Securing Hardware and Compute in the Cloud
- Customers don't usually have direct access to hardware in the cloud
  - need to understand HSMs and TPMs
- Hardware Security Modules (HSMs)
  - used to generate, store, and manage cryptographic keys and to perform cryptographic operations
  - hold some of the most sensitive information in the environment
  - critical component to secure
  - Cloud providers may offer HSMs as a service or as a dedicated hardware device
    - the device is under the physical control of the CSP
    - redundancy and backups are critical
- Trusted Platform Module (TPM)
  - hardware device used to secure, store, and manage cryptographic keys
  - same concerns as for HSMs above (CSP physical control, redundancy, backups)
Securing Cloud Storage
- Use CSP built-in tools to configure securely
  - Amazon Trusted Advisor
  - Azure Advisor
- Least privilege
- Encryption of data at rest and in transit
- Block public access by default
- Ensure wildcard or broad access to storage buckets is not allowed
- Build secure default access control lists
- Versioning and replication for availability
- Monitoring, auditing, and alerting
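The storage controls above can be turned into an automated check. The following is an added example, not part of the original notes and not a CSP tool: it audits a bucket configuration dict (shaped like an AWS S3 bucket policy plus "Block Public Access", default-encryption and versioning flags) for wildcard principals, broad actions, wildcard resources, disabled public-access blocking, missing encryption at rest and disabled versioning. The account ID, role name and bucket name in the samples are constructed placeholders; the weak and hardened configurations are shown side by side.

```python
import json

# Public-access block settings, named after the AWS S3 "Block Public Access"
# options; the same idea applies to any CSP's object storage.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True if the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for vals in principal.values() for p in _as_list(vals))
    return False


def audit_policy(policy_doc):
    """Return findings for Allow statements that grant wildcard or broad access."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allows can over-grant
        if _principal_is_wildcard(stmt.get("Principal", {})) and not stmt.get("Condition"):
            findings.append(f"statement {i}: Allow to wildcard principal with no Condition")
        broad_actions = [a for a in _as_list(stmt.get("Action", []))
                         if a == "*" or a.endswith(":*")]
        if broad_actions:
            findings.append(f"statement {i}: broad actions {broad_actions}")
        if any(r == "*" for r in _as_list(stmt.get("Resource", []))):
            findings.append(f"statement {i}: wildcard Resource")
    return findings


def audit_bucket(config):
    """Audit one bucket's configuration dict against the controls in the notes."""
    findings = audit_policy(config.get("policy", {}))
    pab = config.get("public_access_block", {})
    disabled = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(k, False)]
    if disabled:
        findings.append(f"public access block not fully enabled: {disabled}")
    if not config.get("default_encryption"):
        findings.append("no default encryption at rest")
    if not config.get("versioning"):
        findings.append("versioning disabled")
    return findings


# Constructed samples: account ID, role and bucket names are placeholders.
APP_ROLE = "arn:aws:iam::123456789012:role/app"

WEAK_BUCKET = {
    "policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Effect": "Allow", "Principal": {"AWS": APP_ROLE}, "Action": "s3:*",
             "Resource": "*"},
        ],
    },
    "public_access_block": {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS},
    "default_encryption": False,
    "versioning": False,
}

HARDENED_BUCKET = {
    "policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::example-bucket/*"},
            # Deny any request that is not made over TLS: encryption in transit.
            {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::example-bucket",
                          "arn:aws:s3:::example-bucket/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    },
    "public_access_block": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
    "default_encryption": True,
    "versioning": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, json.dumps(audit_bucket(cfg), indent=2))
```

The weak configuration produces six findings (public read of objects, a role allowed `s3:*` on every resource, public-access block off, no encryption at rest, no versioning); the hardened one produces none. The Deny statement with `aws:SecureTransport` is the usual way to require TLS on a bucket and is deliberately skipped by the audit, since only Allow statements can over-grant.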