On a high level, Cloud Security is not much different from the overall IT security of a traditional IT system. The security concerns of access control, susceptibility to attacks to high availability affect both the traditional as well as cloud systems. With Cloud, the entire landscape of the security has become much more complex with the microservices based architectures, data vulnerability and autoscaling capability. In order to ensure the organizations trust the entire Cloud landscape, it is important to understand the possible areas of security concerns and streamline the necessary controls and policies to safeguard client applications and meet their business regulations. As Cloud Security is a shared responsibility of both Cloud Service Provider and the clients, both the parties would need to go hand in hand to meet the best security standards for the organizations.
To simplify, the high level security segment can be grouped into the following sub areas:
User Access Management/ IAM — The Identity and Access Management is to ensure that the right users have the adequate access to the right resources (Hardware, Software and Services).
Data Security — Data security ranges from Data Encryption to the complete Data life cycle management. With cloud based infrastructure, data confidentiality and data protection is a primary focus.
Disaster Recovery — Key defining parameters in the DR strategy include the RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Based on the agreed parameters, the required strategies needs to be chalked out.
Network Security —Rules and configurations, firewall, security group specifications must be optimized to ensure secure accessibility of the applications in cloud.
Governance and Compliance — Security controls such as ISO/IEC 27001, NIST 800–53 are some of the internationally accepted standard controls that are adopted according to the businesses. Apart from them, there are Audit and Assessment requirement that needs to be adhered and any miss on the same could result in huge business losses.
Hardware and Software Security — Physical security, biometric access, scans, audits and patches & server hardening.
Monitoring and Logging — Management of Vulnerabilities and attacks, traffic monitoring, log management, analysis and mitigation strategies.
There are other areas including Services Security Management for microservices/ API based architecture, Third party tools and software management, Application level security and finally, security practice adoption at every stage of software development.
*******************************************************************