The core components of a landing zone – Cloud Security Fundamentals

The primary goal of a landing zone is to ensure consistent deployment and governance across various environments, such as production (Prod), quality assurance (QA), user acceptance testing (UAT), and development (Dev). Let us understand the core concepts associated with landing zones:

  • Network segmentation: Network segmentation is a critical aspect of a landing zone architecture, and it involves dividing the cloud environment into distinct network segments to ensure isolation and security between different environments and workloads. Each environment (Prod, QA, UAT, and Dev) has a dedicated network segment. These segments are logically separated to prevent unauthorized access between environments. Network segmentation ensures that activities in one environment do not impact others and that sensitive data is adequately protected.
  • Isolation of environments: The network segments for each environment are isolated from each other to minimize the risk of data breaches or unauthorized access. This can be achieved through various means, such as Virtual Private Clouds (VPCs) in AWS, Virtual Networks (VNets) in Azure, or VPCs in GCP.
  • Connectivity between environments: While isolation is crucial, there are specific scenarios where controlled connectivity is required between environments, such as data migration or application integration. This connectivity should be strictly controlled and monitored to avoid security risks.
  • Identity and access management (IAM): IAM policies and roles are implemented to regulate access to cloud resources within each environment. This ensures that only authorized users have access to specific resources based on their roles and responsibilities.
  • Security measures: Each landing zone environment should have security measures, including firewall rules, security groups, network access control lists (NACLs), and other security-related settings. This helps safeguard resources and data from potential threats.
  • Centralized governance: A landing zone architecture also implements centralized governance and monitoring to maintain consistency, compliance, and visibility across all environments. This involves using a central management account or a shared services account for common services.
  • Resource isolation: Within each environment, further resource isolation can be achieved by using resource groups (Azure), projects (GCP), or organizational units (AWS) to logically group resources and manage access control more effectively.
  • Monitoring and auditing: To maintain the health and security of the landing zone, comprehensive monitoring and auditing practices should be implemented. This includes monitoring for suspicious activities, resource utilization, and compliance adherence.
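The segmentation, isolation and controlled-connectivity points above can be checked mechanically against an address plan and flow records. The following Python sketch is an added example, not code from the book; the CIDR ranges, the single allowlisted UAT-to-Prod flow and the flow records are all constructed assumptions.

```python
import ipaddress
from itertools import combinations


def build_segments(plan):
    """Turn {"Prod": "10.0.0.0/16", ...} into {"Prod": IPv4Network, ...}."""
    return {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}


# Constructed address plan: one dedicated segment per environment.
SEGMENTS = build_segments({
    "Prod": "10.0.0.0/16",
    "QA": "10.1.0.0/16",
    "UAT": "10.2.0.0/16",
    "Dev": "10.3.0.0/16",
})

# Constructed allowlist of controlled cross-environment connectivity:
# (source environment, destination environment, destination port).
ALLOWED_FLOWS = {("UAT", "Prod", 5432)}  # e.g. an approved data migration

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.4.10", "10.0.9.20", 443),    # Prod -> Prod, same segment
    ("10.2.1.5", "10.0.7.8", 5432),     # UAT -> Prod, allowlisted
    ("10.3.2.9", "10.0.7.8", 22),       # Dev -> Prod, not allowlisted
    ("10.1.0.4", "10.2.0.4", 8080),     # QA -> UAT, not allowlisted
    ("192.168.50.3", "10.0.7.8", 443),  # source outside every segment
]


def overlapping_segments(segments):
    """Return pairs of environments whose address ranges overlap."""
    names = sorted(segments)
    return [(a, b) for a, b in combinations(names, 2)
            if segments[a].overlaps(segments[b])]


def environment_of(ip, segments):
    """Map an IP address to its environment, or None if it is in no segment."""
    address = ipaddress.ip_address(ip)
    for name, network in segments.items():
        if address in network:
            return name
    return None


def audit_flows(flows, segments, allowed):
    """Flag flows that cross environments without being on the allowlist."""
    violations = []
    for src, dst, port in flows:
        src_env = environment_of(src, segments)
        dst_env = environment_of(dst, segments)
        if src_env is None or dst_env is None:
            reason = "endpoint outside every segment"
        elif src_env != dst_env and (src_env, dst_env, port) not in allowed:
            reason = f"{src_env}->{dst_env}:{port} not on the allowlist"
        else:
            continue  # same environment, or explicitly approved
        violations.append((src, dst, port, reason))
    return violations


if __name__ == "__main__":
    print("overlaps:", overlapping_segments(SEGMENTS))
    for violation in audit_flows(SAMPLE_FLOWS, SEGMENTS, ALLOWED_FLOWS):
        print("violation:", violation)
```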

Overall, a landing zone architecture provides a solid foundation for an organization’s cloud deployment by enforcing security, governance, and network segmentation across different environments. This architecture is cloud provider-agnostic and can be adapted to various cloud platforms such as Azure, AWS, and GCP while following their respective best practices and services. To read more about it, you can search for Cloud Adoption Framework, followed by the cloud provider’s name, via your favorite search engine – you will get plenty of resources.

Summary

Cloud security is an interesting topic and fun to learn. I hope you enjoyed it as much as I enjoyed writing some of these fundamental concepts. In this chapter, we introduced you to some important security and compliance concepts. This included shared responsibility in cloud security, encryption and its relevance in a cloud environment, compliance concepts, the Zero Trust model and its foundational pillars, and some of the most important topics related to cryptography. Finally, you were introduced to CAF and landing zones. All the terms and concepts discussed in this chapter will be referred to throughout this book. I encourage you to deep dive into these topics as much as you can.

In the next chapter, we will learn about cloud security posture management (CSPM) and the important concepts around it. Happy learning!

Further reading

To learn more about the topics that were covered in this chapter, look at the following resources:

Landing zone concepts – Cloud Security Fundamentals

In the past, a common practice was to manage all cloud operations within a single cloud account, including various stages such as development, testing, staging, and production. This approach posed several challenges, particularly regarding security management. The absence of proper security measures raised concerns about the integrity of sensitive data and resources across different environments within the same account. Additionally, this setup hindered scalability, making it difficult to accommodate new teams and applications seamlessly. Moreover, the lack of centralized control and monitoring prevented efficient oversight of cloud resources.

To overcome these limitations and enhance the cloud adoption process, the concept of a “landing zone” emerged.

A landing zone refers to a well-architected, standardized, and secure foundation that organizations establish to facilitate the migration of workloads to the cloud or to enable the deployment of new workloads in the cloud. It serves as the starting point for cloud adoption and provides the necessary building blocks to ensure a smooth and controlled transition to the cloud. CAF and the landing zone are closely related and complement each other in the process of migrating to the cloud.

CAF versus the landing zone

CAF and the landing zone are interrelated components of a comprehensive cloud migration strategy. Here is how they relate to each other:

  • Planning phase: In the planning phase of CAF, organizations evaluate their current IT landscape, business goals, and technical requirements. As part of this planning, they also define the landing zone architecture that aligns with their cloud strategy. The landing zone becomes the technical foundation based on the strategic decisions made in CAF.
  • Design and architecture: CAF addresses high-level architectural considerations, while the landing zone is more specific to the technical design and implementation. CAF sets the direction and objectives, and the landing zone translates those objectives into tangible technical solutions.
  • Governance and security: Both CAF and the landing zone emphasize governance and security. CAF establishes the policies and controls that govern cloud adoption, while the landing zone enforces these policies at the technical level, ensuring consistent security measures, compliance, and best practices.
  • Execution and deployment: Once CAF’s planning phase is complete, the organization can use the defined landing zone architecture as the blueprint for implementing the initial cloud deployment. The landing zone serves as a ready-to-use template, accelerating the migration process while maintaining a standardized and secure environment.

Cryptography – Cloud Security Fundamentals

In today’s digital world, even with the utmost efforts to safeguard data, there remains a risk of losing control, especially when data is transmitted over the internet. To mitigate this risk, one effective method is encryption. Encrypted data is incomprehensible and unusable to unauthorized parties who lack the means to decrypt it.

Note

Cryptography is a comprehensive and well-covered subject in numerous cybersecurity books. To maintain a focus on the topics of cloud security, this book will only address its crucial and pertinent aspects in the context of cloud environments.

Cryptography is the science and practice of securing information by converting it into a secret code, making it unreadable and unusable to unauthorized parties. It plays a crucial role in ensuring data confidentiality, integrity, authentication, and non-repudiation, making it a fundamental tool for protecting sensitive information and communication in various digital systems, including computer networks, cloud computing, and online transactions.

Encryption

Encryption is a specific process within the field of cryptography. It is the technique of converting plaintext data into ciphertext using cryptographic algorithms and keys. The purpose of encryption is to protect data during transmission or storage by making it unreadable and unintelligible to unauthorized individuals or entities.

Encryption is pure mathematics. A defined, complex method or formula is used to encrypt a message, and the recipient needs the same method or formula to decrypt it. Over time, encryption has grown more complex because attackers keep finding ways to decrypt messages.

There are two different types of encryption: symmetric and asymmetric.

In symmetric encryption, the same secret key is used for both encrypting and decrypting data. This means that both the sender and the receiver need to possess the same secret key to securely communicate and exchange information:

Figure 1.9 – Symmetric encryption (https://binarycoders.files.wordpress.com/2020/07/01_symetric_encryption.png?w=1024)

Asymmetric encryption, also known as public-key encryption, is a cryptographic technique that uses a pair of keys (public key and private key) for secure communication and data exchange. The public key is used for encryption, while the private key is used for decryption:

Figure 1.10 – Asymmetric encryption (http://www.giuseppeurso.eu/wp-content/uploads/2014/11/giuseppe-urso-asymmetric-key-encryption-in-java-03.png)

Let’s look at how asymmetric encryption works:

  • Key generation: A user generates a key pair consisting of a public key and a corresponding private key. The public key is made openly available, while the private key is kept secret.
  • Encryption: If someone wants to send a confidential message to the key pair owner, they use the recipient’s public key to encrypt the message.
  • Decryption: Only the recipient who possesses the corresponding private key can decrypt the encrypted message that was sent to them using their public key.
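The three steps above, carried through with textbook RSA in plain Python, as an added example that is not from the book. It is for illustration only: the primes are small, fixed and public, there is no padding, and the sample message and key-pair names are constructed; real systems use a vetted library with RSA-OAEP and keys of 2048 bits or more.

```python
from math import gcd
from typing import NamedTuple

PUBLIC_EXPONENT = 65537


class PublicKey(NamedTuple):
    n: int  # modulus, shared by both halves of the key pair
    e: int  # public exponent


class PrivateKey(NamedTuple):
    n: int
    d: int  # private exponent, kept secret by the owner


def generate_keypair(p, q, e=PUBLIC_EXPONENT):
    """Key generation: derive (n, e) and (n, d) from two distinct primes."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse; needs p and q, which stay secret
    return PublicKey(p * q, e), PrivateKey(p * q, d)


def _encode(message, n):
    # A leading 0x01 byte preserves leading zero bytes of the message.
    m = int.from_bytes(b"\x01" + message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return m


def _decode(m):
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if not raw.startswith(b"\x01"):
        raise ValueError("decryption produced malformed data")
    return raw[1:]


def encrypt(public, message):
    """Encryption: anyone holding the recipient's public key can do this."""
    return pow(_encode(message, public.n), public.e, public.n)


def decrypt(private, ciphertext):
    """Decryption: only the holder of the matching private key succeeds."""
    return _decode(pow(ciphertext, private.d, private.n))


def decrypts_to(private, ciphertext, expected):
    """True only if this private key recovers exactly the expected message."""
    try:
        return decrypt(private, ciphertext) == expected
    except ValueError:
        return False


# Constructed key pairs built from well-known Mersenne primes (toy sizes).
ALICE_PUBLIC, ALICE_PRIVATE = generate_keypair(2**61 - 1, 2**89 - 1)
BOB_PUBLIC, BOB_PRIVATE = generate_keypair(2**31 - 1, 2**107 - 1)

MESSAGE = b"quarterly report"  # constructed sample plaintext

if __name__ == "__main__":
    ciphertext = encrypt(ALICE_PUBLIC, MESSAGE)
    print("ciphertext:", hex(ciphertext))
    print("Alice decrypts:", decrypt(ALICE_PRIVATE, ciphertext))
    print("Bob's key works:", decrypts_to(BOB_PRIVATE, ciphertext, MESSAGE))
```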

The security of asymmetric encryption relies on the mathematical properties that make it computationally infeasible to derive the private key from the public key. As a result, the public key can be freely shared with others for encryption purposes, while the private key remains securely held by its owner for decryption. This makes asymmetric encryption a fundamental component of secure communication, digital signatures, and authentication in various applications, such as secure web browsing (HTTPS), email encryption, and digital certificates. Now that you understand the different types of encryption, let us understand another important concept: encrypting data in different stages.

How do organizations ensure confidentiality, integrity, and availability? – Cloud Security Fundamentals

Finding and maintaining the right balance of the CIA triad is challenging due to the diverse threat landscape, competing priorities, the complexity of IT systems, human factors, budget constraints, regulatory compliance, rapid technological advancements, and data sharing complexities. Organizations must proactively assess risks, prioritize assets, implement multi-layered (DiD) security strategies, and adapt to emerging threats. Collaboration among stakeholders is crucial for achieving a robust and effective security posture. It also requires a holistic approach to security and continual efforts to stay ahead of evolving security challenges. Organizations employ a combination of technical, administrative, and physical security measures to strike the right balance. Here are some common practices:

  • Confidentiality:
    • Access controls: Implementing RBAC to ensure that only authorized individuals have access to sensitive data and information.
    • Encryption: Encrypting data during transmission (for example, using SSL/TLS for web traffic) and at rest (for example, encrypting data in databases or on storage devices) to protect against unauthorized access.
    • Secure authentication: Using strong authentication methods such as passwords, MFA, or biometrics to verify the identity of users.
  • Integrity:
    • Data validation: Implementing validation checks to ensure that data is accurate, complete, and free from errors when it is entered into systems.
    • Audit trails: Creating logs and audit trails to track changes made to data and detect any unauthorized modifications.
    • Version control: Using version control mechanisms for critical documents to track changes and prevent unauthorized alterations.
  • Availability:
    • Redundancy: Implementing redundant systems and infrastructure to ensure high availability and fault tolerance. This includes redundant servers, network links, and power sources.
    • Load balancing: Using load balancing techniques to distribute traffic across multiple servers, preventing overload and ensuring continuous service availability.
    • Disaster recovery and business continuity planning: Developing comprehensive plans and procedures to recover from system failures, natural disasters, or other emergencies, thus minimizing downtime and maintaining service availability.

Additionally, organizations can achieve the CIA triad through various administrative practices and security policies:

  • Security awareness training: Conducting regular security awareness training for employees to educate them about security best practices, risks, and the importance of maintaining confidentiality, integrity, and availability.
  • Risk assessment and management: Identifying potential security risks and vulnerabilities through risk assessments and implementing measures to mitigate those risks effectively.
  • Incident response: Establishing incident response teams and procedures to quickly respond to and mitigate security incidents, ensuring the continuity of operations.
  • Regular security audits: Conducting periodic security audits and assessments to evaluate the effectiveness of existing security measures and identify areas for improvement.

Achieving the CIA triad is an ongoing process that requires continuous monitoring, updates to security measures, and adaptations to address emerging threats. Organizations must strike a balance between security requirements and business needs and implement appropriate security controls to safeguard their information, systems, and operations effectively.

Now, let us understand another important topic of cybersecurity – the three pillars.

The three pillars of cybersecurity – people, process, and technology – Cloud Security Fundamentals

People, process, and technology are the three most important pillars of cybersecurity and are essential for creating a comprehensive and effective cybersecurity strategy. If any of the people, process, or technology pillars is missing or inadequate, it can significantly weaken the overall security posture of an organization and increase the risk of cyber threats. The strategy will be as effective as a two-legged stool, unable to bear the full weight of an organization’s security requirements. The following figure explains how each pillar is crucial for cybersecurity and what impact a missing pillar can have:

Figure 1.7 – Three pillars of cybersecurity

Let us look at these areas in detail:

  • People: The people pillar refers to the human element of cybersecurity, including employees, contractors, and other stakeholders. People are an important part of any cybersecurity strategy because they can be both the weakest link and the strongest asset. Properly trained and aware employees can help prevent security breaches and quickly respond to incidents, while employees who lack awareness and training can inadvertently create security risks. To ensure the people pillar is strong, organizations should provide cybersecurity training to all employees, implement policies and procedures for cybersecurity best practices, and establish a culture of security awareness.

If the people pillar is missing or inadequate, it can lead to security risks such as human error, insider threats, and social engineering attacks. Employees who lack cybersecurity awareness and training may inadvertently click on phishing emails or download malware, putting sensitive data at risk. Insider threats, where employees intentionally steal or leak data, can also be a significant risk if proper access controls and monitoring are not in place.

  • Process: The process pillar refers to the policies, procedures, and standards that govern an organization’s cybersecurity strategy. Effective processes are important for ensuring that security controls are consistently applied, security incidents are identified and responded to promptly, and risks are managed effectively. To ensure the process pillar is strong, organizations should implement a cybersecurity framework such as NIST or ISO, conduct regular risk assessments, establish incident response plans, and regularly review and update policies and procedures.

If the process pillar is missing or inadequate, it can lead to inconsistent or ineffective security controls and responses to incidents. Without established policies and procedures, organizations may not know how to respond to security incidents, which could result in delays and increased damage. Risk assessments, vulnerability management, and incident response plans are all essential components of a strong process pillar.

  • Technology: The technology pillar refers to the hardware, software, and other technological solutions that are used to protect an organization’s systems and data. Technology is an important part of any cybersecurity strategy because it can help automate security controls and provide real-time threat intelligence. However, technology alone is not enough to ensure security. To ensure the technology pillar is strong, organizations should implement a layered DiD approach, including firewalls, intrusion detection and prevention systems, endpoint protection, encryption, and other security controls.

If the technology pillar is missing or inadequate, it can leave systems and data vulnerable to a wide range of cyber threats. Without proper security controls, such as firewalls, intrusion detection systems, and encryption, cybercriminals may be able to breach systems and steal or damage sensitive data. Additionally, outdated software and systems can leave vulnerabilities open for exploitation.

Overall, by focusing on the three pillars of cybersecurity – people, process, and technology – organizations can create a comprehensive and effective cybersecurity strategy that is designed to protect against a wide range of cyber threats. Weakness in any of these pillars can have significant implications for an organization’s cybersecurity. However, it is easier said than done when it comes to building a well-balanced program between these three pillars. Too often, organizations lack a solid foundation in all three pillars, which makes them vulnerable. In many cases, organizations look for managed service providers (MSPs) to get a more stable cybersecurity platform to protect their critical assets.

Now that you understand the three important pillars of cybersecurity, let us understand another important concept called the Zero Trust model.

Why is it important to maintain confidentiality, integrity, and availability? – Cloud Security Fundamentals

Cybersecurity professionals and cybercriminals work on the same strategy: the former work to develop a strategy that protects the confidentiality, integrity, and availability of a system, while the latter put all their effort into disrupting it. Maintaining the CIA triad is crucial because it serves as a comprehensive framework for addressing and balancing critical aspects of information security. Here is why it is essential to maintain the CIA triad:

  • Comprehensive security: The CIA triad covers three fundamental dimensions of information security. By considering all three aspects, organizations can ensure a holistic approach to protecting their data and systems from a wide range of threats.
  • Risk management: The triad helps organizations identify and prioritize potential risks. By understanding the vulnerabilities associated with confidentiality, integrity, and availability, they can implement appropriate security measures to mitigate these risks effectively.
  • Compliance and regulations: Many laws and industry regulations mandate the protection of sensitive data and information. Adhering to the CIA triad assists organizations in complying with these legal requirements and demonstrating due diligence in safeguarding information.
  • Trust and reputation: Maintaining the CIA triad instills confidence and trust among stakeholders, customers, and partners. Organizations that prioritize security and protect information gain a reputation for being reliable and trustworthy.
  • Business continuity: Ensuring availability through the CIA triad helps organizations maintain operations even in the face of disruptions or attacks, thus safeguarding business continuity and reducing the impact of potential downtime.
  • Intellectual property protection: The triad’s integrity aspect is particularly vital for safeguarding intellectual property, trade secrets, and proprietary information. Maintaining data integrity prevents unauthorized changes or theft of valuable assets.
  • Incident response and recovery: The CIA triad aids in developing effective incident response and recovery plans. Understanding how confidentiality, integrity, and availability may be compromised allows organizations to respond swiftly and appropriately to security incidents.
  • Defense against evolving threats: As cybersecurity threats continue to evolve, the CIA triad remains a fundamental principle for guiding security strategies. By continually assessing and adapting security measures, organizations can stay ahead of emerging threats.
  • Competitive advantage: Demonstrating a strong commitment to the CIA triad can become a competitive advantage. Organizations that effectively protect their data and systems may gain a competitive edge by inspiring trust and attracting security-conscious customers and partners.
  • Proactive security culture: The CIA triad encourages organizations to cultivate a security-focused culture. By embedding security principles into their practices, employees become more aware of their role in protecting information and are better prepared to respond to security challenges.

In short, maintaining the CIA triad is vital for establishing a robust and resilient information security foundation. It helps organizations protect sensitive data, maintain business continuity, comply with regulations, and build trust among stakeholders, ultimately contributing to their overall success and longevity. Now, let us understand how organizations can maintain the CIA triad.

Security products and strategies at different layers – Cloud Security Fundamentals

Let us take a closer look at what security products and strategies are appropriate and applied at different layers:

  • Physical security: Physical security controls are an important part of DiD as they help protect an organization’s physical assets, such as its buildings, servers, and other infrastructure. Here are some examples of physical security controls:
    • Perimeter security: Perimeter security controls are used to control access to the organization’s property. Examples include fences, walls, gates, and barriers.
    • Access control: Access control measures are used to control who has access to the organization’s physical assets. Examples include ID badges, security guards, and biometric authentication systems.
    • Surveillance: Surveillance measures are used to monitor the organization’s physical assets for potential security threats. Examples include CCTV cameras, motion detectors, and security patrols.
    • Environmental controls: Environmental controls are used to protect the organization’s physical assets from damage caused by environmental factors such as fire, water, and temperature. Examples include fire suppression systems, water leak detection systems, and temperature control systems.
    • Redundancy: Redundancy measures are used to ensure that the organization’s physical assets remain operational even in the event of failure. Examples include backup generators, redundant HVAC systems, and redundant network connections.
  • Identity and access: This layer implements security controls such as MFA, condition-based access, attribute-based access control (ABAC), and role-based access control (RBAC) to protect infrastructure and change control.
  • Perimeter: A protection mechanism that is used across your corporate network to filter large-scale attacks such as DDoS so that resources are not exhausted, which would cause a denial of service.
  • Network: Security techniques such as network segmentation and network access control are used to segregate resources and to limit communication between them to prevent lateral movement.
  • Compute: This involves limiting access to VMs to whitelisted IPs only, restricting unneeded ports, and opening only the required ones.
  • Applications: Four primary techniques can be used to secure applications, each with its strengths and weaknesses. Let us take a look:
    • Runtime Application Self-Protection (RASP): RASP is an application security technology that is designed to detect and prevent attacks at runtime. RASP integrates with the application runtime environment and monitors the behavior of the application to identify potential threats. RASP can detect attacks such as SQL injection, cross-site scripting (XSS), and buffer overflow attacks, and can take action to block the attack or alert security personnel.
    • Interactive Application Security Testing (IAST): IAST is an application security testing technique that combines aspects of both SAST and DAST. IAST is a real-time security testing technology that provides feedback on vulnerabilities during the testing process. IAST can detect vulnerabilities such as SQL injection and XSS attacks by monitoring the application during testing.
    • Static Application Security Testing (SAST): SAST is an application security testing technique that analyzes the application’s source code for security vulnerabilities. SAST can identify vulnerabilities such as buffer overflows, SQL injection, and XSS attacks. SAST is typically run during the development process and can help developers identify and fix vulnerabilities before the application is deployed.
    • Dynamic Application Security Testing (DAST): DAST is an application security testing technique that analyzes the application while it is running. DAST can identify vulnerabilities such as SQL injection, XSS attacks, and broken authentication and session management. DAST is typically run after the application is deployed to identify vulnerabilities that may have been missed during the development process.

Overall, these techniques can be used in combination to provide a comprehensive approach to securing applications. Each technique has its strengths and weaknesses, and the choice of which technique to use depends on the specific needs of the organization and the application being secured.

  • Data: RBAC and ABAC are both access control models that are used to enforce data security:
    • In an RBAC model, access to resources is granted based on the user’s role or job function within an organization. This means that users are assigned specific roles, and those roles are granted permission to access specific resources. For example, an administrator role might be granted full access to a system, while a regular user role might only be granted access to certain parts of the system.
    • In an ABAC model, access to resources is granted based on a combination of attributes, such as the user’s job function, location, and time of day. This means that access control policies can be more flexible and granular than in an RBAC model. For example, a policy might be created to grant access to a resource only if the user is accessing it from a specific location and during specific hours.

Both RBAC and ABAC can be used to enforce data security by ensuring that only authorized users are granted access to sensitive data. Which model to use depends on the specific needs of the organization and the level of granularity and flexibility required for access control policies.
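The difference between the two models, shown as an added Python example that is not from the book: the same request is evaluated first by role alone and then by attributes (job function, location and time of day). The role table, the two ABAC rules and all attribute values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time

# RBAC: permissions hang off the role and nothing else (constructed table).
ROLE_PERMISSIONS = {
    "administrator": {"read", "write", "delete"},
    "user": {"read"},
}


@dataclass(frozen=True)
class AccessRequest:
    role: str
    job_function: str
    location: str
    local_time: str  # "HH:MM", the requester's local time
    action: str


@dataclass(frozen=True)
class AbacRule:
    action: str
    job_functions: frozenset
    locations: frozenset
    start: str  # "HH:MM", inclusive
    end: str    # "HH:MM", exclusive

    def in_window(self, local_time):
        now = time.fromisoformat(local_time)
        start, end = time.fromisoformat(self.start), time.fromisoformat(self.end)
        if start <= end:
            return start <= now < end
        return now >= start or now < end  # window crosses midnight

    def matches(self, request):
        # Every attribute must match; one mismatch means the rule does not apply.
        return (request.action == self.action
                and request.job_function in self.job_functions
                and request.location in self.locations
                and self.in_window(request.local_time))


# Constructed ABAC policy: office-hours reads from HQ, night-shift writes from DC1.
ABAC_RULES = [
    AbacRule("read", frozenset({"analyst"}), frozenset({"HQ"}), "09:00", "17:00"),
    AbacRule("write", frozenset({"operator"}), frozenset({"DC1"}), "22:00", "06:00"),
]


def rbac_allows(request):
    """Allow if the role carries the permission; unknown roles get nothing."""
    return request.action in ROLE_PERMISSIONS.get(request.role, set())


def abac_allows(request, rules=ABAC_RULES):
    """Allow only if some rule matches all attributes; deny by default."""
    return any(rule.matches(request) for rule in rules)


if __name__ == "__main__":
    office = AccessRequest("user", "analyst", "HQ", "10:30", "read")
    night = AccessRequest("user", "analyst", "HQ", "03:00", "read")
    for request in (office, night):
        print(request.local_time, "RBAC:", rbac_allows(request),
              "ABAC:", abac_allows(request))
```

RBAC gives the same answer for both requests because the role is unchanged, while ABAC denies the 03:00 request because the time attribute falls outside the rule's window.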

At this point, you should have a clear baseline understanding of DiD. Now, let’s try understanding a benchmark model in information security famously known as the confidentiality, integrity, availability (CIA) triad.

The shared responsibility model – Cloud Security Fundamentals

Cloud security is a tricky area. There are many myths about securing the cloud. Some think that once you have moved to the cloud, it is the cloud provider’s responsibility to protect everything in the cloud, while others think that nothing is secure in the cloud and it is not safe to move to the cloud, especially when you are dealing with sensitive data. The fact is that security and compliance in the cloud are a shared responsibility between cloud providers and cloud customers.

This brings a lot of questions to our minds. Who is responsible for what? How do you define the responsibility matrix between cloud providers and customers? Who defines those responsibilities and on what basis?

Let us understand this with a simple and fun analogy of a Pizza-as-a-Service model. The cloud’s shared responsibility model can be explained using the analogy of ordering pizza in different ways: making it at home, ordering a Take and Bake pizza, ordering a pizza for delivery, or dining out at a restaurant:

Figure 1.3 – Pizza-as-a-Service model

  • Making pizza at home is like managing your IT infrastructure. You are responsible for everything, including buying the ingredients (hardware and software), preparing the dough and toppings (setting up the infrastructure and applications), cooking the pizza (maintaining the infrastructure), and cleaning up afterward (managing security, backups, and disaster recovery).
  • Ordering a Take and Bake pizza is like using IaaS. You order the pizza with the toppings you want, but the pizza is not cooked yet. You must take it home and cook it yourself. Similarly, with IaaS, you are provided with a virtual infrastructure that you configure and manage yourself, including installing and configuring the operating system, middleware, and applications.
  • Ordering a pizza for delivery is like using PaaS. You order the pizza with the toppings you want, and it is delivered to you fully cooked. You do not have to worry about the cooking process, but you still have control over the toppings. Similarly, with PaaS, you are provided with a platform for developing and deploying applications, and the CSP takes care of the underlying infrastructure.
  • Dining out at a restaurant is like using SaaS. You order the pizza, and it is delivered to you fully cooked and ready to eat. You do not have to worry about cooking or toppings as the restaurant takes care of everything. Similarly, with SaaS, you use a cloud-based application that is fully managed by the cloud service provider, and you do not have to worry about the underlying infrastructure, security, or backups.

In all these scenarios, the shared responsibility model applies. You, as the customer, are responsible for selecting the pizza toppings you want, just as you are responsible for configuring and securing your data and applications in the cloud. The cloud service provider is responsible for providing a secure and reliable environment for your data and applications, just as the restaurant is responsible for providing a clean and safe dining experience.

Now that you have understood shared responsibility via an interesting analogy, let’s understand the concept with the help of an actual responsibility model provided by every cloud provider for their customers. This division of responsibility is also known as security of the cloud versus security in the cloud:

Figure 1.4 – Shared responsibility model

Let us quickly discuss what security of the cloud and security in the cloud mean:

  • Security of the cloud: Security of the cloud means protecting the infrastructure that runs all the services offered by the cloud provider, which is composed of the hardware, software, networking, and facilities that public cloud services use. Cloud providers are responsible for the security of the cloud, which includes protecting the cloud environment against any security threats.
  • Security in the cloud: This refers to the responsibility held by customers and is solely determined by the cloud services that customers choose for consumption and where those workloads are hosted, such as IaaS, PaaS, SaaS, Database-as-a-Service (DBaaS), Container-as-a-Service (CaaS), or even Security-as-a-Service (SECaaS).

Customers must carefully consider the services they choose from different providers as their responsibilities vary depending on the services they use, the integration of those services into their IT environment, and applicable laws and regulations.

The responsibility model makes clear who is responsible for what. When an organization does not have a cloud footprint, the organization is 100% responsible for the security and compliance of the infrastructure. When an organization moves to the cloud in a hybrid or cloud-native setup, the responsibility is shared between both parties.

The CIA triad – Cloud Security Fundamentals

Not to be confused with the Central Intelligence Agency, which shares the acronym, CIA stands for confidentiality, integrity, and availability. It is a widely used information security model that helps an organization protect its sensitive critical information and assets from unauthorized access:

Figure 1.6 – The CIA triad (https://devopedia.org/images/article/178/8179.1558871715.png)

The preceding diagram depicts the CIA triad. Let’s understand its attributes in detail.

Confidentiality

Confidentiality ensures that sensitive information is kept private and accessible only to authorized individuals or entities. It aims to prevent unauthorized disclosure of information, protecting it from being accessed or viewed by unauthorized users. Let’s understand this by looking at the example of an organization’s payroll system. The confidentiality aspect of the payroll system ensures that employee salary information, tax details, and other sensitive financial data are kept private and accessible only to authorized personnel. Unauthorized access to such information can lead to privacy breaches, identity theft, or financial fraud.

Integrity

Integrity maintains the accuracy and trustworthiness of data by preventing unauthorized modifications. It safeguards against unauthorized modifications, deletions, or data tampering efforts, ensuring that information remains accurate, trustworthy, and unaltered throughout its life cycle. Let’s understand integrity using the same payroll system example. The integrity aspect of the payroll system ensures that the data remains accurate and unchanged throughout its life cycle. Any unauthorized modifications to payroll data could lead to incorrect salary payments, tax discrepancies, or compliance issues.
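The payroll example from the Confidentiality and Integrity sections above, as an added illustration that is not part of the original chapter: each record carries an HMAC tag so a changed salary is detected, and a role policy limits which fields are released. The key, role names, field names, and sample record are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real system would fetch it from a
# key management service rather than embed it in code.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical role-to-field policy for the payroll example (confidentiality).
VISIBLE_FIELDS = {
    "payroll_admin": {"employee_id", "name", "salary", "tax_code"},
    "line_manager": {"employee_id", "name"},
}


def seal(record: dict) -> str:
    """Return an HMAC-SHA256 tag over a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Integrity: recompute the tag and compare it in constant time."""
    return hmac.compare_digest(seal(record), tag)


def view(record: dict, tag: str, role: str) -> dict:
    """Confidentiality: release only the fields the role may see, and only
    after the record has passed the integrity check."""
    if not verify(record, tag):
        raise ValueError("payroll record failed integrity check")
    allowed = VISIBLE_FIELDS.get(role, set())  # unknown roles see nothing
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample record and its tag.
RECORD = {"employee_id": 1042, "name": "A. Example", "salary": 58000, "tax_code": "TC-1"}
TAG = seal(RECORD)

if __name__ == "__main__":
    print(view(RECORD, TAG, "line_manager"))   # salary and tax code withheld
    tampered = dict(RECORD, salary=98000)      # unauthorized modification
    print(verify(tampered, TAG))               # tag no longer matches
```

The tag only proves integrity to holders of the key, so the key itself needs the same confidentiality controls as the payroll data.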

Availability

Availability ensures that information and services are accessible and operational when needed. It focuses on preventing disruptions or denial of service, ensuring that authorized users can access the information and services they require without interruptions. Let’s understand availability using the same payroll system example. The availability aspect of the payroll system ensures that it is accessible and functional when needed. Payroll processing is critical for employee satisfaction and business operations, and any disruptions to the system could result in delayed payments or other financial issues.

Overall, the CIA triad provides a framework for organizations to develop effective cybersecurity strategies. By focusing on confidentiality, integrity, and availability, organizations can ensure that their systems and data are protected from a wide range of threats, including cyberattacks, data breaches, and other security incidents.

Technical requirements – Cloud Security Fundamentals

In the age of digital innovation, cloud computing has become the backbone of modern business operations. The convenience, scalability, and cost-efficiency of the cloud have revolutionized how we store, process, and share data. As we embrace the cloud’s potential, we must also acknowledge the growing importance of cloud security. Protecting our digital assets from a range of threats is paramount in this interconnected world. Cloud security encompasses a wide range of concerns, including data protection, access control, compliance with regulatory requirements, and the overall integrity and confidentiality of information stored and processed in the cloud.

This chapter focuses on building a baseline understanding of cloud security, which means understanding the key principles and strategies that underpin our ability to operate securely in the cloud. You will learn about some of the most important topics of cloud security, such as the shared responsibility model, defense in depth, the Zero Trust model, compliance concepts in the cloud, and the Cloud Adoption Framework.

The following main topics are covered in this chapter:

  • What is cloud computing?
  • Exploring cloud security
  • The shared responsibility model
  • Defense in depth
  • The Zero Trust model
  • Compliance concepts
  • Cryptography and encryption in the cloud
  • The Cloud Adoption Framework

Let us get started!

Technical requirements

To get the most out of this chapter, you are expected to have the following:

  • A baseline understanding of cloud computing concepts.
  • A general understanding or experience of working in an IT environment. To have a better understanding, you can use the sandbox environment of the organization’s CSPM tool, if available.

What is cloud computing?

Cloud computing is a technology that allows organizations and individuals to access and use computing resources such as processing power, storage, and software over the internet without having to buy and maintain physical infrastructure. Cloud service providers (CSPs) such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and many other providers offer these services. Cloud offerings empower traditional IT offerings by adding many other services such as artificial intelligence (AI), machine learning (ML), Internet of Things (IoT), and security.

Cloud computing is a powerful technology for organizations of all sizes. Here are some of the key features of cloud computing:

  • Agility: Cloud computing allows organizations to rapidly deploy and scale computing resources up or down as needed, which means they can be more agile and respond quickly to changing business requirements. With cloud computing, businesses can avoid the time and expense of building and managing their IT infrastructure, allowing them to focus on developing and delivering their products and services.
  • Productivity: Cloud computing can improve productivity by providing access to computing resources and software from anywhere, on any device, and at any time. This flexibility allows employees to work remotely and collaborate more easily, which can lead to increased productivity and efficiency:

Figure 1.1 – Cloud computing

  • Resiliency: Cloud computing can improve resiliency by providing redundancy and failover options, which means that if one computing resource fails, others can take over seamlessly. This reduces the risk of downtime and improves the availability and reliability of applications and services.
  • FinOps: Cloud computing offers Financial Operations (FinOps) capabilities that allow organizations to manage and optimize their cloud spending. This includes tools for monitoring cloud usage, forecasting costs, and optimizing resource allocation to reduce costs and maximize value.
  • Pay-as-you-go model: Cloud computing is often priced on a pay-as-you-go basis, which means that organizations only pay for the computing resources they use. This allows businesses to avoid the capital expense of buying and maintaining their IT infrastructure, and instead, pay for computing resources as an operational expense.

In summary, cloud computing provides organizations with agility, productivity, resiliency, FinOps, and a pay-as-you-go model, making it an attractive option for businesses looking to optimize their IT operations and focus on delivering value to their customers.

Gartner estimates the following by 2025 (https://www.gartner.com/en/newsroom/press-releases/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences):

  • More than 95% of new digital workloads will be deployed on cloud-native application platforms, up from 30% in 2021
  • 70% of the new applications developed by companies will use low-code or no-code technologies
  • More than 50% of organizations will have explicit strategies to adopt cloud-delivered Secure Access Service Edge (SASE), up from less than 5% in 2020
  • 85% of organizations will embrace cloud-first principles

While these fact-based estimates may look overwhelming, there is no doubt that the cloud provides extraordinary benefits to the data-driven business world.