What is Cloud Security?

IBM Technology
27 Sept 2019 · 10:17

Summary

TL;DR: In this video, Nataraj Nagaratnam from IBM Cloud explains the shared responsibility model in cloud computing, highlighting the differences between IaaS, PaaS, and SaaS. He emphasizes the importance of securing data at rest, in motion, and in use, with robust key management and controlled access. Application security, container vulnerability scanning, identity and network protections, and continuous monitoring are discussed as essential practices. Nagaratnam also introduces the SecDevOps approach, integrating security throughout the development lifecycle to build resilient, compliant cloud applications. The video offers practical guidance for managing cloud security, risk, and compliance effectively.

Takeaways

  • ☁️ Understand the shared responsibility model in cloud computing: responsibilities are divided between the customer and the cloud provider.
  • 🛠️ In PaaS, customers secure their applications, workloads, and data, while the provider secures the platform beneath them (OS, runtime, middleware) and the infrastructure.
  • 💻 In IaaS, customers control everything above the hypervisor (guest OS and its patching, middleware, applications, and data), while the provider manages the hypervisor, physical hosts, storage, and network.
  • 📦 In SaaS, the provider runs and secures the application and everything beneath it, while the customer remains responsible for the data they put in and for who is allowed to access it.
  • 🔒 Implement a holistic data security approach: protect data at rest, in motion, and in use using encryption and key management.
  • 🗝️ Consider bring-your-own-keys (BYOK) for sensitive or confidential data to maintain control over data security.
  • 🛡️ Apply least-privilege access: restrict data and application access strictly on a need-to-know basis.
  • 🐳 Scan applications and container images for vulnerabilities before deployment, leveraging cloud-native security practices.
  • 👥 Manage identity and network security by controlling user and service access and using firewalls, DDoS protection, and intrusion prevention.
  • 📊 Continuously monitor security posture and compliance, turning insights into actionable intelligence for remediation.
  • 🔄 Adopt SecDevOps: integrate security throughout the application lifecycle, from design and build to deployment and ongoing management.
  • 🔑 Embed security into DevOps processes ('shift left') to ensure secure application architecture, secure builds, and continuous security management.
  • ⚡ Cloud-native approaches allow rapid remediation, such as redeploying containers instead of patching systems manually.

Q & A

  • What is the shared responsibility model in cloud security?

    -The shared responsibility model divides security responsibilities between the cloud provider and the customer. The provider secures what it operates (physical facilities, hardware, network, and, depending on the service model, the hypervisor, OS, and platform), while the customer secures what it brings: applications, workloads, data, and the identities that access them. Where exactly the line falls depends on whether the service is IaaS, PaaS, or SaaS.

  • How does security differ between PaaS, IaaS, and SaaS models?

    -In PaaS, the provider secures the platform (OS, runtime, and middleware), while the customer secures the applications and data deployed on it. In IaaS, the provider secures the physical infrastructure and the hypervisor, while the customer manages the guest operating system, its patches, applications, and data. In SaaS, the provider secures the entire application stack; the customer is still responsible for the data they put into it and for which users may access it.

  • What are the key components of securing data in the cloud?

    -Key components of securing data are encryption at rest, in motion, and in use, which is only as strong as the handling of the keys. For sensitive data, customers should bring their own keys (BYOK) so that the provider never holds the only copy, and key material should be generated and kept in a hardware security module (HSM) rather than in application code or configuration, with applications asking the HSM to perform the cryptographic operations.

  • Why is key management important in cloud security?

    -Key management matters because whoever controls the keys controls access to the data. Holding your own keys lets you decide which people and services may use them, rotate them on your schedule, and revoke them when a workload is retired or compromised, which is most important when handling sensitive or confidential data.

  • What steps should be taken to secure applications before deploying them in the cloud?

    -Applications should undergo vulnerability scanning (static analysis of the source and dynamic testing of the running application), and container images should be scanned for known vulnerable packages. A deployment policy should allow only images that pass the scan, and findings should be remediated by rebuilding and redeploying the image rather than patching a running container in place.

  • How does cloud-native security differ from traditional security approaches?

    -Cloud-native security integrates security into every step of the development, deployment, and operation process. In contrast, traditional security typically involves applying security measures after the development process, rather than embedding them from the start.

  • What role does identity management play in cloud security?

    -Identity management ensures that only authorized users and services can access specific data and applications, and it is where least privilege is enforced: each identity receives only the access it needs. It is critical for controlling access and protecting cloud resources from unauthorized or malicious users.

  • What types of network protections should be in place for cloud applications?

    -Cloud applications should sit behind a Web Application Firewall (WAF), network access controls that limit which sources can reach which services, and Distributed Denial-of-Service (DDoS) protection. Intrusion detection and prevention, informed by threat intelligence, should be in place to spot and block unauthorized access attempts.

  • What is continuous security monitoring, and why is it important?

    -Continuous security monitoring collects security events, audit logs, and network flow data, analyzes them for compliance violations and signs of attack, and turns the results into findings someone can act on. It matters because cloud environments change constantly: a misconfiguration or newly disclosed vulnerability needs to be found and remediated as soon as it appears, not at the next scheduled review.

  • How does the SecDevOps approach differ from traditional DevOps?

    -In a SecDevOps approach, security is embedded throughout the entire development lifecycle rather than being a separate or later phase. It focuses on shifting security 'left' by integrating it during design, build, deployment, and continuous management stages.
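Worked example for the two answers above on securing data and on key management (added here as an illustration; it is not code from the video or from IBM Cloud). It shows envelope encryption with a customer-held key in Go: each stored object gets its own data-encryption key (DEK), the DEK is wrapped under the customer's key-encryption key (KEK), and only the ciphertext and the wrapped DEK are kept at rest. The provider holds no key that can open the data, so once the customer rotates or withdraws the KEK the stored object is unreadable. The type and function names, the key ID, and the sample record are assumptions made for this example; in a real deployment the KEK would be generated and used inside an HSM or key-management service rather than held as bytes in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopedObject is what the storage service keeps at rest: the ciphertext plus the
// data-encryption key (DEK) wrapped under the customer's key-encryption key (KEK).
// Neither the plaintext DEK nor the KEK is ever stored with it.
type EnvelopedObject struct {
	KeyID      string // which customer KEK wrapped the DEK; bound into both tags as AAD
	WrappedDEK []byte // DEK encrypted under the KEK
	DEKNonce   []byte
	Ciphertext []byte // object data encrypted under the DEK
	DataNonce  []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext under key with a fresh random nonce, authenticating aad too.
func aeadSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; it fails if key, nonce, aad or ciphertext were changed.
func aeadOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// NewKEK stands in for the customer generating a key inside their own HSM or KMS.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return kek, err
}

// Encrypt draws a one-off 256-bit DEK for this object, encrypts the data with it,
// wraps the DEK under the customer's KEK, and then lets the plaintext DEK go.
func Encrypt(kek []byte, keyID string, plaintext []byte) (*EnvelopedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dataNonce, ct, err := aeadSeal(dek, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := aeadSeal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &EnvelopedObject{KeyID: keyID, WrappedDEK: wrapped, DEKNonce: dekNonce, Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt must unwrap the DEK with the customer's KEK first. Once the customer rotates
// or withdraws that key, unwrapping fails and the stored ciphertext stays opaque.
func Decrypt(kek []byte, obj *EnvelopedObject) ([]byte, error) {
	dek, err := aeadOpen(kek, obj.DEKNonce, obj.WrappedDEK, []byte(obj.KeyID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong, rotated or revoked customer key")
	}
	return aeadOpen(dek, obj.DataNonce, obj.Ciphertext, []byte(obj.KeyID))
}

func main() {
	kek, _ := NewKEK() // customer-held; the provider only ever sees wrapped DEKs
	obj, err := Encrypt(kek, "customer-kek-2019-09", []byte("account=42 balance=100"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, obj)
	fmt.Printf("with customer KEK: %q err=%v\n", pt, err)
	revoked, _ := NewKEK() // any other key: the provider's position once the customer revokes access
	_, err = Decrypt(revoked, obj)
	fmt.Println("without customer KEK:", err)
}
```

Binding the key ID into both authentication tags as associated data means a wrapped DEK cannot be re-labelled as belonging to a different customer key without detection, and a per-object DEK keeps the blast radius of any single leaked data key to that one object.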
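Worked example for the answer above on securing applications before deployment (added here as an illustration; not code from the video or from IBM Cloud). It is the policy gate that sits between the image scan and the deploy step, written in Go: it parses a scanner report, blocks on CRITICAL findings and on HIGH findings that already have a fix, records unfixable HIGH findings as warnings to track, honours an explicit exception list, and fails closed if the report cannot be read. The report schema, the policy thresholds, the image reference and the EXAMPLE-* identifiers are all assumptions constructed for this example, not a real scanner's format or real advisories.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Vulnerability is one scanner finding. The field names are an assumption for this
// example, not any particular scanner's output schema.
type Vulnerability struct {
	ID           string `json:"id"`
	Package      string `json:"package"`
	Installed    string `json:"installed"`
	FixedVersion string `json:"fixed_version"` // empty when no fixed build exists yet
	Severity     string `json:"severity"`      // CRITICAL, HIGH, MEDIUM, LOW
}

type ScanReport struct {
	Image           string          `json:"image"` // identified by digest, not by tag
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// Policy is the deployment gate. Exceptions are vulnerability IDs security has
// explicitly accepted (a real system would also carry an expiry and a ticket).
type Policy struct {
	AlwaysBlock    map[string]bool // severities that block regardless of fix state
	BlockIfFixable map[string]bool // severities that block only once a fix exists
	Exceptions     map[string]bool
}

type Decision struct {
	Allowed  bool
	Blocking []string // findings that caused denial
	Warnings []string // findings to track, not block on: no fix is available yet
}

func DefaultPolicy() Policy {
	return Policy{
		AlwaysBlock:    map[string]bool{"CRITICAL": true},
		BlockIfFixable: map[string]bool{"HIGH": true},
		Exceptions:     map[string]bool{},
	}
}

func describe(v Vulnerability) string {
	fix := "no fix available"
	if v.FixedVersion != "" {
		fix = "fixed in " + v.FixedVersion
	}
	return fmt.Sprintf("%s %s in %s %s (%s)", strings.ToUpper(v.Severity), v.ID, v.Package, v.Installed, fix)
}

// Evaluate applies the policy, keeping the scanner's order so the output is stable.
func Evaluate(r ScanReport, p Policy) Decision {
	var d Decision
	for _, v := range r.Vulnerabilities {
		sev := strings.ToUpper(v.Severity)
		switch {
		case p.Exceptions[v.ID]:
			continue
		case p.AlwaysBlock[sev], p.BlockIfFixable[sev] && v.FixedVersion != "":
			d.Blocking = append(d.Blocking, describe(v))
		case p.BlockIfFixable[sev]:
			d.Warnings = append(d.Warnings, describe(v))
		}
	}
	d.Allowed = len(d.Blocking) == 0
	return d
}

// Gate parses raw scanner JSON and evaluates it. A report that cannot be parsed
// is a denial, never a pass: the gate fails closed.
func Gate(reportJSON []byte, p Policy) (Decision, error) {
	var r ScanReport
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return Decision{Allowed: false}, fmt.Errorf("unreadable scan report: %w", err)
	}
	return Evaluate(r, p), nil
}

// SampleReport is constructed for this example; the IDs and packages are placeholders.
const SampleReport = `{
  "image": "registry.example/app@sha256:0123",
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "package": "libfoo", "installed": "1.0.0", "fixed_version": "1.0.1", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0002", "package": "libbar", "installed": "2.3.0", "fixed_version": "2.3.4", "severity": "HIGH"},
    {"id": "EXAMPLE-0003", "package": "libbaz", "installed": "0.9.0", "fixed_version": "", "severity": "HIGH"},
    {"id": "EXAMPLE-0004", "package": "libqux", "installed": "5.1.0", "fixed_version": "5.1.1", "severity": "LOW"}
  ]
}`

func main() {
	d, err := Gate([]byte(SampleReport), DefaultPolicy())
	if err != nil {
		panic(err)
	}
	fmt.Printf("deploy allowed: %v\nblocking: %v\nwarnings: %v\n", d.Allowed, d.Blocking, d.Warnings)
}
```

The same Evaluate logic can run in CI against the freshly built image and again in an admission controller at deploy time, so an image that was clean when built but has since acquired a critical finding is caught before it is rolled out; remediation is then a rebuild from a fixed base, not a patch to a running container.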
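Worked example for the answer above on continuous security monitoring (added here as an illustration; not code from the video or from IBM Cloud). It runs two detections over audit-log events in Go: a burst of failed logins followed by a success for the same principal, and any successful action from outside the network where legitimate access is expected. The log schema, the rule thresholds, the 203.0.113.0/24 "corporate" range and the sample events are all assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
	"time"
)

// AuditEvent is one audit-log record; the field names are an assumption for this example.
type AuditEvent struct {
	TS        time.Time `json:"ts"`
	Principal string    `json:"principal"`
	Action    string    `json:"action"`
	Outcome   string    `json:"outcome"` // "success" or "failure"
	Src       string    `json:"src"`     // source IP
}

type Finding struct{ Rule, Principal, Detail string }

// Monitor holds the thresholds and the context (expected source network) that turn raw events into findings.
type Monitor struct {
	FailThreshold int           // failures within FailWindow that make a later success suspicious
	FailWindow    time.Duration
	AllowedNet    *net.IPNet    // where legitimate access is expected to originate
}

func DefaultMonitor() Monitor {
	_, corp, _ := net.ParseCIDR("203.0.113.0/24") // constructed corporate egress range
	return Monitor{FailThreshold: 3, FailWindow: 5 * time.Minute, AllowedNet: corp}
}

// ParseEvents reads newline-delimited JSON. A malformed line is an error, not skipped:
// a silently dropped audit record is exactly how activity gets missed.
func ParseEvents(logText string) ([]AuditEvent, error) {
	var events []AuditEvent
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		events = append(events, e)
	}
	return events, nil
}

// Analyze runs two rules over events in timestamp order: (1) a burst of failed logins
// followed by a success for the same principal, i.e. guessing that eventually worked;
// (2) any successful action whose source is outside the expected network.
func (m Monitor) Analyze(events []AuditEvent) []Finding {
	var out []Finding
	fails := map[string][]time.Time{} // per-principal timestamps of recent login failures
	for _, e := range events {
		switch {
		case e.Action == "login" && e.Outcome == "failure":
			fails[e.Principal] = append(fails[e.Principal], e.TS)
		case e.Action == "login" && e.Outcome == "success":
			n := 0
			for _, t := range fails[e.Principal] {
				if e.TS.Sub(t) <= m.FailWindow {
					n++
				}
			}
			if n >= m.FailThreshold {
				out = append(out, Finding{"login-after-failure-burst", e.Principal,
					fmt.Sprintf("%d failures within %s, then success from %s", n, m.FailWindow, e.Src)})
			}
			delete(fails, e.Principal) // a successful login resets the counter
		}
		if ip := net.ParseIP(e.Src); e.Outcome == "success" && (ip == nil || !m.AllowedNet.Contains(ip)) {
			out = append(out, Finding{"access-from-unexpected-network", e.Principal, e.Action + " from " + e.Src})
		}
	}
	return out
}

// SampleLog is constructed for this example (RFC 5737 documentation addresses).
const SampleLog = `
{"ts":"2019-09-27T10:00:00Z","principal":"alice","action":"login","outcome":"failure","src":"203.0.113.5"}
{"ts":"2019-09-27T10:00:20Z","principal":"alice","action":"login","outcome":"failure","src":"203.0.113.5"}
{"ts":"2019-09-27T10:00:40Z","principal":"alice","action":"login","outcome":"failure","src":"203.0.113.5"}
{"ts":"2019-09-27T10:01:00Z","principal":"alice","action":"login","outcome":"success","src":"203.0.113.5"}
{"ts":"2019-09-27T10:02:00Z","principal":"bob","action":"key.read","outcome":"success","src":"198.51.100.7"}
{"ts":"2019-09-27T10:04:00Z","principal":"dave","action":"login","outcome":"failure","src":"203.0.113.10"}
{"ts":"2019-09-27T10:04:30Z","principal":"dave","action":"login","outcome":"success","src":"203.0.113.10"}
`

func main() {
	events, err := ParseEvents(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DefaultMonitor().Analyze(events) {
		fmt.Printf("%-32s %-6s %s\n", f.Rule, f.Principal, f.Detail)
	}
}
```

Each finding names the rule, the principal and enough detail to act on, which is what turns raw log volume into actionable intelligence; in a real pipeline this output would feed an alerting or ticketing system rather than stdout, and dave's single failure followed by a success correctly produces nothing.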


Related Tags
Cloud Security, Shared Responsibility, Data Protection, PaaS, IaaS, SaaS, SecDevOps, Application Security, Encryption, Continuous Monitoring, Cloud Strategy, IBM Cloud