Build and Implement Cloud Services and Controls
Learning Objectives
After completing this unit, you’ll be able to:
- Describe a cloud security engineer’s role in building secure cloud services.
- Operationalize security policies and controls in the cloud.
Build Secure Cloud Services
Albert is a cloud security engineer at Apex Services, a consulting firm. His primary role is to build secure cloud services to maintain the trust of Apex’s customers and partners. Albert knows that cloud systems process and store lots of data, and it’s his responsibility to build and maintain systems that use that data in a secure, responsible way. As a cloud security engineer, he provides the tools and settings to make sure that only authorized users/integrations touch Apex customers’ data.
It’s Albert’s job to build, maintain, link to, upgrade, and continuously improve cloud networks and cloud-based systems. He writes code to build and contribute to the various cloud security tools at Apex. He uses languages such as Java, AngularJS, C++, and Python. He works across cybersecurity, risk management, and architecture teams, meeting on a regular basis to discuss ongoing work and address any impediments. For example, he may analyze infrastructure code, identify a security gap, and work with other software developers to write code to better secure Apex’s cloud infrastructure. He also reports to the project manager in charge of the project on his progress and any blockers.
Operationalize Policies and Controls
Let’s review what Apex does in order to contextualize this a bit more. Apex maintains a cloud-based software application that allows tenants of government housing units to report discrimination. Albert has a key role to play in protecting the data stored and processed by the system, such as tenants’ names, dates of birth, and Social Security numbers. He enforces security policies and implements security controls for the system. As he designs and implements new software releases, he thinks about the kinds of policies and controls he must put in place to secure the data the system will store and process.
Let’s meet another cloud security engineer, Lisa. She works at a nonprofit that defends and celebrates free expression through the advancement of human rights. She’s been tasked with building a cloud-based application to house the organization’s research and resources to help supporters advocate for free expression in their community.
While Lisa is proud of the work her organization does, she knows that the nature of their work makes them a target for threat actors who may disagree with the organization’s mission. These hacktivists—individuals who misuse a computer system for a politically motivated reason—may be interested in compromising the system she’s building by negatively impacting the availability of the resources to be accessed by legitimate users, defacing the system’s homepage, or stealing the personal data of customers who log in to the portal to view the research.
To help prevent these attackers from compromising the system, Lisa includes a number of security controls in the system design, including identity and access management controls and application security controls. Let’s take a closer look at examples of security controls that cloud security engineers may use to secure cloud-based systems.
Security Control |
Description |
Usage |
---|---|---|
Identity and access management
|
Cloud security engineers integrate the cloud platform with the company’s identity and access management systems, such as single sign-on. They also leverage industry best practices for authentication and authorization, such as strong authentication, least privilege, and regular privilege reviews. Cloud security engineers must ensure strong authentication mechanisms for the user, the application programming interface (API) calls, and the application itself. |
Controls who can create and configure cloud resources to ensure data security. |
Application security
|
While a cloud service provider secures and maintains the cloud infrastructure, cloud security engineers are responsible for everything they put in the cloud, including the configuration and patching of applications. |
Prevents code or data within an application from being stolen or compromised. |
Data protection
|
A cloud security engineer’s company may require guidelines related to data protection or follow a set of norms and procedures in order to reduce potential security threats. |
Uses secure configurations, strong permission settings, and encryption to limit sensitive data exposure and preserve data integrity. |
Encryption
|
When data is encrypted, the information within it is hidden so that it cannot be read without a secret key. Encryption uses an algorithm to scramble data, and then uses a key for the receiving party to unscramble the information. |
Encodes a message or file so that it can only be read by certain people. |
Key management
|
Cloud security engineers use key management services to create and control the encryption keys that are used to encrypt and protect data. |
Allows cloud security engineers to control who can access the master encryption keys and gain access to their data. |
Firewalls
|
Cloud security engineers set rules that define how the firewall should inspect web requests and what to do when a request matches certain criteria. |
Protect applications and APIs against common exploits that may affect application availability, compromise security, or consume excessive resources. |
Virtual private network (VPN)
|
Cloud security engineers help implement VPN portals for cloud system users. |
Requires users to connect to VPN before accessing cloud platforms and services. |
Multitenancy controls
|
These controls ensure that where a single instance of software and its supporting infrastructure serves multiple customers, each tenant’s data remains isolated and invisible to other tenants. This ensures that users can see only their own data, and that activities of one set of users cannot impact another set of users. |
Isolates tenant data logically even though it is physically integrated. |
Microservice security
|
Microservices are an architectural style that develops a single application as a set of small services. It’s common for developers to induce problems among microservice implementations by not building in security controls for a stack. |
Controls like segmentation, API security hygiene, and secure coding practices to protect against Structured Query Language (SQL) injection and cross-site scripting are key to securing microservices. |
API hygiene
|
API security hygiene is a crucial first step for cloud security engineers. This is because cloud infrastructure is built on publicly exposed APIs, making them a rich target for exploitation. It’s therefore key to implement API controls to present this exploitation from happening. |
Ensures APIs are designed with authentication, access control, encryption, and activity monitoring in mind. |
Network monitoring
|
It’s important to monitor network traffic for unusual activity, such as off-hours access, remote connections, and other outbound activities. |
Detects if an attacker or malicious insider is trying to compromise an organization’s data. |
Strong configurations
|
It’s always a good idea for cloud security engineers to double-check cloud storage security configurations upon setting up a cloud server, and pay attention when moving data into the cloud. They can also use specialized tools (such as CloudCheckr’s Cloud Data Security and Compliance tool, or CloudSploit and Dome9) to check cloud storage security configurations on a schedule, and identify vulnerabilities before it’s too late. |
Protects cloud storage from an attacker. |
In engineering these controls, Lisa works with the application and infrastructure teams at her organization to architect the network, operating systems, databases, and application in such a way that protects against attacks and maintains the security of the data processed and stored in the cloud. She collaborates with a team of developers working on the application by providing security recommendations on how to design, develop, and code it.
As development progresses, Lisa works to identify security gaps and provide recommendations to address them on both the new platform and existing ones. She analyzes code to ensure there are no security gaps in the implementation. She also assists with the development and maintenance of scripts to support security and DevOps.
Once the application has been developed, tested, and released to production, Lisa works with the operations team to ensure the application—and the underlying infrastructure, platforms, and software—continues to operate securely and in compliance with company cloud policies. She helps administer and maintain systems including firewalls, network threat detection, cloud infrastructure tools, and identity management platforms. She also manages cryptography—which provides for secure communication in the presence of malicious third parties—and encryption of data in the cloud. Finally, Lisa checks to ensure security controls have been properly implemented and configured, and follows up with the appropriate teams on the remediation of any gaps.
Knowledge Check
Ready to review what you’ve learned? The knowledge check isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the security control in the left column next to the matching description on the right. When you finish matching all the items, click Submit to check your work. To start over, click Reset.
Great work! Now you have a better understanding of how you, as a cloud security engineer, can build secure cloud systems and operationalize security controls and policies in the cloud. Next, let’s go over how you monitor the security posture of your cloud system and detect threats and vulnerabilities as they evolve.
Resources