Within a few years, all solutions and applications will be shifted from on-premises environments to the cloud. Merely transferring servers to the cloud does not enhance the security of the applications. This is because cloud service providers (CSP) follow a shared responsibility model, where the responsibility for the security “of the cloud” lies with the cloud providers and the responsibility for the security “in the cloud” falls on the customers. According to research, user misconfigurations are responsible for 95% of security breaches in the cloud. The security of the cloud platform relies heavily on how consumers configure and utilize it.
A recent book, entitled Analyzing and Mitigating Security Risks in Cloud Computing, has been published by a team of cybersecurity researchers in IGI Global. Its objective is to guide organizations in dealing with their apprehensions regarding security, privacy, and trust in cloud environments.
“Most of the cloud security breaches occur due to insufficient identity, credentials, access and key management, insecurely exposed interfaces and APIs, insecure software development, misconfigurations, and exploitation of serverless & container workloads, “says Prathibha Muraleedhara, cyber security researcher and author of the chapter Threat Modeling and Risk Analysis for Cloud Deployments.
In this chapter, the researcher highlights the different types of security breaches and attacks that occur due to human errors and misconfigurations in the cloud environment. She explains in detail the Cloud Architecture Threat Modeling methodology by assessing the architecture of an application hosted in the AWS cloud.
The described methodology includes critical Threat Modeling phases like preparing architecture diagrams, organization asset classification, vulnerability and threat identification, vulnerability severity risk analysis, and planning of remediation. This would help organizations in creating their asset inventory, understand their threat landscape, and take proactive security measures to prevent security breaches.
The research and the book chapters intend to highlight the importance of educating cloud customers regarding the cloud threat landscape and the security risks involved. It also provides details methodology and tools that organizations can use to protect their cloud space.
The latter chapter offers several recommendations that can be advantageous for readers, particularly with regard to securing cloud services. These suggestions encompass using IAM roles for authenticating connections between services, instead of relying on static passwords and hardcoding them in application config files. It mentions utilizing Secrets Manager and key vaults to protect credentials, certificates, and secrets, along with KMS for key management. Other recommendations include encrypting data both in transit and at rest, enabling instance-level encryption for services such as S3, lambda, and EFS, using SSM agents rather than exposing SSH ports externally, implementing least privilege policies for creating IAM roles and users, and setting up VPN peering and direct connect security policies. Customers must install security agents on virtual machines, implement WAF to safeguard against web-based security threats, and ensure sufficient logging and monitoring via cloud services like CloudWatch and CloudTrail.
“It is important for organizations to evaluate the cloud architectures and designs early in the process, so that if any security threats are identified the architecture can be updated with additional security controls. Thus, it is crucial to perform Threat Modeling to assess your application cloud architectures,” Muraleedhara said.
Organizations must realize the severity of the damage that can be caused by these security breaches and proactively take appropriate precautionary measures. They must prioritize and clearly define and execute security programs that include a Secure Development Life Cycle (SDLC), Threat Modeling, Security Architecture Reviews, and Risk Assessments. The book provides a comprehensive approach to fill the knowledge gap and equip professionals at all levels with the necessary skills, ranging from grasping the basics of cloud computing to tackling emerging trends and establishing strong security measures.
“The research addresses the very challenges that organizations face in securing their cloud infrastructures. With a focus on real-world examples, case studies, and industry best practices, the book equips its readers with actionable insights and tools to fortify their cloud security posture,” Muraleedhara added.
Those interested in the book, Analyzing and Mitigating Security Risks in Cloud Computing, can secure it on IGI Global.