written by Kevin Klingbile || BHIS Staff

This article was originally published in the InfoSec Survival Guide: Green Book. Find it free online HERE or order your $1 physical copy on the Spearphish General Store.

Cloud Security is a combination of policies, controls, and technologies that an organization uses to protect cloud-based infrastructure, applications, and data.

Primary Providers

There are three primary cloud providers: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Security in these environments is managed through a shared responsibility model. This means that some aspects of security will be managed by the cloud provider while others will be managed by your selected cloud provider. An organization’s responsibility within the shared model will depend on the service types that are used.

Responsibility

On-Premises

You are responsible for everything from the physical security to the applications hosted.

Infrastructure as a Service (IaaS)

You don’t worry about the physical things or even the virtualization, but you are responsible for the operating system and everything else.

Platform as a Service (PaaS)

Split responsibility between you and the cloud provider. You could be responsible for the security of deployed resources such as databases, accounts, and/or the authentication method. There are usually checkboxes for you to manage the security and limited options within the management interface.

Software as a Service (SaaS)

There is no direct control and often few security options available for you to manage. (Although, you are always responsible for your data no matter where it goes.) You may have control over the vendors you choose and verify what security is offered.

Working Together

Overall, effective cloud security involves people working together to protect cloud-based assets from potential threats and vulnerabilities. This role requires a blend of technical expertise, strategic thinking, and proactive risk management to address the unique challenges posed by cloud computing. Technical expertise can include securing operating systems, networks, applications, Identity and Access Management (IAM), devices (mobile and PC), and data.

Tips

• Always require multi-factor authentication (MFA)
• Stay up to date, cloud changes often
• Misconfigurations can easily lead to a compromise
• Always consider standard security principles including least privilege and need-to-know
• Review the provider’s security recommendations at a minimum
• Use third-party resources to see beyond the cloud provider’s recommendations
• Review all menus and checkboxes for available security options
• Disable unused “features”
• Always look for a new attack surface after changes or new deployments

Trust no one. Constant vigilance.

Resources

General

Use the ATT&CK® Cloud Matrix to be aware of tactics and techniques that apply to cloud-based technologies.
https://attack.mitre.org/matrices/enterprise/cloud/

Use Center for Internet Security (CIS) cloud benchmarks to compare against your cloud configuration.
https://www.cisecurity.org/cis-benchmarks

Comprehensive security guidance for cloud environments.
https://cloudsecurityalliance.org/artifacts/security-guidance-v5

Tools for Defense

Cloud Auditing Tool — works on all major cloud platforms. Quickly gathers configuration settings and highlights areas of risk.
https://github.com/cyberark/Security-Cloud-Auditing-Tool

Post-Exploitation toolset using the Microsoft Graph API. Recon, persistence, and data theft.
https://github.com/dafthack/GraphRunner

Find gaps within Azure MFA requirements.
https://github.com/absolomb/FindMFAccess

BloodHound data collector, Microsoft Azure.
https://github.com/BloodHoundAD/AzureHound

Azure AD hacking and admin toolkit.
https://github.com/Gerenios/AADInternals

Cloud Security Courses

https://antisiphontraining.com/course-catalog

---

---

---

---