3.6 Cybersecurity Solutions for Cloud
Cloud Security Controls
AZ (availability zone) - physically isolated locations (one or more data centers) within a cloud region; deploying a service across several AZs keeps it available when one zone fails
IAM (identity and access management) - defines who gets access (identities) and what they get access to (resources and actions) - map job functions to roles, combine users into groups and attach roles to the groups, so each role carries only the permissions its job function needs (least privilege)
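The role mapping described above, worked through as an added example (not code from the original page or from any cloud provider's IAM). Job functions become roles, roles hold Allow/Deny statements over actions and resources, and users receive roles only through group membership; the evaluator applies the usual cloud IAM order of explicit Deny, then explicit Allow, then implicit Deny. All users, groups, roles, action names and resource paths below are constructed for the illustration.

```python
"""Role-based IAM evaluation, as an added illustration of the control above.

Job functions map to roles, roles carry Allow/Deny statements over actions and
resources, and users get roles only through group membership.  Evaluation
follows the usual cloud IAM rule: explicit Deny beats explicit Allow, and
anything not explicitly allowed is denied.  All users, roles, actions and
resource names below are constructed for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Statement:
    effect: str        # "Allow" or "Deny"
    actions: tuple     # glob patterns such as "storage:Get*"
    resources: tuple   # glob patterns such as "bucket/finance/*"


# One role per job function (constructed).
ROLES = {
    "storage-reader": [
        Statement("Allow", ("storage:Get*", "storage:List*"), ("bucket/*",)),
    ],
    "finance-writer": [
        Statement("Allow", ("storage:Put*", "storage:Delete*"),
                  ("bucket/finance/*", "bucket/prod/*")),
    ],
    # Guard-rail role: nobody in the group may delete production data,
    # even though finance-writer would otherwise allow it.
    "no-prod-delete": [
        Statement("Deny", ("storage:Delete*",), ("bucket/prod/*",)),
    ],
}

# Groups bundle roles; users are placed in groups rather than given roles directly.
GROUPS = {
    "analysts": ["storage-reader"],
    "finance-team": ["storage-reader", "finance-writer", "no-prod-delete"],
}

USERS = {
    "alice": ["analysts"],
    "bob": ["finance-team"],
    "eve": [],            # no group membership: implicitly denied everything
}


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(user, action, resource):
    """Explicit Deny > explicit Allow > implicit Deny."""
    allowed = False
    for group in USERS.get(user, []):
        for role in GROUPS.get(group, []):
            for st in ROLES[role]:
                if _matches(st.actions, action) and _matches(st.resources, resource):
                    if st.effect == "Deny":
                        return False       # a matching Deny ends evaluation
                    allowed = True
    return allowed


def effective_access(user, action, resources):
    """Least-privilege review helper: which of the resources can this user act on?"""
    return [r for r in resources if is_allowed(user, action, r)]
```

The `no-prod-delete` role shows why a Deny statement is the right tool for a guard rail: it wins regardless of how many Allow statements other roles in the same group contribute, and `effective_access` is the kind of check a reviewer runs to confirm a group's real reach before widening a role.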
Securing Cloud Storage
Data stored in a public cloud is not necessarily public data: the provider's access controls limit it to the users the owner authorizes.
Controls: permissions (who may read or write each bucket or object), encryption (at rest and in transit), replication (copies in another zone or region for availability and durability)
Securing Cloud Networks
Virtual networks - a cloud contains virtual devices such as servers, databases, storage devices, routers, and switches - a virtual device is configured much like its physical counterpart, so the same hardening rules (and the same misconfigurations) apply
Segmentation - separate VPCs, containers, and microservices so that a compromise of one does not reach the others - keep the data tier separate from the application tier
Securing Compute Clouds
VPC endpoint - lets a private cloud subnet reach other cloud services (storage, for example) over the provider's network rather than the internet, so private resources stay private and the subnet needs no internet connectivity at all
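The storage controls (permissions, encryption, replication) and the private-subnet rule just stated are the kind of thing a posture check enforces. Below is an added example of such a check (not code from the original page or from any provider's tooling): it walks a constructed inventory in a normalized shape and reports buckets that are publicly reachable, unencrypted or unreplicated, and private subnets that route to an internet gateway or lack a VPC endpoint route. The inventory, its field names (`public_access_block`, `policy_principals`, `route_table`, the `igw-`/`vpce-` target prefixes) and the resource names are assumptions made for the illustration.

```python
"""Posture checks for cloud storage and private-subnet networking (added example).

The inventory below is constructed; its field names are assumptions for this
example, chosen to resemble what a cloud API returns after normalisation.
Each check returns a list of finding strings; an empty list means clean.
"""

INVENTORY = {
    "buckets": [
        {"name": "finance-reports", "public_access_block": True,
         "encryption": "kms", "replication_region": "eu-west-1",
         "policy_principals": ["role/finance-writer"]},
        {"name": "marketing-assets", "public_access_block": False,
         "encryption": None, "replication_region": None,
         "policy_principals": ["*"]},
    ],
    "subnets": [
        {"name": "app-private", "route_table": "rt-private", "map_public_ip": False},
        {"name": "app-leaky", "route_table": "rt-leaky", "map_public_ip": True},
    ],
    "route_tables": {
        # A gateway endpoint shows up as a route whose target is the endpoint id.
        "rt-private": [{"dest": "10.0.0.0/16", "target": "local"},
                       {"dest": "pl-storage", "target": "vpce-0a1b"}],
        "rt-leaky":   [{"dest": "10.0.0.0/16", "target": "local"},
                       {"dest": "0.0.0.0/0", "target": "igw-1234"}],
    },
}


def audit_bucket(b):
    """Permissions, encryption, replication: the three storage controls."""
    findings = []
    if "*" in b["policy_principals"]:
        if b["public_access_block"]:
            findings.append(f"{b['name']}: wildcard principal in policy (currently "
                            "blocked by the public-access block; remove it anyway)")
        else:
            findings.append(f"{b['name']}: PUBLIC - wildcard principal and no public-access block")
    if not b["encryption"]:
        findings.append(f"{b['name']}: no server-side encryption at rest")
    if not b["replication_region"]:
        findings.append(f"{b['name']}: no cross-region replication (single-region durability)")
    return findings


def audit_private_subnet(subnet, route_tables):
    """A private subnet reaches cloud services only via a VPC endpoint, never an internet gateway."""
    findings = []
    routes = route_tables[subnet["route_table"]]
    if subnet["map_public_ip"]:
        findings.append(f"{subnet['name']}: auto-assigns public IPs to instances")
    if any(r["target"].startswith("igw-") for r in routes):
        findings.append(f"{subnet['name']}: route to an internet gateway")
    if not any(r["target"].startswith("vpce-") for r in routes):
        findings.append(f"{subnet['name']}: no VPC endpoint route; service traffic "
                        "would need internet egress")
    return findings


def run_audit(inv=INVENTORY):
    findings = []
    for b in inv["buckets"]:
        findings += audit_bucket(b)
    for s in inv["subnets"]:
        findings += audit_private_subnet(s, inv["route_tables"])
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

The public-access check is split in two on purpose: a provider-level public-access block overrides a wildcard principal in the bucket policy, so the wildcard is a latent finding rather than an exposure until somebody turns the block off, and the report should say which of the two it is.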
Cloud Security Solutions
CASB (cloud access security broker) - a security policy enforcement point that sits between cloud service users and cloud service providers, monitors all activity, and enforces security policies; used to extend an organization's on-premises security controls to the cloud. Key characteristics:
- visibility - what cloud services are being used, by whom, and how
- compliance - compliance with regulations and corporate security policies, ensuring that data in the cloud is handled properly
- threat prevention - monitoring for and responding to suspicious activity and malware in cloud services
- data security - encryption, tokenization, and access control to protect sensitive data in the cloud
Next-Gen Secure Web Gateway (SWG) - a content filter that monitors traffic to and from web and cloud sources and uses that granular visibility to enforce acceptable use policies - it not only blocks malicious web traffic but inspects both cloud and web traffic - it examines application API calls, JSON payloads, and similar content rather than just URLs and domains
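An added example of the CASB and SWG behaviour described above (not code from the original page or from any vendor's product): a small enforcement point that takes proxy records for outbound requests, reports which cloud services are in use and by whom (visibility), blocks unsanctioned or unknown services (compliance, shadow IT), and inspects JSON upload bodies for card numbers, tokenizing them before the upload reaches a sanctioned service (data security). The sanctioned/unsanctioned host lists, the users and the log records are constructed; the Luhn check keeps 16-digit order IDs from being flagged, and the hash-based `tokenize` stands in for a real token vault.

```python
"""CASB / secure web gateway style policy enforcement, as an added example.

Each constructed record is one outbound request seen by a forward proxy:
user, destination host, HTTP method and (for uploads) the request body.
Hosts, service names, users and records are constructed for the example.
"""
import hashlib
import json
import re

SANCTIONED = {"files.corp-drive.example": "corp-drive", "api.crm.example": "crm"}
UNSANCTIONED_KNOWN = {"pastebin.example": "pastebin", "personal-cloud.example": "personal-cloud"}

PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # card-number-shaped digit runs


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Card-shaped numbers that also pass Luhn; cuts false positives on IDs and timestamps."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def tokenize(digits):
    """Stand-in for a token vault: a real CASB maps a random token to the PAN server-side."""
    return "tok_" + hashlib.sha256(digits.encode()).hexdigest()[:12]


def scrub_text(text):
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return tokenize(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)


def walk_json(obj, fn):
    """Apply fn to every string leaf of a parsed JSON document."""
    if isinstance(obj, dict):
        return {k: walk_json(v, fn) for k, v in obj.items()}
    if isinstance(obj, list):
        return [walk_json(v, fn) for v in obj]
    return fn(obj) if isinstance(obj, str) else obj


def enforce(record):
    """Return (action, reason, body) for one proxy record."""
    host, body = record["host"], record.get("body")
    if host in UNSANCTIONED_KNOWN:
        return "block", f"unsanctioned cloud service {UNSANCTIONED_KNOWN[host]}", body
    if host not in SANCTIONED:
        return "block", f"unknown service {host} (shadow IT: review before sanctioning)", body
    service = SANCTIONED[host]
    if record["method"] in ("POST", "PUT") and body:
        try:
            data = json.loads(body)
        except ValueError:
            # Opaque upload: cannot tokenize field by field, so block if card data is present.
            if find_pans(body):
                return "block", f"non-JSON upload to {service} contains card data", body
            return "allow", f"sanctioned service {service}", body
        pans = find_pans(json.dumps(data))
        if pans:
            cleaned = json.dumps(walk_json(data, scrub_text))
            return "tokenize", f"{len(pans)} card number(s) tokenized before upload to {service}", cleaned
    return "allow", f"sanctioned service {service}", body


def usage_report(records):
    """Visibility: which cloud services are in use and by whom."""
    report = {}
    for r in records:
        service = SANCTIONED.get(r["host"]) or UNSANCTIONED_KNOWN.get(r["host"]) or r["host"]
        report.setdefault(service, set()).add(r["user"])
    return report


# Constructed proxy records for the example.
RECORDS = [
    {"user": "alice", "host": "files.corp-drive.example", "method": "GET", "body": None},
    {"user": "bob", "host": "pastebin.example", "method": "POST", "body": '{"text": "config dump"}'},
    {"user": "carol", "host": "api.crm.example", "method": "POST",
     "body": '{"customer": "ACME", "order_id": "1234567890123456", "card": "4111-1111-1111-1111"}'},
    {"user": "dave", "host": "new-ai-notes.example", "method": "POST", "body": '{"note": "q3 plan"}'},
]

if __name__ == "__main__":
    for r in RECORDS:
        print(r["user"], r["host"], *enforce(r)[:2])
    print(usage_report(RECORDS))
```

The order-ID in carol's record is the case that separates a content-aware gateway from a pattern matcher: it is sixteen digits but fails Luhn, so it passes through untouched while the card field is replaced; blocking on digit shape alone would break legitimate API traffic and train users to route around the control.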