Topics In Demand
Notification
New

No notification found.

Cloud Security Framework: A layered approach to secured by design
Cloud Security Framework: A layered approach to secured by design

409

0

Cloud Security framework employs a series of mechanisms to slow the advance an attack aimed at unauthorized access to information in the cloud environment. Each layer provides a mechanism such that if one layer is breached, a subsequent layer is already in place to prevent further exposure.

Cloud platforms applies a layered approach to security, both in its physical datacenters and across cloud services. The objective of cloud security framework is to protect information and prevent it from being accessed un-authorized entities. The common principles that help define a security posture are confidentiality, integrity, and availability.

  • Confidentiality: The principle of least privilege restricts access to information only to individuals explicitly granted access. This information includes protection of user passwords, remote access certificates, and email content.
  • Availability: Ensure that services are available to authorized users. Denial-of-service attacks are a common cause of loss of availability to users. Natural disasters also drive system design to prevent single points of failure and deploy multiple instances of an application to geo-dispersed locations.
  • Integrity: The goal is to prevent unauthorized changes to information at rest or in transit. A common approach used in data transmission is for the sender to create a unique fingerprint of the data by using a one-way hashing algorithm. The hash is sent to the receiver along with the data. The receiver recalculates the data's hash and compares it to the original to ensure that the data wasn't lost or modified in transit.

Layers of secured by design

Secured by design is a set of concentric tiers, with the data to be secured at the center. This approach removes reliance on any single layer. It also acts to slow down an attack and provide alert telemetry that can be acted upon, either automatically or manually.

#

Tiers

Example

Principle

1

Data

Data encryption at rest in Blob Storage

Integrity

2

Application

SSL/TLS encrypted sessions

Integrity

3

Compute

Regular application of OS and layered software patches

Availability

4

Network

Network security rules

Confidentiality

5

Perimeter

DDoS protection

Availability

6

Identity and access

Active Directory user authentication

Integrity

7

Physical security

Datacenter biometric access controls

Confidentiality

 

Here's a brief overview of the role of each layer:

  • The data layer secures access to business and customer data.
  • The application layer ensures that applications are secure and free of security vulnerabilities.
  • The compute layer secures access to virtual machines.
  • The network layer limits communication between resources through segmentation and access control.
  • The perimeter layer uses distributed denial of service (DDoS) mechanism to filter large-scale attacks before they can cause a denial of service for users.
  • The identity and access layer controls access to the infrastructure and change control.
  • The physical security layer secures the computing hardware in the datacenter.

 

These layers provide a guideline for you to help make security configuration decisions in all layers of your cloud applications. Cloud platform provides security tools and features at every level of the secured by design concept.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
Sameer Paradkar
Enterprise Architect - Modernization Domain

Software Architect, Author & Speaker

© Copyright nasscom. All Rights Reserved.