
Segregation: Security Principle of the month

Updated: Aug 28, 2020

No matter which service model is in use (IaaS, PaaS, SaaS, etc.), we need to ensure we have the right segregation controls in place, backed by a process, across Networks, Data, Services and Users. Some organisations avoid the public cloud because of its multi-tenant nature and data security concerns, so as security professionals we have the opportunity to give confidence back to our stakeholders by ensuring an appropriate adoption of segregation techniques and maximising their value, while leaning on the 'Shared Responsibility Model' for the CSP's side of segregation (both physical and logical) and verifying that the CSP adheres to best practice there.

The guiding Principle is:


Hosted environments/services/data within the Cloud, must be segregated from others in an appropriate manner, to support the necessary services and data requirements of the business


Here are a few high-level key points to help us improve data protection, in the spirit of the Principle:


  • Define Security Trust Zones to separate systems/tiers/users along logical lines, for greater security and access control. Each zone can have its own security controls and monitoring, based on its specific needs and risk level, and traffic between zones should be restricted to the flows the design explicitly allows

  • Consider enabling a proxy capability between the layers of the application's stack (e.g. AWS RDS Proxy in front of the database tier) so that connections between tiers are managed and authenticated in one place, and the lower tier is never reachable directly from the tier above

  • Ensure the design/environment has a clear account structure and tagging design, so that resources of different purposes, types, characteristics, etc. are segregated at the logical account level (e.g. Landing Zones). Tags also give automation a reliable way to tell which zone or environment a resource belongs to

  • Adopt a 'swim-lane isolation' methodology where possible, so that each lane (e.g. a product, business unit or environment) has its own access path and a compromise in one lane does not grant access to another

  • 'Dedicated' vs. 'Shared' tenancy: this must be assessed per use case (based on the environment's sensitivity, the classification of the data and the business's appetite for risk). The main driver is reducing the risk of data theft and of guest-tenancy attacks in general (e.g. guest-to-host breakout, hardware resource exhaustion, etc.). To date, there are no major security benefits of 'Dedicated' over 'Shared', and the choice should be reviewed with the CSP where relevant. (Note: AWS is moving from 'Xen' to 'Nitro' type hosts, which is intended to enhance hardware-level isolation and security)
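The first, second and third points above (trust zones, a proxy in front of the data tier, and zone/environment tags) can be enforced as a check rather than left as a design intention. The following is an added example that is not part of the original post: a small validator that models a web/app/proxy/data design as trust zones, declares which zone-to-zone flows each zone may accept, and flags any firewall or security-group style rule that breaks the model, including rules that reference a resource with no zone tag. The zone names, the allowed-flow table, the resource names and the sample rules are all constructed for illustration and are not taken from any real environment.

```python
"""Trust-zone flow validator (added example; not code from the original post).

Models a tiered design as Security Trust Zones and checks inbound rules
against the flows each zone is allowed to accept. All zone names, tags
and sample rules below are constructed for illustration.
"""
from dataclasses import dataclass

# Each zone accepts traffic only from the listed (source_zone, port) pairs.
# "internet" is the untrusted outside; only the web tier may face it.
# The data tier is reachable only via the proxy tier (e.g. a DB proxy),
# so an app-to-data rule is a violation even on the database port.
ALLOWED_FLOWS = {
    "web":   {("internet", 443)},
    "app":   {("web", 8443)},
    "proxy": {("app", 5432)},
    "data":  {("proxy", 5432)},
}

# Resource -> zone tag. A resource without a tag cannot be placed in any
# zone, so every rule that references it is flagged rather than ignored.
ZONE_TAGS = {
    "alb-public":  "web",
    "app-asg":     "app",
    "rds-proxy":   "proxy",
    "rds-primary": "data",
    "0.0.0.0/0":   "internet",
}


@dataclass(frozen=True)
class Rule:
    """One inbound rule: resource `dst` accepts traffic from `src` on `port`."""
    dst: str
    src: str
    port: int


def check_rule(rule, allowed=ALLOWED_FLOWS, tags=ZONE_TAGS):
    """Return None if the rule fits the zone model, otherwise a reason string."""
    dst_zone = tags.get(rule.dst)
    src_zone = tags.get(rule.src)
    if dst_zone is None:
        return f"{rule.dst}: no zone tag, cannot be placed in a trust zone"
    if src_zone is None:
        return f"{rule.src}: no zone tag, cannot be placed in a trust zone"
    if dst_zone == src_zone:
        # Intra-zone traffic is governed by that zone's own controls.
        return None
    if (src_zone, rule.port) not in allowed.get(dst_zone, set()):
        return (f"{rule.dst} ({dst_zone}) accepts {rule.src} ({src_zone}) "
                f"on port {rule.port}: flow not permitted by the zone model")
    return None


def find_violations(rules, allowed=ALLOWED_FLOWS, tags=ZONE_TAGS):
    """Return a list of (rule, reason) for every rule that breaks the model."""
    violations = []
    for rule in rules:
        reason = check_rule(rule, allowed, tags)
        if reason is not None:
            violations.append((rule, reason))
    return violations


# Constructed sample rule set: four rules that follow the design and four
# that do not (proxy bypass, data tier exposed, SSH from anywhere into the
# app zone, and a rule that references an untagged resource).
SAMPLE_RULES = [
    Rule("alb-public", "0.0.0.0/0", 443),
    Rule("app-asg", "alb-public", 8443),
    Rule("rds-proxy", "app-asg", 5432),
    Rule("rds-primary", "rds-proxy", 5432),
    Rule("rds-primary", "app-asg", 5432),
    Rule("rds-primary", "0.0.0.0/0", 5432),
    Rule("app-asg", "0.0.0.0/0", 22),
    Rule("app-asg", "bastion-legacy", 22),
]

if __name__ == "__main__":
    for rule, reason in find_violations(SAMPLE_RULES):
        print(f"VIOLATION {rule}: {reason}")
```

Running the script reports the last four sample rules and passes the first four. The same check can be pointed at real rules exported from a CSP's API once the resource names are mapped to zone tags; the untagged-resource branch is the one that most often fires in practice, because a resource nobody tagged is a resource nobody placed in a zone.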




*The "Security Principle Of The Month" posts are a series of short articles that aim to help and guide the security SME, whether a consultant reviewing a solution design proposal or a DevSecOps engineer deploying a solution, by listing key points of various security controls that should be considered for the proposed solution or for an existing product/environment. This list should be used as a complement to any other security controls and strategies already in use within solutions.



**Sources:

- (ISC)² CCSP certification exam materials

- 'AWS Certified Security Speciality' certification exam materials

- 'Azure Security Technologies' certification exam materials

- NCSC (National Cyber Security Centre); Cloud Security Principles

- Broad projects experience

- Online information
