# Cloud Hardening

## Network security in the cloud 

<div class="cds-1 css-xl5mb3 cds-2" id="bkmrk-in-recent-years%2C-man"><div class="cds-1 rc-Paragraph css-1lz62pp cds-3 cds-grid-item"><div class="phrases"><div aria-label="toggle video from In recent years, many organizations are using network services in the cloud." class="rc-Phrase css-ugczj4" data-cue="1" data-cue-index="0" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">In recent years, many organizations are using network services in the cloud. </span></div><div aria-label="toggle video from So in addition to securing on-premises networks," class="rc-Phrase css-ugczj4" data-cue="2" data-cue-index="1" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">So in addition to securing on-premises networks, </span></div><div aria-label="toggle video from a security analyst will need to secure cloud networks." class="rc-Phrase css-ugczj4" data-cue="3" data-cue-index="2" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">a security analyst will need to secure cloud networks. </span></div><div aria-label="toggle video from In a previous video, you learned that a cloud network is a collection of" class="rc-Phrase css-ugczj4" data-cue="4" data-cue-index="3" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">In a previous video, you learned that a cloud network is a collection of </span></div><div aria-label="toggle video from servers or computers that stores resources and" class="rc-Phrase css-ugczj4" data-cue="5" data-cue-index="4" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">servers or computers that stores resources and </span></div><div aria-label="toggle video from data in a remote data center that can be accessed via the internet." class="rc-Phrase css-ugczj4" data-cue="6" data-cue-index="5" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">data in a remote data center that can be accessed via the internet. </span></div><div aria-label="toggle video from They can host company data and applications using cloud computing to" class="rc-Phrase css-ugczj4" data-cue="7" data-cue-index="6" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">They can host company data and applications using cloud computing to </span></div><div aria-label="toggle video from provide on-demand storage, processing power, and data analytics." class="rc-Phrase css-ugczj4" data-cue="8" data-cue-index="7" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">provide on-demand storage, processing power, and data analytics. </span></div><div aria-label="toggle video from Just like regular web servers, cloud servers also require proper maintenance" class="rc-Phrase css-ugczj4" data-cue="9" data-cue-index="8" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">Just like regular web servers, cloud servers also require proper maintenance </span></div><div aria-label="toggle video from done through various security hardening procedures." class="rc-Phrase css-ugczj4" data-cue="10" data-cue-index="9" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">done through various security hardening procedures. </span></div><div aria-label="toggle video from Although cloud servers are hosted by a cloud service provider," class="rc-Phrase css-ugczj4" data-cue="11" data-cue-index="10" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">Although cloud servers are hosted by a cloud service provider, </span></div><div aria-label="toggle video from these providers cannot prevent intrusions in the" class="rc-Phrase css-ugczj4" data-cue="12" data-cue-index="11" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">these providers cannot prevent intrusions in the </span></div><div aria-label="toggle video from cloud—especially intrusions from malicious actors, both internal and" class="rc-Phrase css-ugczj4" data-cue="13" data-cue-index="12" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">cloud—especially intrusions from malicious actors, both internal and </span></div><div aria-label="toggle video from external to an organization." class="rc-Phrase css-ugczj4" data-cue="14" data-cue-index="13" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">external to an organization. </span></div></div></div></div><div class="cds-1 css-xl5mb3 cds-2" id="bkmrk-"><div class="cds-1 rc-Paragraph css-1lz62pp cds-3 cds-grid-item">  
</div></div><div class="cds-1 css-xl5mb3 cds-2" id="bkmrk-one-distinction-betw"><div class="cds-1 rc-Paragraph css-1lz62pp cds-3 cds-grid-item"><div class="phrases"><div aria-label="toggle video from One distinction between cloud network hardening and" class="rc-Phrase css-ugczj4" data-cue="15" data-cue-index="14" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">One distinction between cloud network hardening and </span></div><div aria-label="toggle video from traditional network hardening is the use of a server baseline image for" class="rc-Phrase css-ugczj4" data-cue="16" data-cue-index="15" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">traditional network hardening is the use of a server baseline image for </span></div><div aria-label="toggle video from all server instances stored in the cloud." class="rc-Phrase css-ugczj4" data-cue="17" data-cue-index="16" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">all server instances stored in the cloud. </span></div><div aria-label="toggle video from This allows you to compare data in the cloud servers to the baseline image to" class="rc-Phrase css-ugczj4" data-cue="18" data-cue-index="17" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">This allows you to compare data in the cloud servers to the baseline image to </span></div><div aria-label="toggle video from make sure there haven't been any unverified changes." class="rc-Phrase css-ugczj4" data-cue="19" data-cue-index="18" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">make sure there haven't been any unverified changes. </span></div><div aria-label="toggle video from An unverified change could come from an intrusion in the cloud network." class="rc-Phrase css-ugczj4" data-cue="20" data-cue-index="19" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">An unverified change could come from an intrusion in the cloud network. </span></div><div aria-label="toggle video from current lecture segment: Similar to OS hardening, data and applications on a cloud network are kept" class="rc-Phrase active css-ugczj4" data-cue="21" data-cue-index="20" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">Similar to OS hardening, data and applications on a cloud network are kept </span></div><div aria-label="toggle video from separate depending on their service category." class="rc-Phrase css-ugczj4" data-cue="22" data-cue-index="21" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">separate depending on their service category. </span></div><div aria-label="toggle video from For example, older applications should be kept separate from newer applications," class="rc-Phrase css-ugczj4" data-cue="23" data-cue-index="22" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">For example, older applications should be kept separate from newer applications, </span></div><div aria-label="toggle video from and software that deals with internal functions should be kept separate" class="rc-Phrase css-ugczj4" data-cue="24" data-cue-index="23" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">and software that deals with internal functions should be kept separate </span></div><div aria-label="toggle video from from front-end applications seen by users." class="rc-Phrase css-ugczj4" data-cue="25" data-cue-index="24" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">from front-end applications seen by users. </span></div></div></div></div><div class="cds-1 css-xl5mb3 cds-2" id="bkmrk--1"><div class="cds-1 rc-Paragraph css-1lz62pp cds-3 cds-grid-item">  
</div></div><div class="phrases" id="bkmrk-even-though-the-clou"><div aria-label="toggle video from Even though the cloud service provider has a shared responsibility with" class="rc-Phrase css-ugczj4" data-cue="26" data-cue-index="25" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">Even though the cloud service provider has a shared responsibility with </span></div><div aria-label="toggle video from the organization using their services, there are still security measures that" class="rc-Phrase css-ugczj4" data-cue="27" data-cue-index="26" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">the organization using their services, there are still security measures that </span></div><div aria-label="toggle video from need to be taken by the organization to make sure their cloud network is safe." class="rc-Phrase css-ugczj4" data-cue="28" data-cue-index="27" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">need to be taken by the organization to make sure their cloud network is safe. </span></div><div aria-label="toggle video from Just like traditional networks, operations in the cloud need to be secured." class="rc-Phrase css-ugczj4" data-cue="29" data-cue-index="28" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">Just like traditional networks, operations in the cloud need to be secured. </span></div><div aria-label="toggle video from You're doing great! Meet you in the next video." class="rc-Phrase css-ugczj4" data-cue="30" data-cue-index="29" role="button" tabindex="0"><span aria-hidden="true" class="cds-137 css-80vnnb cds-139">You're doing great! Meet you in the next video. </span></div></div>## secure the cloud  


Earlier in this course, you were introduced to [cloud computing<svg aria-labelledby="cds-react-aria-1484-title" class="css-1lzqdox" fill="none" focusable="false" height="16" id="bkmrk--2" role="img" viewbox="0 0 16 16" width="16"></svg>](https://www.coursera.org/learn/networks-and-network-security/lecture/BGlnq/cloud-networks)

**Cloud computing** is a model for allowing convenient and on-demand network access to a shared pool of configurable computing resources. These resources can be configured and released with minimal management effort or interaction with the service provider.

Just like any other IT infrastructure, a cloud infrastructure needs to be secured. This reading will address some main security considerations that are unique to the cloud and introduce you to the shared responsibility model used for security in the cloud. Many organizations that use cloud resources and infrastructure express concerns about the privacy of their data and resources. This concern is addressed through cryptography and other additional security measures, which will be discussed later in this course.

## Cloud security considerations

Many organizations choose to use cloud services because of the ease of deployment, speed of deployment, cost savings, and scalability of these options. Cloud computing presents unique security challenges that cybersecurity analysts need to be aware of.

### Identity access management

**Identity access management (IAM)** is a collection of processes and technologies that helps organizations manage digital identities in their environment. This service also authorizes how users can use different cloud resources. A common problem that organizations face when using the cloud is the loose configuration of cloud user roles. An improperly configured user role increases risk by allowing unauthorized users to have access to critical cloud operations.

### Configuration

The number of available cloud services adds complexity to the network. Each service must be carefully configured to meet security and compliance requirements. This presents a particular challenge when organizations perform an initial migration into the cloud. When this change occurs on their network, they must ensure that every process moved into the cloud has been configured correctly. If network administrators and architects are not meticulous in correctly configuring the organization’s cloud services, they could leave the network open to compromise. Misconfigured cloud services are a common source of cloud security issues.

### Attack surface 

Cloud service providers (CSPs) offer numerous applications and services for organizations at a low cost.

Every service or application on a network carries its own set of risks and vulnerabilities and increases an organization’s overall attack surface. An increased attack surface must be compensated for with increased security measures.

Cloud networks that utilize many services introduce lots of entry points into an organization’s network. However, if the network is designed correctly, utilizing several services does not introduce more entry points into an organization’s network design. These entry points can be used to introduce malware onto the network and pose other security vulnerabilities. It is important to note that CSPs often defer to more secure options, and have undergone more scrutiny than a traditional on-premises network.

### Zero-day attacks

Zero-day attacks are an important security consideration for organizations using cloud or traditional on-premise network solutions. A **zero day** attack is an exploit that was previously unknown. CSPs are more likely to know about a zero day attack occurring before a traditional IT organization does. CSPs have ways of patching hypervisors and migrating workloads to other virtual machines. These methods ensure the customers are not impacted by the attack. There are also several tools available for patching at the operating system level that organizations can use.

### Visibility and tracking 

Network administrators have access to every data packet crossing the network with both on-premise and cloud networks. They can sniff and inspect data packets to learn about network performance or to check for possible threats and attacks.

This kind of visibility is also offered in the cloud through flow logs and tools, such as packet mirroring. CSPs take responsibility for security in the cloud, but they do not allow the organizations that use their infrastructure to monitor traffic on the CSP’s servers. Many CSPs offer strong security measures to protect their infrastructure. Still, this situation might be a concern for organizations that are accustomed to having full access to their network and operations. CSPs pay for third-party audits to verify how secure a cloud network is and identify potential vulnerabilities. The audits can help organizations identify whether any vulnerabilities originate from on-premise infrastructure and if there are any compliance lapses from their CSP.

### Things change fast in the cloud

CSPs are large organizations that work hard to stay up-to-date with technology advancements. For organizations that are used to being in control of any adjustments made to their network, this can be a potential challenge to keep up with. Cloud service updates can affect security considerations for the organizations using them. For example, connection configurations might need to be changed based on the CSP’s updates.

Organizations that use CSPs usually have to update their IT processes. It is possible for organizations to continue following established best practices for changes, configurations, and other security considerations. However, an organization might have to adopt a different approach in a way that aligns with changes made by the CSP.

Cloud networking offers various options that might appear attractive to a small company—options that they could never afford to build on their own premises. However, it is important to consider that each service adds complexity to the security profile of the organization, and they will need security personnel to monitor all of the cloud services.

## Shared responsibility model

A commonly accepted cloud security principle is the shared responsibility model. The **shared responsibility model** states that the CSP must take responsibility for security involving the cloud infrastructure, including physical data centers, hypervisors, and host operating systems. The company using the cloud service is responsible for the assets and processes that they store or operate in the cloud.

The shared responsibility model ensures that both the CSP and the users agree about where their responsibility for security begins and ends. A problem occurs when organizations assume that the CSP is taking care of security that they have not taken responsibility for. One example of this is cloud applications and configurations. The CSP takes responsibility for securing the cloud, but it is the organization’s responsibility to ensure that services are configured properly according to the security requirements of their organization.

## Key takeaways

It is essential to know the security considerations that are unique to the cloud and understanding the shared responsibility model for cloud security. Organizations are responsible for correctly configuring and maintaining best security practices for their cloud services. The shared responsibility model ensures that both the CSP and users agree about what the organization is responsible for and what the CSP is responsible for when securing the cloud infrastructure.