8.1 Introduction to Cloud Workload Security
- Cloud workloads are dynamic and diverse: Require adaptable, workload-specific security.
- New workload types: Serverless, FaaS, managed containers.
- Security controls: Use cloud-aware agents (EPP/EDR), avoid open inbound ports, centralise logs, scan images before deployment, use CWPPs for protection.
8.2 Securing Virtual Machines (VMs)
- Isolation: VMs provide strong isolation via hypervisors.
- Security practices:
  - Use secure, versioned, immutable base images
  - Patch management
  - Minimise attack surface (remove unnecessary components)
  - Least privilege access
  - Automate scanning, patching, reporting
  - Use IaC for configuration
  - Centralised monitoring/logging
  - Harden SSH, use host firewalls
  - Secure boot
  - Monitor hypervisors
- Image factories: Automate VM image creation for consistency and security.
- Image sources: Curate and maintain trusted components, version history, security checks.
- Vulnerability management lifecycle: Identification → Assessment → Mitigation/Reporting → Documentation.
- Snapshots:
  - Limit access, encrypt, review/delete unnecessary snapshots, monitor for unauthorised access.
8.3 Securing Containers
- Container image creation:
  - Use secure base images, immutable infrastructure
  - Store images in secure artifact repositories
- Container networking:
  - Network isolation at multiple levels (Kubernetes, Ingress Controllers)
  - Define network policies
- Orchestration & management:
  - Kubernetes (K8s) automates deployment, scaling, management
  - Shared responsibility varies by service model
- Orchestration security:
  - Use CSP tools, harden services, patch/update, enforce policies
  - Use CIS benchmarks, secure repositories, RBAC, image scanning/signing
  - Harden host OS, encrypt storage, segment networks, validate images
- Secure artifact repositories:
  - Enforce digital signatures, restrict access, scan for vulnerabilities, maintain audit trails, update regularly
- Runtime protection:
  - Real-time monitoring, logging/auditing, micro-segmentation, container firewalls, automated threat response.
8.4 Securing Serverless & FaaS
- Serverless: Developers deploy code without managing infrastructure; CSP handles scaling, maintenance.
- FaaS: Functions run in isolated, ephemeral containers/VMs, reducing attack surface.
- Security issues:
  - Third-party APIs/services
  - Vulnerable dependencies
  - Misconfigurations
  - Over-privileged IAM
  - Direct internet access
- IAM for serverless:
  - Least privilege, fine-grained access, context-aware authorisation
  - Use secrets management, rotate credentials, audit IAM policies
- Environment variables & secrets:
  - Use environment variables for sensitive data
  - Use cloud secrets managers (AWS Secrets Manager, Azure Key Vault)
  - Rotate secrets, control access via IAM roles
- Zero Trust: Continually verify trust, never assume.
8.5 Securing AI Workloads
- AI workloads: Require large data, compute, and specialised hardware (GPUs/TPUs); benefit from cloud scaling.
- Threat taxonomy:
  - Model manipulation
  - Data poisoning
  - Sensitive data disclosure
  - Model theft
  - Model failure/malfunction
  - Insecure supply chain
  - Insecure apps/plugins
  - Denial of Service (DoS)
  - Loss of governance/compliance
- Risk mitigation strategies:
  - Data security: Encryption, differential privacy, secure multi-party computation, confidential computing
  - Model security: Hardening, robust/adversarial training, watermarking, output manipulation
  - Infrastructure security: Hardware security features, firmware updates, network security, quotas/rate limiting
  - Supply chain security: Cybersecurity policies, audit/update dependencies, vet third-party services, use trusted sources
- Shared responsibility: AI security responsibilities are distributed among providers and consumers, similar to cloud computing
Flashcards: https://quizlet.com/in/1125654258/ccsk-domain-8-cloud-workload-security-flash-cards/?i=4jehw4&x=1jqt
