How to build a secure cloud architecture

  • TECHNOLOGY
  • 10 MIN READ
Prasobh V Nair Chief Technology Officer
Cloud Architecture

There was a time when businesses were concerned about migrating to the cloud. Previously, shifting to the cloud meant opening your data to the risk of being breached. There was a lot of questions about whether a cloud can genuinely be secured.

However, as years have gone by, the cloud has become a staple in most organizations. As technology becomes advanced, public trust in the safety of using cloud has also increased. Still, there are many that continue to regard cloud solutions to be unsafe. Such organizations and people tend to rely on on-premise data centers instead

On-Premise vs. Cloud

Regardless of how you store your data, whether it be on-premise or through a public cloud system, you need to invest in securing it. And you must perform the task of securing the architecture. Even though on-premise data storage are sought because of better security, it is the architecture of a public cloud that is much easier to secure. This is because the responsibility of cloud security falls on the shoulder of the cloud provider while the organization is solely responsible for security within the system.

With this shared responsibility, the act of building a secure cloud architecture becomes easier than in the case of on-premise solutions where the responsibility has to be shouldered alone. Here, you are required to obtain the necessary tools and processes for securing the architecture. You are also responsible for securing the network infrastructure and have physical access to the storage. Therefore, compared to the cloud, this method of storage is very static. You can’t change it as per your desire, unlike cloud storage.

cloud premise

In the cloud, you can scale the infrastructure as per the business needs. You can also share the application host with other users. This means that you must modify the tools you use according to the cloud requirements.

Public Cloud Security

When it comes to building a secure cloud architecture, one of the core concepts that come into play is the shared responsibility model. As per this model, the cloud provider shoulders the responsibility of various aspects of the public cloud. This includes services, infrastructure, and security. The only thing you need to ensure is the security of your operating systems, data and platforms used.

How does the cloud provider deliver a secure structure? They do so by configuring the various components of the infrastructure made available to the user. So, a lot of the job is already done by the cloud provider. Once the architecture has been configured as required, you must boost the security of the cloud system from within.

When building a secure cloud architecture from within, you make use of Amazon Web Services (AWS). Here, you have to begin by deciding which of the users you will grant access to the data. You must then identify their permissions to the service. For this, the IAM service, or Identity and Access Management service, is used. This service allows an organization to manage both users and permissions within the AWS cloud. Let’s say you are not using AWS. The process will still remain the same in the case of Google and Azure clouds. Here too you will access the Cloud Identity and Azure Active Directory respectively.

public cloud

Within cloud security

Your job is simple. You must build a secure cloud architecture from within the system. When you use the cloud, you will be provided with an array of services. This includes abstracted, container and infrastructure services. You have to enhance the security of each of these services. Each service respectively will have a shared responsibility model. If you decide to use some of these services fully, you will have to burden a greater responsibility than your cloud provider.

Infrastructure service security

For instance, if you opt for virtual machine services within the cloud. This will come under infrastructure service. To make your data safe within the virtual machine services, the AWS will be responsible for securing facilities, physical hardware, network infrastructure, and virtualization architecture. On the other hand, you will have to secure AMIs (Amazon Machine Images), applications, data at rest, system updates of the operating software, firewall rules, data stores, data in transit, policies, credentials, and configuration. So, as you can see, a greater share of the responsibility is with you in this service.

virtualization in cloud
Container service security

In the case of the container service category, there are various aspects of the platform layer that cannot be managed or accessed. This holds true for services like Azure SQL Database and Amazon RDS. In such services, updates, operating system, and security patches are all managed by the cloud provider. This leaves limited responsibility on the business.

Abstracted service category

This category includes services like messaging, database and high-level storage. Here, the services are abstracted on a management or platform layer. Hence, you are given the autonomy of building and operating application of the system. You can access these services’ endpoints with the help of APIS and then effectively access and manage the service components the endpoints are built on. To secure abstracted services from within, an organization has to make use of the various security services delivered by the cloud solution provider. Use MFA authentication to access your cloud provider’s account to begin.

Security Best Practices

There are a lot of best practices when it comes to securing a cloud. The four major ones include:

Perform due diligence

As a cloud consumer, it is essential to understand the applications, network, and security of the system. Due diligence is required throughout the lifecycle of the system. This includes during the planning, development, operations and decommissioning stage.

  • Planning:  Begin by choosing the best system to build your cloud on. Make use of a cloud adoption framework to help identify applications and cloud providers. The cloud adoption framework you use can either be CSP specific or CSP agnostic. After using the cloud adoption framework to identify the application for cloud deployment, educate your employees on the fundamentals of the selected service and architecture.
  • Development and Deployment: Have an efficient deployment team that is trained on how to use the CSP services you chose correctly. CSPs help in delivering the guidance required for building new applications on the cloud. So, if you are migrating an application to the system, it helps in understanding what changes would be needed to deploy on the app.
  • Operation: After the development and deployment of the system and applications, the part of security comes into play. Here, the infrastructure is treated as a source code which must be managed via a source code control system. So far, such systems have proved to be effective in managing the development of software. And they can be used for developing a secure cloud architecture as well.
  • Decommission: Instances might occur that will make the decommission a cloud-deployed system necessary. This can happen if the CSP price features a spike, making the current system too expensive for use. One must always be prepared for decommissioning. In fact, the planning for the process should precede the deployment stage. Understand the process of data extraction from one CSP and how to securely move it to another in case of decommissioning.

Related Reads:

 Managing Access

There are three capabilities that come under access management. This includes the following:

• Identifying and authenticating users: Here a multifactor authentication system should be used to minimize the risk of a credential leak or breach. Remember, if a hacker gets access to user credentials, they can access and control your cloud data. Using multiple factors ensures this doesn’t happen.

• Assigning user access rights: Never give one person enough access to affect the entire data center negatively. Instead, plan roles in such a way that they are shared by the different individuals. This reduces the power of any one entity. Limited access further mitigates the effect of a credential compromise.

Data protection

Access control isn’t the only way of building a secure cloud architectures. Instead, data protection is also required. There are three significant challenges to deal with here. Firstly, you must protect your data from authorized access. Secondly, you must ensure continued access to essential data even in case of failure of the system, and thirdly you must prevent accidental disclosure of information that was deleted.

Data protection from unauthorized access

The best way to protect data from unauthorized access is by encrypting it. Cloud services deliver encryption features. For it to be effective, it is crucial that you manage the encryption keys properly. CPPs offer consumers a choice between consumer managed and CSP managed keys. The latter takes away the control from you regarding how and where the keys are stored. However, it reduces the responsibility on your end. On the other hand, consumer-managed keys give enhanced control to you. But, the burden of responsibility is with the owner in this case.

Guaranteeing the availability of crucial data

Since no system is perfect, you can expect accidental losses to occur on the cloud system. To secure your data against such losses, it is essential that you check the data backup and recovery process of the CSP in question. If they are not up to par, you can consider augmenting them with additional recovery actions and back-ups.

Preventing disclosure of all deleted data

Just because you have deleted the data from your cloud system doesn’t mean it is always gone. Instead, many clouds often replicate and copy your data in case of accidental loss. This is why it is possible for deleted sensitive data to make its way back to monitoring services. Therefore, any data that you delete might have a replicate copy within the system. For a secure structure, it is important to thoroughly analyze the cloud deployment and see what needs to be done to delete the data permanently.

Monitor

After a cloud deployment has been made, the next step is to monitor and defend the resources as the situation requires.

Also read:

While the CSP is responsible for monitoring the infrastructure and services of the cloud, you are in charge of securing the applications created using the services provided by the platform. You can rely on the monitoring provided by CSP to identify any unauthorized access and use of the data. Moreover, you must also design and implement additional monitoring systems on your end to secure the structure.

Learn how you can collaborate with the cloud service provider to deal with security threats. Here, it is vital to understand the type of information CSP has the power to share. Also, understand how the given information will be shared and the limitations they have. For instance, CSP cannot provide services that act as an obstacle for other customers. So, your SOPs need to be aligned with the guidelines of CSP.

Conclusion

All in all, your data will be safe and secure if you were to make use of a cloud system rather than on-premise storage. However, one should always strive for continuous improvement of the system. This should be done to make your information secure and less susceptible to attacks.

Remember, the information you have is a very crucial resource for your company. Whether it be data about the products, your customers or operation guidelines, the safety of it all should be your priority. Securing cloud architecture might not be a simple process. However, it is necessary to ensure the integrity of the data. Don’t just invest in securing the architecture once. Instead, continue to do so repeatedly. Attackers are getting advanced with every passing day. Hence, you need better security to combat such attacks. CPS keep providing new features to make your data secure. You must be well-versed on these changes to improve the quality of your structure. Be vigilant with your cloud security. Monitor it continuously and respond to any threats that spring up.

Originally published Feb 26,2019 12:35:00 PM
CONTACT