Security in the Cloud – CompTIA Security+ SY0-501 – 3.7

Now that our applications and data are in the cloud, how do we secure them? In this video, you’ll learn about cloud security, cloud access security brokers, security as a service, and more.



If you’re running an application infrastructure that is on premise, or on prem, all of your applications and all of the servers are going to be running in your data center. It’s inside of your building and you have complete control over everything that happens with those systems.

With a hosted environment, your servers are in a completely different building, and often, they’re not even your servers. The hardware itself is owned by someone else. Usually, this is in a hosted data center or some other kind of specialized computing environment.

And with a cloud-based infrastructure, you can create application instances any time you’d like, and tear them down when you don’t need them any longer. This allows you to maximize the resources so that they’ll run best for your application, and you don’t have to pay for extra time or extra hosting when you don’t need those resources to be available.

Another popular type of cloud service is cloud storage. This is where we can put our data into the cloud, and it’s available anywhere we happen to be located. And we can access it with any of the devices that we would normally use. If you connect to the internet, you’ll then have access to all of the data that you have in cloud storage.

This is something in the enterprise that integrates with your existing authentication. So someone could use their normal Windows credentials to log into the enterprise network, and those would be the exact same credentials that would allow them to access the data that’s in cloud storage. This can also be integrated with two-factor authentication, to provide even more security for people that are connecting to these cloud storage repositories.

Because this cloud storage system is not one that’s under your direct control, it then becomes even more important to make sure that all of the information you’re storing there remains confidential to you. It’s very common, then, to use some very strong encryption, to make sure that all of the data that’s being stored is going to be as safe as possible.

With VDI, or a Virtual Desktop Infrastructure, you’re running applications in the cloud or in a data center, and you’re running as little of the application as possible on the local device. This virtualization of a user’s desktop is sometimes called VDE, or Virtual Desktop Environment.

This puts all of the computing power in the data center or in the cloud. What the end user sees is really a virtual desktop. All of the work is really happening in this centralized environment. This means that the client’s workstation has relatively small computing requirements, and the operating system that’s running on the client is less important, as long as it can run the software required to connect to this virtual desktop infrastructure.

Security professionals like VDI because it makes security a lot more centralized. All of the data and applications are in the data center or in a centralized cloud infrastructure. If you need to make any changes, you make them in one single central place, and all of the virtual desktops are able to take advantage of those changes. And all of the data and all of the applications never leave the data center, making it that much more of a secure application environment.

As more applications are moving to the cloud, it becomes a lot more difficult to provide the same level of security. If the clients are working, but the data is in the cloud, how do you manage to keep everything secure?

Most organizations have a well-defined set of security policies. So the goal is to take those security policies, that worked well with your local applications, and apply them to all of your cloud-based applications as well. You can do this by integrating a cloud access security broker, or CASB. This could be integrated as client software, it can be local appliances that run on your network, or it can be based in the cloud itself.

Now you can take your normal security policies and apply them to these cloud-based applications. These CASBs can provide visibility, so you can see exactly what cloud-based applications are in use, and you can see which users are using which applications. You can also check to see if a user is indeed authorized to use that cloud-based app.

Many environments also have regulations and compliance requirements that must be considered, so using a CASB, you can determine if the users and the data are complying with HIPAA, with PCI, or any other type of compliance. Since our app is in the cloud, we also need threat prevention in the cloud, and the CASB is able to allow us to manage which users are authorized to use the app and what type of access may be unauthorized.

And our cloud access security broker can also allow us to set policies on the type of data that’s exchanged. We may want to ensure that all of the data going across the network is encrypted, and you can implement and require the use of data loss prevention, to make sure that no personally identifiable information is being transferred over the network.
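As an added illustration (not code from the original video or from any CASB product), the following Python sketch applies the CASB checks described above to a constructed batch of proxied cloud requests: visibility of unsanctioned apps, per-app user authorization, encryption in transit, and a simple DLP rule for personally identifiable information. The app names, user names, policy tables and sample events are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed CASB policy (hypothetical names): which cloud apps are sanctioned
# and which users may use each of them.
SANCTIONED_APPS = {"corp-storage", "crm-suite"}
AUTHORIZED_USERS = {"corp-storage": {"alice", "bob"}, "crm-suite": {"alice"}}
# Minimal DLP pattern for the example: a US Social Security Number shape.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Finding:
    user: str
    app: str
    rule: str


def evaluate(event: dict) -> List[Finding]:
    """Apply the CASB policies from the text to one proxied cloud request."""
    findings = []
    user, app = event["user"], event["app"]
    if app not in SANCTIONED_APPS:            # visibility: shadow IT
        findings.append(Finding(user, app, "unsanctioned-app"))
    elif user not in AUTHORIZED_USERS.get(app, set()):  # authorization
        findings.append(Finding(user, app, "unauthorized-user"))
    if event["scheme"] != "https":            # require encryption in transit
        findings.append(Finding(user, app, "unencrypted-transfer"))
    if event["action"] == "upload" and SSN_RE.search(event.get("payload", "")):
        findings.append(Finding(user, app, "dlp-pii"))  # DLP on outbound data
    return findings


def evaluate_log(events) -> List[Finding]:
    out = []
    for e in events:
        out.extend(evaluate(e))
    return out


# Constructed sample of proxy events, as a CASB would observe them (not real traffic).
SAMPLE_EVENTS = [
    {"user": "alice", "app": "corp-storage", "scheme": "https", "action": "upload", "payload": "quarterly report"},
    {"user": "bob", "app": "crm-suite", "scheme": "https", "action": "download", "payload": ""},
    {"user": "carol", "app": "personal-share", "scheme": "http", "action": "upload", "payload": "customer SSN 123-45-6789"},
    {"user": "alice", "app": "corp-storage", "scheme": "https", "action": "upload", "payload": "ssn 987-65-4321 attached"},
]

if __name__ == "__main__":
    for f in evaluate_log(SAMPLE_EVENTS):
        print(f"{f.rule}: user={f.user} app={f.app}")
```

A real CASB would source the sanctioned-app list and authorization map from the organization's identity provider and policy store rather than from constants.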

If we’re moving all of our applications to the cloud, we should also think about moving all of our security technologies to the cloud. And you can do that with security as a service.

Instead of having your own firewalls, and intrusion prevention systems, and data loss prevention devices, you can have all of those moved into the cloud. So you pay only for what you use, and you can scale it up and scale it down as needed.

These security as a service devices can sit in the cloud, between you and the rest of the internet, so they can constantly monitor all the traffic going back and forth between your organization and the rest of the world. This also means that you’re able to react to problems very quickly, because you’re able to make one change in the cloud and update anti-virus, anti-malware, intrusion prevention signatures, or anything else that may allow you to stop any of these unknown threats.