
8/15/2018 Cloud Security - A Primer by Yogesh Gupta, CISSP® CCSK CCSP - the cloud, services, standards | Peerlyst

Cloud Security - A Primer


The discussion about whether cloud is more secure than on-premise is almost over now, for several
reasons: cloud providers have deeper security funding, and they have more at stake if they are breached. We
know cloud is more secure and better managed than most of our on-prem infrastructures.

Cloud technology is disruptive and here to stay, so it is imperative that we understand cloud security and
get our basics right before we dive into the more complex technologies that secure the cloud. What is cloud,
and how do we secure it?

What is cloud

There are a number of definitions out there by NIST, ISO/IEC, ENISA etc., but I would like to explain it in a very
simple way. "Cloud" is a very large pool of resources such as processors, memory and storage. A consumer asks
for the specific resources it wants, like 2 CPUs and 4 GB of memory; the provider assigns those to the client, who
then uses those resources over the network. When the client is done, it releases the resources back into the pool
for someone else to use.

There are two techniques which make cloud viable: abstraction and orchestration. Abstraction (virtualisation)
is used to abstract resources from the physical infrastructure to create a large set of pools, and orchestration
(automation) is used to coordinate chunking and delivering the resources requested by the consumer.

Orchestration is the technique which differentiates cloud from traditional virtualisation: in traditional
virtualisation, the process of assigning resources is manual.

Now, how is cloud delivered to the consumer? NIST defines 5 essential characteristics, 3 service models and 4
deployment models, as shown below (image taken from a Cloud Security Alliance document).


You can read NIST publications – NIST SP 800-143, NIST SP 800-144, NIST SP 800-145 for more details.

How to secure the cloud

Let us first understand the logical model of the cloud, so that we can make more informed decisions on securing it.

Based on functionality, cloud can be divided into several layers, as depicted in the figure below:

Infrastructure: This, as the name suggests, is the physical infrastructure on which the foundation is built. It
consists of core components like compute, network and storage.

Metastructure: This layer provides the interface between the infrastructure and the other layers. It consists
of the protocols and technologies that help in management and configuration.


Applistructure: This layer is all the applications that have been migrated to the cloud or that are built on
PaaS. It consists of applications and services like messaging, AI and SNS (in the case of AWS).

Infostructure: This is the information layer, which consists of data. It could be databases, files, content, PII etc.

One thing to note here: the key difference between cloud computing and traditional computing is
the Metastructure layer, which includes the management plane and allows us to access the resources remotely.

Now it is easier to understand how to secure the cloud, as different security mechanisms can be applied
to different layers of the logical model: application security to the Applistructure, data security to the Infostructure
and infrastructure security to the Infrastructure layer.

Cloud security can be divided into four broad categories:

Infrastructure-level cloud security

Security at the infrastructure level is very similar to traditional infrastructure security:
firewalls, IDS and IPS, DMZs etc. But in the cloud scenario, we need to understand that this layer doubles up, in
the sense that there are two sub-layers of infrastructure: physical infrastructure and virtual infrastructure. Physical
infrastructure is the infrastructure built by the cloud provider, which consists of hardware and supporting
equipment. Virtual infrastructure is the network that we build upon that infrastructure.

And that is why, as far as security at the infrastructure level is concerned, it is a shared responsibility between the
cloud provider and the cloud consumer. The provider takes care of physical infrastructure security and the
consumer takes care of virtual infrastructure security. This also resonates with the AWS shared
responsibility model, which terms these two layers "Security in the cloud" and "Security of the cloud":
AWS is responsible for security of the cloud and the customer is responsible for security in the cloud.
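As an added example of the consumer's side of that split (this is not code from the article or from any provider), the script below audits a constructed set of virtual-network firewall rules and flags management ports that are reachable from the whole internet. The rule format is a simplified, hypothetical one, not any provider's API; the port list and sample rules are assumptions made for the example.

```python
"""Audit virtual-network firewall rules for world-reachable management ports.

Constructed example for the consumer-owned 'virtual infrastructure' layer of the
shared responsibility model. The rule format is hypothetical, not a provider API.
"""
import ipaddress

# Ports that should never be reachable from the whole internet (assumed list).
MANAGEMENT_PORTS = {22: "ssh", 3306: "mysql", 3389: "rdp", 5432: "postgres", 6379: "redis"}

# Constructed sample ingress rules (hypothetical field names).
SAMPLE_RULES = [
    {"group": "web-sg", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "web-sg", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"group": "db-sg", "proto": "tcp", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"},
    {"group": "bastion-sg", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    {"group": "cache-sg", "proto": "-1", "from_port": 0, "to_port": 65535, "cidr": "::/0"},
]


def is_world_open(cidr):
    """True if the source range is the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_management_ports(rule):
    """Management ports this single rule exposes to the internet (empty if none)."""
    if not is_world_open(rule["cidr"]):
        return []
    if rule["proto"] == "-1":  # "all protocols" means every port is open
        return sorted(MANAGEMENT_PORTS)
    lo, hi = rule["from_port"], rule["to_port"]
    return sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)


def audit_rules(rules):
    """One finding per rule that exposes at least one management port to the world."""
    findings = []
    for rule in rules:
        ports = exposed_management_ports(rule)
        if ports:
            findings.append({
                "group": rule["group"],
                "cidr": rule["cidr"],
                "ports": ports,
                "services": [MANAGEMENT_PORTS[p] for p in ports],
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f['group']}: {f['cidr']} reaches {', '.join(f['services'])} on {f['ports']}")
```

The 443 rule on web-sg is not reported because HTTPS to the world is the intended exposure; the same group's port 22 rule and the cache-sg "all protocols from ::/0" rule are the two findings. The bastion rule is scoped to one /24, which is exactly the pattern the consumer is expected to enforce.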

Application-level Cloud Security

Security at the application level brings into scope everything from the
secure software development lifecycle and DevOps to vulnerability analysis and penetration testing. Some of the
key activities include:

Secure coding practices and use of code standards
Threat modeling at the design phase
Code review, unit tests, regression and functional tests
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Vulnerability Assessment and Penetration Testing

Some of the relevant standards and frameworks used by the industry are Microsoft's
Secure Development Lifecycle, NIST SP 800-64, ISO/IEC 27034 and OWASP (Open Web Application Security Project).

Data-level cloud security

This piece of security is perhaps the most important bit of security as far as the consumer is concerned. And I
would like to highlight a caveat here which is often misunderstood and which you need to understand very
clearly: "You do not pass on the responsibility to the cloud provider when you store your data in the cloud,
whether it is databases or even PII." You, as the customer, are ultimately responsible and legally liable for
any data loss or breach. You can claim financial redress or other remedies from the cloud provider, but it is
limited to what is written in the Service Level Agreement (SLA).

Now, data-level cloud security mainly consists of controls and processes around the following key points:

Access Controls (who accesses what)
Encryption (protecting data at rest, in use and in motion)
Data Loss Prevention (monitoring data going in and out of the cloud)
Monitoring/alerting (of usage, configuration, lifecycle state, etc.)
Enforcing information lifecycle management security (managing data location/residency)
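Since the consumer stays accountable for the data, these controls are worth checking continuously rather than once. As an added example (not from the article or any provider), the script below evaluates a constructed inventory of data stores against the points above: no public access on sensitive data, encryption at rest with a customer-managed key for PII, residency inside an allowed set of regions, a retention period set, and access logging enabled. The record format, the allowed regions and the classification labels are all assumptions made for the example.

```python
"""Check a data-store inventory against data-level cloud security controls.

Constructed example: record fields, classifications and ALLOWED_REGIONS are
hypothetical, not any provider's API or any real policy.
"""

ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}  # assumed residency requirement

# Constructed inventory records (hypothetical field names and values).
SAMPLE_INVENTORY = [
    {"name": "customer-pii", "region": "eu-west-1", "public": False, "encryption": "cmk",
     "retention_days": 365, "access_logging": True, "classification": "pii"},
    {"name": "marketing-assets", "region": "us-east-1", "public": True, "encryption": "none",
     "retention_days": None, "access_logging": False, "classification": "public"},
    {"name": "analytics-export", "region": "eu-central-1", "public": False, "encryption": "provider",
     "retention_days": None, "access_logging": True, "classification": "pii"},
]


def check_store(store):
    """Return the list of control violations for one data store (empty if compliant)."""
    issues = []
    sensitive = store["classification"] != "public"

    # Access control: sensitive data must never be publicly readable.
    if sensitive and store["public"]:
        issues.append("access: publicly readable")

    # Encryption at rest: any sensitive data encrypted; PII with a customer-managed key.
    if sensitive and store["encryption"] == "none":
        issues.append("encryption: not encrypted at rest")
    elif store["classification"] == "pii" and store["encryption"] != "cmk":
        issues.append("encryption: PII must use a customer-managed key")

    # Residency: sensitive data stays in the regions the organisation allows.
    if sensitive and store["region"] not in ALLOWED_REGIONS:
        issues.append(f"residency: {store['region']} not in allowed regions")

    # Lifecycle: every store needs a defined retention period.
    if store["retention_days"] is None:
        issues.append("lifecycle: no retention period set")

    # Monitoring: access logging is the basis for alerting and DLP.
    if not store["access_logging"]:
        issues.append("monitoring: access logging disabled")
    return issues


def audit_inventory(inventory):
    """Map each non-compliant store name to its violations; compliant stores are omitted."""
    report = {}
    for store in inventory:
        issues = check_store(store)
        if issues:
            report[store["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The checks are deliberately classification-aware: the public marketing bucket is allowed to be public and unencrypted, but still needs a retention period and access logging, while the PII export in an allowed region is flagged only for using the provider's default key instead of a customer-managed one.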

User-level cloud security

This level of cloud security focuses more on users, groups, policies and entitlement processes. There is a
separate domain, Identity and Access Management, which focuses on this level of security. Some of the key
areas of focus under user-level cloud security are:

Multi-factor Authentication (MFA)
Single sign-on and Federated Identity Management
Provisioning and de-provisioning of users
Directory services
Controlling privileged user access
Audit logging
Password management

What I have explained above is a brief cloud security overview and presents the picture of cloud security as
you see it from the top. Of course, we can dig deep into each and every point above, which will reveal more
and more layers of technologies and processes that make our cloud secure and available.

There are other controls as well, like API security, which interfaces with multiple layers and is of great
importance. APIs are like the gates of our traditional physical infrastructure. If an adversary gets access to our
management plane, he has access to just about everything on our virtual infrastructure.
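Because the management plane is reachable remotely and its APIs are the gates, the user-level controls listed earlier (MFA, privileged-user control, de-provisioning) only become verifiable once audit logging of that plane is switched on. As an added example that is not part of the article, the script below runs three detections over a constructed sample of management-plane events. The records borrow the CloudTrail field names eventName, userIdentity and additionalEventData.MFAUsed, but the events, the user list and the evaluation time are all constructed for the example.

```python
"""Detections over management-plane audit logs (constructed sample events).

Added example: CloudTrail-shaped records, not real logs. Three checks map to
the user-level controls: console logins without MFA, API calls by the root
identity, and provisioned users that have gone dormant (de-provisioning).
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: four management-plane events, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime": "2018-08-01T08:00:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"}
{"eventTime": "2018-07-01T09:15:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"}
{"eventTime": "2018-08-02T10:00:00Z", "eventName": "CreateUser", "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7"}
{"eventTime": "2018-08-10T11:00:00Z", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"}
"""

# Constructed list of accounts the provisioning process says should exist.
PROVISIONED_USERS = ["alice", "bob", "carol"]
NOW = datetime(2018, 8, 15, tzinfo=timezone.utc)  # assumed evaluation time


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def logins_without_mfa(events):
    """Console logins where MFAUsed is anything but 'Yes'; a missing field counts as no MFA."""
    return [e["userIdentity"].get("userName", "?") for e in events
            if e["eventName"] == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes"]


def root_activity(events):
    """Any API call made by the root identity; day-to-day work should never need it."""
    return [e["eventName"] for e in events if e["userIdentity"]["type"] == "Root"]


def dormant_users(events, users, now, max_idle_days=30):
    """Provisioned users with no activity in the window: candidates for de-provisioning."""
    last_seen = {}
    for e in events:
        user = e["userIdentity"].get("userName")
        if user in users:
            t = event_time(e)
            if user not in last_seen or t > last_seen[user]:
                last_seen[user] = t
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in users if u not in last_seen or last_seen[u] < cutoff)


def run_detections(text=SAMPLE_LOG, users=PROVISIONED_USERS, now=NOW):
    """Run all three detections and return their hits keyed by detection name."""
    events = parse_events(text)
    return {
        "logins_without_mfa": logins_without_mfa(events),
        "root_activity": root_activity(events),
        "dormant_users": dormant_users(events, users, now),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

Note that the dormant-user check needs both the log and the provisioning record: carol never appears in the log at all, which the log alone cannot reveal, and bob's only activity is older than the 30-day window, so both show up as de-provisioning candidates while alice does not.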


Finally, I would like to add the disclaimer that this is just an overview of cloud security to begin with, and may
not cover each and every aspect of cloud security.

Next, I would like to cover compliance in the cloud, because, remember, security and compliance are two pieces of
a big puzzle. I think compliance is more like a secure baseline, as it is the minimum we should do, and
security is something that you build upon compliance to take overall organisational security towards more
maturity.

But I will cover compliance in another article.

To reach out to me for cloud security discussions and consulting, you can reach me through Secloud LLC at contact@secloud.guru


Dennis Leber, Mar 20, 2018

Great article, with organizations moving to the cloud and selecting the various as a service, providing a
baseline of security requirements is very important. If you are in an organization that utilizes or is
required to utilize request for proposals (RFP) it is important to list the security requirements upfront.

This same knowledge contributes to the overall evaluation to determine if it is a better choice to
go cloud or host locally.
Upvote 1 Reply

Chad Calease, Sept 26, 2017

I agree with the others, Yogesh Gupta, CISSP® CCSP - you've done a nice job of building a high-
level framework of understanding the building blocks. Naturally, I'd like to see these built out further in
friendly ways for business audiences to understand. For example, whenever we use specialized words
like "Federated" I like to help explain exactly what that means.


There is a vast level of fluency present here within the Peerlyst Community. However, if we are trying
to build a body of knowledge that is accessible, it is important for us to liberate that knowledge by
expressing it in ways that are friendly to broader audiences and cultures of learning. You've succeeded
in doing that here! Well done! Thanks for inviting me to chime in.
Upvote 2 Reply

Yogesh Gupta, CISSP® CCSK CCSP, Sept 27, 2017

Chad Calease Thank you for your feedback. Yes, I would build this further with more deep
dives and I will make sure it will remain relevant to both business and technical community.
Upvote 2 Reply

Dragan Stevanovic, Sept 25, 2017

Hi Yogesh Gupta, I think your article is a good introduction to cloud security in general. I am quite sure
you are already aware how big the topic is and have had the chance to read publications of the Cloud Security
Alliance. I would suggest you continue by answering real-life challenges that many organizations
have nowadays, like for instance which public cloud provider to select or how to combine
existing security solutions with those provided by cloud providers. Moreover, I have seen you
mentioned Vulnerability Analysis and Penetration Testing under Application security. Of course that is
not wrong, however cloud infrastructure may also contain vulnerabilities and/or missing security
configurations. Therefore all the layers of cloud security should be regularly evaluated either
by vendor-provided services (e.g. AWS Inspector, AWS Trusted Advisor) or through "deep
diving" pentest exercises by involving a trusted third party.
Upvote 2 Reply

Yogesh Gupta, CISSP® CCSK CCSP, Sept 25, 2017

Dragan Stevanovic Thank you for your inputs!!! Cloud Security Alliance and ENISA documents have contributed a lot to my understanding
and study of cloud security and in fact, I have quoted their documents here as well in this
article.

About writing on real-life challenges, yes, that is the plan. This is just an introduction for people
who know or may not know much of cloud and cloud security.

About vulnerability analysis and penetration testing, it has been mentioned
in application security as that is what is allowed on the cloud platform (and even then, you have
limitations; e.g. AWS allows you to pentest only some of the EC2 and database workloads). And in
fact, none of the providers will allow you to do a VA for the cloud infrastructure. The only
assurance you get is from the provider as a part of the CSA CCM matrix, because doing
regular vulnerability assessment is one of the security controls mentioned there.
Upvote 2 Reply

Dragan Stevanovic, Sept 25, 2017

Yogesh Gupta, CISSP® CCSP Thank you for your feedback, I see you have already taken a
very good direction. Regarding pentests you may be right in some cases, but I think it also
depends on the type of contract. From my experience, security assessments on the infrastructure level
were also allowed by AWS after being included in an authorization request and some additional
discussions. They may have a different approach depending on the customer's region. Of course,
they would be more confident if customers use the health check services which they offer.
Upvote 2 Reply

Rob Chaykoski, Sept 25, 2017

Great article Yogesh Gupta, CISSP® CCSP! I really like starting with the basics and working your way
up :) It gives an opportunity to understand the concepts you are building on as you continue to dive
more in depth. I find it interesting to not only see where the subject is but the thought process on
developing material. I have been stagnant in my writing as of late but hopefully will make time to pick
it up again.
Upvote 5 Reply

Claus Cramon Houmann, Sept 25, 2017

+1
Upvote 1 Reply

Yogesh Gupta, CISSP® CCSK CCSP, Sept 25, 2017

Rob Chaykoski Thanks for your kind observation. Yes, I do have a desire of creating more
and more training material but time constraint is there!! I am working on a
cyber security training platform though, but let's see how it goes.

About writing, I have realised that one can never make enough time, so it's better to keep
jotting down points after points on cellphone or iPad and then compile them over the
weekend ... That's the way to go :-) :-)
Upvote 2 Reply

Guurhart, Sept 26, 2017

Yogesh Gupta, CISSP® CCSP So much motivation in you, and it spreads!
Upvote Reply

Guurhart, Sept 25, 2017

Fantastic primer, no comments except some things that did not seem proper English but hey who is a
German to try to correct anyone on UK language!
Upvote 3 Reply


Anthony Noblett CISSP, CISA, CGEIT, CRISC, CCSK, CCSP, Sept 25, 2017

The back end of this article is good, the front end is information that all
information security professionals should know by now. Are you going to go further and talk about what
actual processes and tools are available to implement cloud security controls?
Upvote 5 Reply


Claus Cramon Houmann, Sept 25, 2017

Yogesh Gupta, CISSP® CCSP Awesome, glad to hear it!
Upvote Reply
