Cloud Security--- How to protect your public cloud applications and systems.

Hi firends， I want to share some experiences about how to protect  public cloud applications and systems.
our all know security is more and more important today.  so what could we do to improve our cloud security ?
Some parts you could pay attentions:
Basic Security: DDoS, WAF, Host Security, Monitor, Log ,Security Group.
Data Security: SSL certificate, Database, KMS, RAM.
Application Security: content security, API security.
Security Service: vulnerability scan，penetration test.I had summarize a table l for your reference

Big category	Subclass	content	Remarks
Equipment and computing security	Identification	1. When remotely managing the equipment in the cloud computing platform, a two-way authentication mechanism should be established between the management terminal and the cloud computing platform. 2. MFA authentication should be enabled for all accounts . 3. Set an appropriate password (the password must be at least 8 digits long, and the password contains numbers. , Letters, special symbols, etc.) 4. Passwords and keys should be rotated regularly every 90 days	Avoid account sharing, recording and auditing operation and maintenance operations are the most basic security requirements. The necessary security measures are necessary to ensure system-level security and prevent server intrusion. (Mainframe protection software vulnerabilities are regularly scanned and updated, bastion host)
	Access control	1. Different accounts should be established and assigned permissions according to the role of the management user. 2. According to the principle of least permission, different roles (administrator, operation and maintenance, development, finance, etc.) should be given different authorizations (read, write, modify, comprehensive control, etc.) 3. According to the principle of least privilege, grant different resource permissions to different roles (for example, separate from the project and business dimensions)
	security audit	1. The privileged commands executed by cloud service providers and cloud service customers during remote management should be audited, including at least virtual machine deletion and virtual machine restart . 2. Centralized monitoring of the operation of virtual machines, virtualized security devices, etc.
	Intrusion prevention	1. It should be able to detect the failure of resource isolation between virtual machines and give warnings . 2. It should be able to detect unauthorized new virtual machines or re-enable virtual machines and give warnings . 3. It should be able to detect malicious code infections and spread between virtual machines. Situation and give an alert
	Mirror and snapshot protection	1. Reinforced operating system images or operating system security reinforcement services should be provided for important business systems. 2. The virtual machine image and snapshot integrity check function shall be provided to prevent the virtual machine image from being maliciously tampered with. 3. Password technology or other technical means should be adopted to prevent virtual machine mirroring and sensitive resources that may exist in snapshots from being illegally accessed.
	Cloud host security protection	1. Confirm the compliance baseline of the cloud host deployed by the application. 2 The cloud host deployed by the application should pass security protection tests such as copper leak scanning and penetration testing.
	Cloud host operation and maintenance	1. Measures should be taken to identify the security vulnerabilities and hidden dangers of cloud hosts, pay attention to the newly released system vulnerabilities in a timely manner, and evaluate the possible impact before patching
Network and communication security	Network Architecture	Different network areas should be divided, and addresses should be assigned to each network area in accordance with the principle of convenient management and control	According to the role and importance of the server, the network is divided into security domains . The security domain boundaries of the internal and external networks are set up with access control policies, and the requirements are specific to the port. Record and audit user behavior logs and security event information in
	Access control	1. Access control rules should be set based on access control policies between network boundaries or areas. By default, the controlled interface denies all communications except for allowing communications (by security group configuration, default Deny all) 2. Security group policy is not necessary In this case, public network traffic is not allowed (0.0.0.0) 3. It should be able to provide explicit permission/deny access for incoming and outgoing data flows based on session state information,
	Communication transmission	1. Check code technology or encryption and decryption technology should be used to ensure the integrity of the data during the communication process and boundary protection. (SSL certificate, etc.) 2. The access and data flow across the border should be guaranteed, and communication should be carried out through the controlled interface provided by the border protection device (security devices such as fortresses)
	Intrusion prevention	1. It should be detected at key network nodes to prevent or limit network attacks initiated from the outside. 2. It should be able to detect network attacks on virtual network nodes and record the attack type, attack time, attack traffic, etc. 3. It should be able to detect abnormal traffic between the virtual machine and the host machine, and between the virtual machine and the virtual machine. 4. Alarms should be issued when network attacks or abnormal traffic conditions are detected (third-party application probes on the network side)
	security audit	1. To record changes to the virtualized network 2. To centrally monitor the operating status of the virtualized network
Application and data security	Data integrity and confidentiality	1. Encrypted storage of important and sensitive data. 2. Access to the public network by open storage is not allowed unless necessary. 3. Check code technology or encryption and decryption technology should be used to ensure the integrity and confidentiality of important data during transmission, and necessary recovery measures should be taken when integrity damage is detected. 4. Cloud service customers should be supported to deploy key management solutions to ensure that cloud service customers implement the process of data encryption and decryption by themselves.	Application is the direct realization of specific services, and does not have the characteristics of relatively standardized networks and systems. The identity authentication, access control, and operation audit functions of most applications are difficult to replace with third-party products; for data integrity and confidentiality, in addition to security protection at other levels, encryption is the most effective method. Remote backup is one of the most important requirements that distinguishes the third-level guarantee from the second-level guarantee, and is the most basic technical guarantee for business continuity.
	Data backup and recovery	1. Cloud service customers should save the backup of their business data locally . 2. After some components of the application fail, they can continue to work (the application can decouple the components by adding message queues, workflow, load balancing, etc.), and automatically restore (Auto Healing). ), the fault is weakened. When the dependency of the component is abnormal, the component itself will not be reported as abnormal. It can continue to service the request in a degraded manner)
	Log service	1. Collect common log sources, such as virtual machine logs, load balancing logs, network logs, and other cloud application logs . 2. Log monitoring of important changes, monitoring of abnormal conditions, and alerting
	Disaster recovery plan	1. The RTO and RPO recovery time of the corresponding application should be defined . 2. There should be a disaster recovery plan and steps for the corresponding application
Security Policy System	security strategy	Cloud Service Level Agreement	Security strategies and systems are a very important foundation for ensuring continuous security.
		Confidentiality management	A confidentiality agreement should be signed with the selected cloud service provider, requiring them not to disclose cloud service customer data
		Asset management, compile, save and update the cloud asset list in time
		Configuration management, basic configuration information should be recorded and saved
		Emergency plan management and security incident handling

You can keep your cloud applications and data safe by removing the bottleneck itself. Ensure that the Cloud provider that you use the service of like Windows virtual server provider stands tall on below factors.


When a company partners with a cloud provider in an IaaS model, security becomes a shared responsibility. A company now is as reliant on its cloud provider as it is on its in-house IT group to provide security for company applications and data. Internal data and network security has to evolve to be consistent with the cloud provider’s service offerings.


What does that mean?


The enterprise must align their internal security policies to be consistent with cloud service providers as data is moved to the cloud.


Evaluate and understand any gaps in security between on-premise systems and the cloud environment(s) being used.
Implement procedures to ensure end users (and administrators) are not creating cloud deployments without approval from the IT department.
Embrace dev-ops (a collaborative relationship between software developers and the IT department) and rein in shadow IT by integrating cloud resources/applications into the life cycle management process.
Ensure compliance mandates are not being violated by the movement of regulated data to the cloud.

More and more businesses are nowadays moving to the online platform since the digital platform is no longer an option, rather it has become a necessity for almost every person out there. And you should know that it is not only about moving to the digital platform and using powerful websites for building online stores but it is also about embracing powerful technological solutions like cloud computing.

But you should know that everything out there has its own pros and cons and this doesn’t mean that you should stop using something just because it comes along with cons. Well, the same thing can be said about the very powerful public cloud applications and systems that have become almost a new normal for everyone out there.

Even if you are running a small or medium-sized business, there are maximum chances that you must be using a public cloud application or system but just using that system is not enough as you will also have to make sure that the public cloud system is safe from all the cyber attackers out there. Well, there are many things that you can do to keep your public cloud application safe and we have discussed some of those tips here.

Fit cloud like a glove in your firm

The public cloud is not a one-size-fits-all solution. Every business has its own unique needs, requirements, and goals. A transition to the public cloud, or a hybrid cloud solution, entails careful research, planning, execution, and regular review for a successful implementation.

Security is paramount to cloud adoption because, without proper security surrounding sensitive and/or regulated information, business continuity, financial loss, and company reputation are at stake. The cloud – public, private, or hybrid – offers many advantages to businesses of all sizes but needs to be done in a responsible and thoughtful manner.

Never miss the updates

Regular and routine updates to security architecture are vital with any cloud environment. In many ways, network security is a moving target and necessitates constant vigilance. This function could be performed by the third-party security provider or done in-house within the IT department. If an internal IT is unable to provide these services, consider enlisting a managed security service provider (MSSP) that has expertise in these areas for support.

Don’t miss the configuration

Configure the environment with security best practices in mind. For example, each AWS service has a public-facing set of application programming interfaces (APIs) that should be disabled if not in use. Many new AWS users may not be aware that Amazon Simple Storage Service is a public-facing service, exposing anything stored within the internet unless locked down by policy. On Azure, when establishing an initial VNet within a resource group, users should understand that all outbound ports are open by default, introducing potentially unwanted exposure.

Concentrate on data

Application developers should have a laser focus on data security because that's where most attacks occur, but don't let your applications give hackers a path to that data. Think of data security in the cloud as a series of levels:

The platform level. This is the operating system of the machine instance, including items such as data files. Inadequate protection of the platform is a fundamental flaw that most application developers fail to consider. They may protect access to the data but not the database itself, which is exposed in the platform. In order to deal with this vulnerability, make sure you encrypt the data. That way, if someone copies the data files, they'll be useless. While this is the best approach, it sometimes can cause performance problems, so many developers prefer not to use it. Always use this approach during cloud security and data protection.

Thanks for giving this solution I will protect my best smoker grill combo files and all things. Highly Appreciated.