Learning Cloud Security
Two main concepts to understand when learning cloud security are shared responsibility and blast radius.
Accept shared responsibility
One of the main concepts to understand is the shared responsibility model, which differs depending on which type of cloud you're talking about (infrastructure-, platform-, or software-as-a-service). Generally, this suggests that your cloud provider is responsible for security of the cloud, while you are responsible for security in (or on) the cloud.
Using a simple example of a cloud-hosted server (virtual machine or "instance"), your cloud provider takes responsibility for the security of the underlying hardware, network, and other infrastructure but expects you to secure the instance itself. Your cloud provider generally will not patch your cloud instances for you! The Center for Internet Security summarizes the shared responsibility model, and it's also addressed by providers including Amazon Web Services, Microsoft Azure, and Google Cloud.
Minimize blast radius
Much like traditional IT environments, one goal with cloud environments is to reduce the potential impact of a vulnerability or breach. Traditionally this might be done through network segmentation (perimeter ACLs, firewalls, etc.), and these controls do transfer to the cloud to some degree (VPCs, security groups). However, there are other elements to consider, including provider accounts and user identities.
For example, it may be sensible to have an application's production components deployed into a completely separate cloud provider account from development, staging, or other non-production components. In the event that a staging system is breached, the production environment is less likely to be at risk.
Blast radius is not just a security concept - it can extend to reliability as well. You can think of blast radius as the maximum impact that might be sustained in the event of a system failure or breach. To build reliable and secure systems, you want to minimize the blast radius of any individual component.
See AWS Multiple Account Security Strategy for one view on how this can be implemented.
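To make the account-separation idea concrete, here is an added example (not from the original article or any provider) that estimates blast radius as the set of workloads reachable from a compromised foothold, following cross-account role trusts transitively. The account layouts, workload names, and trust edges are constructed for illustration; an identity is assumed to reach everything inside its own account, since no intra-account segmentation is modelled.

```python
# Added example: estimate the "blast radius" of a compromised identity as the
# set of workloads reachable through account boundaries and cross-account role
# trusts. All layouts and trust edges below are constructed, not real.
from collections import deque


def blast_radius(layout, trusts, compromised_account):
    """Return the set of workloads reachable from a foothold in `compromised_account`.

    layout: dict account -> set of workload names hosted in that account.
    trusts: dict account -> set of accounts whose roles principals there may assume.
    Assumption: a principal inside an account can reach every workload in that
    account, plus everything in any account it can assume a role into (transitively).
    """
    seen, queue = {compromised_account}, deque([compromised_account])
    reached = set()
    while queue:
        acct = queue.popleft()
        reached |= layout.get(acct, set())          # everything hosted here is exposed
        for target in trusts.get(acct, set()):      # follow assumable roles outward
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return reached


# Layout 1 (constructed): production and staging share one account.
SINGLE_ACCOUNT = {"shared": {"prod-api", "prod-db", "staging-api", "staging-db"}}
SINGLE_TRUSTS = {}

# Layout 2 (constructed): production and staging in separate accounts; only a
# CI runner in a tooling account may assume deploy roles into each of them.
SPLIT_ACCOUNTS = {
    "prod": {"prod-api", "prod-db"},
    "staging": {"staging-api", "staging-db"},
    "tooling": {"ci-runner"},
}
# One-way trust: prod and staging trust tooling; they do not trust each other.
SPLIT_TRUSTS = {"tooling": {"prod", "staging"}}

if __name__ == "__main__":
    print("single account, staging foothold:",
          sorted(blast_radius(SINGLE_ACCOUNT, SINGLE_TRUSTS, "shared")))
    print("split accounts, staging foothold:",
          sorted(blast_radius(SPLIT_ACCOUNTS, SPLIT_TRUSTS, "staging")))
    print("split accounts, tooling foothold:",
          sorted(blast_radius(SPLIT_ACCOUNTS, SPLIT_TRUSTS, "tooling")))
```

The third case shows the trade-off: splitting accounts shrinks the blast radius of a staging compromise to staging alone, but any account that holds roles into both (here, the CI/CD tooling account) inherits the combined blast radius and needs correspondingly tighter protection.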
For concepts and guidance beyond the shared responsibility model, the Cloud Security Alliance is a great place to start, with content including their Security Guidance for Critical Areas of Focus in Cloud Computing and Cloud Controls Matrix.
Content from the National Institute of Standards and Technology tends to be somewhat evergreen as it covers concepts that remain valid for a longer period of time. Some examples include:
- SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing
- SP 800-146 Cloud Computing Synopsis and Recommendations
- SP 800-220 General Access Control Guidance for Cloud Systems
Looking for provider-specific content?
- Amazon Web Services provides a wide range of security learning content. Additionally, A Secure Cloud is an excellent third-party source on AWS security.
- Microsoft Azure's security fundamentals documentation covers cloud security principles and best practices.
- Google Cloud's Trust & security page links to a variety of resources.
Courses and tutorials
Amazon Web Services provides a free AWS Security Fundamentals online training which covers a range of topics including AWS access control, data encryption methods, and how network access to your AWS infrastructure can be secured.
Scott Piper of Summit Route created flAWS.cloud, an interactive tutorial that covers a common set of security mistakes that can be made when using AWS, how to exploit them, and more importantly how to avoid them. Once you're done with the original, flAWS2.cloud has separate attacker and defender sides to work through.