eBooks & Reports

O'Reilly's Automating Security in the Cloud

Issue link: https://resources.threatstack.com/i/872576


times of compromise (e.g. Natural or Man-Made). Cloud computing is just like any other technology: it introduces some new risks and therefore needs new mitigation capabilities, which go beyond global security frameworks by treating risks, eliminating manual processes, and optimizing evidence and audit ratification processes through rigid automation that security management or operations needs to implement. These controls are put in place to safeguard any weaknesses in the system and reduce the effect of an attack. While there are many types of controls behind a cloud security architecture, they can usually be found in one of the following categories:

Deterrent controls—These controls are set in place to prevent any purposeful attack on a cloud system. Much like a warning sign on a fence or a property, these controls do not reduce the actual vulnerability of a system.

Preventative controls—These controls upgrade the strength of the system by managing the vulnerabilities. The preventative control will safeguard vulnerabilities of the system. If an attack were to occur, the preventative controls are in place to cover the attack and reduce the damage and violation to the system's security.

Corrective controls—Corrective controls are used to reduce the effect of an attack. Unlike the preventative controls, the corrective controls take action as an attack is occurring.

Detective controls—Detective controls are used to detect any attacks that may be occurring to the system. In the event of an attack, the detective control will signal the preventative or corrective controls to address the issue.

Recovery controls—These are used to repair or restore services following the violation of security policies.

Compensation controls—These are used to provide various options to other controls.
Authoritative source—identity management

Organizations should identify appropriate sources of policy and user profile information and ensure that the cloud service administrator uses only trusted sources for provisioning. There are several apps which can sign in using a well-known identity provider (IdP)—such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP—receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure, because you don't have to embed and distribute long-term security credentials with your application. Below is an example of a single or multiple authoritative source capability.

Identity & Access Management (IAM) | 17
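The token exchange described above, as an added example that is not code from the book or from AWS: the role's trust policy admits tokens from one IdP and, via the `aud` condition, only tokens issued for one application, and a checker flags trust policies that omit that condition. The account id, role name, provider and client id are constructed placeholders; the exchange itself uses the real STS `AssumeRoleWithWebIdentity` call through boto3 and needs network access.

```python
# Constructed placeholder values (not from the book):
ROLE_ARN = "arn:aws:iam::123456789012:role/MobileAppFederatedRole"
PROVIDER = "accounts.google.com"   # OIDC IdP; "www.amazon.com" for Login with Amazon
CLIENT_ID = "example-client-id.apps.googleusercontent.com"


def trust_policy(provider: str, client_id: str) -> dict:
    """Role trust policy: tokens from ONE IdP, issued for ONE application
    (audience), may assume the role. Without the 'aud' condition, a token
    the IdP issued for any other app could be exchanged for this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{provider}:aud": client_id}},
        }],
    }


def is_scoped_to_audience(policy: dict, provider: str) -> bool:
    """Audit check: every Allow statement for AssumeRoleWithWebIdentity
    must pin the token audience for the given provider."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if f"{provider}:aud" not in cond:
            return False
    return True


def exchange_token(id_token: str, role_arn: str = ROLE_ARN) -> dict:
    """Exchange the IdP's ID token for temporary AWS credentials.
    boto3 is imported lazily so the policy helpers above run offline."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName="app-session",
        WebIdentityToken=id_token, DurationSeconds=3600)
    # Short-lived keys: AccessKeyId, SecretAccessKey, SessionToken, Expiration
    return resp["Credentials"]
```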
