What is a cloud service?
- NIST → National Institute of Standards and Technology
- NIST (Special Publication 800-145) defines cloud computing as a model with the following five essential characteristics:
- On-demand self-service: a customer provisions compute, storage, or network resources by themselves, automatically, without contacting the provider → imagine you wish to open a blog and need compute resources: you get a server within minutes instead of waiting for a procurement process.
- Broad network access: services are reachable over the network through standard protocols from many kinds of clients (browsers, laptops, mobile devices) → the kind of connectivity a large Internet Service Provider (ISP) offers, enough to serve millions of end users with your application.
- Resource pooling: the provider's resources (thousands of computers running in large server farms) are pooled and shared between many customers in a multi-tenant model, which maximizes their use → your workload runs on the same physical hardware as other customers', separated by the virtualization layer.
- Rapid elasticity: the ability to increase and decrease the amount of compute resources quickly, often automatically, according to demand.
- Measured service: resource usage is metered (for example, per hour of compute or per GB of storage), so you pay only for the resources you consumed and can generate a billing report.
What are the cloud deployment models?
- Private cloud:
- An infrastructure deployed and maintained for the exclusive use of a single organization (by the organization itself or by a third party on its behalf).
- example: a large financial organization (such as a bank or an insurance company).
- Public cloud:
- An infrastructure deployed and maintained by → a service provider for serving multiple customers and organizations,
- for example the various services offered by AWS, Azure, and GCP.
- Hybrid cloud: A combination of a private cloud (or on-premises infrastructure) and at least one public cloud infrastructure, with workloads or data moving between them.
- Multi-cloud: A scenario where our organization uses more than one public cloud provider, either for multiple managed services (SaaS) or for infrastructure and platform services (IaaS / PaaS) → each provider brings its own identity system, logging, and console, so security controls must be applied per provider.
What are the cloud service models?
- Infrastructure as a Service (IaaS):
- the most fundamental service model
- where the customer selects:
- the virtual machine size (CPU and memory)
- a pre-configured operating system image
- and deploys software inside the virtual machine instance according to business needs
- services such as: Amazon EC2, Azure Virtual Machines, and Google Compute Engine
- Platform as a Service (PaaS):
- This service model ranges from:
- managed database services
- to managed application services
- where a customer uploads code and runs it inside a managed environment (the provider operates and patches the underlying operating system and runtime)
- services such as: AWS Elastic Beanstalk, Azure Web Apps, and Google App Engine
- Software as a Service (SaaS):
- the most widely used service model
- a fully managed application where, as a customer, you usually open a web browser, log in, and consume the service.
- These could be messaging and email services, ERP, CRM, or business analytics
- services such as: Microsoft 365, Google Workspace
Why we need security
- The cloud has changed the paradigm in which organizations controlled their data on-premises (from HR data to customers' data) and invested money in maintaining data centers, servers, storage, network equipment, and the application tier.
- Using public clouds has changed the way organizations look at information security (now referred to as cloud security).
- Common questions asked by organizations' management about the difference between on-premises solutions and the cloud:
- Are my servers going to behave the same as if they were on-premises?
- Server behavior in the cloud may differ from on-premises (different hypervisor, network, and storage characteristics), but it can be configured for similar performance and functionality; test workloads before migrating them.
- How do I protect my servers outside my data center from a data breach?
- By implementing the same robust security measures you would apply on-premises: encryption, access controls, patching, and regular monitoring.
- How do I know the cloud provider will not have access to my data?
- Cloud providers have contractual and technical controls in place and undergo independent audits, but you can minimize their access yourself through encryption with keys you control and through strict access controls.
- Do my employees have enough knowledge to work in new environments such as the public cloud?
- Ensure your employees receive adequate training and support to work effectively in new environments, such as the public cloud, to bridge any knowledge gaps; most cloud breaches stem from misconfiguration rather than provider failure.
- Is the public cloud secure enough to store my data?
- The public cloud can be secure for storing data if you implement appropriate security measures, like encryption, access controls, and regular monitoring, to protect your data from breaches and unauthorized access.
- Cloud security enables our organization to achieve (among other things) the following:
- Decreased attack surface: using central authentication, data encryption, DDoS protection services, and more
- Compliance with regulation: deploying environments according to best practices and the relevant compliance frameworks
- Standardization and best practices: enforcing security using automated tools and services (policy as code rather than manual review)
Shared Responsibility Model
- Shared Responsibility Model: draws a line between the cloud provider's and the customer's responsibilities regarding security.
- the cloud provider is always responsible for the lower layers → from the physical security of their data centers, networking, storage, and host servers up to the virtualization layer
- the customer is always responsible for their data and for who is permitted to access it, whatever the service model; what changes between models is how much of the stack in between is the customer's to secure.
- When working with IaaS
- we select a pre-installed image of an operating system → with or without additional software installed inside the image
- we deploy our applications
- we are responsible for patching the operating system and the applications, and for the configuration of the guest (firewall, users, services)
- we manage permissions to access our data.
- When working with PaaS
- we control our code inside a managed environment (the provider patches the underlying operating system and runtime)
- we manage permissions to access our data.
- When working with SaaS
- we receive a fully managed service
- all we can do is manage permissions to access our data (identities, sharing settings, and the like).
Command-line tools
- One of the things that makes cloud environments so robust is the ability to control almost anything through an
- Application Programming Interface (API)
- for example from the command line.
- Most mature cloud providers have already published and maintain → their own Command Line Interface (CLI) to → allow customers to perform actions in an easy and standard way.
- The same API is available to anyone holding the credentials, so the access keys a CLI stores on a workstation deserve the same protection as console logins (short-lived credentials and MFA where the provider supports them).
- An alternative to using the command line to interact with the cloud provider's API is a Software Development Kit (SDK), a library for your programming language, used to:
- control actions (from deploying a virtual machine to encrypting storage)
- query information from a service (for example, checking whether auditing is enabled for my customers logging into my web application).
- AWS CLI
- The AWS CLI can be installed on Windows, Linux, macOS, and even inside a Docker container.
- Azure CLI
- The Azure CLI can be installed on Windows, Linux, and macOS.
- Google Cloud SDK
- The Google command-line tool (gcloud CLI) → can be installed on Windows, Linux, and macOS.
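As an added example (not part of the original notes or of any provider's own tooling), here is the kind of "is auditing enabled?" query mentioned above, written against the output of two real AWS CLI commands, `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status`. The JSON embedded below is constructed sample data for two trails (one well configured, one not), the account ID and ARNs are placeholders, and the function `audit_trails` and its compliance rules are this example's own choices; on a live account the `from_live_account` helper runs the same commands through the installed CLI.

```python
"""Check whether CloudTrail auditing is enabled, from AWS CLI JSON output.

The sample JSON here is constructed for the example; it is not the output
of a real account.  Live use: from_live_account() shells out to the AWS CLI.
"""
import json
import subprocess

# Constructed stand-in for: aws cloudtrail describe-trails --output json
DESCRIBE_TRAILS_JSON = """
{
  "trailList": [
    {
      "Name": "org-audit-trail",
      "S3BucketName": "example-org-cloudtrail-logs",
      "IncludeGlobalServiceEvents": true,
      "IsMultiRegionTrail": true,
      "HomeRegion": "us-east-1",
      "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit-trail",
      "LogFileValidationEnabled": true,
      "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000",
      "IsOrganizationTrail": true
    },
    {
      "Name": "legacy-trail",
      "S3BucketName": "example-legacy-logs",
      "IncludeGlobalServiceEvents": false,
      "IsMultiRegionTrail": false,
      "HomeRegion": "eu-west-1",
      "TrailARN": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail",
      "LogFileValidationEnabled": false,
      "IsOrganizationTrail": false
    }
  ]
}
"""

# Constructed stand-in for: aws cloudtrail get-trail-status --name <TrailARN>
# (one call per trail; only the IsLogging field matters for this check)
TRAIL_STATUS_BY_ARN = {
    "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-audit-trail": {"IsLogging": True},
    "arn:aws:cloudtrail:eu-west-1:111122223333:trail/legacy-trail": {"IsLogging": False},
}


def audit_trails(describe_output, status_by_arn):
    """Return (audit_enabled, compliant_trail_names, findings).

    A trail counts as compliant only if it is actively logging, covers all
    regions, records global service events (IAM/STS calls) and has log file
    integrity validation on.  Missing KMS encryption is reported as a finding
    but does not disqualify the trail, since logs are still being written.
    """
    findings, compliant = [], []
    for trail in describe_output.get("trailList", []):
        name = trail["Name"]
        status = status_by_arn.get(trail["TrailARN"], {})
        required = []
        if not status.get("IsLogging", False):
            required.append("logging is stopped")
        if not trail.get("IsMultiRegionTrail", False):
            required.append("covers only its home region " + trail.get("HomeRegion", "?"))
        if not trail.get("IncludeGlobalServiceEvents", False):
            required.append("does not record global service events (IAM, STS)")
        if not trail.get("LogFileValidationEnabled", False):
            required.append("log file integrity validation is disabled")
        recommended = []
        if "KmsKeyId" not in trail:
            recommended.append("log files are not encrypted with a customer-managed KMS key")
        findings.extend(f"{name}: {p}" for p in required + recommended)
        if not required:
            compliant.append(name)
    return bool(compliant), compliant, findings


def audit_sample():
    """Run the check over the constructed sample data."""
    return audit_trails(json.loads(DESCRIBE_TRAILS_JSON), TRAIL_STATUS_BY_ARN)


def from_live_account():
    """Run the same check against the account the AWS CLI is configured for."""
    described = json.loads(subprocess.check_output(
        ["aws", "cloudtrail", "describe-trails", "--output", "json"]))
    status = {}
    for trail in described.get("trailList", []):
        status[trail["TrailARN"]] = json.loads(subprocess.check_output(
            ["aws", "cloudtrail", "get-trail-status", "--name", trail["TrailARN"],
             "--output", "json"]))
    return audit_trails(described, status)


if __name__ == "__main__":
    enabled, ok, problems = audit_sample()
    print("auditing enabled:", enabled, "via", ok)
    for line in problems:
        print("finding:", line)
```

Running the sample reports auditing as enabled through `org-audit-trail` and lists five findings, all against `legacy-trail`. The same structure works for the other providers' CLIs (`az` and `gcloud` also emit JSON with `--output json` / `--format json`); only the field names in the rules change.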