Cloud Deployment and Service Models
Cloud computing enables scalable, flexible, and on-demand access to computing resources. Understanding how cloud services are deployed and consumed is foundational for securing them.
Deployment Models
- Public Cloud: Services offered over the internet by third-party providers (e.g., AWS, Azure, GCP). Typically multi-tenant environments. Organizations benefit from cost-effectiveness and scalability, but must trust providers' security controls.
- Private Cloud: Infrastructure dedicated to a single organization. Can be hosted on-premises or by a third party. Offers greater control over security configurations but is more expensive to maintain.
- Hybrid Cloud: Combines public and private models, allowing sensitive data to reside in the private cloud while leveraging the scalability of the public cloud. Requires strong integration and consistent security policies across both environments.
- Community Cloud: Shared among multiple organizations with common concerns (e.g., regulatory requirements). Can be managed internally or by a third party.
Service Models
- IaaS (Infrastructure as a Service): Provides virtual machines, storage, and networking. Users manage the OS, applications, and data. Examples: AWS EC2, Azure VM.
- PaaS (Platform as a Service): Offers runtime environments for development and deployment. Users manage apps and data but not the underlying infrastructure. Examples: Google App Engine, Heroku.
- SaaS (Software as a Service): Fully managed applications delivered via the web. Users only manage data and settings. Examples: Microsoft 365, Salesforce.
- FaaS (Function as a Service): Event-driven, serverless compute model. Code is executed in response to events. Examples: AWS Lambda, Azure Functions.
Shared Responsibility Model
Security in the cloud is a shared responsibility between cloud service providers (CSPs) and customers. Understanding where this boundary lies is crucial for risk management.
- Cloud Provider Responsibilities: Physical security of data centers, hardware maintenance, hypervisors, patching infrastructure.
- Customer Responsibilities: Configuring secure applications, managing data, enforcing access control, applying encryption, managing updates.
The line between responsibilities shifts depending on the service model: the more managed (e.g., SaaS), the less the customer has to secure. Misunderstandings here are a leading cause of data breaches in the cloud.
Infrastructure as Code (IaC) & Orchestration
Modern cloud environments use code and automation to manage infrastructure, reducing manual errors and ensuring repeatable deployments.
- IaC: Technologies like Terraform, Ansible, and CloudFormation let you define infrastructure (servers, subnets, firewalls) as code. Enables version control and peer reviews of infrastructure changes.
- Orchestration: Coordinates multiple services and scripts (e.g., auto-scaling groups, container deployments with Kubernetes). Helps enforce compliance, availability, and recovery procedures.
- Benefits: Consistency, scalability, rapid rollback, disaster recovery automation.
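Because IaC changes go through version control and peer review, policy checks can run before a change is merged. As an added illustration (not part of the original notes), the script below reviews the resources of a Terraform plan and flags security-group ingress rules that expose admin ports, or all traffic, to the whole internet. The plan excerpt is constructed and simplified, and the rule that only 80/443 may be world-open is an assumed house policy.

```python
import ipaddress
import json

# Constructed sample shaped like the resources of a Terraform plan
# (simplified for this example, not a real `terraform show -json` dump).
PLAN_JSON = """[
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "ingress": [
     {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 22,  "to_port": 22,  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
  {"address": "aws_security_group.db", "type": "aws_security_group",
   "ingress": [
     {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]},
  {"address": "aws_security_group.legacy", "type": "aws_security_group",
   "ingress": [
     {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["::/0"]}]}
]"""

ADMIN_PORTS = {22, 3389}            # SSH and RDP: never world-reachable
WEB_RULES = {(80, 80), (443, 443)}  # assumed house policy: only these may be open to anyone


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (a zero-length prefix covers every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def review_security_groups(plan_json: str) -> list[str]:
    """Return one finding per ingress rule that should block the merge."""
    findings = []
    for res in json.loads(plan_json):
        if res.get("type") != "aws_security_group":
            continue
        for rule in res.get("ingress", []):
            world = [c for c in rule.get("cidr_blocks", []) if is_world_open(c)]
            if not world:
                continue  # scoped to specific networks; acceptable under this policy
            lo, hi = rule["from_port"], rule["to_port"]
            if rule.get("protocol") == "-1":  # AWS shorthand for all protocols and ports
                findings.append(f"{res['address']}: ALL traffic open to {world}")
            elif any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(f"{res['address']}: admin port range {lo}-{hi} open to {world}")
            elif (lo, hi) not in WEB_RULES:
                findings.append(f"{res['address']}: port range {lo}-{hi} open to {world}")
    return findings


if __name__ == "__main__":
    for finding in review_security_groups(PLAN_JSON):
        print("BLOCK:", finding)
```

Run as a pre-merge step, a non-empty result fails the review; the same structure extends to other resource types (public storage buckets, unencrypted volumes) by adding a classifier per type.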
Zero Trust Architecture (ZTA)
Zero Trust is a modern security model that assumes no implicit trust, even inside the network perimeter. Core principles from NIST SP 800-207 include:
- Micro-segmentation: Limit lateral movement by separating workloads with strict policies.
- Context-aware access: Access based on user, device, location, and behavior.
- Continuous validation: Re-authentication and ongoing monitoring of all access attempts.
- Policy enforcement points: Devices or services that enforce granular policies.
Zero Trust improves security posture, especially in hybrid and remote work environments where the traditional perimeter no longer bounds access.
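An added example, not from the original notes, of a policy decision point that applies the four principles above to one access request: the role restricts which segment is reachable (micro-segmentation), device posture and location supply context, a risk score stands in for behaviour analytics, and a stale strong authentication forces step-up (continuous validation). The segment policy, thresholds and request fields are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str          # target segment, e.g. "payroll-db"
    device_managed: bool   # enrolled in device management
    device_patched: bool   # passed the posture/patch check
    country: str           # geolocation of the request
    mfa_age_minutes: int   # minutes since the last strong authentication
    risk_score: int        # 0-100 from behaviour analytics (constructed scale)


# Constructed per-segment policy: which roles may reach the segment, from
# where, and how fresh the last strong authentication must be.
SEGMENT_POLICY = {
    "payroll-db": {"roles": {"finance"}, "countries": {"US", "CA"}, "max_mfa_age": 15},
    "wiki": {"roles": {"finance", "engineering"}, "countries": None, "max_mfa_age": 480},
}


def decide(req: AccessRequest) -> tuple[str, str]:
    """Policy decision point: returns (decision, reason) for one request.

    Every attempt is evaluated from scratch; nothing is trusted because the
    request originates inside the network.
    """
    policy = SEGMENT_POLICY.get(req.resource)
    if policy is None:
        return "deny", "unknown resource (default deny)"
    if req.role not in policy["roles"]:                              # micro-segmentation
        return "deny", "role not permitted in this segment"
    if not (req.device_managed and req.device_patched):              # device context
        return "deny", "device posture check failed"
    if policy["countries"] and req.country not in policy["countries"]:  # location context
        return "deny", "location not permitted for this segment"
    if req.risk_score >= 70:                                         # behaviour context
        return "deny", "behavioural risk score too high"
    if req.mfa_age_minutes > policy["max_mfa_age"] or req.risk_score >= 40:
        return "step-up", "re-authentication required"               # continuous validation
    return "allow", "all policy checks passed"


if __name__ == "__main__":
    req = AccessRequest("alice", "finance", "payroll-db", True, True, "US", 5, 10)
    print(f"{req.user} -> {req.resource}: {decide(req)}")
```

In a deployment the policy enforcement point (proxy, gateway or agent) calls a function like this on every request and again on re-evaluation triggers, so a session that was allowed can later be downgraded or revoked.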
Embedded, ICS & IoT Systems
Cloud-connected physical devices often lack robust security. The main categories are:
- ICS (Industrial Control Systems): Often control critical infrastructure. Vulnerable due to outdated software and default settings.
- IoT (Internet of Things): Devices like sensors, thermostats, and cameras. Risks include default passwords, weak firmware, open ports.
- Embedded Systems: Custom hardware with limited OS and memory. Patchability is often restricted, requiring strong perimeter defense.
Best practices: Isolate in segmented networks, apply device-level encryption, use network access control (NAC), monitor behavior, and apply secure updates.
Security as a Service (SECaaS)
SECaaS delivers on-demand cloud-based security solutions. These include:
- CASB: Cloud Access Security Brokers enforce policies between users and cloud apps (visibility, access control, data protection).
- SIEM: Centralized logging and real-time event analysis.
- SASE: Integrates WAN and security functions (e.g., firewall-as-a-service, secure web gateway) into one cloud-delivered service.
- Email Filtering & DLP (Data Loss Prevention): Tools that scan for phishing, spam, and data exfiltration attempts.
SECaaS improves agility and allows organizations to scale security with demand.