Cloud security controls
1. Cloud security controls
As a cloud security professional, you’ll work closely with different types of controls in your day-to-day tasks to keep your cloud environments secure. Let’s explore common types of cloud security controls, including preventative, detective, and corrective controls. It’s important to remember that there are different levels of security controls. Let’s explore this more. Security controls used at the service level are applied to storage, computing, and networking. Security controls used at the workload level are applied to a collection of resources or code that delivers business value, like a customer facing application. In a workload view, there is a set of services and a flow of data through a system to achieve an outcome. Security controls used at the platform level are applied to a common environment for running applications, like operating systems, programming languages, and runtime environments. Security control architecture and selection is driven by business needs. Although there are nearly unlimited cloud security controls, most cloud security controls fall into the following groups or domains: deterrent controls, which serve as a barrier to a potential attacker; preventative controls, which manage, strengthen and protect assets; corrective controls, which reduce the aftereffects of an attack; and detective controls, which identify or detect an attack. A deterrent control makes the effort of an attack greater than the reward. For example, a passphrase, which is more complex than a traditional password, is difficult and time consuming to crack. The added difficulty may deter an attacker. Deterrent controls are like a sign on a building indicating it has an alarm. The sign acts as a deterrent in hopes an intruder will not even attempt to break in. What if an attack comes from inside the company? An example of a deterrent control against an insider attack is a company-wide policy stating the appropriate use of company assets and the consequences of nonadherence. Another control group is preventative controls, which are put into place to help prevent an attack. For example, you write code that disables unnecessary ports to ensure there are less entry points for attackers reducing the attack surface. Another way to reduce attack surface and help prevent attacks is to maintain a strong user authentication system. Corrective controls are put in place to correct a change from the desired security posture. For example, a corrective control could be a piece of code that corrects or repairs damage after unwanted or unauthorized activity and then notifies administrators of this action. Corrective controls are like an alarm that automatically calls the police in the event of an intrusion. The role of detective controls is to continually monitor the environment to identify when an attack or unexpected event is happening. Detective controls are similar to an alarm going off when motion or sound is detected inside a building. Antivirus software and network or service monitoring are examples of detective controls. Even billing reports are detective because they can show unusual computer activity. A compensating control is a control to mitigate a risk that cannot be fully addressed by the organization's existing security controls. Compensating controls are measures that make other controls more effective. For example, a lock on a door handle can be made more effective by adding a deadbolt lock for stronger security. Compensating controls are usually used when the organization is unable to implement a specific control because of technical or business constraints. Compensating controls can also be a part of a defense-in-depth strategy, where additional controls are added to compensate for gaps in other control coverage. The PCI Security Standards Council, or SSC, provides guidelines that are helpful for creating and implementing compensating controls. The criteria that compensatory controls must fulfill are: it must meet the intent and rigor of the original requirement; the level of defense must be similar to that of the original required control; it addresses the remaining risk introduced because of nonfulfilment of the original requirement; and the security level should be equal to or higher than the PCI DSS requirements. As a cloud security analyst, you’ll need to be knowledgeable about the different types of security controls and how to implement them. Controls will help you to maintain a strong security posture for your organization.2. Let's practice!
Create Your Free Account
or
By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.