operators spin up workloads and applications dynamically; virtualized
security allows security services and functions to move around with those dynamically created
workloads.
Cloud security considerations (such as isolating multitenant environments in public cloud
environments) are also important to virtualized security. The flexibility of virtualized security is helpful
for securing hybrid and multi-cloud environments, where data and workloads migrate around a
complicated ecosystem involving multiple vendors.
What are the benefits of virtualized security?
Virtualized security is now effectively necessary to keep up with the complex security demands of a
virtualized network, plus it’s more flexible and efficient than traditional physical security. Here are some
of its specific benefits:
Cost-effectiveness: Virtualized security allows an enterprise to maintain a secure network without a
large increase in spending on expensive proprietary hardware. Pricing for cloud-based virtualized
security services is often determined by usage, which can mean additional savings for organizations
that use resources efficiently.
Flexibility: Virtualized security functions can follow workloads anywhere, which is crucial in a
virtualized environment. It provides protection across multiple data centers and in multi-cloud and
hybrid cloud environments, allowing an organization to take advantage of the full benefits of
virtualization while also keeping data secure.
Operational efficiency: Quicker and easier to deploy than hardware-based security, virtualized
security doesn’t require IT teams to set up and configure multiple hardware appliances. Instead, they
can set up security systems through centralized software, enabling rapid scaling. Using software to run
security technology also allows security tasks to be automated, freeing up additional time for IT teams.
Regulatory compliance: Traditional hardware-based security is static and unable to keep up with the
demands of a virtualized network, making virtualized security a necessity for organizations that need to
maintain regulatory compliance.
How does virtualized security work?
Virtualized security can take the functions of traditional security hardware appliances (such as firewalls
and antivirus protection) and deploy them via software. In addition, virtualized security can also perform
additional security functions. These functions are only possible due to the advantages of virtualization,
and are designed to address the specific security needs of a virtualized environment.
For example, an enterprise can insert security controls (such as encryption) between the application
layer and the underlying infrastructure, or use strategies such as micro-segmentation to reduce the
potential attack surface.
Virtualized security can be implemented as an application directly on a bare metal hypervisor (a
position it can leverage to provide effective application monitoring) or as a hosted service on a virtual
machine. In either case, it can be quickly deployed where it is most effective, unlike physical security,
which is tied to a specific device.
What are the risks of virtualized security?
The increased complexity of virtualized security can be a challenge for IT, which in turn leads to
increased risk. It’s harder to keep track of workloads and applications in a virtualized environment as
they migrate across servers, which makes it more difficult to monitor security policies and
configurations.
It’s important to note, however, that many of these risks are already present in a virtualized
environment, whether security services are virtualized or not. Following enterprise security best
practices (such as spinning down virtual machines when they are no longer needed and using
automation to keep security policies up to date) can help mitigate such risks.
How is physical security different from virtualized security?
Traditional physical security is hardware-based, and as a result, it’s inflexible and static. The traditional
approach depends on devices deployed at strategic points across a network and is often focused on
protecting the network perimeter (as with a traditional firewall). However, the perimeter of a virtualized,
cloud-based network is necessarily porous and workloads and applications are dynamically created,
increasing the potential attack surface.
Traditional security also relies heavily upon port and protocol filtering, an approach that’s ineffective in
a virtualized environment where addresses and ports are assigned dynamically. In such an
environment, traditional hardware-based security is not enough; a cloud-based network requires
virtualized security that can move around the network along with workloads and applications.
What are the different types of virtualized security?
There are many features and types of virtualized security, encompassing network security, application
security, and cloud security. Some virtualized security technologies are essentially updated, virtualized
versions of traditional security technology. Others are innovative new technologies that are built into
the very fabric of the virtualized network.
Some common types of virtualized security features include:
Segmentation, or making specific resources available only to specific applications and users. This
typically takes the form of controlling traffic between different network segments or tiers.
Micro-segmentation, or applying specific security policies at the workload level to create granular
secure zones and limit an attacker’s ability to move through the network. Micro-segmentation divides a
data center into segments and allows IT teams to define security controls for each segment
individually, bolstering the data center’s resistance to attack.
Isolation, or separating independent workloads and applications on the same network. This is
particularly important in a multitenant public cloud environment, and can also be used to isolate virtual
networks from the underlying physical infrastructure, protecting the infrastructure from attack.
SECURITY: In the computer industry, the term security, or the phrase computer security, refers
to techniques for ensuring that data stored in a computer cannot be read or compromised by any
individuals without authorization. Most computer security measures involve data encryption and
passwords.
• Data encryption is the translation of data into a form that is unreadable without a deciphering
mechanism.
• A password is a secret word or phrase that gives a user access to a particular program or system.
CLOUD COMPUTING SECURITY CHALLENGES:-
Cloud computing opens up a new world of opportunities for businesses, but mixed in with these
opportunities are numerous security challenges that need to be considered and addressed
prior to committing to a cloud computing strategy.
Cloud computing security challenges fall into three broad categories:
• Data Protection: Securing your data both at rest and in transit
• User Authentication: Limiting access to data and monitoring who accesses the data
• Disaster and Data Breach Contingency Planning
1. Data Protection
Implementing a cloud computing strategy means placing critical data in the hands of a third
party, so ensuring the data remains secure both at rest (data residing on storage media) as
well as when in transit is of paramount importance.
Data needs to be encrypted at all times, with clearly defined roles when it comes to who will be
managing the encryption keys.
In most cases, the only way to truly ensure confidentiality of encrypted data that resides on a
cloud provider's storage servers is for the client to own and manage the data encryption keys.
2. User Authentication
Data resting in the cloud needs to be accessible only by those authorized to do so, making it
critical to both restrict and monitor who will be accessing the company's data through the
cloud.
In order to ensure the integrity of user authentication, companies need to be able to view data
access logs and audit trails to verify that only authorized users are accessing the data.
These access logs and audit trails additionally need to be secured and maintained for as long as
the company needs or legal purposes require.
As with all cloud computing security challenges, it's the responsibility of the customer to ensure
that the cloud provider has taken all necessary security measures to protect the customer's
data and the access to that data.
3. Contingency Planning
With the cloud serving as a single centralized repository for a company's mission‐critical data,
the risks of having that data compromised due to a data breach or temporarily made
unavailable due to a natural disaster are real concerns.
Much of the liability for the disruption of data in a cloud ultimately rests with the company
whose mission‐critical operations depend on that data, although liability can and should be
negotiated in a contract with the services provider prior to commitment.
A comprehensive security assessment from a neutral third‐party is strongly recommended as well.
Companies need to know how their data is being secured and what measures the service
provider will be taking to ensure the integrity and availability of that data should the unexpected
occur.
Additionally, companies should also have contingency plans in place in the event their cloud
provider fails or goes bankrupt.
Can the data be easily retrieved and migrated to a new service provider or to a non‐cloud
strategy if this happens? And what happens to the data and the ability to access that data if the
provider gets acquired by another company?
SECURITY ISSUES
In the Software as a Service (SaaS) model, the client needs to depend on the service provider for
proper security measures of the system. The service provider must ensure that its multiple users
don't get to see each other's private data. So it becomes important for the user to ensure that the right
security measures are in place, and it is also difficult to get an assurance that the application will be
available when needed. Cloud computing providers need to provide some solution to solve the
common security challenges that traditional communication systems face. At the same time, they also
have to deal with other issues inherently introduced by the cloud computing paradigm itself.
A. Authentication and authorization: The authorization and authentication applications used in
enterprise environments need to be changed so that they can work with a safe cloud
environment. Forensic tasks will become much more difficult, since it will be very hard or maybe
not possible for investigators to access the system hardware physically.
B. Data confidentiality: Confidentiality may refer to the prevention of unintentional or intentional
unauthorized disclosure or distribution of secured private information. Confidentiality is closely
related to the areas of encryption, intellectual property rights, traffic analysis, covert channels,
and inference in cloud systems. Whenever a business, an individual, a government agency, or
any other entity wants to share information over the cloud, confidentiality or privacy is a question
that may need to be asked.
C. Availability: Availability ensures the reliable and timely access to cloud data or cloud
computing resources by the appropriate personnel. Availability is one of the big concerns of
cloud service providers, since if the cloud service is disrupted or compromised in any way, it
affects a larger number of customers than in the traditional model.
D. Information Security: In the SaaS model, the data of the enterprise is stored outside of the
enterprise boundary, at the SaaS vendor's premises. Consequently, the SaaS vendor
needs to adopt additional security features to ensure data security and prevent breaches due to
security vulnerabilities in the application or by malicious employees. This will need the use of
very strong encryption techniques for data security and highly competent authorization to control
access to private data.
E. Data Access: The data access issue is mainly related to the security policies provided to the users while
accessing the data. Organizations have their own security policies based on which each
employee can have access to a particular set of data. These security policies must be adhered
to by the cloud to avoid intrusion on data by unauthorized users. The SaaS model must be flexible
enough to incorporate the specific policies put forward by the organization.
F. Network Security: In a SaaS deployment model, highly sensitive information is obtained from
the various enterprises, then processed by the SaaS application and stored at the SaaS
vendor's premises. All data flow over the network has to be secured in order to prevent leakage
of sensitive information.
G. Data breaches: Since data from various users and business organizations lie together in a cloud
environment, breaching into this environment will potentially make the data of all the users
vulnerable. Thus, the cloud becomes a high-potential target.
H. Identity management and sign-on process: Identity management (IdM) or ID management is an
area that deals with identifying individuals in a system and controlling the access to the resources
in that system by placing restrictions on the established identities. The area of IdM is considered
one of the biggest challenges in information security. When a SaaS provider wants to know how
to control who has access to what systems within the enterprise, it becomes a much more
challenging task.
SaaS Application Security:
The SaaS model dictates that the provider manages the entire suite of applications delivered to
users.
Therefore, SaaS providers are largely responsible for securing the applications and components
they offer to customers.
Customers are usually responsible for operational security functions, including user and access
management as supported by the provider.
It is a common practice for prospective customers, usually under an NDA, to request information
related to the provider’s security practices.
This information should encompass
Design
Architecture
Development
Black-box and white-box application security testing, and
Release management.
Some customers go to the extent of hiring independent security vendors to perform penetration
testing (black‐box security testing) of SaaS applications (with consent from the provider) to gain
assurance independently.
However, penetration testing can be costly and not all providers agree to this type of verification.
Extra attention needs to be paid to the authentication and access control features offered by
SaaS CSPs. Usually that is the only security control available to manage risk to information.
Example: the web-based administration user interface of Google Docs.
Additional controls should be implemented to manage privileged access to the SaaS
administration tool, and enforce segregation of duties to protect the application from insider
threats. In line with security standard practices, customers should implement a strong password
policy—one that forces users to choose strong passwords when authenticating to an application.
It is a common practice for SaaS providers to commingle their customer data (structured and
unstructured) in a single virtual data store and rely on data tagging to enforce isolation between
customer data.
In that multi-tenant data store model, where encryption may not be feasible due to key
management and other design barriers, data is tagged and stored with a unique customer
identifier.
So customers should understand the virtual data store architecture and the preventive
mechanisms the SaaS providers use to guarantee the compartmentalization and isolation
required in a virtual multi-tenant environment.
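The commingled, customer-tagged data store described above, shown as an added example (not code from the course notes or from any SaaS provider): a lookup that stores the tag but never checks it, beside an access layer that binds the caller's tenant once and enforces the tag on every query. The table, the `customer_id` column name and the rows are constructed sample data.

```python
"""Added example, not from the course notes: a single virtual data store in
which rows of several customers are commingled and tagged with a customer
identifier. Isolation only holds if the data-access layer enforces the tag
on every query; the two access patterns below show the difference.
Table, column names and rows are constructed sample data."""
import sqlite3


def build_store():
    """One virtual data store: rows of all customers in a single table, each
    tagged with a customer identifier (assumed column name customer_id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE documents (
                        id INTEGER PRIMARY KEY,
                        customer_id TEXT NOT NULL,
                        title TEXT NOT NULL)""")
    conn.executemany(
        "INSERT INTO documents (customer_id, title) VALUES (?, ?)",
        [("cust-A", "A payroll Q1"), ("cust-A", "A roadmap"),
         ("cust-B", "B contracts"), ("cust-C", "C audit report")])
    conn.commit()
    return conn


def fetch_document_unscoped(conn, doc_id):
    """Weak pattern: the tag is stored but never checked. Any caller that
    knows or guesses an id reads another customer's row."""
    return conn.execute(
        "SELECT customer_id, title FROM documents WHERE id = ?",
        (doc_id,)).fetchone()


class TenantScopedStore:
    """Hardened pattern: the caller's tenant is bound once when the store is
    opened, every query carries the customer_id predicate, and the tag is
    re-checked on the way out, so a foreign row is never returned."""

    def __init__(self, conn, customer_id):
        self.conn = conn
        self.customer_id = customer_id

    def fetch_document(self, doc_id):
        row = self.conn.execute(
            "SELECT customer_id, title FROM documents "
            "WHERE id = ? AND customer_id = ?",
            (doc_id, self.customer_id)).fetchone()
        if row is not None and row[0] != self.customer_id:
            # Defence in depth: a bug in the SQL above must fail closed.
            raise PermissionError("tenant isolation violated")
        return row

    def list_documents(self):
        return self.conn.execute(
            "SELECT id, title FROM documents WHERE customer_id = ? ORDER BY id",
            (self.customer_id,)).fetchall()


def foreign_rows_readable(conn, customer_id, scoped):
    """Isolation check of the kind a customer should ask its provider about:
    probe every id in the store as `customer_id` and count rows of other
    tenants that come back (0 is the only acceptable answer)."""
    ids = [r[0] for r in conn.execute("SELECT id FROM documents")]
    store = TenantScopedStore(conn, customer_id)
    leaked = 0
    for doc_id in ids:
        if scoped:
            row = store.fetch_document(doc_id)
        else:
            row = fetch_document_unscoped(conn, doc_id)
        if row is not None and row[0] != customer_id:
            leaked += 1
    return leaked
```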
WHAT IS IDENTITY AND ACCESS MANAGEMENT?
According to Gartner, Identity and Access Management (IAM) is the security discipline that enables the
right individuals to access the right resources at the right times for the right reasons. IAM addresses the
mission-critical need to ensure appropriate access to resources across increasingly heterogeneous
technology environments.
Enterprises traditionally used on-premises IAM software to manage identity and access policies, but
nowadays, as companies add more cloud services to their environments, the process of managing
identities is getting more complex. Therefore, adopting cloud-based Identity-as-a-Service (IDaaS) and
cloud IAM solutions becomes a logical step.
WHAT DOES CLOUD IDENTITY AND ACCESS MANAGEMENT INCLUDE?
Cloud IAM typically includes the following features:
Single Access Control Interface. Cloud IAM solutions provide a clean and consistent access
control interface for all cloud platform services. The same interface can be used for all cloud
services.
Enhanced Security. You can define increased security for critical applications.
Resource-level Access Control. You can define roles and grant permissions to users to access
resources at different granularity levels.
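To make "roles and permissions at different granularity levels" concrete, here is an added example (written for these notes, not any provider's IAM engine) of a small resource-level policy evaluator: roles hold statements of effect, action patterns and resource patterns; an explicit Deny overrides any Allow; with no matching statement the answer is deny. The role names, actions and resource paths are constructed.

```python
"""Added example (not from the lecture notes and not a provider's policy
language): a default-deny evaluator for resource-level access control.
Roles carry (effect, action patterns, resource patterns) with '*' wildcards;
an explicit Deny wins over any Allow.  Roles and resources are constructed."""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# A statement is (effect, action patterns, resource patterns).
Statement = Tuple[str, List[str], List[str]]

# Constructed roles at three granularity levels.
ROLES: Dict[str, List[Statement]] = {
    # Coarse: every action on every resource
    "admin": [("Allow", ["*"], ["*"])],
    # Medium: read anything in one project, write only to its own buckets
    "developer": [
        ("Allow", ["storage:Get*", "storage:List*"], ["project/alpha/*"]),
        ("Allow", ["storage:Put*"], ["project/alpha/bucket/dev-*"]),
    ],
    # Fine: read-only on log objects, with an explicit Deny on secrets that
    # wins even when another role held by the same user would allow it
    "auditor": [
        ("Allow", ["storage:Get*"], ["project/*/logs/*"]),
        ("Deny", ["*"], ["project/*/secrets/*"]),
    ],
}


def is_allowed(user_roles: List[str], action: str, resource: str) -> bool:
    """Default-deny evaluation over all of a user's roles."""
    allowed = False
    for role in user_roles:
        for effect, actions, resources in ROLES.get(role, []):
            if not any(fnmatchcase(action, a) for a in actions):
                continue
            if not any(fnmatchcase(resource, r) for r in resources):
                continue
            if effect == "Deny":
                return False          # an explicit deny short-circuits
            allowed = True
    return allowed


def effective_access(user_roles: List[str], requests: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Evaluate a batch of (action, resource) requests for one user."""
    return {f"{a} {r}": is_allowed(user_roles, a, r) for a, r in requests}


if __name__ == "__main__":
    checks = [
        ("storage:GetObject", "project/alpha/bucket/dev-1/file"),
        ("storage:PutObject", "project/alpha/bucket/prod/file"),
        ("storage:GetObject", "project/alpha/secrets/key"),
    ]
    for user, roles in {"dev": ["developer"], "admin+auditor": ["admin", "auditor"]}.items():
        print(user, effective_access(roles, checks))
```

Two properties are worth checking in any real policy engine the same way: that the absence of a statement denies, and that a Deny attached through one role cannot be undone by an Allow attached through another.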
WHY DO YOU NEED IDENTITY AND ACCESS MANAGEMENT?
Identity and Access Management technology can be used to initiate, capture, record, and manage user
identities and their access permissions. All users are authenticated, authorized, and evaluated
according to policies and roles.
Poorly controlled IAM processes may lead to regulatory non-compliance; if the organization is audited,
management may not be able to prove that company data is not at risk of being misused.
HOW CAN CLOUD IAM HELP YOU?
It can be difficult for a company to start using cloud Identity and Access Management solutions
because they don’t directly increase profitability, and it is hard for a company to cede control over
infrastructure. However, there are several perks that make using an IAM solution very valuable, such
as the following:
The ability to spend less on enterprise security by relying on the centralized trust model to deal
with Identity Management across third-party and own applications.
It enables your users to work from any location and any device.
You can give them access to all your applications using just one set of credentials through
Single Sign-On.
You can protect your sensitive data and apps: add extra layers of security to your mission-critical apps using Multifactor Authentication.
It helps maintain compliance of processes and procedures. A typical problem is that permissions
are granted based on employees’ needs and tasks, and not revoked when they are no longer
necessary, thus creating users with lots of unnecessary privileges.
AUTH0 AS YOUR CLOUD IAM SOLUTION
Auth0 can authenticate your users with any identity provider running on any stack, any device or cloud.
It provides Single Sign-On, Multifactor Authentication, Social Login, and several more features.
In terms of authorization, you can use the power of the rule engine to define coarse-grained
authorization — that is, rules that dictate who can login (for example: at what times, from which
locations and devices, and so on).
Auth0 also has a group memberships feature that can be exposed to the application (for example:
group memberships in Active Directory, in Azure Active Directory, in the user’s metadata, and so on);
based on that, you can do more fine-grained authorization (where only users in a particular group can
access some applications).
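The two layers described above, coarse-grained login rules and group-based fine-grained authorization, can be illustrated with an added example. This is a hypothetical rule engine written for these notes, not Auth0's rule API or code; the rules, groups, applications and login contexts are all constructed.

```python
"""Added example (not Auth0's code or API): a hypothetical engine with the
two layers described in the text.  Coarse-grained rules decide whether a
login is accepted at all (time window, country allowlist, managed device or
MFA); fine-grained checks map directory group membership to the
applications a user may reach.  Users, groups and rules are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Set


@dataclass
class LoginContext:
    user: str
    groups: Set[str]            # e.g. from Active Directory / Azure AD
    country: str
    device_managed: bool
    mfa_completed: bool
    when: datetime


# A coarse-grained rule returns a reason string if it blocks the login, else "".
Rule = Callable[[LoginContext], str]


def business_hours(ctx: LoginContext) -> str:
    if ctx.when.weekday() >= 5 or not (7 <= ctx.when.hour < 20):
        return "outside business hours"
    return ""


def allowed_countries(countries: Set[str]) -> Rule:
    def rule(ctx: LoginContext) -> str:
        return "" if ctx.country in countries else f"login from {ctx.country} not allowed"
    return rule


def require_managed_device_or_mfa(ctx: LoginContext) -> str:
    if ctx.device_managed or ctx.mfa_completed:
        return ""
    return "unmanaged device without MFA"


LOGIN_RULES: List[Rule] = [
    business_hours,
    allowed_countries({"GB", "IN", "US"}),
    require_managed_device_or_mfa,
]

# Fine-grained authorization: which directory groups may open which application.
APP_GROUPS: Dict[str, Set[str]] = {
    "hr-portal": {"hr", "hr-admins"},
    "ci-dashboard": {"engineering", "sre"},
    "billing": {"finance"},
}


def evaluate_login(ctx: LoginContext) -> List[str]:
    """Run every coarse-grained rule; an empty list means the login is permitted."""
    return [reason for rule in LOGIN_RULES if (reason := rule(ctx))]


def authorized_apps(ctx: LoginContext) -> List[str]:
    """Applications the user may access once logged in, by group membership."""
    return sorted(app for app, groups in APP_GROUPS.items() if ctx.groups & groups)


def decide(ctx: LoginContext) -> Dict[str, object]:
    """Combine both layers: no apps are offered unless the login itself passes."""
    reasons = evaluate_login(ctx)
    return {
        "login_allowed": not reasons,
        "reasons": reasons,
        "apps": authorized_apps(ctx) if not reasons else [],
    }


if __name__ == "__main__":
    ctx = LoginContext("alice", {"engineering"}, "GB", True, False, datetime(2021, 12, 7, 10, 0))
    print(decide(ctx))
```

Keeping the rules as small independent functions means each one can be unit-tested and reported on separately, which is what makes the denial reasons useful for the security team rather than just a yes/no to the user.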
As organizations adopt more cloud services, security professionals face some new and interesting
issues. One of the more pressing problems is the rapid proliferation of various identities associated with
cloud service environments. Simply put, the more cloud services that are used, the more identities that
need provisioning within these environments.
Identity and access management (IAM) in cloud environments can be problematic for tracking,
monitoring and controlling accounts. Here, learn more about these problems and how to address them
in an enterprise cloud environment.
Common cloud IAM challenges
In addition to standard identity management issues plaguing enterprises today, such as user password
fatigue and managing a distributed workforce, there are several cloud-specific challenges enterprises
face, including the following:
improper service and user provisioning and deprovisioning -- for example, companies not
deprovisioning former employees' SaaS accounts;
zombie SaaS accounts -- inactive assigned users;
too many admin accounts; and
users bypassing enterprise IAM controls.
What these issues illustrate is a lack of control over the account life cycle that many SaaS scenarios
present. But account management and life cycle maintenance aren't the only issues when it comes to
IAM in cloud settings -- the creation of roles and management of privileges within all types of cloud
environments can also be challenging.
For large organizations that may have hundreds or even thousands of defined roles across numerous
accounts, just gathering an inventory of the role assignments can be a huge undertaking.
For example, one case study on the impact of cloud IAM by the security research team at Rhino
Security Labs found a large number of incredibly common privilege escalation techniques in AWS in
early 2018 that took advantage of poorly defined roles and privilege models. Fortunately, the Rhino
research team created a free tool that can remotely pull an inventory of all users with a breakdown of
possible privilege escalation susceptibility.
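The challenges listed above (zombie accounts, too many admin accounts) and the inventory problem in this paragraph can both be worked on the same data. The following added example, written for these notes and not the Rhino Security Labs tool or any provider's CLI, runs hygiene checks over an identity inventory of the kind an export with the AWS CLI or Azure PowerShell would give once saved as JSON. The inventory, the 90-day threshold and the fixed clock are constructed assumptions.

```python
"""Added example (not the Rhino Security Labs tool or any provider's CLI):
hygiene checks over an identity inventory exported to JSON.  It flags
inactive ("zombie") principals, an excess of administrative principals, and
policies granting wildcard privileges.  The inventory is constructed."""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed inventory: one entry per user or role, with the policy
# statements attached to it and the date it was last seen acting.
INVENTORY_JSON = """[
 {"name": "alice",     "type": "user", "last_activity": "2021-12-01",
  "policies": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::reports/*"}]},
 {"name": "bob",       "type": "user", "last_activity": "2021-05-20",
  "policies": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
 {"name": "carol",     "type": "user", "last_activity": null,
  "policies": []},
 {"name": "deploy",    "type": "role", "last_activity": "2021-12-06",
  "policies": [{"Effect": "Allow", "Action": ["ec2:*", "s3:PutObject"], "Resource": "*"}]},
 {"name": "ops-admin", "type": "role", "last_activity": "2021-12-05",
  "policies": [{"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]}
]"""

NOW = datetime(2021, 12, 7)          # fixed clock so the report is repeatable
INACTIVE_AFTER = timedelta(days=90)  # assumed inactivity threshold


def _actions(stmt: Dict) -> List[str]:
    """Normalise the Action field, which may be a string or a list."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def is_admin(principal: Dict) -> bool:
    """Full admin: an Allow of '*' or 'iam:*' on every resource."""
    for stmt in principal["policies"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Resource") != "*":
            continue
        if any(a in ("*", "iam:*") for a in _actions(stmt)):
            return True
    return False


def wildcard_actions(principal: Dict) -> List[str]:
    """Service-wide wildcards such as 'ec2:*' that deserve a review."""
    found = []
    for stmt in principal["policies"]:
        if stmt.get("Effect") == "Allow":
            found += [a for a in _actions(stmt) if a.endswith("*")]
    return sorted(set(found))


def is_zombie(principal: Dict, now: datetime = NOW) -> bool:
    """Never used, or unused for longer than the inactivity threshold."""
    last = principal.get("last_activity")
    if last is None:
        return True
    return now - datetime.strptime(last, "%Y-%m-%d") > INACTIVE_AFTER


def review(inventory_json: str = INVENTORY_JSON, max_admins: int = 1) -> Dict[str, object]:
    """Produce the findings a security admin would sort and act on."""
    principals = json.loads(inventory_json)
    admins = sorted(p["name"] for p in principals if is_admin(p))
    return {
        "zombies": sorted(p["name"] for p in principals if is_zombie(p)),
        "admins": admins,
        "too_many_admins": len(admins) > max_admins,
        "wildcards": {p["name"]: wildcard_actions(p) for p in principals if wildcard_actions(p)},
    }


if __name__ == "__main__":
    print(json.dumps(review(), indent=2))
```

Run regularly against a fresh export, the report turns the life-cycle problems described above into a short, repeatable list: accounts to deprovision, administrators to justify, and wildcard grants to narrow.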
Best practices for meeting IAM challenges in the cloud
To combat cloud IAM challenges, organizations need to develop a governance strategy for identities.
While some may have enterprise IAM strategies in place internally, they will likely need to be adapted
for cloud environments. For all actual human users, accounts should be directly linked to central
directory services, such as Active Directory, which facilitate the provisioning, auditing and
deprovisioning of accounts from a central store.
All SaaS applications should require the use of single sign-on linked to this central directory with
federation technology. For PaaS and IaaS environments, identity governance can be somewhat trickier,
as all assets -- servers, serverless code, storage nodes and so on -- can have roles and privileges
assigned to them. Some of these identities -- whether simple users and groups or more complex role
assignments -- may not easily align with a central directory store. As such, DevOps teams may find it
easier to use cloud-native tools to manage accounts and identities in some scenarios.
There are several aspects of identity governance to focus on in these cases, including the following:
Enterprises should develop internal standards and account creation practices that govern how
DevOps and other teams integrate identities and privilege models into cloud deployments. This
should include account rationale, authentication and authorization methods and controls, and life
cycle parameters.
Companies should use cloud-native or third-party tools to regularly pull lists of users, groups, roles
and privilege assignments from cloud service environments. PowerShell for Azure and AWS
Command Line Interface can collect this type of data, which will still need to be sorted, stored and
analyzed by security admins.
Organizations must ensure logging and event monitoring mechanisms focus on all IAM activity in
cloud provider environments and then monitor for any unusual activity or unauthorized changes.
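The third point, monitoring IAM activity for unusual or unauthorized changes, is shown in the following added example, written for these notes and not tied to any provider's exact log schema. It runs a handful of detection rules over a constructed batch of CloudTrail-like IAM events; the event fields, the office network range and the rule thresholds are assumptions.

```python
"""Added example (not from the notes, and not a provider's real log schema):
detection logic over a small batch of constructed, CloudTrail-like IAM
events, raising findings an identity governance team would review."""
import json
from typing import Dict, List

# Constructed events with simplified fields: who did what, from where,
# whether MFA was present, and the request parameters that matter.
EVENTS_JSON = """[
 {"time": "2021-12-07T08:01:00Z", "actor": "alice",  "action": "ConsoleLogin",     "mfa": true,  "ip": "203.0.113.10", "params": {}},
 {"time": "2021-12-07T08:05:00Z", "actor": "bob",    "action": "ConsoleLogin",     "mfa": false, "ip": "198.51.100.7", "params": {}},
 {"time": "2021-12-07T08:06:00Z", "actor": "bob",    "action": "AttachUserPolicy", "mfa": false, "ip": "198.51.100.7", "params": {"user": "bob", "policy": "AdministratorAccess"}},
 {"time": "2021-12-07T08:07:00Z", "actor": "bob",    "action": "CreateAccessKey",  "mfa": false, "ip": "198.51.100.7", "params": {"user": "alice"}},
 {"time": "2021-12-07T09:00:00Z", "actor": "root",   "action": "ConsoleLogin",     "mfa": true,  "ip": "203.0.113.10", "params": {}},
 {"time": "2021-12-07T09:30:00Z", "actor": "deploy", "action": "CreateRole",       "mfa": false, "ip": "203.0.113.22", "params": {"role": "ci-runner"}}
]"""

KNOWN_ADMIN_NETWORKS = ("203.0.113.",)        # assumed office range (prefix match)
ADMIN_POLICIES = {"AdministratorAccess"}
IAM_CHANGE_ACTIONS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                      "CreateAccessKey", "CreateUser", "CreateRole", "CreateLoginProfile"}


def findings_for(event: Dict) -> List[str]:
    """Apply every rule to one event and return the human-readable hits."""
    out = []
    actor, action, params = event["actor"], event["action"], event["params"]
    if action == "ConsoleLogin" and not event["mfa"]:
        out.append("console login without MFA")
    if actor == "root":
        out.append("root account used interactively")
    if action in IAM_CHANGE_ACTIONS and not event["ip"].startswith(KNOWN_ADMIN_NETWORKS):
        out.append("IAM change from outside known admin networks")
    if action in {"AttachUserPolicy", "AttachRolePolicy"} and params.get("policy") in ADMIN_POLICIES:
        out.append("administrator policy attached")
    if action == "AttachUserPolicy" and params.get("user") == actor:
        out.append("principal granted itself a policy")
    if action == "CreateAccessKey" and params.get("user") not in (None, actor):
        out.append("access key created for another user")
    return out


def scan(events_json: str = EVENTS_JSON) -> List[Dict[str, object]]:
    """Return one finding record per event that tripped at least one rule."""
    report = []
    for ev in json.loads(events_json):
        hits = findings_for(ev)
        if hits:
            report.append({"time": ev["time"], "actor": ev["actor"],
                           "action": ev["action"], "findings": hits})
    return report


if __name__ == "__main__":
    for finding in scan():
        print(finding["time"], finding["actor"], finding["action"], "->", "; ".join(finding["findings"]))
```

In production the same rules would run over the provider's audit trail continuously, and the useful output is the correlation a reader can already see in the sample: several findings for the same actor within minutes is a much stronger signal than any one of them alone.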
Developing a governance plan for cloud IAM can be a tedious and lengthy process, but there are
significant risks involved if enterprises don't. Also, don't forget to involve all relevant stakeholders, as
this can get political quickly.
Security Governance
An organisation’s board is responsible (and accountable to shareholders, regulators and customers) for
the framework of standards, processes and activities that, together, make sure the organisation
benefits securely from Cloud Computing.
Trust boundaries in the Cloud
Organisations are responsible for their own information. The nature of Cloud computing means that at
some point the organisation will rely on a third party for some element of the security of its data. The
point at which the responsibility passes from your organisation to your supplier is called the ‘trust
boundary’ and it occurs at a different point for Infrastructure as a Service (IaaS), Platform as a Service
(PaaS) and Software as a Service (SaaS). Organisations need to satisfy themselves of the security and
resilience of their Cloud service providers. They also need to observe their Data Protection Act 1998
(DPA) – and, from May 2018, General Data Protection Regulation (GDPR) – obligations.
Cloud Controls Matrix
The Cloud Security Alliance (CSA) developed and maintains the Cloud Controls Matrix, a set of
additional information security controls designed specifically for cloud service providers (CSPs), and
against which customers can carry out a security audit. BSI and the CSA have collaborated to offer a
certification scheme (designed as an extension to ISO 27001) against which CSPs can achieve
independent certification.
Cloud security certification
The CSA offers an open Cloud security certification process: STAR (Security, Trust and Assurance
Registry). This scheme starts with self-assessment and progresses through process maturity to an
externally certified maturity scheme, supported by an open registry of information about certified
organisations.
Continuity and resilience in the Cloud
Cloud service providers are as likely to suffer operational outages as any other organisation. Physical
infrastructure can also be negatively affected. Buyers of Cloud services should satisfy themselves that
their CSPs are adequately resilient against operational risks. ISO22301 is an appropriate business
continuity standard.
Data protection in the Cloud
UK organisations that store personal data in the Cloud or that use a CSP must currently comply with
the DPA.
However, since the GDPR came into effect on 25 May 2018, data processors and data controllers are
now accountable for the security of the personal data they process.
CSPs and organisations that use them will need to implement appropriate technical and organisational
measures to make sure that processing meets the GDPR’s requirements and protects the rights of data
subjects.
G-Cloud framework
The UK government’s G-Cloud framework makes it faster and cheaper for the public sector to buy
Cloud services. Suppliers are approved by the Crown Commercial Service (CCS) via the G-Cloud
application process, which eliminates the need for them to go through a full tender process for each
buyer.
Suppliers can sell Cloud services via an online catalogue called the Digital Marketplace under three
categories, or ‘lots’:
Cloud hosting – Cloud platform or infrastructure services.
Cloud software – applications that are accessed over the Internet and hosted in the Cloud.
Cloud support – services to help buyers set up and maintain their Cloud services.
IT Governance G-Cloud consultancy services
IT Governance has been approved to provide six cyber security services via the Digital Marketplace for
Cloud support:
Cyber Health Check
Cyber Security Audit Review
Cyber Incident Response Management
SOC 2 Audit Readiness Assessment and Remediation
Technical Cyber Assurance
Cloud Security Compliance Readiness Assessment and Remediation