Securing Cloud Services

A pragmatic approach, second edition

Lee Newcombe

452 pages
English
ePUB (mobile friendly)
Available on iOS & Android

About This Book

Securing Cloud Services – A pragmatic guide gives an overview of security architecture processes and explains how they may be used to derive an appropriate set of security controls to manage the risks associated with working in the Cloud. The book:

  • Introduces the concepts of Cloud computing and the associated security threats;
  • Explains key security architectures and how they can be applied to Cloud services; and
  • Covers security considerations for the different Cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service) and FaaS (Function as a Service).

Cloud computing represents a major change to the IT services landscape, but it also introduces changes to the risk landscape, which need to be understood and addressed. The flexibility of Cloud computing does not come without compromise or risk.

Security remains a major concern for CIOs (chief information officers) considering a move to Cloud-based services. This book gives organisations pragmatic guidance on how to achieve consistent and cohesive security across their IT services – regardless of whether those services are hosted on-premises, on Cloud services or using a combination of both.

This guidance in Securing Cloud Services – A pragmatic guide is provided through the application of a Security Reference Model to the different Cloud delivery models – IaaS, PaaS and SaaS – and also considers the changes in approach required to work securely with the newer FaaS model.

Part 1 introduces the concepts embodied within Cloud computing, describes the associated security threats and lists some of the leading industry initiatives dedicated to improving the security of Cloud services.

Part 2 introduces security architecture concepts and a conceptual Security Reference Model. This model is then applied to the different Cloud service models to show how the conceptual security services within the reference model can be delivered for each Cloud service model.

This book will help organisations looking to implement Cloud services aimed at the enterprise – such as Amazon Web Services, Microsoft Azure, Google Cloud Platform and Salesforce – and to do so in a risk-managed manner.

It is aimed at business decision makers, senior IT stakeholders, enterprise architects and information security professionals.

Manage the risks associated with Cloud computing – buy this book today!

Information

Publisher: ITGP
Year: 2020
ISBN: 9781787782075
Edition: 2

Part 1: Securing Cloud services – setting the scene

INTRODUCTION

Part 1 provides the foundation for the rest of this book as it introduces the concepts embodied within Cloud computing, describes the associated security threats and lists a few of the existing industry initiatives dedicated to improving the security of Cloud services.
Part 2 introduces a number of security architecture concepts and a conceptual Security Reference Model. This model is then applied to the different Cloud service models – Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS) and Function as a Service (FaaS) – to show how the conceptual security services within the reference model can be delivered for each Cloud service model.
If you are already familiar with Cloud computing models, terminologies and associated risks then you could go straight to Part 2, although you may find the contents of Part 1 a useful refresher.
Throughout this book, I have italicised the names of the security services defined within the Security Reference Model (SRM). This is to distinguish between the name of a service such as identity management and the wider topic of identity management.

CHAPTER 1: INTRODUCTION TO CLOUD COMPUTING

Cloud computing

One of the more evocative labels for an IT delivery model – certainly more so than the utility computing label to which Cloud owes much of its heritage. However, like its rain-carrying namesake, Cloud computing can be difficult to describe, with many observers having their own perspective on what is, and what is not, Cloud. Many people use Cloud services without realising that they are doing so – iTunes, Facebook and Twitter are all examples of Cloud services. However, these are consumer Cloud services, aimed at individual users, and the security of such consumer services is not discussed within this book.
The purpose of this book is to help those organisations looking to implement Cloud services aimed at the enterprise – the likes of Salesforce, Amazon Web Services, Microsoft® Azure and the Google Cloud Platform – to do so in a risk-managed manner.
Figure 1: Cloud computing model
Figure 1 shows a high-level representation of the Cloud computing model. On the left, we have a Cloud computing provider – essentially a set of servers offering some form of shared IT service. On the right, we have a set of organisations with users and client devices capable of accessing that shared service. In the middle we have the Internet (or some other delivery network) that acts as the transport mechanism enabling the access devices to connect to the shared service. You can also see some individual users sitting on the Internet who are just as capable of accessing those shared services as the larger organisations. The shared service on offer could be anything from the original Amazon Web Services model of access to compute and/or storage resources through to the Salesforce, Concur or SuccessFactors model of access to specific software applications.
Regardless of the service on offer, there are a number of key characteristics that the service must display in order to be truly 'Cloud'. These are:
  • Multi-tenant – the service should (at some level of the technology stack) be shared amongst its users rather than dedicated to the use of a single consumer. In the case of services like Amazon Web Services, multi-tenancy traditionally exists at the level of the physical hardware and the hypervisor,1 which can host virtualised images serving many consumers.2 In the case of services such as Salesforce, the multi-tenancy sits at the application level – many different consumers access the same instance of the applications on offer. Consumers are, therefore, separated only by the barriers implemented by the provider within their applications. This is a prime differentiator of Cloud services from a more traditional data centre outsourcing model, where resources would more typically be dedicated to individual clients.
  • Ubiquitous network access – the service should be available to all over a common network. For public Cloud services, the common network is usually the Internet. For other types of Cloud services, the network could be a more private network such as a government or academic network.
  • Elastic – the service should be able to respond quickly to spikes in demand, with the Cloud consumer able to add the additional resources needed to maintain service levels during a spike in demand and then to rapidly release those resources again once the spike has passed. Cloud providers should look to reduce the amount of manual effort required to support this elasticity.
  • Pay per use – consumers should be charged for the amount of resources that they actually consume; in the case of infrastructure services this could be by charging per CPU per hour or per GB of data stored or transferred. For Cloud providers offering SaaS this could mean charging per user per month rather than on the traditional basis of a perpetual licence.
  • On-demand self-service – consumers should be able to provision the services they need themselves, without needing to talk to the Cloud provider. In many popular Cloud services, customers can obtain the services they need with only a network connection and a credit card.
That is my view of Cloud, a view heavily influenced by the now de facto definition of Cloud computing produced by the American National Institute of Standards and Technology (NIST). The NIST definition of Cloud computing is discussed in much more detail in chapter 2. There are a number of services that seek to use the Cloud label, but which do not display all of the characteristics described above. A number of service providers continue to jump on to the Cloud bandwagon, and many services that would normally just be viewed as a shared service or a virtualised data centre have been relabelled as Cloud services. This relabelling is so common that it earned its own title – ‘Cloud-washing’.
This book is not dogmatic about whether or not a Cloud service displays all of the expected characteristics described above; the guidance it provides is also generally applicable to wider classes of shared services.
1 Hypervisors are responsible for allocation of physical hardware resources such as compute, storage and communications to virtualised operating system guests hosted on that hardware.
2 Although bare-metal services dedicated to the usage of a single customer can also be used at additional cost.

CHAPTER 2: OVERVIEW OF EXISTING CLOUD TAXONOMIES AND MODELS

Chapter 1 provided an informal introduction to the main concepts underlying the Cloud computing model. This chapter provides a more formal set of definitions and a common terminology to enable a joint understanding of what is meant by terms such as IaaS, community Clouds and deployment models.
There are a number of different definitions of Cloud computing, with probably the most widely accepted being the definition of Cloud computing produced by NIST.3 The NIST definition describes Cloud computing as being:
[A] model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
The five essential characteristics, as defined by NIST, are:
1. On-demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service
The three service models defined by NIST are the familiar terms of IaaS, PaaS and SaaS. These service models are described in more detail shortly.
The four deployment models within the NIST definition comprise the commonly used terms of public and private Clouds together with the less commonly used models of community and hybrid Clouds (though hybrid Cloud is becoming increasingly popular in the enterprise space). Each deployment model is described more fully a little later on in this chapter.
There are some interesting things to note about the NIST model of Cloud computing, one of which is that it focuses on the three main traditional delivery models of IaaS, PaaS and SaaS. New models have emerged since the publication of the NIST definition, notably FaaS and the different, but often related, model known as serverless computing. As both the FaaS and ‘serverless’ models are likely to become increasingly popular over the next few years, particularly with respect to the implementation of microservices architectures, we will consider the security of such models in this book.
Whilst this book is relevant to Business Process as a Service (BPaaS), and, indeed, to many of the other *aaS terms that have been coined since the publication of the NIST definition, it is structured so as to consider IaaS, PaaS, SaaS and FaaS in turn. Those deploying other *aaS models should take the relevant guidance and adapt it to their purposes.

Service models

Infrastructure as a Service (IaaS)

In their definition, NIST describe Cloud IaaS as the model where:
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g. host firewalls).
The most popular IaaS services are those offered by the ‘Big 3’ comprising Amazon Web Services (AWS), Microsoft Azure and the Google Cloud Platform (GCP); however, some of the major systems integration companies, such as IBM and HPE, also offer IaaS specifically targeted at enterprise users. You can also find smaller local Cloud service providers (CSPs) offering ‘sovereign’ Cloud services, i.e. Cloud services hosted and supported from a single host country, which target those organisations with specific regulatory or national security requirements necessitating that data and services remain in-country.
An example of a more focussed IaaS is that of companies offering Disaster Recovery as a Service (DRaaS) whereby organisations can store machine images and data in a Cloud-based service ready for use in a disaster scenario rather than building a secondary data centre. Another example of an IaaS is that of desktop as a service which enables end users to access their company 'desktop' over the Internet, with the desktop infrastructure itself being hosted within a Cloud provider and shared with other clients.
The primary selling point of IaaS is that the Cloud provider has already invested in providing the infrastructure and so end user organisations only have to concern themselves with the operational expenditure of using the service rather than the capital expenditure of building their own services. Consumers, therefore, pay for the capacity that they actually use rath...