---

MODULE 34

Cloud Security

---

In Module 33, we discussed third-party security and mentioned cloud computing in the context of third-party service providers. In this module, we’ll go more in-depth on cloud computing and discuss exactly what it is, what kind of services cloud computing provides for us, and security considerations involved with it. We’ll also talk about the security controls that should be implemented when our business engages in contracts with cloud providers, to protect the data we’re handing over to them.

Cloud Computing

So what really is this “cloud computing” thing we keep talking about? We’re used to seeing computers in our offices, our work centers, data centers, and at home. But how do we store computers in the “cloud”? Cloud computing has become a logical extension of the Internet. It enables you not only to look for data on the World Wide Web, but actually store it there, so it’s accessible from anywhere— and it goes even a step beyond that by actually processing the data in the World Wide Web/Internet/cloud. You can think of cloud computing just as you would any other service or utility you pay for—such as water, electricity, cable, phone, Internet, and so on—except that now you’re paying for computing as a utility. All you need is an Internet-capable computer (which doesn’t even have to be very powerful) and a decent connection, and you, too, can access the great and powerful cloud.

Cloud computing got its name from the many network architectural diagrams, such as the one shown in Figure 34-1, where the Internet is portrayed as a cartoonish cloud figure, meaning it’s abstracted from the rest of your network beyond your perimeter and Internet service delivery point. So it really does mean computing via the Internet.

Figure 34-1 The cloud

Cloud computing offers many advantages, because it removes all the responsibility and overhead for maintaining data storage and processing in your computer or even on your premises, and hands it over to what is known as a cloud provider. A cloud provider essentially is a third-party that owns a huge data center full of physical and virtual servers, with multiple, extremely fast connections to the Internet. The provider installs different types of operating systems and applications on its servers to be able to provide different services to their customers via the Internet. In Figure 34-2, you can see a notional example of how cloud services might be organized.

Figure 34-2 A notional cloud service architecture

As you’ll see in the next several sections of this module, all types of services can be offered via a cloud provider. We’ll discuss those coming up, and then we’ll get to the real point of this module: the risks associated with cloud services. We’ll also talk about the security controls to consider when you’re outsourcing data and services to a cloud provider.

Types of Cloud Services

There’s not really a one-size-fits-all cloud service. As we’ll discuss in the next few sections, several types of cloud services can be offered from a provider. Some of these are simplistic, such as data storage, for example, but others are very complex and can supplement or even replace parts of enterprise-wide infrastructures. Many of these types of services are scalable, meaning that anyone from home users, to small businesses, to large corporations can make use of them. We’ll discuss these from a business perspective, of course, but similar principles apply, whether a business is a small-office/home-office type of setup or large corporate enterprise that spans several geographical locations.

Software-as-a-Service

Software-as-a-Service, or SaaS, is used to reduce costs associated with buying and managing commercial software applications. In this model, a business can actually purchase software that’s stored and used via the Internet, or in the cloud. Users can simply click an icon on their desktops and be connected with an Internet-based version of an application, or they can even use it via a web browser. A popular example of a cloud-based software service would be Google Docs, although many popular software titles are now becoming cloud-enabled. Microsoft Office 365 software is another popular example of cloud-based software.

SaaS offer several advantages to businesses. First, the licensing cost of software is often less expensive when it is used via the cloud. The software licensing may be subscription-based, so an organization may purchase licenses based upon numbers of users or concurrent connections. Second, the organization is spared the legal ramifications of software piracy, since an application on the cloud can’t be easily copied and transferred from computer to computer or taken home by employees. In fact, the organization doesn’t have to store or manage any media at all, because the software is stored and used in the cloud, with the exception of occasional small components that may be downloaded to a user’s workstation.

Infrastructure-as-a-Service

The second type of cloud-based service we’ll discuss is Infrastructure-as-a-Service (IaaS). This service goes beyond posting simple software applications in the cloud. In IaaS, entire machines, such as Windows or Linux hosts, for example, are provided for remote connection and use. Of course, these aren’t physical machines; they are virtual machines hosted by a cloud provider’s infrastructure. Users simply connect to them via the Remote Desktop Protocol (RDP) or another secure remote connection protocol and use them as they would any other computer. Users can run applications installed on the virtual machine, create content, process data, and perform any other typical tasks they would perform on a physical machine.

Usually, however, user workstations aren’t seen as often in IaaS implementations as servers are; server virtual machines are usually what most businesses need out of an IaaS provider. The advantage of having virtual servers through an IaaS provider are that the business doesn’t have to provision, manage, or maintain huge server farms or data centers—all that’s done for them by the provider. The provider is responsible for patches, updates, configuration, and so on. Additionally, licensing for servers provided through an IaaS contract is usually far more streamlined, and cheaper.

Platform-as-a-Service

The next type of cloud service is Platform-as-a-Service (PaaS). PaaS offers a business a computing platform—such as a web application server or database server, for example—that it can use to provide services both internally and to customers on the Internet. Many online storefronts use this model to conduct business, rather than have the physical servers, web sites, databases, and applications hosted on their own premises. Again, the advantages of using this type of service are cost savings, no requirement to build and maintain the infrastructure on site, and the guarantee of around-the-clock availability—plus, someone else takes care of the patching and configuration work.

Although the types of services we’ve mentioned are the main ones listed in the exam objectives, they are also the three primary types of services you’ll see in the cloud provider world. There are many other types of “Something-as-a-Service” that cloud providers offer; most of these, however, fall into the category of PaaS. Some examples of these include Mobile Device Management-as-a-Service (MaaS), Metal-as-a-Service (a uniquely Ubuntu Linux term for high-performance computing services, also called MaaS), and others. In fact, providers are coming up with all types of services they can offer via the cloud. All pretty much offer the same advantages that cloud computing offers for all types of services. They also have the same disadvantages, which include control over data, security, availability, and other items that we’ll discuss shortly.

Cloud Architecture Models

Although we stated that cloud environments are operated primarily by large companies with huge data centers, this isn’t always the case. In fact, an increasing number of clouds are popping up that follow a few different architecture models. These include private clouds, public clouds, and a few other models we’ll briefly go over. Any of these various cloud architectures may be used, depending on the organization’s specific needs and its reliance on third-party providers or its requirements to keep computing resources in house.

Private Cloud

In a private cloud, as you’d expect, the cloud environment—all of the infrastructure, network devices, connections, and servers—are for the exclusive use of one party, such as a business. Now, just because it is a private cloud, it doesn’t necessarily mean that the infrastructure also resides physically within the business’s own data center on its physical premises. It could certainly be that way (military organizations and very large corporations often host their own private cloud, for example), but a private cloud can also be hosted by a third-party provider as a contracted service. Regardless of where the environment is hosted, a private cloud is for the use of the business that’s paying for it—it’s not for public or shared use. It can still host the same types of services we’ve described. A private cloud may cost the organization a bit more if it’s hosted within a data center it owns and operates, but this cost is usually absorbed by the cost of operating the data center itself. An organization can save a bit of money if a third-party provider operates it for them, however. Another advantage of a private cloud, other than exclusive use, is that the organization may be able to exert more control over data security and availability levels.

Public Cloud

A public cloud is pretty much the opposite of a private one. A public cloud is usually operated by a third-party provider that sells or rents “pieces” of the cloud to different entities, such as small businesses or large corporations, to use as they need. These services and the “size” of the piece of cloud an organization gets may be scalable, based on the customer’s needs. Customers usually don’t get direct connections to the provider, as they might in a private cloud model; the connections are typically made over the existing customer’s Internet connections. Several business models are used for these types of clouds, including subscription models, pay-per-use, and so on. Unlike a private cloud, the security and availability levels are pretty much standardized by the provider and offered as part of the contract; organizations purchasing those services may not have any control over those terms. Examples of public cloud providers include offerings from Amazon Web Services (AWS), Google Cloud Storage, and the Microsoft Cloud.

Community Cloud

A community cloud is made up of infrastructures from several different entities, which may be cloud providers, business partners, and so on. In this structure, common services are offered to all participants in the community cloud, to one degree or another. An example of a community cloud is one that is shared among universities or educational institutions. Each institution provides a piece of infrastructure, and the cloud may include third-party providers as well, to form a cloud shared by all.

Hybrid Cloud

A hybrid cloud is, as you would probably guess, any combination of the cloud models described previously. You could have public/private hybrids, private/community hybrids, and so on. A hybrid might be used because all parties need common cloud services (common application or web platforms, for instance, on linked or connected web sites), while maintaining their own private or community clouds for other purposes. Hybrid clouds could be constructed in many different ways, using third-party providers, private or shared data centers, and so on, as well as different types of connections (direct, Internet-only, and so on). Figure 34-3 sums up the relationships between the different cloud types.

Figure 34-3 Types of cloud environments

Cloud Computing Risks and Virtualization

Now that we’ve discussed exactly what cloud computing is, how it works, and the different services that you can access from the cloud, let’s talk about some of the risks that are incurred with cloud computing. We’ll also discuss the risks that are inherent to virtualization, because virtualization is one of the core technologies that make cloud computing work the way it does. Cloud computing depends on virtualization because these cloud-based services, such as platforms, infrastructure, and software, don’t all run on physical computers; virtual computers are provisioned to provide these services to a particular customer or business, so they have their own distinct infrastructures that can be changed as needed. Remember that virtualization basically means that a computer can host multiple instances of operating system environments, so a single powerful server can potentially host dozens or even hundreds of virtual machines dedicated to different customers and services. Data centers belonging to cloud services providers contain sometimes hundreds of servers that can host literally thousands of virtual computers for their customers.

Of course, even powerful, redundant technologies like cloud computing and virtualization have security risks. No infrastructure is without risk completely, so you have to take into account the risks that are inherent to cloud computing and virtualization when managing risk within your organization. Although these services are outsourced to third-party providers, the organization still incurs a degree of risk, as well as the business and legal responsibility for maintaining services and data. In the next two sections, we’ll talk about some of the risks involved with virtualization and cloud computing.

Virtualization Risks

As mentioned earlier, some risks are inherent to virtualization. Depending upon how the third party has structured the virtual environments it manages, virtual machines suffer the same risks as physical computers. For example, just as a physical computer could be vulnerable to a data loss, a virtual machine could also be vulnerable to virtual drive crashes, data corruption, and so on. These virtual machines could be single points of failures if they are not backed up regularly, or if there are no redundant systems to take their place if they go down. These two risks, however, are easily mitigated by providers that design and build robust virtualization environments in data centers. Virtual machines are very easy to back up and replicate, simply by taking snapshots and regular full backups of their data on a periodic basis. In the event a virtual machine goes down, an exact copy of it could almost immediately take its place with very little loss of processing time.

Other, more practical, risks of virtualization include risks to the entire data center, or even the physical server the virtual machines reside on. This could include power loss, environmental disasters, and hardware or operating system issues with the physical machine. These risks can also be mitigated with proper backup and redundant systems. Probably a more realistic risk is that of improper access by employees or other unauthorized parties to data that resides on a virtual machine. Just like physical machines, virtual machines can be hacked or compromised if appropriate security controls are not in place.

Cloud Computing Risks

Risks to cloud computing are really variations on a recurring theme; we’ve discussed the risks of allowing third parties to store, handle, and process our data. Cloud computing falls into that category and incurs the same types of risks. Lack of control is probably the biggest risk to the organization, in that the business has to depend on someone else to secure its data. Risks include all of those that may affect data confidentiality and unauthorized disclosure, data and system availability to authorized users and customers, and data integrity through unauthorized modification of data the business entrusts to cloud providers.

Because data is placed in the hands of a third-party for safekeeping, the organization doesn’t often have the control or visibility into the security measures taken by cloud providers to protect its information. The business must rely on the cloud provider’s due care and diligence in protecting data the same way it would be protected if it resided within the confines of the business’s infrastructure. One particular risk involves cloud storage services, which use the cloud to store critical and sensitive data belonging to the business. In addition to being a possible single point of failure for data loss through potential infrastructure issues, cloud storage is also a possible leaking point for data to unauthorized persons. Although the company may have contracted cloud storage services for all employees to use, there’s still the possibility that certain persons, even within the organization, can access data they should not be able to when it is stored in the cloud. There’s also a possibility that employees have their own personal cloud storage services to which they may transfer organizational data, resulting in data loss or unauthorized access.

Appropriate Controls to Ensure Data Security

Although we like to say that cloud computing is unique and different from services that are hosted on premises within a business, both the risks and the security controls are very similar to what you would encounter when storing data locally on business-owned servers. There are a few differences, of course, but the major risks of data loss and compromise, as well as data availability, are the same in both cloud-based and in-house models. Likewise, the controls used to protect data are also similar. In the next two sections, we’ll discuss some of the controls that should be considered with regard to cloud services, emphasizing the controls that are somewhat different from in-house models where needed.

Contract Agreements and Security Policy

One major difference between controls used in cloud models versus in-house data storage and processing is the use of contract agreements. Although there may be memorandums of understanding between different divisions within the same business, these aren’t the same thing as the contracts that you usually find between a business and a cloud service provider. Such a contract is extremely important, because it sets the tone for the expectations of data security, system availability, and the responsibilities both parties have to live up to in protecting data. The contract between the parties sets the minimum security and privacy expectations; legal and regulatory governance may also provide protections for the type of data the cloud provider is responsible for protecting. In Module 33, we discussed the different types of contract documents a business can establish with third-party providers, as well as the importance of outlining all of the security requirements in those documents. The contract should specify, either in its content or as an attachment, security requirements and controls that the third-party provider must adhere to. The contract should also specify details regarding access controls, availability levels, disclosure, and other security issues.

Although both organizations have their own internal security policies, these policies are often incompatible with each other and usually apply only to data that’s processed internally to an organization. The contract agreement should set up a joint security policy that both the business and the provider have to adhere to, with regard to system interfaces, data protection, and so on. Some of these things can be negotiated between the parties; often, however, some businesses find that cloud providers are fairly rigid in how they will conduct security and privacy within their infrastructures, even with regard to protecting data that belongs to the business. All of this should be carefully considered and negotiated up front, whenever possible.

Security Controls

Beyond the contract agreements, practical security controls have to be considered by both parties when outsourcing services to cloud-based providers. Tight authentication and authorization controls should be in place, so that only authorized users in the business can access data stored and processed in the cloud. These could include multifactor authentication technologies, restrictive permissions, limited application access to data, and so on. Data and system availability controls must also be in place; these include the typical controls such as redundant systems, regularly scheduled backups, redundant communication lines, and so forth. Data should also be protected while at rest (in storage) and in transit (during transmission) through encryption whenever possible.

In addition to the technical controls designed to protect data and systems, security programs should be in place that cover disaster recovery and incident response. The business may be relying on the cloud provider to provide those services to the organization itself, so these guarantees must be in place; however, the cloud service provider also needs to implement their own programs and procedures in the event a disaster or incident affects their own data center or infrastructures or the ability to provide services. Cloud providers should have created processes to respond to disasters that directly affect them and the services they provide to their customers, as well as to respond to incidents that may affect unauthorized disclosure of data, denial-of-service conditions, and so on. In addition, the business should be allowed audit or review the cloud provider’s security controls to ensure that the provider is following the terms of the agreement. All of this should be spelled out in the contract.

Module 34 Questions and Answers

Questions

1. Which of the following can be outsourced to cloud service providers? (Choose two.)

A. Sales

B. Application platforms

C. Training

D. Software

2. Which of the following cloud services provides web application services for a business?

A. Platform-as-a-Service

B. Software-as-a-Service

C. Infrastructure-as-a-Service

D. Security-as-a-Service

3. All of the following are usually provided under Software-as-a-Service, except:

A. Desktop applications

B. Line-of-business applications

C. Group workflow applications

D. Operating systems

4. A server provisioned with an enterprise version of a Linux-based operating system would be an example of what kind of service?

A. MDM-as-a-Service

B. Software-as-a-Service

C. Infrastructure-as-a-Service

D. Platform-as-a-Service

5. You are a security administrator in a company, and your boss wants you to set up a cloud exclusively for the use of the employees in the company. You intend to host this cloud infrastructure within the confines of the business premises. What type of cloud architecture model are you going to use?

A. Private

B. Community

C. Hybrid

D. Public

6. Which of the following would be a good example of a reason to use a community cloud model?

A. A military base needs to share information exclusively with other military agencies located in the same geographical location.

B. A university needs to share databases and applications with other similar educational institutions across the country.

C. A public awareness nonprofit needs to share information with everyone in the world regarding social issues.

D. A company needs to share only certain proprietary applications with another business partner, while keeping other data separate and confidential.

7. Which of the following are advantages to using cloud services for a business? (Choose two.)

A. Control over data

B. Outsourcing responsibility and liability for services

C. Cost

D. Minimizing infrastructure

8. Which of the following cannot be outsourced to a third-party cloud service provider?

A. Methods for data protection

B. Control over data storage

C. Legal liability and responsibility

D. Services the business provides

9. All of the following are advantages to using virtualization technology within cloud computing, except:

A. Reduction of single points of failure in a redundant environment

B. Ease of backup and virtual machine replication to support availability

C. Elimination of the numbers of physical machines required to support

D. Increase in physical servers needed to support a business

10. Which of the following is the key difference in security controls used between cloud-based services and in-house services?

A. Contract agreements between the business and the provider

B. Encryption controls protecting data in transit

C. Data backups and redundant systems used to ensure availability

D. Strong authentication mechanisms used to ensure authorized access to data

Answers

1. B, D. Application platforms as well as software used within an organization can both be outsourced to cloud service providers.

2. A. Platform-as-a-Service is a cloud-based service that provides web application services for a business.

3. D. Operating systems aren’t normally provided under Software-as-a-Service; they are usually provided as part of an Infrastructure-as-a-Service contract.

4. C. A server provisioned with an enterprise version of a Linux-based operating system would be an example of Infrastructure-as-a-Service.

5. A. A private cloud is the most appropriate model for a cloud architecture designed exclusively for the use of the employees in the company, particularly one that is hosted within the confines of the business premises.

6. B. A university needing to share databases and applications with other similar educational institutions across the country could take advantage of a community cloud to share that information within the educational community.

7. C, D. Cost and the opportunity to reduce or minimize infrastructure are two advantages to using cloud services.

8. C. Although cloud providers have some legal obligations to the businesses they serve, ultimate legal liability and responsibility for data protection cannot be outsourced to a third-party cloud service provider.

9. D. Increasing the physical servers needed to support a business is not an advantage of using virtualization; in fact, the number of physical servers needed to support a business can be reduced by using virtualization.

10. A. Contract agreements between the business and the provider are the key difference between controls used in-house and those used with a third-party cloud provider.