Category: AWS Certification Exam

Star Hand Avoiding common pitfalls, AWS Certification Exam, Compliance concepts, Division of responsibility, Exams of Microsoft, Landing zone concepts

The core components of a landing zone– Cloud Security Fundamentals

The primary goal of a landing zone is to ensure consistent deployment and governance across various environments, such as production (Prod), quality assurance (QA), user acceptance testing (UAT), and development (Dev). Let us understand the core concepts associated with landing zones:

  • Network segmentation: Network segmentation is a critical aspect of a landing zone architecture, and it involves dividing the cloud environment into distinct network segments to ensure isolation and security between different environments and workloads. Each environment (Prod, QA, UAT, and Dev) has a dedicated network segment. These segments are logically separated to prevent unauthorized access between environments. Network segmentation ensures that activities in one environment do not impact others and that sensitive data is adequately protected.
  • Isolation of environments: The network segments for each environment are isolated from each other to minimize the risk of data breaches or unauthorized access. This can be achieved through various means, such as Virtual Private Clouds (VPCs) in AWS, Virtual Networks (VNets) in Azure, or VPCs in GCP.
  • Connectivity between environments: While isolation is crucial, there are specific scenarios where controlled connectivity is required between environments, such as data migration or application integration. This connectivity should be strictly controlled and monitored to avoid security risks.
  • Identity and access management (IAM): IAM policies and roles are implemented to regulate access to cloud resources within each environment. This ensures that only authorized users have access to specific resources based on their roles and responsibilities.
  • Security measures: Each landing zone environment should have security measures, including firewall rules, security groups, network access control lists (NACLs), and other security-related settings. This helps safeguard resources and data from potential threats.
  • Centralized governance: A landing zone architecture also implements centralized governance and monitoring to maintain consistency, compliance, and visibility across all environments. This involves using a central management account or a shared services account for common services.
  • Resource isolation: Within each environment, further resource isolation can be achieved by using resource groups (Azure), projects (GCP), or organizational units (AWS) to logically group resources and manage access control more effectively.
  • Monitoring and auditing: To maintain the health and security of the landing zone, comprehensive monitoring and auditing practices should be implemented. This includes monitoring for suspicious activities, resource utilization, and compliance adherence.

Overall, a landing zone architecture provides a solid foundation for an organization’s cloud deployment by enforcing security, governance, and network segmentation across different environments. This architecture is cloud provider-agnostic and can be adapted to various cloud platforms such as Azure, AWS, and GCP while following their respective best practices and services. To read more about it, you can search for Cloud Adoption Framework, followed by the cloud provider’s name, via your favorite search engine – you will get plenty of resources.

Summary

Cloud security is an interesting topic and fun to learn. I hope you enjoyed it as much as I enjoyed writing some of these fundamental concepts. In this chapter, we introduced you to some important security and compliance concepts. This included shared responsibility in cloud security, encryption and its relevance in a cloud environment, compliance concepts, the Zero Trust model and its foundational pillars, and some of the most important topics related to cryptography. Finally, you were introduced to CAF and landing zones. All the terms and concepts discussed in this chapter will be referred to throughout this book. I encourage you to deep dive into these topics as much as you can.

In the next chapter, we will learn about cloud security posture management (CSPM) and the important concepts around it. Happy learning!

Further reading

To learn more about the topics that were covered in this chapter, look at the following resources:

Star Hand AWS Certification Exam, Compliance concepts

Landing zone concepts– Cloud Security Fundamentals

In the past, a common practice was to manage all cloud operations within a single cloud account, including various stages such as development, testing, staging, and production. This approach posed several challenges, particularly regarding security management. The absence of proper security measures raised concerns about the integrity of sensitive data and resources across different environments within the same account. Additionally, this setup hindered scalability, making it difficult to accommodate new teams and applications seamlessly. Moreover, the lack of centralized control and monitoring prevented efficient oversight of cloud resources.

To overcome these limitations and enhance the cloud adoption process, the concept of a “landing zone” emerged.

A landing zone refers to a well-architected, standardized, and secure foundation that organizations establish to facilitate the migration of workloads to the cloud or to enable the deployment of new workloads in the cloud. It serves as the starting point for cloud adoption and provides the necessary building blocks to ensure a smooth and controlled transition to the cloud. CAF and the landing zone are closely related and complement each other in the process of migrating to the cloud.

CAF versus the landing zone

CAF and the landing zone are interrelated components of a comprehensive cloud migration strategy. Here is how they relate to each other:

  • Planning phase: In the planning phase of CAF, organizations evaluate their current IT landscape, business goals, and technical requirements. As part of this planning, they also define the landing zone architecture that aligns with their cloud strategy. The landing zone becomes the technical foundation based on the strategic decisions made in CAF.
  • Design and architecture: CAF addresses high-level architectural considerations, while the landing zone is more specific to the technical design and implementation. CAF sets the direction and objectives, and the landing zone translates those objectives into tangible technical solutions.
  • Governance and security: Both CAF and the landing zone emphasize governance and security. CAF establishes the policies and controls that govern cloud adoption, while the landing zone enforces these policies at the technical level, ensuring consistent security measures, compliance, and best practices.
  • Execution and deployment: Once CAF’s planning phase is complete, the organization can use the defined landing zone architecture as the blueprint for implementing the initial cloud deployment. The landing zone serves as a ready-to-use template, accelerating the migration process while maintaining a standardized and secure environment.
Star Hand Avoiding common pitfalls, AWS Certification Exam, Compliance concepts

Cryptography – Cloud Security Fundamentals

In today’s digital world, even with the utmost efforts to safeguard data, there remains a risk of losing control, especially when data is transmitted over the internet. To mitigate this risk, one effective method is encryption. By encrypting data, it becomes incomprehensible and unusable to unauthorized parties who lack the means to decrypt it.

Note

Cryptography is a comprehensive and well-covered subject in numerous cybersecurity books. To maintain a focus on the topics of cloud security, this book will only address its crucial and pertinent aspects in the context of cloud environments.

Cryptography is the science and practice of securing information by converting it into a secret code, making it unreadable and unusable to unauthorized parties. It plays a crucial role in ensuring data confidentiality, integrity, authentication, and non-repudiation, making it a fundamental tool for protecting sensitive information and communication in various digital systems, including computer networks, cloud computing, and online transactions.

Encryption

Encryption is a specific process within the field of cryptography. It is the technique of converting plaintext data into ciphertext using cryptographic algorithms and keys. The purpose of encryption is to protect data during transmission or storage by making it unreadable and unintelligible to unauthorized individuals or entities.

Encryption is pure mathematics. There is a defined complex method/formula to encrypt messages and decrypt those messages; you should have the same method or formula to decrypt them. Over time, encryption has achieved complexity due to attackers continuing to find ways to decrypt messages.

There are two different types of encryption: symmetric and asymmetric.

In symmetric encryption, the same secret key is used for both encrypting and decrypting data. This means that both the sender and the receiver need to possess the same secret key to securely communicate and exchange information:

Figure 1.9 – Symmetric encryption (https://binarycoders.files.wordpress.com/2020/07/01_symetric_encryption.png?w=1024)

Asymmetric encryption, also known as public-key encryption, is a cryptographic technique that uses a pair of keys (public key and private key) for secure communication and data exchange. The public key is used for encryption, while the private key is used for decryption:

Figure 1.10 – Asymmetric encryption (http://www.giuseppeurso.eu/wp-content/uploads/2014/11/giuseppe-urso-asymmetric-key-encryption-in-java-03.png)

Let’s look at how asymmetric encryption works:

  • Key generation: A user generates a key pair consisting of a public key and a corresponding private key. The public key is made openly available, while the private key is kept secret.
  • Encryption: If someone wants to send a confidential message to the key pair owner, they use the recipient’s public key to encrypt the message.
  • Decryption: Only the recipient who possesses the corresponding private key can decrypt the encrypted message that was sent to them using their public key.

The security of asymmetric encryption relies on the mathematical properties that make it computationally infeasible to derive the private key from the public key. As a result, the public key can be freely shared with others for encryption purposes, while the private key remains securely held by its owner for decryption. This makes asymmetric encryption a fundamental component of secure communication, digital signatures, and authentication in various applications, such as secure web browsing (HTTPS), email encryption, and digital certificates. Now that you understand the different types of encryption, let us understand another important concept: encrypting data in different stages.

Star Hand AWS Certification Exam, Exams of Microsoft

Encryption in cloud environments– Cloud Security Fundamentals

In cloud environments, responsibility for encryption is typically shared between the cloud service provider and the customer. The cloud service provider is responsible for providing the underlying infrastructure and tools to enable encryption, while the customer is responsible for implementing encryption practices for their data and managing access to the encryption keys.

Encryption in a cloud environment can be achieved through a multi-step process that involves various responsibilities and tools. A cloud customer must understand these points. Let’s break down the process:

  1. Data classification and encryption strategy: The customer is responsible for classifying their data based on sensitivity and compliance requirements. They need to determine what data needs to be encrypted and what encryption algorithms to use. No specific tool is involved in this step. It’s more of a policy and decision-making process.
  2. Data encryption: The customer is responsible for encrypting their data before sending it to the cloud or storing it in the cloud service. Various encryption libraries and tools are available for data encryption, such as OpenSSL and HashiCorp Vault, as well as cloud provider-specific encryption via a software development kit (SDK).
  3. Key generation and management: The cloud service provider is responsible for providing a Key Management Service (KMS) that allows customers to create and manage encryption keys securely. Cloud service providers offer their own KMSs, including AWS KMS, Azure Key Vault, and Google Cloud KMS.
  4. Customer Master Key (CMK) creation and protection: The customer is responsible for creating and managing their CMKs within the cloud provider’s KMS. CMKs are used to protect and control access to data encryption keys. The KMS provided by the cloud service provider is used to create and manage CMKs.
  5. Data upload and storage: The cloud service provider is responsible for securely receiving and storing encrypted data. No specific tool is involved here. The cloud provider’s storage infrastructure handles the encrypted data.
  6. Data retrieval and decryption: The customer is responsible for retrieving the encrypted data from the cloud and decrypting it using the appropriate Data Encryption Key (DEK), which is decrypted using the CMK. The decryption process is performed using encryption libraries or tools, along with the cloud provider’s KMS to retrieve and use the necessary keys.
  7. Key rotation and life cycle management: The customer is responsible for regularly rotating encryption keys and managing their life cycle to minimize the risk of unauthorized access. The cloud provider’s KMS offers APIs and tools to facilitate key rotation and life cycle management.
  8. Monitoring and auditing: Both the cloud service provider and the customer share the responsibility of monitoring and auditing encryption-related activities to detect and respond to security incidents or unauthorized access. CSPM tools provide the visibility of risk associated with keys.

In summary, encryption in the cloud involves collaboration between the cloud service provider and the customer. The customer is responsible for data classification, encryption, key management, and data decryption, while the cloud provider is responsible for providing a secure KMS and ensuring the secure storage and retrieval of encrypted data. Various encryption libraries, KMSs, and CSPM tools play crucial roles in achieving a robust encryption process in the cloud environment.

Now that you have a fundamental understanding of encryption and its relevance in cloud environments, let us understand another important topic: the Cloud Adoption Framework (CAF). This is one of the most important topics for organizations planning to adopt the cloud for their infrastructure.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Division of responsibility

Compliance concepts – Cloud Security Fundamentals

We are in the age of data analytics and data science, where data has become more precious than ever. Organizations, institutions, and businesses now rely on data to function on a day-to-day basis. It has become even more crucial to take extra care when dealing with data when organizations are moving their data to the cloud. To protect personally identifiable information (PII), health-related data, and financial data, government agencies, regulatory authorities, and industry groups have issued regulations to help protect and govern the use of data.

Security and compliance are not the same concepts, even though they are very well interconnected and the line between them is blurred. Security refers to the set of policies, processes, and controls that a company implements to protect its assets, while compliance refers to the meeting that some regulatory body or third party has set as a best practice or legal requirement.

Some of the compliance concepts in cybersecurity include the following:

  • Regulatory compliance: This refers to adherence to legal requirements, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Regulatory compliance involves implementing security measures and protocols to protect sensitive data and ensure that organizations are following established legal requirements.
  • Industry-specific compliance: This refers to adherence to specific security requirements established by particular industries, such as the Payment Card Industry Data Security Standard (PCI DSS) for organizations that handle credit card information. Industry-specific compliance involves implementing security measures and protocols that are specific to the requirements of a particular industry. Another significant example would be the Health Insurance Portability and Accountability Act (HIPAA) as it ensures the protection and confidentiality of individuals’ sensitive health information, providing them with greater control over their medical data and promoting trust in the healthcare system. Its regulations establish standards for securely handling the protected health information of healthcare providers, insurers, and other entities in the United States.
  • Standards compliance: This refers to adherence to established security standards, such as the ISO/IEC 27001 and the National Institute of Standards and Technology (NIST) standards for information security management systems. Standards compliance involves implementing security measures and protocols that meet or exceed established industry standards.
  • Best practices compliance: This refers to adherence to established best practices for cybersecurity, such as the Center for Internet Security (CIS). Best practices compliance involves implementing security measures and protocols that are widely accepted as effective in the cybersecurity community. You can find the latest CIS benchmarks for cloud providers such as Alibaba, AWS, and Azure, as well as various other technologies, at https://www.cisecurity.org/cis-benchmarks.

Here are some important topics associated with data compliance:

  • Data residency: This refers to the physical or geographical location of the data. It sounds normal in the case of on-premises but it’s challenging to achieve when data is stored in the cloud. Some countries have regulations that their data must be stored on a server physically located within the country.
  • Data sovereignty: This refers to the laws and governance structures that data is subject to, due to the geographical location of where it is processed.
  • Data privacy: This refers to providing notice and being transparent about collecting, using, and sharing personal data. These are fundamental principles of laws and regulations.

Compliance in cybersecurity is important because it helps organizations establish a baseline of security measures and protocols that can protect sensitive data and ensure the security of computer systems and networks. Compliance can also be used to demonstrate to stakeholders that an organization is taking the necessary steps to protect data and mitigate cybersecurity risks.

Now, let’s understand another interesting and important topic: cryptography.

Star Hand AWS Certification Exam, Landing zone concepts

Encrypting data in different stages– Cloud Security Fundamentals

Data can be classified into different stages based on its level of activity or usage. The three main stages of data are data at rest, data in transit, and data in use. Encryption is a crucial technique that’s used to protect data in these states:

  • Data at rest: Data at rest refers to data that is stored on storage devices, such as hard drives, databases, or cloud servers, when it is not actively in use or being transmitted. Encryption at rest ensures that even if someone gains physical or unauthorized access to the storage medium, they won’t be able to read or understand the data without the appropriate decryption key. For example, when you store sensitive files on your computer’s hard drive, encrypting the files will protect them from unauthorized access if your device is lost or stolen.
  • Data in transit: Data in transit refers to data that is being transmitted over networks between different devices or systems. Encryption in transit ensures that data is secured while it is moving from one location to another, preventing interception or eavesdropping by unauthorized parties. Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols are commonly used for encrypting data during its transmission over the internet. For example, when you access a website using HTTPS, the data that’s exchanged between your browser and the website’s server is encrypted in transit.
  • Data in use: Data in use refers to data that is actively being processed or accessed by an application or user. Encryption at this stage involves protecting the data while it is being used to prevent unauthorized access or disclosure. This can be achieved using techniques such as memory encryption or secure enclaves. For example, when you open a password-protected document, the data in the document is decrypted in memory for you to view and edit it. When you close the document or log out, the data is encrypted back in memory to protect it from potential unauthorized access.

Now that we have briefly covered encryption, let’s understand the importance of encryption in the context of a cloud environment.

Importance of encryption for a multi-cloud hybrid environment

The importance of encryption in securing the cloud cannot be overstated. Encryption plays a vital role in ensuring the confidentiality, integrity, and privacy of sensitive data and communication within cloud environments. Here’s why encryption is essential for cloud security:

  • Data confidentiality: Encryption ensures that sensitive data stored in the cloud remains unreadable to unauthorized parties. Even if a security breach occurs, encrypted data appears as ciphertext, protecting it from exposure and misuse.
  • Secure communication: When data is transmitted between cloud services and users, encryption guarantees secure communication. It prevents interception and eavesdropping, ensuring that sensitive information remains private during transit.
  • Data integrity: Cryptographic techniques, such as digital signatures and hash functions, verify data integrity in the cloud. This prevents unauthorized modification or data tampering, maintaining its accuracy and reliability.
  • Access control: Encryption enables robust access control in the cloud. By encrypting data and managing cryptographic keys effectively, cloud providers can enforce access restrictions, ensuring that data is accessible only to authorized personnel.
  • Regulatory compliance: Many industries are subject to data protection regulations that require the use of strong cryptographic measures. By employing encryption, cloud providers can comply with these regulations and safeguard sensitive data.
  • User authentication: Cryptographic mechanisms such as digital certificates and public key infrastructure (PKI) facilitate secure user authentication in the cloud. This ensures that users and services are legitimate and authorized to access cloud resources.
  • Key management: Cloud environments involve managing a vast number of cryptographic keys for different purposes. Proper key management is essential for maintaining the security of encrypted data and protecting against unauthorized access.
  • Multi-tenancy security: In a cloud environment, multiple users and organizations share the same infrastructure. Cryptography helps ensure that data from different tenants remains isolated and inaccessible to others, even if they share the same physical resources.
  • Data residency and sovereignty: Encryption helps maintain data residency and sovereignty. Data can be encrypted in such a way that it remains unreadable to unauthorized entities, even if it’s stored in different jurisdictions or countries.
  • Data sharing and collaboration: With encryption, cloud users can securely share and collaborate on sensitive data with other authorized users or organizations without the risk of exposing the data to unauthorized parties.

Overall, encryption provides a critical layer of protection for cloud data and services.

Now, let’s understand how encryption is achieved in cloud environments.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Compliance concepts, Exams of Microsoft

How do organizations ensure confidentiality, integrity, and availability? – Cloud Security Fundamentals

Finding and maintaining the right balance of the CIA triad is challenging due to the diverse threat landscape, competing priorities, the complexity of IT systems, human factors, budget constraints, regulatory compliance, rapid technological advancements, and data sharing complexities. Organizations must proactively assess risks, prioritize assets, implement multi-layered (DiD) security strategies, and adapt to emerging threats. Collaboration among stakeholders is crucial for achieving a robust and effective security posture. It also requires a holistic approach to security and continual efforts to stay ahead of evolving security challenges. Organizations employ a combination of technical, administrative, and physical security measures to strike the right balance. Here are some common practices:

  • Confidentiality:
    • Access controls: Implementing RBAC to ensure that only authorized individuals have access to sensitive data and information.
    • Encryption: Encrypting data during transmission (for example, using SSL/TLS for web traffic) and at rest (for example, encrypting data in databases or on storage devices) to protect against unauthorized access
    • Secure Authentication: Using strong authentication methods such as passwords, MFA, or biometrics to verify the identity of users.
  • Integrity:
    • Data validation: Implementing validation checks to ensure that data is accurate, complete, and free from errors when it is entered into systems.
    • Audit trails: Creating logs and audit trails to track changes made to data and detect any unauthorized modifications.
    • Version control: Using version control mechanisms for critical documents to track changes and prevent unauthorized alterations.
  • Availability:
    • Redundancy: Implementing redundant systems and infrastructure to ensure high availability and fault tolerance. This includes redundant servers, network links, and power sources.
    • Load balancing: Using load balancing techniques to distribute traffic across multiple servers, preventing overload and ensuring continuous service availability.
    • Disaster recovery and business continuity planning: Developing comprehensive plans and procedures to recover from system failures, natural disasters, or other emergencies, thus minimizing downtime and maintaining service availability.

Additionally, organizations can achieve the CIA triad through various administrative practices and security policies:

  • Security awareness training: Conducting regular security awareness training for employees to educate them about security best practices, risks, and the importance of maintaining confidentiality, integrity, and availability
  • Risk assessment and management: Identifying potential security risks and vulnerabilities through risk assessments and implementing measures to mitigate those risks effectively
  • Incident response: Establishing incident response teams and procedures to quickly respond to and mitigate security incidents, ensuring the continuity of operations
  • Regular security audits: Conducting periodic security audits and assessments to evaluate the effectiveness of existing security measures and identify areas for improvement

Achieving the CIA triad is an ongoing process that requires continuous monitoring, updates to security measures, and adaptations to address emerging threats. Organizations must strike a balance between security requirements and business needs and implement appropriate security controls to safeguard their information, systems, and operations effectively.

Now, let us understand another important topic of cybersecurity – the three pillars.

Star Hand AWS Certification Exam, Division of responsibility

The Cloud Adoption Framework– Cloud Security Fundamentals

CAF is a collection of guidelines, best practices, tools, and templates from all major public cloud providers to accelerate an organization’s cloud adoption journey. Every organization has a diverse set of on-premises resources, critical data that they deal with, and regulatory compliance that they need to adhere to, and hence no one cloud adoption formula fits all. It is extremely important to have a strategy to adopt the cloud, and CAF helps business leaders and technology managers define the path of their adoption using CAF. All leading public cloud service providers have developed a version of CAF, which helps make the journey smoother for their potential customers moving into the cloud. It is a useful place to start your journey to understand your needs and do the initial assessment – that is, the maturity assessment. This maturity assessment helps you understand your existing infrastructure, processes, and readiness to adopt the cloud. It also helps the customer in choosing the right service model and IaaS, PaaS, and SaaS offerings.

Microsoft’s CAF involves the following steps. You should also refer to the other cloud frameworks from AWS and GCP:

  1. Strategy: This phase involves establishing the business case for cloud adoption and defining the organization’s cloud strategy. It includes defining the organization’s goals, identifying potential benefits and risks, and selecting the appropriate cloud service provider.
  2. Plan: In this phase, the organization develops a detailed plan for migrating to the cloud. This includes identifying the workloads to be migrated, assessing their suitability for cloud deployment, and determining the appropriate migration strategy.
  3. Ready: This phase involves preparing the organization’s environment for cloud adoption. This includes establishing the necessary infrastructure, networking, and security requirements to ensure a smooth transition to the cloud. This also includes setting up the landing zone for the cloud infrastructure and defining the best practices to expand as the need arises.
  4. Adopt: In this phase, the organization deploys its workloads to the cloud environment. This includes configuring and evaluating the cloud infrastructure and applications to ensure they are functioning as expected.
  5. Govern: In this phase, the organization establishes governance policies and processes to manage its cloud-based solutions. This includes monitoring and managing cloud resources, ensuring compliance with regulatory requirements, and establishing security controls to protect against cyber threats.
  6. Manage: This final phase involves ongoing management and optimization of the cloud environment. This includes monitoring performance, managing costs, and continually improving cloud-based solutions to meet the organization’s evolving needs.

Overall, CAF provides organizations with a structured approach to adopting cloud computing technologies. By following the framework, organizations can better plan, implement, and manage their cloud-based solutions, enabling them to realize the full benefits of cloud computing while minimizing risks and costs. Now that you understand CAF, let us understand the last but very important topic of this chapter: landing zones.

Star Hand Avoiding common pitfalls, AWS Certification Exam

The importance of a landing zone– Cloud Security Fundamentals

Implementing a landing zone is a recommended approach when adopting the cloud and migrating workloads. Here are some of the advantages of implementing a landing zone:

  • Isolation and security: With a landing zone, you can segregate different environments (development, test, staging, production, and so on) into separate accounts or sub-accounts. This isolation helps in containing any security breaches or issues, minimizing the impact on other environments.
  • Scalability and flexibility: A landing zone architecture is designed to be scalable and flexible. It allows you to easily onboard new teams and applications, providing a consistent and well-defined environment for them to work in.
  • Centralized control and monitoring: By using a landing zone, you can establish centralized governance and control over all cloud resources. This ensures that security policies, compliance requirements, and best practices are uniformly enforced across the organization.
  • Resource management: A landing zone often includes resource templates, predefined policies, and automation scripts that simplify resource provisioning, management, and deployment. This streamlines the process of creating and managing cloud resources.
  • Cost management: A well-designed landing zone can include cost management features, helping you track and optimize cloud spending across different accounts and environments.
  • Compliance and auditing: By adopting a landing zone, you can better address compliance requirements and facilitate auditing processes since all resources are organized and managed while following a standardized approach.
  • Risk reduction: Isolating environments and implementing security best practices in a landing zone helps reduce the risk of data breaches, unauthorized access, and other security-related issues.

Overall, a landing zone provides a solid foundation for an organization’s cloud environment, enabling them to deploy workloads in a secure, efficient, and cost-effective manner while ensuring consistency and compliance with organizational policies and standards.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Exams of Microsoft

The six foundational pillars – Cloud Security Fundamentals

The following are the six pillars of the Zero Trust model. They work together to provide overall robust security for your infrastructure:

  • Identities: Identities can refer to users, devices, or applications/services. It is important to verify and secure each identity with strong authentication across your entire digital estate. When an identity (user/device/service) attempts to access a resource, it must be verified with strong authentication and follow the least privilege principle.
  • Endpoints: These are the carriers through which data flows on-premises and in the cloud; hence, they are the reason for creating large attack surfaces in many cases. It is important to have the visibility of devices accessing the network and notice their activities. A device’s security posture and health, from a compliance perspective, is an important aspect of security.
  • Applications: Discovering the shadow IT and in-app permissions is critical because applications are the way organizations’ data is consumed. Not all applications’ access management is managed centrally, so it is important to put a stringent process for access reviews and privileged identity management (PIM) in place.
  • Data: Cloud computing services and offerings have completely changed the way data was managed traditionally, which resulted in perimeter-based whitelisting not being effective anymore in current hybrid/multi-cloud/SaaS-based systems. Many organizations do not have complete visibility of what kind of data they are dealing with, the most critical data, and where it resides in the organization. That is why it is important to discover, classify, label, and encrypt data intelligently based on its attributes. The whole effort is to protect the organization’s critical data and ensure that data is safe from both internal and external threats. This is critical especially when data leaves devices, applications, infrastructure, and the network controlled by the organization.
  • Infrastructure: Threats and attack vectors are very much a reality, whether they are on-premises or in the cloud. You can use intelligence-based telemetries such as JIT access, location, devices, and version to detect anomalies and attacks for ensuring security. This helps allow/block or automatically take action for any risky behavior almost at runtime, such as continuous failed login attempts.
  • Networks: To make this pillar stronger, it is important to ensure that the devices are not trusted by default, even if they are in a trusted network. Implementing end-to-end encryption, reducing the attack surface by policy, network segmentation, in-network micro-segmentation, and real-time threat detection are some of the critical practices to keep in place.

Implementing all six pillars strongly is extremely hard to achieve. It becomes even more challenging when organizations have an enormously complex and hybrid infrastructure where they do not include security as a priority at an early stage. Now, let’s understand the difference between security and compliance.