Self-paced

Explore our extensive collection of courses designed to help you master various subjects and skills. Whether you're a beginner or an advanced learner, there's something here for everyone.

Bootcamp

Learn live

Join us for our free workshops, webinars, and other events to learn more about our programs and get started on your journey to becoming a developer.

Upcoming live events

Learning library

For all the self-taught geeks out there, here is our content library with most of the learning materials we have produced throughout the years.

It makes sense to start learning by reading and watching videos about fundamentals and how things work.

Search from all Lessons

LoginGet Started
← Back to Lessons
Edit on Github

Cloud Security

Locally or in the Cloud
What Does a Cloud Have?
Key Components of Cloud Security
Where is it Easier to Implement Security?

We are already familiar with general security; when we focus on "cloud security," we are specifying the subset of tasks, policies, controls, technologies, and anything else necessary to apply security in a "cloud" environment like Amazon Web Services, Microsoft Azure, or Google Cloud.

Locally or in the Cloud

Before the cloud's existence, companies managed their IT infrastructure locally. This approach, known as on-premises or on-site computing, required companies to have all the necessary hardware and software within their facilities.

The cloud is the opposite; in "the cloud," servers and services are not located on company premises but are accessed via the Internet. Amazon, Google, and Microsoft have "clouds" that companies hire to have their servers online.

Companies generally prefer the cloud for its scalability, reduced costs, and flexibility. However, some opt for local infrastructure for the control and security it offers. Many use a hybrid approach to combine the best of both worlds.

What Does a Cloud Have?

All corporate clouds consist of the same components or functionalities:

  • Infrastructure as a Service (IaaS): Provides virtualized resources like servers, storage, and networks. Examples: Amazon EC2, Google Cloud Compute Engine.
  • Platform as a Service (PaaS): Offers a complete development environment to build, test, and deploy applications. Examples: Google App Engine, Microsoft Azure App Services.
  • Software as a Service (SaaS): Provides ready-to-use applications over the Internet. Examples: Microsoft Office 365, Google Workspace.
  • Storage: Space to store data in the cloud, such as Amazon S3 and Google Cloud Storage.
  • Networking: Connectivity and network services to link resources, like virtual networks and load balancers.
  • Security: Tools and services to protect data and applications, such as firewalls, encryption, and identity management.
  • Databases: Services to manage structured and unstructured data, like Amazon RDS and Google Cloud Bigtable.

Key Components of Cloud Security

Cloud security has advantages because major cloud providers like Amazon, Google, and Microsoft handle part of it and already include encryption mechanisms, data protection, etc. However, part of the responsibility falls on our implementation, and for that, we must consider our security and how to divide it:

  • Identity: MFA, SSO, Role-Based Access Control, etc.
  • Data Protection: Encryption.
  • Infrastructure Security: Network segmentation and monitoring (intrusion detection).
  • Application Security: Vulnerability testing, updates, and patches.
  • Compliance and Governance: Policies, regulations like GDPR, etc.
  • Business Continuity and Disaster Recovery: Backups, recovery plans.

Identity

Identity management is essential for controlling who can access cloud resources and what actions they can perform. This is achieved through several mechanisms:

  • Multi-Factor Authentication (MFA):

    • Adds an extra layer of security by requiring more than one method of identity verification. This may include passwords, fingerprints, codes sent to mobile devices, etc. MFA helps prevent unauthorized access even if credentials are compromised.

  • Single Sign-On (SSO):

    • Allows users to access multiple applications with a single authentication. This simplifies the login process and enhances the user experience while centralizing identity management.

  • Role-Based Access Control (RBAC):

    • Assigns permissions and accesses to users based on their roles within the organization. This ensures that employees only have access to the resources necessary for their function, minimizing the risk of unnecessary access.

Data Protection

Protecting data stored and transferred in the cloud is a priority to ensure the confidentiality and integrity of information:

  • Encryption:
    • In Transit: Protects data as it moves through networks using protocols like SSL/TLS. This ensures that data cannot be intercepted and read by third parties.
    • At Rest: Encrypts data stored on disks or databases so they are not accessible without the appropriate encryption key. This is crucial to protect data in case of unauthorized access or hardware theft.

Infrastructure Security

Infrastructure security involves protecting the physical and virtual components that make up the cloud:

  • Network Segmentation:

    • Divides the network into smaller, more secure segments to isolate different parts of the infrastructure. This limits the scope of potential attacks and facilitates the implementation of specific security measures for each segment.

  • Monitoring and Intrusion Detection:

    • Implements systems that detect suspicious or unauthorized activities within the infrastructure. Intrusion detection (IDS) and prevention (IPS) solutions help identify and mitigate threats before they cause harm.

Application Security

Securing applications running in the cloud is essential to protect against vulnerabilities and attacks:

  • Vulnerability Testing:

    • Conducting regular assessments to identify and correct weaknesses in applications. This includes static code scanning, penetration testing, and automated security analysis.

  • Updates and Patches:

    • Keeping applications and systems updated is essential to protect against new threats. Patches fix known vulnerabilities and improve the overall security of the system.

Compliance and Governance

Governance and legal compliance ensure that cloud security practices align with regulations and internal policies:

  • Security Policies:

    • Defining clear policies that establish the rules and procedures for data protection and cloud access. These policies must be consistently communicated and applied throughout the organization.

  • Regulations (GDPR, HIPAA, etc.):

    • Complying with industry-specific legal regulations is crucial to avoid penalties and protect the company's reputation. GDPR, for example, sets strict requirements for personal data protection in the European Union.

Business Continuity and Disaster Recovery

Planning for business continuity and disaster recovery ensures that a company can continue operating after an incident:

  • Backups:

    • Making regular backups of critical data to ensure they can be recovered in case of loss or damage. Backups should be stored securely, both locally and in remote locations.

  • Recovery Plans:

    • Developing and testing detailed recovery plans that describe the steps to restore normal operations after a disaster. This includes assigning roles and responsibilities, establishing communication processes, and defining recovery time metrics.

Where is it Easier to Implement Security?

AspectCloud SecurityOn-Premise SecurityEase of Applying Security
Infrastructure ManagementShared responsibility model; scalability and elasticityFull control over infrastructure; fixed resourcesCloud: Easier due to provider-managed infrastructure.
Data SecurityEncryption managed by provider and client; data residency considerationsLocal data storage with encryption and custom key managementCloud: Easier with provider-managed encryption.
Access ControlIAM tools with MFA and SSO; remote access considerationsLocal network access with physical security measuresCloud: Easier with integrated IAM tools and MFA.
Threat Monitoring and DetectionIntegrated cloud tools with automated responsesCustom monitoring with manual interventionsCloud: Easier with integrated monitoring and automation.
Cost and MaintenanceOpEx model with pay-as-you-go pricing; provider handles maintenanceCapEx model with upfront costs; organization handles maintenanceCloud: Easier with provider-managed maintenance.
Compliance and GovernanceShared responsibility for compliance; dynamic governance policiesDirect control over compliance; consistent governance policiesOn-Premise: Easier due to direct control and consistency.

Key Points

  • Cloud Security: Generally easier for infrastructure management, data security, access control, monitoring, and maintenance due to provider-managed services and integrated tools.
  • On-Premise Security: Easier for compliance and governance due to direct control over policies and regulatory compliance, allowing for customized solutions to meet specific needs.

This table offers a concise summary of which environment is easier to apply security measures and why, focusing on the strengths of each approach.