U2 lab™ - smart tech solutions / cybersecurity
Cloud Security
Protection of information stored in the digital environment or cloud architectures for the client organization.
It uses various cloud service providers like Amazon AWS, Google Cloud, Microsoft Azure, Oracle Cloud, etc., to ensure security against multiple threats.
Cloud Security
Cybersecurity discipline dedicated to securing cloud computing systems.
It includes keeping data private and secure across infrastructure, applications and online platforms.
Technology, protocols, and best practices that protect cloud computing environments, applications running in the cloud, and data stored in the cloud.
Securing these systems involves the efforts of cloud providers and the customers who use them, whether an individual, a small or medium-sized business, or an organization.
Cloud service providers host services on their servers over always-on internet connections.
Because their business depends on customer trust, providers use cloud security methods to keep customer data private and stored securely.
However, cloud security is also partially in the hands of the customer, who must focus above all on the proper configuration of the service and safe usage habits.
Categories
Data security: threat prevention; tools and technologies that allow providers and customers to insert barriers between access and visibility of sensitive data (encryption, VPN, etc.).
Identity and Access Management (IAM): access privileges offered to user accounts; authentication and authorization; restrict users (legitimate and malicious) from accessing and compromising sensitive data and systems; password management, multi-factor authentication, etc.
Governance: threat prevention, detection and mitigation policies; they can help track and prioritize threats to keep critical systems carefully monitored; they are mainly applied in business environments; they can be useful for any user.
Data Retention (DR) and Business Continuity (BC) Planning: technical disaster recovery measures in case of data loss; backups; technical systems to guarantee the continuity of operations.
Legal compliance: protection of user privacy; companies must follow regulations; data masking, which hides the identity within the data using encryption methods.
Scope
Physical networks: routers, electrical power, wiring, climate controls, etc.
Data storage: hard drives, etc.
Data servers: computer hardware and software on the core network.
Computer virtualization platforms: virtual machine software, host machines and guest machines.
Operating systems (OS): software that supports all computing functions.
Middleware: management of the application programming interface (API).
Execution environments: execution and maintenance of a running program.
Data: all information stored, modified and accessed.
Applications: traditional software services (email, tax software, productivity packages, etc.).
End-user hardware: computers, mobile devices, Internet of Things (IoT) devices, etc.
Types of Cloud Services
Core.
Software as a Service (SaaS) cloud services.
Platform as a Service (PaaS) cloud services.
Infrastructure as a Service (IaaS) cloud services.
Core
The core of any third-party cloud service involves the provider managing the physical network, data storage, data servers, and computer virtualization platforms.
The service is stored on the provider's servers and virtualized across its internally managed network to be delivered to customers for remote access.
This transfers the costs of hardware and other infrastructure to provide customers with access to their computing needs from anywhere through their internet connection.
Software as a Service (SaaS) Cloud Services
They provide customers with access to applications that are purely hosted and run on the provider's servers.
Providers: manage the applications, data, runtime, middleware, and operating system.
Clients: they are only responsible for obtaining and using the applications.
Examples: Google Drive, Slack, Salesforce, Microsoft 365, Cisco WebEx, etc.
Platform as a Service (PaaS) Cloud Services
They provide customers with a host to develop their own applications, which run within the customer's own sandbox space on the provider's servers.
Providers: manage the runtime, middleware, and operating system.
Clients: are responsible for managing their applications, data, user access, end-user devices, and end-user networks.
Examples: Google App Engine, Windows Azure, etc.
Infrastructure as a Service (IaaS) Cloud Services
They offer customers the hardware and remote connectivity platforms to host most of their computing tasks, including the operating system.
Providers: manage only the core cloud services.
Clients: are responsible for securing everything that is stacked on an operating system, including applications, data, runtimes, middleware, and the operating system itself; they must manage user access, end-user devices, and end-user networks.
Examples: Amazon Web Services (AWS), Microsoft Azure, Google Compute Engine (GCE), etc.
Types of Environments
Public cloud environments: comprised of multi-tenant cloud services in which a customer shares a provider's servers with other customers, much as tenants share an office building or workspace; third-party services run by the provider to give customers access through the web.
Third-party private cloud environments: are based on the use of a cloud service that provides the customer with exclusive use of their own cloud; they are typically owned by a third-party provider, and are managed and operated off-site.
Internal private cloud environments: these are also made up of single-tenant cloud service servers, but are operated from the company's own private data center; they are managed by the companies themselves to allow the complete configuration of each element.
Multi-cloud environments: include the use of two or more cloud services from independent providers; they can be any combination of public or private cloud services.
Hybrid cloud environments: these involve the use of a combination of a third-party private cloud or on-premise private cloud data center with one or more public clouds.
Risks
Cloud-based infrastructure risks: including incompatible legacy computing platforms and disruptions to third-party data storage services.
Internal threats: due to human error, such as misconfiguration of user access controls.
External threats: caused almost exclusively by malicious actors, through malware, phishing, and DDoS attacks.
Challenges
There is no perimeter: cybersecurity professionals must take a more data-centric approach.
Interconnection: security must reside in the cloud itself and not serve only to protect access to the data stored there.
Storage of data by third parties.
Access via internet.
Power failure: could lead to permanent data loss.
Importance
The introduction of cloud technology has forced everyone to reevaluate cybersecurity.
Data and applications can float between local and remote systems, and always be accessible over the internet.
Hence, protecting them is more difficult than when it was only a matter of preventing unwanted users from accessing a corporate network.
Cloud security requires adjusting some prior IT practices, but it has become more essential for two key reasons:
1. Convenience over safety.
2. Centralization and storage for multiple users.