Get to Know Cloud Security Engineering
After completing this unit, you’ll be able to:
- Define cloud security engineering.
- Identify how cloud security engineers work with other teams and vendors.
- Explain the importance of cloud security engineering.
What Is Cloud Security Engineering?
Cloud computing presents many unique security issues and challenges. In the cloud, data is stored with a third-party provider and accessed over the internet. This means visibility into the structure that holds this data is limited. Thus, customers may not have a clear view of the attack surface, and may find it difficult to predict the attack vectors that a threat actor may exploit. It’s imperative both the customer and the cloud service provider (CSP) understand their respective roles and the security issues inherent in cloud computing.
As a cloud security engineer, you help your organization maintain a strong security posture in the cloud. You do this by protecting the confidentiality, integrity, and availability (CIA) of cloud systems as well as the information stored and processed by these systems. Let’s take a closer look at what each of these terms means.
- Confidentiality means keeping data private or secret by controlling access to data and preventing unauthorized disclosure. For example, only authorized payroll employees should have access to the employee payroll database.
- Integrity means ensuring that data has not been tampered with and, therefore, can be trusted. For example, the product and pricing information is correct in an ecommerce system.
- Availability means ensuring infrastructure, systems, and applications are up and running, and authorized users have timely, reliable access to resources when needed; for example, preventing denial-of-service attacks in which malicious actors intentionally render a system unreachable to the intended users.
Let’s meet Andrea. She’s a cloud security engineer at a college. She helps her organization adopt, build, and operationalize cloud technologies. She has worked on projects such as migrating the college’s legacy course scheduling system to the cloud, and planning and engineering a new cloud-native system for administrative functions.
Today, Andrea is assessing the college’s existing infrastructure and researching solutions for moving different functions, like database storage associated with academic coursework, to a cloud-based system. She evaluates the college’s existing IT infrastructure and proposes changes alongside the architecture and engineering teams. She works closely with these teams to integrate the database’s existing structure into a cloud-based system.
Migrating Systems, Enhancing Security, and Enforcing Policies
When the team decides to migrate database storage to the cloud, Andrea helps with the migration and maintains the system in the cloud. She also negotiates terms with the cloud service providers the college uses. Throughout the project, Andrea communicates progress to senior management at the college.
Every day Andrea works to enhance the security of the college’s cloud-based systems and the data of its students, faculty, and staff. She develops, implements, and evangelizes security best practices across the college’s IT footprint, including providing security recommendations on topics like microservice design (an architectural approach to developing a single application as a suite of small services) and application development. She’s always analyzing existing cloud structures to create new and enhanced security methods, and collaborates closely with security architects at the college to develop cloud security frameworks for their organization.
She also helps enforce security policies and implement security controls for cloud systems, including controls related to access management, authentication, application security, data protection, key management, encryption, and firewalls. She works with the application and infrastructure teams to architect infrastructure (network, operating systems, databases) and applications to protect against attackers and establish and maintain a secure cloud. She even gets hands on, implementing physical protection mechanisms such as firewalls and virtual private network (VPN) tunnels.
Monitoring Systems and Reporting on Metrics
In addition to implementing these security protections, Andrea monitors the security posture of the college’s cloud systems and infrastructure, works to detect threats, and assists with incident response. She protects against zero-day threats and inspects encrypted and unencrypted traffic to detect threats across the entire kill chain—a model to describe the stages of a cyberattack. She performs threat simulations to detect possible risks and tests for security vulnerabilities. She also configures monitoring for key systems to verify the CIA of resources and critical processes. She reviews system and application logs to verify completion of critical scheduled jobs such as backups.
Finally, Andrea develops, maintains, and reports on key cloud security metrics. Some examples of metrics she tracks include the number of unmanaged devices having access to sensitive data in the cloud, the number of instances of sensitive data on the cloud where the organization doesn’t manage the encryption keys, and the number of unmanaged cloud applications that do not have logs for tracking user activity and logins. She works with the technology and business teams to close the gaps represented by these metrics. She also works with the incident response team to repair and recover from incidents and technology failures, coordinating and communicating with impacted teams. She’s a real cloud security superhero!
Cloud Security Teams
As a cloud security engineer, you often serve as part of a larger team dedicated to cloud-based management and security. You instruct other teams on proper coding methods. You also work with cross-functional teams that are a mix of software, operations, and architecture teams.
In addition, the use of cloud computing might mean that an increasing number of IT functions are being outsourced. It’s common for a company to work with contractors and subcontractors to take advantage of specialized skills, such as data encryption, key management, and cloud authentication. In some cases, an engineer may need to communicate by phone or email with a technical resource in a distant city who is working on their cloud infrastructure. These cloud partners bring expertise to a project that may not be available in-house. It’s an effective strategy as cloud technologies continue to advance.
The Importance of Cloud Security Engineering
The whole world is becoming more computer technology-driven. Almost every industry increasingly relies on various forms of technology for their daily operations. As part of this changing landscape, security has become a critical consideration.
According to GlobeNewswire, the cloud computing industry is expected to grow from $371.4 billion in 2020 to $832.1 billion by 2025. As companies move away from an on-premise infrastructure model to a cloud-first approach when upgrading or designing new environments, the need to hire technologists with cloud experience has increased dramatically.
Any IT systems connected to the internet require robust security. The cloud is particularly vulnerable to attack because the threat surface is so vast. When applications are hosted in a company’s own data center, the security picture can be straightforward: You put the appropriate security technology at the right locations to address the specific security concerns. Data center security can be maintained by closely guarding external connections with firewalls and intrusion detection systems.
But in the modern distributed cloud computing environment, maintaining security is much more difficult. In the cloud environment, security is a shared responsibility between the cloud provider and the customer utilizing the cloud services.
Vendor and Customer Responsibilities
Designed in layers, security includes both the physical components and logical components. The cloud infrastructure provided by Infrastructure as a Service (IaaS) vendors is protected in various ways. From an availability point of view, the infrastructure is designed by the vendor to be highly available, and the infrastructure’s uptime is the responsibility of the vendor. From a security point of view, the vendor is only responsible for securing the infrastructure it provides.
As a customer, when you install one or more virtualized applications in the vendor’s cloud infrastructure, you’re responsible for securing the access, the network traffic, and the data applications. Many vendors supply some security tools so that various parts of the customer’s cloud application environment can be secured. However, these tools can pose a few problems.
First, these tools may provide only a few basic security functions, and they’re the same tools the vendors use to secure the underlying infrastructure. If an attacker were to bypass these tools at the infrastructure layer, they would likely be able to bypass them at the customer’s application level as well.
Second, and perhaps more important, is the fact that many organizations operate in a hybrid environment where some of their applications remain hosted in their own data centers, some in one vendor’s IaaS cloud platform, some in another vendor’s cloud platform, and various others with multiple Software as a Service (SaaS) vendors. This is what we call a “multi-cloud” environment, and it comes with a “multi-cloud” problem: multiple independent, uncoordinated security solutions—a problem where complexity can increase with the number of cloud vendors involved. This can pose a significant security challenge and underscores the importance and need of skilled cloud security engineers.
Sum It Up
Cloud computing provides many benefits to developers and can help make technology more accessible to the world. But for it to be successful, organizations must integrate security into the cloud. Migrating to cloud environments introduces new challenges and requires a reevaluation of security and compliance solutions. This means lots of work for you as a cloud security engineer to ensure the cloud solutions your organization uses are secure. Let’s take a closer look at your responsibilities and the corresponding skill set in the next unit.