Explain cloud security architecture

Explain cloud security architecture using suitable diagram?

ANS: Introduction :- Cloud application developers have been successfully developing applications for IaaS (Amazon AWS, Rackspace, etc.) and PaaS (Azure, Google App Engine, Cloud Foundry) platforms. These platforms provide basic security features, including support for authentication, DoS attack mitigation, firewall policy management, logging, and basic user and profile management, but security concerns continue to be the number one barrier to enterprise cloud adoption. Cloud security concerns range from securely configuring virtual machines deployed on an IaaS platform to managing user privileges in a PaaS cloud. The solution architecture should address these concerns and build security safeguards (controls) into the cloud application architecture.

Cloud Security Architecture – Plan

As a first step, architects need to understand what security capabilities are offered by cloud platforms (PaaS, IaaS). The figure below illustrates the architecture for building security into cloud services.





The following are cloud security best practices to mitigate risks to cloud services:


  • Architect for security-as-a-service – Application deployments in the cloud involve orchestration of multiple services, including automation of DNS, load balancers, network QoS, etc., so security services should be designed to be provisioned and consumed in the same automated way.
  • Implement a sound identity and access management architecture and practice – Scalable cloud bursting and elastic architectures rely less on network-based access controls and therefore warrant a strong user access management architecture.
  • Leverage APIs to automate safeguards – Any new security service should be deployed with an API (REST/SOAP) to enable automation.
  • Always encrypt or mask sensitive data – Today's private cloud applications are candidates for tomorrow's public cloud deployment. Hence, architect applications to encrypt all sensitive data irrespective of the future operational model.
  • Do not rely on an IP address for authentication services – IP addresses in clouds are ephemeral in nature, so you cannot solely rely on them for enforcing network access control. Employ certificates (self-signed or from a trusted CA) to enable SSL/TLS between services deployed on the cloud.
  • Log, log, log – Applications should centrally log all security events; this helps create an end-to-end transaction view with non-repudiation characteristics.
  • Continuously monitor cloud services – Monitoring is an important function given that preventive controls may not meet all enterprise standards.
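The two practices "always encrypt or mask sensitive data" and "log, log, log" can be combined in one component: a central security-event log that masks sensitive fields before they are written and chains each entry to the previous one with an HMAC, so that deletion or alteration of any entry is detectable. The code below is an added example written for this page, not code from the original answer or from any cloud platform; the field names, event shapes, masking rules and the key are all constructed for illustration. Note that an HMAC gives tamper evidence only against parties who do not hold the key; full non-repudiation (proving which service wrote an entry) would require per-service digital signatures instead.

```python
"""Central security-event log with sensitive-field masking and a
tamper-evident HMAC chain. Added example, not from the original page;
field names, event shapes and the key are constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed policy: these fields are fully redacted in logs ...
REDACT_FIELDS = {"password", "api_key"}
# ... and these keep only the last four characters for correlation.
MASK_LAST4_FIELDS = {"card_number"}


def mask_sensitive(event: dict) -> dict:
    """Return a copy of the event with sensitive values masked or redacted."""
    masked = {}
    for key, value in event.items():
        if key in REDACT_FIELDS:
            masked[key] = "[REDACTED]"
        elif key in MASK_LAST4_FIELDS and isinstance(value, str) and len(value) > 4:
            masked[key] = "*" * (len(value) - 4) + value[-4:]
        else:
            masked[key] = value
    return masked


class SecurityLog:
    """Append-only log where each record carries an HMAC over its own
    content plus the HMAC of the previous record (a hash chain)."""

    GENESIS = "0" * 64  # 'prev' value for the first record

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _mac(self, record: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the MAC is stable.
        body = {k: v for k, v in record.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def append(self, service: str, event: dict) -> dict:
        """Mask the event, link it to the previous record, MAC it, store it."""
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        record = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "service": service,
            "event": mask_sensitive(event),
            "prev": prev,
        }
        record["mac"] = self._mac(record)
        self.entries.append(record)
        return record

    def verify(self) -> int:
        """Walk the chain; return the index of the first record that fails
        (altered, reordered or with a predecessor missing), or -1 if intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.entries):
            if rec.get("prev") != prev or rec.get("seq") != i:
                return i
            if not hmac.compare_digest(rec.get("mac", ""), self._mac(rec)):
                return i
            prev = rec["mac"]
        return -1


if __name__ == "__main__":
    # Constructed sample events from two hypothetical services.
    log = SecurityLog(key=b"constructed-demo-key-rotate-in-production")
    log.append("auth-svc", {"user": "alice", "action": "login", "password": "hunter2"})
    log.append("pay-svc", {"user": "alice", "card_number": "4111111111111111", "amount": 42})
    print(json.dumps(log.entries[1]["event"]))   # card number shows only last four digits
    print("chain intact:", log.verify() == -1)
    log.entries[1]["event"]["amount"] = 4200       # simulate after-the-fact tampering
    print("first bad record:", log.verify())       # 1
```

In a real deployment the key (or better, a signing key per service) would come from the platform's secrets manager, records would be shipped to the central log store over TLS, and `verify()` would be run by the monitoring function the last bullet describes.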



