Build a resilient cloud architecture to tackle data disasters with ease
If you are a cloud security professional who wants to ensure cloud security and data governance no matter the environment, then this book is for you. A basic understanding of working on any cloud platform would be beneficial.
Modern-day businesses and enterprises are moving to the Cloud to improve efficiency and speed, achieve flexibility and cost effectiveness, and use on-demand Cloud services. However, enterprise Cloud security remains a major concern because migrating to the public Cloud requires transferring some control over organizational assets to the Cloud provider. There is a chance that these assets can be mismanaged; therefore, as a Cloud security professional, you need to be armed with techniques to help businesses minimize the risks and misuse of business data.
The book starts with the basics of Cloud security and offers an understanding of various policies, governance, and compliance challenges in Cloud. This helps you build a strong foundation before you dive deep into understanding what it takes to design a secured network infrastructure and a well-architected application using various security services in the Cloud environment.
The book also covers automating security tasks, such as server hardening with Ansible, and other automation services, such as Monit, which monitors other security daemons and takes the necessary action if these daemons are stopped maliciously. In short, this book has everything you need to secure your Cloud environment. It is your ticket to industry-adopted best practices for developing a secure, highly available, and fault-tolerant architecture for organizations.
This book follows a step-by-step, practical approach to secure your applications and data when they are located remotely.
Page count: 362
Year of publication: 2017
BIRMINGHAM - MUMBAI
Copyright © 2017 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: December 2017
Production reference: 1271217
ISBN 978-1-78829-955-8
www.packtpub.com
Author: Zeal Vora
Copy Editor: Ulka Manjrekar
Reviewer: Adrian Pruteanu
Project Coordinator: Kinjal Bari
Commissioning Editor: Vijin Boricha
Proofreader: Safis Editing
Acquisition Editor: Namrata Patil
Indexer: Tejal Daruwale Soni
Content Development Editor: Trusha Shriyan
Graphics: Tania Dutta
Technical Editor: Nirbhaya Shaji
Production Coordinator: Shantanu Zagade
Zeal Vora has been working in the field of Linux and security for the past five years. His journey in the security field started when a few of his friends' websites were hacked; while analyzing the cause and resolving the issue, his interest in defensive security arose, and he has been working in defensive security ever since.
Along with his work, Zeal has a great passion for teaching, and he is currently one of the Premium Instructors at platforms like Udemy, with 40,000+ students across all online platforms. Currently, Zeal has seven courses, including Wireless Security, AWS Certified Security Specialty, AWS Certified Solutions Architect - Professional, and many more.
Currently, Zeal works primarily in the DevSecOps field, helping organizations and start-ups tighten up their security, specifically related to infrastructure, operating systems, and networks. His current day-to-day activities mostly revolve around cloud platforms, mostly AWS.
In addition to this, Zeal has 13+ certifications, including “Certified Payment Card Industry Security Implementer”, AWS Solutions Architect Professional, Red Hat Certificate of Expertise in Server Hardening, Enterprise Virtualization, Openstack, and Hybrid Cloud Storage, with more to come :)
I’d like to give full credit to my parents and my sister Winshe, who allowed me to take great risks, along with my longtime friend Harsh, who always suggested them :P. Great credit to my wife Depanjali, who always takes care of me in everything and encourages me all the time, especially while I have been writing the book and developing various video courses. Major credit to two of the most amazing managers, Supratik and CNB, who made me who I am and gave me full flexibility to grow; if you get a chance to work under them, simply join without any double thoughts :)
Adrian Pruteanu is a senior consultant who specializes in penetration testing and reverse engineering. With over 10 years of experience in the security industry, Adrian has provided services to all major financial institutions in Canada, as well as countless other companies around the world. You can find him on Twitter as @waydrian or on his seldom updated blog bittherapy.net.
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
The Fundamentals of Cloud Security
Getting started
Service models
Software as a service
Platform as a service
Infrastructure as a service
Deployment models
Cloud security
Why is cloud security considered hard?
Our security posture
Virtualization – cloud's best friend
Understanding the ring architecture
Hardware virtualization
Full virtualization with binary translation
Paravirtualization
Hardware-assisted virtualization
Distributed architecture in virtualization
Enterprise virtualization with oVirt
Encapsulation
Point in time snapshots
Isolation
Risk assessment in cloud
Service Level Agreement
Business Continuity Planning – Disaster Recovery (BCP/DR)
Business Continuity Planning
Disaster Recovery
Recovery Time Objective
Recovery Point Objective
Relation between RTO and RPO
Real world use case of Disaster Recovery
Use case to understand BCP/DR
Policies and governance in cloud
Audit challenges in the cloud
Implementation challenges for controls on CSP side
Vulnerability assessment and penetration testing in the cloud
Use case of a hacked server
Summary
Defense in Depth Approach
The CIA triad
Confidentiality
Integrity
Availability
A use case
Understanding all three aspects
The use case
Introducing Defense in Depth
First layer – network layer
Second layer – platform layer
Third layer – application layer
Fourth layer – data layer
Fifth layer – response layer
Summary
Designing Defensive Network Infrastructure
Why do we need cryptography?
The TCP/IP model
Scenario
The Network Transport Layer
The Internet Protocol Layer
The Transport Layer
The Application Layer
Firewalls
How a firewall works?
How does a firewall inspect packets?
3-way handshake
Modes of firewall
Stateful packet inspection
Stateless packet inspection
Architecting firewall rules
The deny all and allow some approach
The allow all and deny some approach
Firewall justification document
A sample firewall justification document
Inbound rules
Outbound rules
Tracking firewall changes with alarms
Best practices
Application layer security
Intrusion Prevention Systems
Overview architecture of IPS
IPS in a cloud environment
Implementing IPS in the cloud
Deep Security
Anti-malware
Application control
The IPS functionality
A real-world example
Implementation
Advantages that IPS will bring to a cloud environment
A web application firewall
Architecture
Implementation
Network segmentation
Understanding a flat network
Segmented network
Network segmentation in cloud environments
Segmentation in cloud environments
Rule of thumb
Accessing management
Bastion hosts
The workings of bastion hosts
The workings of SSH agent forwarding
Practical implementation of bastion hosts
Security of bastion hosts
Benefits of bastion hosts
Disadvantages of bastion hosts
Virtual Private Network
Routes – after VPN is connected
Installation of OpenVPN
Security for VPN
Recommended tools for VPN
Approaching private hosted zones for DNS
Public hosted zones
Private hosted zones
Challenge
Solution
Summary
Server Hardening
The basic principle of host-based security
Keeping systems up-to-date
The Windows update methodology
The Linux update methodology
Using the security functionality of YUM
Approach for automatic security updates installation
Developing a process to update servers regularly
Knowledge base
Challenges on a larger scale
Partitioning and LUKS
Partitioning schemes
A separate partition for /boot
A separate partition for /tmp
A separate partition for /home
Conclusion
LUKS
Introduction to LUKS
Solution
Conclusion
Access control list
Use case
Introduction to Access Control List
Set ACL
Show ACL
Special permissions in Linux
SUID
Use case for SUID
Understanding the permission associated with ping
Setting a SUID bit for files
Removing the SUID bit for files
SETGID
Associating the SGID for files
SELinux
Introduction to SELinux
Permission sets in SELinux
SELinux modes
Confinement of Linux users to SELinux users
Process confinement
Conclusion
Hardening system services and applications
Hardening services
Guide for hardening SSH
Enable multi-factor authentication
Associated configuration
Changing the SSH default port
Associate configuration
Disabling the root login
Associated configuration
Conclusion
Pluggable authentication modules
Team Screen application
File Sharing Application
Understanding PAM
The architecture of PAM
The PAM configuration
The PAM command structure
Implementation scenario
Forcing strong passwords
Log all user commands
Conclusion
System auditing with auditd
Introduction to auditd
Use case 1 – tracking activity of important files
Use case
Solution
First field
Use case 2 - monitoring system calls
Introduction to system calls
Use case
Solution
Conclusion
Conclusion
Central identity server
Use Case 1
Use case 2
The architecture of IPA
Client-server architecture
User access management
Best practices to follow
Conclusion
Single sign-on
Idea solution
Advantages of an SSO solution
Challenges in the classic method of authentication
Security Assertion Markup Language
The high-level overview of working
Choosing the right identity provider
Building an SSO from scratch
Hosted Based Intrusion Detection System
Exploring OSSEC
File integrity monitoring
Log monitoring and active response
Conclusion
The hardened image approach
Implementing hardening standards in scalable environments
Important to remember
Conclusion
Summary
Cryptography Network Security
Introduction to cryptography
Integrity
Authenticity
Real world scenario
Non-repudiation
Types of cryptography
Symmetric key cryptography
Stream cipher
The encryption process
The decryption process
Advantages of stream ciphers
Block cipher (AES)
Padding
Modes of block ciphers
Message authentication codes
The MAC approach
The challenges with symmetric key storage
Hardware security modules
The challenges with HSM in on-premise
A real-world scenario
HSM on the cloud
CloudHSM
Key management service
The basic working of AWS KMS
Encrypting a function in KMS
Decrypting a function in KMS
Implementation
Practical guide
Configuring AWS CLI
The decryption function
Envelope encryption
The encryption process
The decryption process
Implementation steps
Practical implementation of envelope encryption
Credential management system with KMS
Implementation
Best practices in key management
Rotation life cycle for encryption keys
Scenario 1–a single key for all data encryption
Scenario 2–multiple keys for data encryption
Protecting the access keys
Audit trail is important
Asymmetric key encryption
The basic working
Authentication with the help of an asymmetric key
Digital signatures
The benefits and use cases of a digital signature
SSL/TLS
Scenario 1 – A man-in-the-middle attack–storing credentials
Scenario 2 – A man-in-the-middle attack–integrity attacks
Working of SSL/TLS
Client Hello
Server Hello
Certificate
Server key exchange
Server Hello done
Client key exchange
Change cipher spec
Security related to SSL/TLS
Grading TLS configuration with SSL Labs
Default Settings
Perfect forward secrecy
Implementation of perfect forward secrecy in nginx
HTTP Strict Transport Security
Implementing HSTS in nginx
Verifying the integrity of a certificate
Online certificate status protocol
OCSP stapling
Challenge 1
Challenge 2
An ideal solution
Architecture
Implementing TLS termination at the ELB level
Selecting cipher suites
Importing certificate
AWS certificate manager
Use case 1
Use case 2
Introduction to AWS Certificate Manager
Summary
Automation in Security
Configuration management
Ansible
Remote command execution
The structure of the Ansible playbook
Playbook for SSH hardening
Running Ansible in dry mode
Run and rerun and rerun
Ansible mode of operations
Ansible pull
Attaining the desired state with Ansible pull
Auditing servers with Ansible notifications
The Ansible Vault
Deploying the nginx Web Server
Solution
Ansible best practices
Terraform
Infrastructure migration
Installing Terraform
Working with Terraform
Integrating Terraform with Ansible
Terraform best practices
AWS Lambda
Cost optimization
Achieving a use case through AWS Lambda
Testing the Lambda function
Start EC2 function
Integrating the Lambda function with events
Summary
Vulnerability, Pentest, and Patch Management
Introduction to vulnerability assessment
Common Vulnerabilities and Exposures
Common Vulnerability Scoring System (CVSS)
Understanding risks
Determining the likelihood
Defining the impact
Risk mitigation
A sample scan report
How a vulnerability scanner works
Best practices
Patch management
Solution 1
Solution 2
Solution 3
Centralized patch management
Architecture
Installing the Spacewalk server
Import the CentOS 7 repository
Create activation keys
Configuring clients
Pushing updates to clients
Organizing servers in groups
Systems set manager
The life cycle of patch management
Important points to remember
Best practices
Standardize the stacks
All systems must be connected to Spacewalk
Develop a back out plan
Push in a systematic way
Rolling updates
All at once
Challenges
Containers and patch management
Introduction to Docker
Setting up Docker
Summary
Security Logging and Monitoring
Continuous security and monitoring
Real world scenario
Log monitoring is a must in security
Key aspects of continuous security monitoring
Operational considerations
Understanding what is normal versus abnormal
Choosing the right log monitoring tool
Let's get started with logging and monitoring
VPC flow logs
AWS Config
Configuring the AWS Config service
Let's analyze the functionality
Evaluating changes to resources
Security Incident and Event Management
Log monitoring is reactive in nature
Best practices
Set the right base
Structure your logs
Transform granular events to high level
Determine whom to notify when an event occurs
Summary
First Responder
Real world use case
Use case
Understanding the incident
Handling the incidents
Incident response plan
Preparation
Educate
Stick to the plan
Incident response process
Preparation
Use case
Detection
Use case
Containment
Use case
Remediation
Use case
Recovery
Use case
Lessons learned
Use case
Insider threats
Use case
Early indications of insider threats
Holding unexpected simulation
Summary
Best Practices
Cloud readiness
Network readiness
Server readiness
Bonus points
Summary
Cloud computing is one of the most booming fields nowadays, and many big organizations, as well as start-ups, are now migrating their websites and applications to a cloud platform from traditional data centers, shared hosting, or managed VPS-based approaches.
With this sudden and fast transition to the cloud, the number of hacking incidents has also increased tremendously because of a lack of security awareness, guidance, and governance specifically related to the challenges in the cloud.
Many security approaches that were used in a datacenter or even on-premise cannot be implemented in the cloud because of a lack of control and visibility. This poses new challenges related to how to effectively control the security.
This book is designed to provide you with a step-by-step guide along with tools and best practices required to secure your infrastructure based on cloud platforms. Most of the approaches can still be applied to on-premise infrastructure.
All the approaches, tools, and best practices specified in this book are well tested and are currently being implemented by many big organizations dealing with stringent compliance standards such as PCI DSS and many more.
This book strives to create a balance between introductory, detailed and practical aspects of the topics discussed so that it can be useful for various individuals who might be reading the book.
Chapter 1, The Fundamentals of Cloud Security, begins by providing a solid foundation for cloud computing, followed by the challenges faced when an organization moves into the cloud. At the end of the chapter, we look at a case study of a real-world scenario in which the servers of a known start-up were hacked, and analyze the security shortcomings that led to the downfall.
Chapter 2, Defense in Depth Approach, provides insights into the structural approach for defensive security that can provide a solid base for security in an organization to protect against attacks. We have an abstract overview of the tools and technologies that can be used at these layers. This chapter provides the foundation for the rest of the book.
Chapter 3, Designing Defensive Network Infrastructure, begins with revising the fundamentals related to the TCP/IP model and then continues with understanding the stateful and stateless nature of firewalls, the ideal approach to designing firewall rules, and best practices. We also look into the implementation approach related to IPS in the cloud along with various technologies like bastion hosts and Virtual Private Networks. Throughout this chapter, we discuss the best practices, in terms of both process and implementation, that will help the organization build a strong network perimeter.
Chapter 4, Server Hardening, deals with operating-system-level security. This chapter provides insights into implementing an approach based on the principle of least privilege with the help of various technologies related to centralized authentication and single sign-on solutions. Along with this, we have a great overview of auditing functionality with the help of AuditD and explore pluggable authentication modules as well. At the end, we look into various tools and technologies for disk-level encryption, server hardening, SELinux, host-based intrusion detection systems, and the approach for building “Hardening / Golden Images”.
Chapter 5, Cryptography Network Security, begins with revising the fundamentals of cryptography and then moves on to explore various technologies like hardware security modules and Key Management Service, before looking into SSL/TLS and the associated security best practices related to HSTS, Perfect Forward Secrecy, OCSP stapling, and many more.
Chapter 6, Automation in Security, explores configuration management and the infrastructure-as-code-based approach, and their necessity and importance in building secure environments. In this chapter, we revise and explore tools like Terraform and Ansible, along with their associated best practices. We look into the “Desired State” approach that can be achieved with these configuration management and infrastructure-as-code-based tools and its significance in maintaining the overall security posture of the organization.
Chapter 7, Vulnerability, Pentest, and Patch Management, gives you insights on how to implement an entire cycle of vulnerability assessment to patch management. This is one of the very important parts of any organization, and many big organizations have been compromised because of not being able to implement and follow this life cycle phase. We look into the industry standard tools, proven best practices, and approaches that you can implement in your organization related to this phase.
Chapter 8, Security Logging and Monitoring, provides insights into operational considerations related to logging and monitoring, an overview of log management activity, and the tools and things that need to be captured to give you the right overview of what is currently happening within your organization.
Chapter 9, First Responder, walks you through incident response. This chapter gives you an overview of incident response and the ideal ways in which you can implement an incident response plan, along with ways in which you can continually check on the preparedness of your incident response team.
Chapter 10, Best Practices, condenses all the chapters and the associated tools into tabular form for easy insights into the overall book.
Although this book can stand alone, it would be best if you were to practice the implementation approaches that have been discussed.
To begin with, you will need a virtual machine based on CentOS 6 or 7 as a base, followed by various tools that need to be downloaded, depending on the section that is being covered in the book. Most tools that have been discussed are open source variants, and some offer a trial period or free trials.
You will also need an AWS account, as there is a section that covers AWS security-related services.
If you are a system administrator, or even a solutions architect with a desire to implement strong security in your organization, then this is the book for you. We not only discuss the security terminologies, but also give you the name of the exact tools that can be used, along with the approaches for implementing and using them in the best possible manner.
The things that have been discussed here have been thoroughly tested and proven to be very effective in start-ups as well as bigger organizations.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "If a developer wants to see the application logs on the server, there is no need to give him full sudo permission."
Any command-line input or output is written as follows:
Sent Message --> "Schedule Launch Date : 27 June 2017 "
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes, for example, appear in the text like this: "Once you click on Create Key, you will be asked to fill in a certain set of details."
We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from http://www.packtpub.com/sites/default/files/downloads/EnterpriseCloudSecurityandGovernance_ColorImages.pdf.
This chapter, being the first chapter of this book, aims at establishing the base of cloud security, based on which we will discuss all the subsequent chapters in detail. Most chapters in this book will cover specific topics and challenges that one might face in implementing security in the cloud. In this chapter, however, we will cover the basics of cloud computing and the associated security aspect that will help us get started.
We can think of this chapter as the basic principles on which the security practices need to be applied.
Cloud computing is basically delivering computing as a service. In this approach, infrastructure, applications, and software platforms are all available as a service for consumers to use anytime, ideally with a pay-as-you-go model.
Let's understand the cloud with a use case. Many years back, when we needed a dedicated server, we had to initially pay up-front for the entire month to the hosting provider and after this, we had to wait for servers to get provisioned. Meanwhile, if we wanted to resize the server, we needed to raise a support ticket, and the hosting provider would manually resize the server, which sometimes would take up to 24 hours.
Cloud computing is a model in which computing resources (for example, servers, storage, and networks) are available as a service that can be rapidly provisioned on the go with minimal intervention from the hosting provider.
Now that we've gone through a simple use case, let's go ahead and understand the three important characteristics of a cloud computing environment:
On demand and self serviced: The consumer should be able to request the provisioning of servers whenever needed, and the deployment should be automatic, without any manual intervention from the hosting provider.
For example, if John needs a 16 GB RAM server in the middle of the night, he should be able to get it with a few clicks of a button, without any intervention from the cloud service provider (CSP).
Elasticity: Consumers can scale the resources upwards or downwards to meet the end user's demands whenever required. This capability is largely dependent on the concept of virtualization, which is tightly integrated with the cloud computing approach.
For example, if John wants to increase or decrease the capacity of a server, he should be able to do it anytime he needs.
Measured service: Cloud computing providers should monitor the consumer's usage of the service and charge according to what customers use. Typically, a cloud computing provider charges on an hourly basis; however, newer plans support payment based on 5-minute intervals.
For example, if John uses a 16 GB RAM server only for 3 hours and terminates it, he should be charged for 3 hours only.
There are three major service models in the cloud computing environment, and depending on the use case of the organization, one of them is generally chosen:
Software as a service (SaaS)
Platform as a service (PaaS)
Infrastructure as a service (IaaS)
Let's spend some time understanding each of these service models which will in turn help us decide the ideal one for our requirements. Depending on the service models that we choose, the security implementation varies considerably.
In its simplest terms, SaaS means a hosted application on the internet. A SaaS provider will provide the application on their servers that consumers will be able to use.
The installation, management, security, and troubleshooting of the application are entirely the responsibility of the SaaS provider.
One of the disadvantages of the SaaS-based approach is that if the SaaS provider needs downtime for any reason, then the organizations using the application have no choice but to wait, which leads to less productivity.
For example, Google Docs is a famous SaaS service. We use Google Docs (similar to Microsoft Word) and Google Sheets (similar to Microsoft Excel) online.
Microsoft Word is also ported to the cloud through a service called Office 365. We can access Word, Excel, and PowerPoint all from a browser.
The following is an example of PowerPoint that is available online as a part of the Office 365 suite, where you can run various software, such as Word, Excel, and PowerPoint from your browser without installation:
In a PaaS-based offering, the provider will allow consumers to host their own application onto their cloud infrastructure.
The PaaS provider, in turn, handles the backend support of the programming languages, libraries, and associated tools that allow a consumer to upload and manage their application. The consumer does not have to worry about underlying servers, OS, networks, and platform security as they're handled by the PaaS provider.
However, the hosted application's security and configuration is still the responsibility of the customer.
Google App Engine, which is part of the Google Cloud Platform, is one famous example. All we have to do is to upload our code and all backend stuff will be managed by them. However, if the code itself is vulnerable, then it is the responsibility of the customer and not the PaaS provider:
In IaaS, the hosting provider will host the virtual machine (VM) on behalf of the consumer at their end.
The consumer, with just a few clicks on the resources that are needed (RAM, CPU, and network), will be provided a server on the cloud.
The consumer does not control the underlying infrastructure, such as virtualization software, physical security, and hardware. It is the cloud provider's responsibility to handle the reliability of hardware and virtualization software used and the physical security of the servers, and the client is responsible for the VM configuration and its associated security:
For example, as shown in the previous figure, Amazon EC2 is one of the well-known examples for IaaS. Clients can launch an EC2 instance with customized configurations, such as operating systems, associated resources (CPU, RAM, and network), IP addresses, and even the firewall rules (security groups).
This approach generally appears when an organization is planning to use an IaaS-based service model. In such cases, before selecting a CSP, we need to understand what type of cloud service model we are looking for. Many organizations decide to create their own data center and launch a cloud environment with the help of OpenStack. One of the advantages in the long term would be the cost benefit, but this approach does take a large amount of investment.
Having said this, as illustrated in the following diagram, there are three deployment models for the cloud, based on which an organization has to decide which one to choose from:
Let's briefly look into each of them:
Public cloud: In this type of offering, the CSP opens up the service for everyone and anyone willing to pay for the service. This is one of the most common models and is preferred by startups and mid-sized organizations. One of the benefits of this approach is that the initial investment needed is far less, as the organization will pay as per their resource usage in the cloud environments.
Private cloud: As the name suggests, a private cloud is meant to be used within an organization. In this approach, the services are not offered to the public; instead, they are made available to resources within the organization itself. Thus, the entire responsibility for governance and security maintenance lies with the organization. Organizations choosing this approach generally use OpenStack for their environments.
Hybrid cloud: In this type, some of the assets are managed in the internal private cloud while others are moved to the public cloud. Servers can be managed internally, but for data storage, we can use Amazon S3 or Amazon Glacier. Thus, an organization can plan out which assets are costly to handle internally and, if the cloud is a cheaper option, migrate those assets to the cloud. Many organizations also decide to use a multi-cloud-based approach where services such as servers can be managed by cloud providers such as Linode and DigitalOcean, which are quite cheap and reliable, while other services such as storage, message broker, and much more rely on the AWS platform.
Relying on a single cloud provider such as AWS might prove to be expensive and you will always have your finance team chasing you up over high cost. From what I have observed over the course of many years as a part of cost optimization projects, I prefer to use the hybrid cloud, where servers and services are distributed among different cloud providers such as AWS, DigitalOcean, and Linode. This approach is great but you will need a good amount of time to do all configurations. This approach is generally not preferred by startups that have limited bandwidth and might not have dedicated solutions/DevOps architects to take care of the infrastructure.
Now that we have covered the basics of the cloud computing environment, we can go ahead and start with the security aspect pertaining to cloud environments. Cloud security is generally considered a challenge and there are special certifications such as Certificate of Cloud Security Knowledge (CCSK) being released that are specific to cloud security-based knowledge.
The real reason why cloud security is a different challenge is because of the loss of control of the backend infrastructure and things related to the visibility of the underlying network. The scope of controls associated with the cloud platform differs depending on the service model being used.
The following diagram denotes how the scope would vary:
If we look at the preceding diagram, the responsibilities of the consumer, including those for security, vary depending on the model that is chosen. Let's look at an overview based on this aspect:
In a SaaS-based model, the Cloud Provider is responsible for Infrastructure, Intermediary Layer, and part of the Application Layer; however, it is the Cloud Consumer who is responsible for data stored in the Application and its associated configuration
In a PaaS-based model, the Cloud Provider is responsible for Infrastructure and certain aspects of Intermediary Layer, while the Cloud Consumer is responsible for the Application and its associated security along with certain aspects of Intermediary Layer
In an IaaS-based model, the Cloud Provider is responsible for the underlying backend Infrastructure such as the virtualization layer, backend switches, hardware, and others while the Cloud Consumer is responsible for all the other aspects except server security, firewalls, and routing configurations
One of the main reasons why cloud security is considered challenging is potentially due to the lack of full control of the environment. Along with the lack of control, lack of visibility is also one of the challenges as we don't really know how things look behind the scenes.
Since a cloud environment is a giant resource pool, we generally share the underlying resources with multiple other users belonging to different organizations. This is often referred to as multi-tenancy.
Since the resource is generally not dedicated to us, we are not allowed to do various things, such as performing external scans on our websites, that might affect the performance of other customers. There are many such reasons that limit flexibility and visibility in cloud environments.
The tools, technologies, and approaches that are used in data centers can be different from those used in a cloud environment. This is because of the limited visibility and control of the infrastructure in the cloud.
Thus, the security posture your organization has in its data center cannot always stay the same when you migrate to cloud environments.
A typical data center environment can have the following things:
Stateful firewall
Log and security information and event management (SIEM) solutions
IDS connected with Switched Port Analyzer (SPAN) port
Anti-malware at network level
We cannot have everything in the cloud. We need to assess risks and make a decision.
One of the simplest and best-known features of virtualization is that it allows us to run multiple operating systems together on a single piece of hardware.
So, essentially, we can run Windows and Linux together simultaneously in a single box without having to worry about much.
I still remember my senior saying that I was very lucky to be born in the days of virtualization as earlier if they messed up their system during testing, they had to spend 2-3 hours re-creating it, while in virtualization, once the snapshot is taken, it takes just 2 minutes to go back to its original state. The snapshot and restore features have been one of the most preferred and useful features, specifically when doing testing related to compiling the kernel.
In the following screenshot, I have run the latest version of CentOS 7 on my Macintosh with the help of VMware Fusion, which is a virtualization software:
In x86-based computers, user applications have very limited privileges, where certain tasks can only be performed by the operating system code.
In this type of architecture, the OS and the CPU work together to restrict what a user level program can do in the system.
As illustrated in the following diagram, there are four privilege levels that start from 0 (Most privileged) to 3 (Least privileged) and there are three important resources that are protected, which are memory, I/O ports, and the ability to run certain machine-level instructions:
It's important to remember that even having a root account means that you are still in user code - that is, Ring 3. It's very simple; all user code runs on Ring 3 and all kernel code runs on Ring 0.
Due to this strict restriction, specifically to memory and I/O ports, the user can do a minimal number of things directly and would thus need to call through the Kernel.
For example, if a user wants to open files, transfer data over the network, and allocate memory for the program, it will have to ask the Kernel (which is running on Ring 0) to allow it, and this is why the Kernel has full control over the program, which leads to more stability in the operating system as a whole.
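The ring restrictions described above can be observed from an ordinary process. The following C program is an added example, not code from the book; it assumes Linux on an x86 CPU with GCC or Clang, and the names current_ring and signal_from are hypothetical helpers chosen for this illustration.

```c
/* Added example, not from the book. Assumes Linux on x86 with GCC or Clang. */
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum protected_op { OP_HLT, OP_PORT_READ };

/* The current privilege level is the low two bits of the CS selector. */
int current_ring(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return (int)(cs & 3u);
#else
    return -1; /* not an x86 build */
#endif
}

/* Try one protected operation in a child process. Returns the signal that
   killed the child, 0 if it survived, -1 on error or on a non-x86 build. */
int signal_from(enum protected_op op) {
#if defined(__x86_64__) || defined(__i386__)
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        unsigned char v = 0;
        if (op == OP_HLT)
            __asm__ volatile("hlt");          /* privileged instruction */
        else                                  /* raw read of I/O port 0x80 */
            __asm__ volatile("inb %1, %0" : "=a"(v) : "Nd"((unsigned short)0x80));
        (void)v;
        _exit(0);                             /* reached only if nothing faulted */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
#else
    (void)op; return -1;
#endif
}

int main(void) {
    printf("uid=%d ring=%d\n", (int)getuid(), current_ring());
    printf("hlt: signal %d, port read: signal %d (SIGSEGV is %d)\n",
           signal_from(OP_HLT), signal_from(OP_PORT_READ), SIGSEGV);
    return 0;
}
```

Running it as root reports the same ring and the same faults, because the CPU checks the privilege level of the running code, not the account that started it.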
The x86-based operating systems are designed to run directly on hardware, so they assume that they have full control of the hardware on which they are running.
As discussed, x86 architecture generally offers four levels of privileges, namely Ring 0, Ring 1, Ring 2, and Ring 3, as is described in the following diagram:
These levels of privileges are assigned to operating systems and applications that allow them to manage access to underlying hardware on which they are running. Generally, User Application runs on Ring 3, and the OS must run on Ring 0, which typically has full privilege over the System Hardware.
Virtualization requires placing a new virtualized layer between the OS and the hardware that will control and manage the guest OS running on top of it, and this is the reason why the virtualization software typically needs higher privileges than that of a guest OS. There are three types of virtualization.
Based on this approach, any OS can be virtualized with the help of binary translation and direct execution techniques. In this approach, the Guest OS is placed on a higher ring and the kernel code is translated by the hypervisor (virtualization software) so that it takes effect on the virtual hardware on which it is running. The hypervisor translates all the OS instructions on the fly:
The hypervisor gives virtual machines all the services provided by the hardware such as virtual BIOS, virtual memory, and access to virtual devices. The user code that typically runs on Ring 3 is executed directly, which leads to higher performance. The Guest OS is not aware that it is being virtualized and does not require any modification.
This is also sometimes referred to as OS assisted virtualization
