Cybersecurity is, of course, paramount in the minds of IT professionals. Cloud computing is not exempt from this concern. This article examines some of the cloud security concerns addressed by the new CompTIA Cloud+ (CV0-003). It is also the final article in my series on my favorite Cloud+ topics.
Check out the other articles in this series:
- My CompTIA Cloud+ Favorites: Virtualization and Resource Management
- My CompTIA Cloud+ Favorites: Cloud Migrations
When describing cybersecurity concepts, it’s common to use a layered approach. For example, when considering the security of a workstation in a business network environment, the following layers might be outlined as follows:
- Physical: Facility and server physical security
- Operating system: Hardening, patching and minimalist deployments
- Application: Hardening and patching
- Data: Integrity, confidentiality, backups and replication
- User: Training, authentication, authorization and restrictive access controls
By combining these layers, a workstation or server can be better secured against a variety of threats.
Cloud security relies on a similar concept. In fact, some layers remain the same. End-user training is still essential, as is data encryption and keeping operating systems patched. However, there are additional aspects to cloud security we must also consider.
Secure Remote Connectivity
Remote administration is not a new concept, but it is even more important when tied to cloud configurations.
First, cloud administrators need strong authentication to reach cloud resources. In addition, the remote administration channel must be properly secured. This might include the use of technologies like key-based SSH connections or HTTPS connectivity. Single sign-on (SSO) is critical as well, ensuring that there are as few connections as possible, making it easier to mitigate threats.
Day-to-day cloud consumers, like general employees using Microsoft Office 365 (a software-as-a-service (SaaS) model), also need a more protected path to the cloud. With cloud, the traffic that makes up confidential spreadsheets or proprietary designs is crossing the internet and not just the internal business network.
Principle of Least Privilege
One of the basic tenets of cybersecurity is the principle of least privilege. This concept states that administrators give users as little access as possible while still allowing them to do their jobs. For example, if an auditor only needs to be able to read a document, they are only granted read and not the read-write permission.
The principle of least privilege is even more critical with cloud services, where users can potentially deploy resources that will cost the company money in the form of usage fees. In addition, there are a great many different cloud services and cloud user roles, making it difficult for administrators to manage access controls effectively. Managing these roles is covered in the CompTIA Cloud+ exam objectives.
Offloading Security Responsibilities
Of course, some security layers are no longer your organization’s obligation. That’s part of the beauty of cloud computing: Your company is offloading some responsibilities to the cloud service provider.
Consider the following physical security features for a data center that your company no longer needs to provide in a cloud deployment:
- Physical security
- Redundant power
- Redundant cooling
- Redundant internet connectivity
- Hardware replacement
In the case of platform-as-a-service (PaaS), tasks like operating system and application patching are also usually managed by the cloud service provider. SaaS is the ultimate example of offloading responsibility to a provider; essentially your organization does nothing but manage which users can access the software subscription. The cloud service provider handles everything else.
Shared Security Model
The definitive concept for cloud security is the shared security model. Amazon Web Services (AWS) popularized the term, and it is summarized below:
- AWS responsibility = Security of the cloud
- Customer responsibility = Security in the cloud
The idea here is to clearly delineate who is responsible for what. Generally, the cloud service provider is responsible for the security of hardware, software, services and internal endpoints.
The cloud consumer (your organization) is responsible for the security of data stored in these infrastructures, data transmitted to and from the service provider, user access controls and the endpoints that originate at your organization (the company’s own internet connection).
Figure 1: The AWS Shared Responsibility Model. Note the emphasis on “in” the cloud for customer responsibilities and “of” the cloud for AWS responsibilities - https://aws.amazon.com/compliance/shared-responsibility-model/
That’s an over-simplification, of course, but it is a good introductory description. The exact software and services the cloud service provider is responsible for will vary by service.
In a SaaS situation, like Microsoft Office 365, the provider is responsible for everything from the software downward (operating system, physical hardware, data center).
With infrastructure-as-a-service (IaaS), however, the provider is only responsible for the physical hardware and data center. The consumer is responsible for configuring the operating system according to best practices and maintaining a patching mechanism.
AWS goes into a great deal more detail in its explanation of security responsibilities under the shared security model. It is well worth the time to examine the model and understand the boundaries.
Understanding Security Principles
Cloud security is a critical topic, of course, but I also find it to be one of the most interesting subjects in the new CompTIA Cloud+. The exam objectives clearly emphasize its importance, with Domain 2.0: Security accounting for 20% of the exam content.
The use of layered models to explain security concepts and responsibilities is a practical method that applies equally well to both traditional on-premises IT deployments and cloud-based implementations.
Secure communication paths between on-premises consumers and remote cloud service providers are critical, as is the application of the principle of least privilege. To be honest, these concepts are common to traditional security configurations, as well. Finally, the organization must understand and apply the shared security model.
My Favorite CompTIA Cloud+ Topics: A Recap
In this series, I have identified some of my favorite CompTIA Cloud+ topics as:
I find that these three topics are the most fun to research and write for the newly released Official CompTIA Cloud+ Study Guide. As a former technical trainer, I also view these three subjects as some of the most critical to Cloud+ certification candidates.
For those anticipating a job role working in a private cloud data center, consider CompTIA Server+ for a great deal more depth on the hardware and operating systems involved with maintaining on-premises data centers.
Reach out or comment with questions and observations about the series or CompTIA Cloud+ in general. I wish you well on the new CompTIA Cloud+ certification exam!
Ready to get started with CompTIA Cloud+? Download the exam objectives to see what’s covered on the exam or sign up for a free trial of CompTIA CertMaster Learn and Labs for Cloud+.