Cloud security is an emerging technology, and even some of the most seasoned professionals in the cloud community are still learning how it works, or at least thinking about it. If all of your data is stored on the cloud, and all of your apps are running on it, you want to know that those apps and that data are secure, and knowing that the cloud is an open, shared environment might not be an immediate comfort. Luckily, the cloud offers all kinds of security resources you can’t access anywhere else. Understanding how these resources can protect your data and assets is crucial to doing the best work possible in a cloud environment.
Vijeta Pai is a C2C contributor and Google Cloud expert whose website Cloud Demystified provides comics and other educational content that makes cloud security accessible and intelligible to the average Google Cloud user. C2C recently invited Pai to give a presentation and host a discussion on all things cloud security, from threat modeling to shared responsibility arrangements to best practices, drawing on her work with Cloud Demystified as well as the content she’s published on the C2C blog.
Watch her full presentation below, and read on for some of the key conversations from her C2C Talks: Cloud Security Demystified.
After providing some background on types of cloud providers (public, private, and hybrid) and the different elements of cloud security (technologies, processes, controls, and policies), Pai broke down the STRIDE threat model. This model classifies the threats a cloud security system might be required to prevent into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
Watch below for Pai’s breakdown of the definitions and associated security considerations of each one:
Next, Pai explained the different possible models used to share the responsibility for security between an organization and a cloud provider. The three models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), and each allocates responsibility for people, data, applications, and the operating system (OS) differently:
Pai kicked off the open discussion portion with a comprehensive review of cloud security best practices, which referred back to a post she wrote for the C2C blog, 10 Best Practices for Cloud Security in Application Development.
As she does in the post, Pai went through these strategies one by one, from Identity and Access Management Control to Data Encryption to Firewalls. For anyone in the process of actively implementing their cloud security measures, Pai’s full answer is worth the watch:
C2C members have the unique opportunity to put questions directly to the experts, and Pai fielded several questions about specific aspects of the technology of Google Cloud itself.
The first question came from C2C member Dickson Victor (@Vick), who was concerned with whether the cloud can support better security than an on-premises system. Pai’s answer spoke to the heart of the issue for most prospective cloud users: the policies, processes, and resources available in an open environment like the cloud versus those available in a locked, private system. Her response was nothing but encouraging:
Pai also took a moment to let C2C community member Lokesh Lakhwani (@llakhwani17) plug the Google Cloud Security Summit, the first-ever tech summit on cloud security:
The discussion wrapped up with a question about cybersecurity insurance and whether it might become an entire industry once cloud security becomes a new standard. Pai wasn’t sure how quickly the industry would explode. Still, she thinks there is room out there for growth and innovation, precisely because of the extent to which technology has become a necessary part of day-to-day life for so many people living through the COVID-19 pandemic, including Pai’s mother, who lives and works in India.
Moreover, the more we live our lives on the cloud, the more we will need cloud security, which, to Pai, means there are plenty of opportunities right now for cybersecurity insurance companies to make their mark:
Do you have questions or concerns about cloud security that Pai didn’t answer in this session? Feel free to share them in the comments and also to connect with Pai directly. You can find her on LinkedIn or join C2C to keep up with her work and get in touch with other tech professionals working in the cloud security field.