Cloud Computing | Barikat Siber Güvenlik

17/07/2023

Cloud computing is a model that allows continuous, on-request access from any location, under suitable conditions, to a common pool of configurable information resources. It has many advantages, such as lower cost, flexibility, energy saving, resource sharing and faster distribution. However, centralizing data gives attackers a one-stop point at which to steal data and to stop data in motion. As a result, concerns about scalability, security, privacy and efficiency stand as obstacles to large-scale adoption of cloud computing technology by consumers.

Obstacles concerning security should be resolved via applications of regulations and technologies that need to be adopted within the cloud computing concept before the transfer of data to the cloud.

Criteria such as service legitimacy, implementation of risk and crisis management awareness, and periodic security checks shall be audited before picking a cloud computing service provider.

What is Cloud Security?

According to NIST Special Publication 800-145, The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology, cloud computing is a model for enabling ready-to-use, convenient, on-demand network access to a shared pool of configurable computing resources that can be quickly implemented and released with minimal management effort or service provider interaction.

This definition implies that cloud computing data processing centers and facilities can be accessed consistently and from all locations. The aim of centralized cloud security is to send push notifications to CT teams concerning common threats. Such a proactive approach aims to protect organizations from disruptive DDoS attacks and from more serious threats such as data breaches. Before putting any cloud security strategy into effect, security teams should assess all cloud checks and decide whether they are centralized or not.

Advantages of Centralized Cloud Security

Centralized cloud security offers many advantages in managing threats against data security and in protecting critical data and networks.

Intrusion Prevention

Intrusion prevention is a security approach used to detect potential threats and respond to them immediately. The main function of intrusion prevention systems is to detect suspicious activities, analyze the data related to them, and use this data to avoid attacks. Thanks to intrusion prevention systems, attackers can be stopped before they access the cloud system and cause harm.

Load Balancing

Load balancing also plays an important role in cloud security. The off-loading feature of a load balancer protects organizations against DDoS attacks. Load balancers also help prevent attacks by moving malicious traffic from the organization's host to a public cloud host.

Data Loss Prevention (DLP)

DLP solutions in centralized security spaces ensure that data is accessed only by authorized apps and that all data in the cloud is encrypted. Cloud DLP solutions can remove or change critical data before it is shared, in order to protect it while it is transferred.
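The "remove or change critical data before it is shared" step can be sketched as follows. This is an added example, not code from the article or from any DLP product; it assumes the critical data are Turkish national ID numbers (TCKN) and payment card numbers, and it validates each candidate's checksum so that look-alike numbers such as order references are left untouched.

```python
import re

# Candidates: 11-digit Turkish ID numbers (TCKN) and 13-19 digit card numbers
# written with optional space or hyphen separators. (Assumed data types.)
TCKN_RE = re.compile(r"(?<!\d)[1-9]\d{10}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def valid_tckn(raw):
    """TCKN checksum: digits 10 and 11 are derived from the preceding digits."""
    d = [int(c) for c in raw]
    odd, even = sum(d[0:9:2]), sum(d[1:8:2])
    return (odd * 7 - even) % 10 == d[9] and sum(d[:10]) % 10 == d[10]

def valid_luhn(raw):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed([c for c in raw if c.isdigit()])):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def redact(text):
    """Mask checksum-valid identifiers; return (clean_text, counts per kind)."""
    counts = {}

    def masker(kind, is_valid):
        def repl(match):
            if not is_valid(match.group(0)):
                return match.group(0)  # looks similar but fails the checksum
            counts[kind] = counts.get(kind, 0) + 1
            return f"[REDACTED-{kind}]"
        return repl

    text = CARD_RE.sub(masker("CARD", valid_luhn), text)
    text = TCKN_RE.sub(masker("TCKN", valid_tckn), text)
    return text, counts

# Constructed sample: well-known test values plus two look-alikes that fail.
SAMPLE = ("Customer 10000000146 paid with card 4111 1111 1111 1111; "
          "order ref 12345678901, tracking 4111 1111 1111 1112.")

if __name__ == "__main__":
    clean, found = redact(SAMPLE)
    print(clean)
    print(found)
```

The counts returned alongside the cleaned text are what a DLP gateway would log or alert on; the original values should not be written to that log.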

Advanced Threat Protection (ATP)

ATP describes the category of security tools that protect critical data against complex malicious software and sophisticated attacks. ATP solutions may be used as a managed service or as software. Each solution has its own components and approach. Nevertheless, most ATP solutions combine a centralized administrative console, email network gateways, network devices, endpoint agents and malicious software protection systems in order to manage defense and correlate alerts.

Characteristics of Cloud Computing

According to its official definition, cloud computing has five main characteristics: resource pooling, wide area network, ubiquitous elasticity, on-demand self-service and scalable service.

1. Shared Resources: Resources such as clients, hosts, networks, storage, memory, and processing can be shared all at once. Vendors may allocate resources dynamically as demand fluctuates. The customer remains fully detached from the physical location of these services.
2. Wide Area Network: The cloud is accessed over the wide area network from any device, through the internet.
3. Elasticity: The cloud is elastic and configurable. To customers, resources appear unlimited.
4. On Demand Self-Service: Any customer is able to configure the cloud automatically when necessary, without intervention from service technicians. Customers make their own decisions on timing, on data processing power and on the required storage space.
5. Scalable Service: Different cloud services can be measured by using different metrics. Detailed utilization reports are kept to protect the rights of customers and providers.

Types of Cloud Service

Software as a Service (SaaS)

It is the type of cloud service in which the service provider develops and protects the cloud application, provides automatic updates and offers a pay-as-you-use option over the internet.

Platform as a Service (PaaS)

Platform as a Service gives customers access to the developer tools they need and enables mobile or app software management without investing in or maintaining the existing infrastructure. By resolving their need for infrastructure (usually hardware and operating systems), PaaS enables organizations to focus on distribution, application, and administration.

Infrastructure as a Service (IaaS)

IaaS gives the customer access to infrastructure services whenever requested. It comprises the building blocks for cloud computing and in general provides access to computers (virtual or on dedicated hardware), data storage space and networking features.

The type of cloud service matters, because security precautions differ based on the required type of cloud service.

Cloud Computing Distribution Models

There are four different distribution models of cloud computing:

Private Cloud

Located within the company, on the internet and behind the firewall, these clouds are usually administered by the same organization that uses them. This model simply provides data processing service to certain users, with restrictions, on a private internal network.

Public Cloud

Public clouds are positioned on the internet, outside of the organizations and they are usually administered by the cloud service provider. Public cloud security level is lower compared to the private cloud option. Certain features can be used through resources that are rented via third-party companies without paying to emails.

Hybrid Cloud

This model shows up as a mixture of Public and Private Cloud Models. It contains all the features of both. Security and privacy concepts are in the frame.

Community Cloud

The Community Cloud concept describes the shared use of a service bought on the cloud with other companies and organizations. This model is a better fit for business owners who run more than one company.

Regulations and Standards Related to Cloud Computing

  • KVKK (Law on Protection of Personal Data) - Personal Data Security Guide (Technical and Administrative Measures) 3.4. Storage of Personal Data in the Cloud (2018)
  • Presidency Office of Digital Transformation – Information and Communication Guide – 4.3 Cloud Computing Security (2020)
  • ISO 27001 Information Security Management System and ISO 27002:2022 Information Security Controls
  • ISO/IEC 27017:2015 Information Technology - Security techniques - Cloud Services
  • NIST SP 800-210 General Access Control Guide for Cloud Systems
  • ISO 27017:2015 Guide to Information Security Controls for Cloud Systems
  • ISO 27018:2020 Personal Data Security Standard in Cloud Environments

Cloud Computing Security Within the Scope of KVKK (Law on Protection of Personal Data)

The KVKK (Law on Protection of Personal Data) Technical and Administrative Measures Guide sets out requirements and recommendations on what can be done to ensure security in cloud systems, which is one of the subjects data controllers ask about most:

  • Evaluation by the data controller of whether the security measures taken by the cloud storage service provider are also adequate and appropriate.
  • Detailed information about personal data stored on the cloud.
  • Personal Data Backup
  • Ensuring synchronization of related personal data
  • Implementation of two-stage authentication control so that the relevant personal data can be reached remotely when necessary.

Cloud Computing Security Within Presidency Digital Transformation Office Information and Communication Security (CB DDO BIG)

  • Article 3. Data belonging to public institutions and organizations will not be stored in cloud storage services, except for the institutions' own private systems or local service providers which are under the control of the institution.
  • The relevant article of the circular draws a framework regarding the use of cloud technology and aims to keep country related data in the country.
  • There is no ban imposed on the use of servers, hosts, or services from the local cloud services, provided that the data is stored in data centers within the country boundaries and security controls are provided while receiving cloud services.
  • “Enterprise control” refers to controls for data security such as personnel accessing cloud service systems and their authorization levels, whether servers are allocated to the institution, and monitoring of access and transaction logs.

Cloud Computing Security Within ISO 27002

Ensuring cloud security has become very important with clause 5.23, Information Security for Cloud Services Use, which is newly added to the updated ISO 27002 standard.

The following controls are expected to be defined for cloud services within the scope of the standard:

  • Determination of controls regarding service provider selection,
  • Identification of controls regarding the determination of roles and responsibilities concerning the cloud service usage,
  • Clarifying which security controls will be performed by the service provider and which by the Organization,
  • Determining the steps to be taken by the service provider and the Organization in Information Security incidents,
  • Identifying risks in the cloud service.

Author

Mehmet Emre ATEŞ

Secure Information Technologies Unit Manager
