Architecting Cloud Security

Deepak Rai
2 min read · May 12, 2022

There are 5 very important cloud security strategies that everyone should follow if they use a cloud service for their applications.

1. Understanding the principle of shared responsibility

Keeping your infrastructure secure is not the cloud provider's responsibility alone. It is a shared responsibility: both you and the cloud provider must make your infrastructure secure. This strategy describes a model for assigning ownership of the various security aspects between the cloud provider and you. The principle is mostly used in AWS, but it applies to all cloud providers.

When you operate an application running on one or more EC2 instances, you create an agreement between you and AWS to manage the application’s security on those services. For the EC2 service, AWS is responsible for the following security aspects of operating your application:

• Hardware security.

• Network infrastructure security.

• Virtualization system.

You are responsible for the security of your application. For example:

• Operating system.

• Software.

• Your application.

• Application data.

• Credentials.

• Policies and Procedures.

2. Principle of least privilege

The idea behind the principle of least privilege is to:

1. Grant an entity the minimum permission it absolutely needs to perform its operations.

2. Grant no more permission than that.

Let’s take an example. Suppose there are two users: one has permission to write to a database and the other has permission to read from it. In this case, the first user should not have permission to read from the database, and the second user should not have permission to write to it.

3. Privilege Escalation

We have already discussed the principle of least privilege, where users have minimum access to the database, but there can be scenarios where a user needs extra permission. In such a scenario, the user can request the extra permission on demand and then perform the action. The whole process of granting extra permission to a user can be logged for later use.
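The reader/writer example from section 2 and the logged, on-demand extra permission from section 3, modelled together as an added example (not code from the original article). All user, approver and database names are hypothetical, and the time limit on the extra permission and the rule that a user cannot approve their own request are assumptions of this sketch.

```python
import time

# Constructed sample data: the two users from the least-privilege example.
# All names (alice_writer, bob_reader, orders_db, carol_admin) are hypothetical.
BASE_GRANTS = {
    "alice_writer": {("orders_db", "write")},
    "bob_reader": {("orders_db", "read")},
}


class AccessManager:
    """Default-deny permission check with logged, time-limited elevation."""

    def __init__(self, base_grants, clock=time.time):
        self.base = {user: set(perms) for user, perms in base_grants.items()}
        self.temporary = []   # (user, resource, action, expires_at)
        self.audit_log = []   # append-only record of elevations and checks
        self.clock = clock

    def elevate(self, user, resource, action, ttl_seconds, approver, reason):
        """Grant one extra permission for a limited time and record who approved it."""
        if approver == user:
            raise PermissionError("a user cannot approve their own elevation")
        expires_at = self.clock() + ttl_seconds
        self.temporary.append((user, resource, action, expires_at))
        self.audit_log.append({"event": "elevate", "user": user, "resource": resource,
                               "action": action, "approver": approver,
                               "reason": reason, "expires_at": expires_at})

    def is_allowed(self, user, resource, action):
        """Allow only what is explicitly granted; everything else is denied."""
        now = self.clock()
        # Drop expired elevations so extra access does not linger.
        self.temporary = [g for g in self.temporary if g[3] > now]
        allowed = ((resource, action) in self.base.get(user, set())
                   or (user, resource, action) in {g[:3] for g in self.temporary})
        self.audit_log.append({"event": "check", "user": user, "resource": resource,
                               "action": action, "allowed": allowed, "at": now})
        return allowed


if __name__ == "__main__":
    mgr = AccessManager(BASE_GRANTS)
    print(mgr.is_allowed("bob_reader", "orders_db", "write"))   # denied by default
    mgr.elevate("bob_reader", "orders_db", "write", 900, "carol_admin", "fix ticket")
    print(mgr.is_allowed("bob_reader", "orders_db", "write"))   # allowed until expiry
```

The audit log records every elevation and every access decision, so a reviewer can later see who received extra permission, who approved it, and whether it was used.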

4. Securing Data

There are two types of data. Data at rest and data in transit.

Data at rest — This data is stored within your application. This could be a database, files in a file system, or a key/value store.

Data in transit — Data that moves into and out of the application, e.g. a customer sending their username/password for validation.

To secure data at rest, you can encrypt it so that no unauthorized user can access it.

To secure data in transit, you can use a token system as well as a TLS/SSL certificate to encrypt the data.

5. Create and maintain security policies

The Principle of Separation of Duties says that there should be no such “special” people with special permissions. No one person should have all the access that is required to perform business-dangerous activities. Instead, the permissions needed to perform these activities should be divided across multiple people so that in all cases, more than one person is required to perform critical activities that require special access.
