cloud Architectural Framework: the 4-pillars
1. Operational Excellence 2. Security, Privacy & Compliance 3. Reliability 4. Performance & Co$t Optimization
CLOUD SOLUTIONS: Governance, Risk and Compliance (GRC)
1. CLOUD IAM SERVICES:
Google Cloud Platform (GCP), Amazon Web Service (AWS) and Microsoft Azure Active Directory..
2. CLOUD SECURITY ALLIANCE & FRAMEWORKS:
Cloud Controls Matrix (CCM), NIST CSF & RMF, FISMA, FEDRAMP, ISO/ITIL, SOC1-2..
3. CLOUD AUTHENTICATION & AUTHORIZATION:
SAML, Kerberos, OAuth, LDAP, RADIUS..
Identity-access-management (authentication & authorization)
Identity Access Management (IAM)
1. Implementation of solution deployment initiatives to ensure that the proper identity and access management (IAM) protections are in place: Account Certification, MFA, PAM and Least Privilege Enforcement Verification.
2. Maintain the asset inventory register and ensure proper classification and categorization of assets.
3. Review and optimize existing controls.
4. Translate compliance requirements into specific defensive security controls.
5. Ensure organization-wide compliance with cybersecurity best practices, policies and standards (NIST, CEJIS).
6. Enforce endpoint security standards.
Google Cloud Platform (Managed Services)
The use of Google Cloud’s portfolio of services and products to manage any underlying servers or infrastructure.
1. Execution of the optimization phase to expand workloads, and the additional use of services, as well as the replacement of existing workloads within these services.
Examples of managed services are as follows:
· Cloud SQL for MySQL
· AutoML to tag and classify images instead of deploying and maintaining machine learning models.
· Deployment of workloads on GKE instead of the self-managed Kubernetes cluster, as well as the migration of VMs to containers and execution on GKE.
· App Engine for serverless web hosting.
Optimization for performance and scalability -
· Horizontal scaling. Elastically by adding or removing virtual machines, cluster nodes, and database instances. Use of services such as Compute Engine autoscaling groups, GKE cluster autoscaler.
· Vertical scaling. Adding more resources to the existing instances in a cloud environment without the provision of any additional physical infrastructure and the use of the Compute Engine instances to change the machine types.
DATA PRIVACY & PROTECTION:
Penetration Testing, Security Threat Analysis and Vulnerability Management: GDPR, CCPA, HSPD-12, SANS, ISO 1799, NSA, FDCC, ITIL -NIST, FIPS 200, 199 – SP 800-171, 800-68, 800-60, 800-53, 800-37, 800-18...
INFORMATION ASSURANCE:
Program Management Office (PMO) primary focus is on the Five (5) Core Functions of NIST Cybersecurity Framework (CSF), the Seven (7) Critical Steps in the NIST Risk Management Framework (RMF), FISMA and FEDRAMP Cloud Governance for Federal Government Systems to be granted the Authority to Operate (ATO).
Managed Trusted Internet Protocol Service (MTIPS):
24x7x365 Network Security Operations, Information Assurance/Security, Network Security, Security Awareness & Training, Data Privacy Protection, Amazon Web Services (AWS) Identity and Access Management (IAM):
· Fault Management (MTIPS Disaster Recovery Plan).
· Configuration Management (Configuration Policies and Procedures).
· Network Accounting Management (SOC/NOC Monitoring Tools).
· Security Management (Security Policy Assessment & Enforcement).
· Performance Management (Firewalls, IDS, URL, and Remote Access/VPN).
Iaas, Saas and Paas - Cloud Security Architecture
IaaS Cloud Computing Security Architecture
IaaS provides storage and network resources in the cloud. It relies heavily on APIs to help manage and operate the cloud. However, cloud APIs are often not secure, because they are open and easily accessible from the web.
The cloud service provider (CSP) is responsible for securing the infrastructure and abstraction layer used to access the resources. Your organization's security obligations cover the rest of the layers, mainly containing the business applications.
To better visualize cloud network security issues, deploy a Network Packet Broker (NPB) in an IaaS environment. The NPB sends traffic and data to a Network Performance Management (NPM) system, and to the relevant security tools. In addition, establish logging of events occurring on network endpoints.
IaaS cloud deployments require the following additional security features:
- Network segmentation
- Intrusion Detection System and Intrusion Prevention System (IDS/IPS)
- Virtual firewalls placed in front of web applications to protect against malicious code, and at the edge of the cloud network
- Virtual routers
SaaS Cloud Computing Security Architecture
SaaS services provide access to software applications and data through a browser. The specific terms of security responsibility may vary between services, and are sometimes up for negotiation with the service provider.
Cloud Access Security Brokers (CASB) offers logging, auditing, access control and encryption capabilities that can be critical when investigating security issues in a SaaS product. In addition, make sure your SaaS environment has:
- Logging and alerting
- IP whitelists and/or blacklists
- API gateways, in case the service is accessed via API
PaaS Cloud Computing Security Architecture
PaaS platforms enable organizations to build applications without the overhead and complexity associated with managing hardware and back-end software. In a PaaS model, the CSP protects most of the environment. However, the company is still responsible for the security of the applications it is developing.