4.1 Cloud Security Concepts
- Multi-tenancy: Multiple customers (tenants) share the same physical hardware; security relies on logical isolation to prevent cross-tenant data leakage.
- Virtualization Security: The hypervisor is the primary target. VM Escape (an attacker breaking out of a VM to the host) is the biggest risk.
- Data Outsourcing: Moving data to a third party. Security relies on Encryption and Trust Management (relying on the provider’s reputation and audits).
- Metadata Security: Protecting “data about data” (e.g., file names, sizes, permissions), which can reveal sensitive patterns if intercepted.
4.2 – 4.5 Cloud Risks
Cloud risks are typically categorized into four main domains:
| Risk Type | Description & Key Examples |
|---|---|
| Policy/Organizational | Vendor Lock-in (hard to switch), loss of governance, and inadequate due diligence. |
| Technical | Hypervisor vulnerabilities, insecure APIs, account hijacking, and “Noisy Neighbor” (resource exhaustion). |
| Legal | Data Sovereignty (data stored in countries with different laws), e-discovery issues, and regulatory non-compliance (GDPR, HIPAA). |
| Operational | Service outages, provider bankruptcy, and poor backup/disaster recovery. |
4.6 Data Security Technologies & Risks
- Encryption:
  - At Rest: Protecting data on disks (using AES-256).
  - In Transit: Protecting data moving over the network (using TLS; SSL is its deprecated predecessor).
- Masking & Tokenization: Replacing sensitive data (like credit card numbers) with non-sensitive placeholders (tokens); masking is irreversible, while tokenization keeps the original value in a separate vault.
- Data Loss Prevention (DLP): Tools that monitor and block sensitive data from being exfiltrated.
- Risks: Key management failure (losing encryption keys), improper deletion (data remnants), and unauthorized access.
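The three data controls above fit together in one pipeline: masking for display, a token vault so application databases never hold the real value, and a DLP check on outbound text. The block below is an added example, not part of the original notes; the card numbers, the in-memory vault and the `dlp_scan` helper are all constructed for illustration (a real vault is a separately secured store).

```python
"""Added example (not from the original notes): masking, vault-style
tokenization, and a DLP-style scan for card numbers leaving a system.
All card numbers used here are constructed test values, not real accounts."""
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the structural test DLP tools use to tell a card
    number apart from an arbitrary run of digits (order IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masking: irreversible, keeps only the last four digits for display."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Tokenization: the real value lives only in the vault; everything
    outside it stores the surrogate token. (Hypothetical in-memory vault,
    standing in for a separately secured, access-controlled store.)"""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:          # same PAN -> same token
            return self._pan_to_token[pan]
        while True:
            # Format-preserving surrogate: random digits + real last four,
            # so downstream fields and displays keep working.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject tokens that pass Luhn so a token can never be mistaken
            # for (or collide with) a real card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def dlp_scan(text: str) -> tuple[bool, str]:
    """DLP check on outbound content: find digit runs that look like card
    numbers, confirm with Luhn, and return (blocked, redacted_text)."""
    found = False

    def _redact(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found = True
            return mask_pan(digits)
        return m.group(0)           # digit run that fails Luhn is left alone

    redacted = _CANDIDATE.sub(_redact, text)
    return found, redacted


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")
    print("token:", token, "-> original:", vault.detokenize(token))
    print(dlp_scan("Customer card 4111 1111 1111 1111 attached"))
```

The Luhn rejection inside `tokenize` is the detail worth noticing: a token that happens to be a valid card number would be flagged by the same DLP scanner, and could collide with a real account in the vault.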
4.7 Digital Identity and Access Management (IAM)
IAM is the “bouncer” of the cloud. It ensures the right person has the right access at the right time.
- Authentication (AuthN): Verifying who you are (Passwords, MFA, Biometrics).
- Authorization (AuthZ): Verifying what you can do (Role-Based Access Control – RBAC).
- Single Sign-On (SSO): One set of credentials for multiple cloud apps.
- Privileged Access Management (PAM): Extra security for “Super-user” or Admin accounts.
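How AuthZ, PAM and the logical isolation from 4.1 combine in one deny-by-default check is easier to see in code than in definitions. This block is an added example, not from the original notes: the role table, the users and the `authorize` helper are constructed for illustration. It checks tenant isolation first, then RBAC, then a PAM-style MFA step-up for privileged actions.

```python
"""Added example (not from the original notes): a deny-by-default
authorization check combining RBAC (4.7), tenant isolation (4.1) and a
PAM-style step-up requirement for privileged actions. Roles, actions and
users are constructed for illustration."""
from dataclasses import dataclass, field

# Role -> permitted actions. Anything not listed is denied (least privilege).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
    "admin": frozenset({"read", "write", "delete", "manage_users"}),
}

# Actions treated as privileged: they additionally require a recent MFA check (PAM step-up).
PRIVILEGED_ACTIONS = frozenset({"delete", "manage_users"})


@dataclass
class User:
    name: str
    tenant_id: str
    roles: set[str] = field(default_factory=set)
    mfa_verified: bool = False      # set after a recent second-factor check


@dataclass
class Resource:
    resource_id: str
    tenant_id: str


def permitted_actions(user: User) -> frozenset[str]:
    """Union of permissions over the user's roles; unknown roles grant nothing."""
    perms: set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def authorize(user: User, action: str, resource: Resource) -> tuple[bool, str]:
    """Return (allowed, reason). Order matters: tenant isolation is checked
    before roles, so an admin in tenant A still cannot touch tenant B's data."""
    if user.tenant_id != resource.tenant_id:
        return False, "cross-tenant access denied"
    if action not in permitted_actions(user):
        return False, f"role(s) {sorted(user.roles)} do not grant '{action}'"
    if action in PRIVILEGED_ACTIONS and not user.mfa_verified:
        return False, "privileged action requires MFA step-up"
    return True, "allowed"


if __name__ == "__main__":
    admin = User("bob", "tenant-a", {"admin"})
    doc = Resource("doc-1", "tenant-a")
    print(authorize(admin, "delete", doc))          # denied until MFA step-up
    admin.mfa_verified = True
    print(authorize(admin, "delete", doc))          # allowed
    print(authorize(admin, "read", Resource("doc-9", "tenant-b")))  # cross-tenant: denied
```

The returned reason string is what you would write to an audit log; a denied cross-tenant request from a valid account is exactly the event an IAM detection rule should alert on.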
4.8 Content Level Security & SECaaS
- Content-Level Security: Security applied directly to the file/data itself rather than the network or server.
  - Pros: Security travels with the data; protection persists even if the cloud is breached.
  - Cons: High processing overhead; complex to manage keys for thousands of files.
- Security-as-a-Service (SECaaS): Outsourcing security to a cloud provider (e.g., Cloudflare, Okta).
  - Features: Scalable, cost-effective (OpEx), access to expert tools, and continuous updates against new threats.
Quick Recall Keywords for Exams:
- Shared Responsibility: Provider secures the “Cloud” (security of the cloud); Customer secures what they put “in the Cloud.”
- Least Privilege: Giving users only the minimum access they need to do their job.
- Data Residency: Physical location of data affects legal jurisdiction.
- Zero Trust: “Never trust, always verify” every request regardless of origin.