Some Key Security Patterns that can be implemented within Cloud platforms are below covering keys, encryption and data protection. Patterns are simply a method of solving a common problem. They are reusable templates you will adjust to the project demands. They are fundamental to IT deployment. A Pattern book (security, applications, infrastructure, integration, testing, compound patterns, etc); is a reusable, scalable IP artefact that every IT professional within Cloud needs to develop. A good set of templates can be found at: http://cloudpatterns.org/design_patterns. Pattern books by Thomas Erl are worth buying and referencing. There are dozens are security patterns that we can use. Some common ones are listed below.
Cloud Key Management
| Pattern Name | Description |
| PAT-CKM | Managing Private/Public Encryption Keys |
| Solving Issues | While encryption is foundational to cloud security, the management of encryption keys is one of the most difficult challenges in cloud computing. Failure to adequately manage encryption keys can lead to a range of administrative and security problems. |
| Explanation of pattern / Resolution in the cloud | A cloud key management system is employed, available either as a physical or virtual network attached device. This pattern can be combined with Cryptographic Key Management System, Hardware Security Module patterns to create a compound pattern. |
| Implementation | A cryptographic key management system (CKMS), optionally using a hardware security module (HSM) for key protection, consisting of systems, personnel and policies is implemented to manage keys for encryption of all required data for both on-premise and cloud resources |
| Structure |  |
| Benefits | Azure is IaaS and PaaS – not SaaS, note the ideal model if want only to consume the data. Stable, HA, console based management. |
| Notes | It is recommended that firms mandate no Shadow IT and force end-users to migrate their own Access DBs or other Shadow IT into Sharepoint |
Cryptographic Key Management
| Pattern Name | Description |
| PAT-CKM | Key management compliance with regulatory audits |
| Solving Issues | Service components within a Cloud system need to have keys to render secure access. The problem is managing the keys in compliance with regulatory policies. |
| Explanation of pattern / Resolution in the cloud | The cryptographic key management system (CKMS) consists of policies, procedures, components and devices that are used to protect, manage, and distribute cryptographic keys and certain specific information, called metadata. A CKMS includes all devices or sub-systems that can access an unencrypted key or its metadata. Encrypted keys and their cryptographically protected metadata can be handled by computers and transmitted through communications systems and stored in media that are not considered to be part of a CKMS.. |
| Implementation | A cryptographic key management system (CKMS), optionally using a hardware security module (HSM) for key protection, consisting of systems, personnel and policies is implemented to manage keys for encryption of all required data for both on-premise and cloud resources |
| Structure | 
CKMS managing the organization’s keys. Many industry regulations require organizations to control their own keys, which can be done on-premise or from a trusted third-party service. It shows the requirement for multiple administrators to accomplish management tasks requiring multiple split keys to perform a cryptographic operation. |
| Benefits | Keys are locked down. |
| Notes | HSM is an AWS implementation (3rd party products available as well) |
Federated Cloud Authentication
| Pattern Name | Description | ||
| PAT-FCA | Federated certificate implementation to avoid CRL failure | ||
| Solving Issues | If the certificate revocation list (CRL) corresponding to a cloud consumer’s certificate is unavailable, either from communication or public key infrastructure (PKI) failure, cloud service providers are unable to authenticate submitted certificate credentials. | ||
| Explanation of pattern / Resolution in the cloud | Federated authentication allows cloud services to authenticate cloud consumers incorporating a certificate status checking responder on the local area network (LAN), which supports authentication independently when the CRL for a given organization is unavailable due to failure. | ||
| Implementation | A local certificate validation service (CVS) is implemented to check the revocation status of submitted certificates from multiple organizations. | ||
| Structure | 
The component as a cloud service consumer sends the required certificate to an authentication service to be authenticated (1). The authentication service sends a request to the CVS that includes the issuer and serial number of the certificate (2). The CVS compares the serial number with the associated issuer’s CRL to determine if the certificate is revoked (3). The CVS signs a response indicating if the certificate is good, revoked, or unknown (4). The CVS also checks to see if the CRL is valid. If the CRL is stale and the CVS cannot retrieve a current one, the CVS can be configured to send an alert to a cloud resource administrator (5). |
||
| Benefits | With the implementation of a CVS, the availability problems associated with an expired CRL are mitigated. | ||
Secure Cloud Interfaces and APIs
| Pattern Name | Description | |
| PAT-SCI-API | Securing APIs against unauthorised access | |
| Solving Issues | On-premise and cloud-based resource interfaces and APIs are, by default, vulnerable to attacks through a number of vectors and methods. | |
| Explanation of pattern / Resolution in the cloud | A cloud identity and access management (IAM) system is instituted to differentiate intruders from legitimate consumers.
Application: An authentication gateway service (AGS) and an IAM system are implemented to identify and authenticate legitimate consumers and grant them access, while denying access to intruders. |
|
| Implementation | Mechanisms: Authentication Gateway Service, Identity and Access Management | |
| Structure |  |
|
| Benefits | The AGS authenticates cloud consumers for access to APIs. | |
| Notes | ||
Encryption of Data at Rest
| Pattern Name | Description | ||
| PAT-EDR | Encrypting Data at Rest | ||
| Solving Issues | Data stored in a cloud environment requires security against access to the physical hard disks forming the cloud storage device. | ||
| Explanation of pattern / Resolution in the cloud | Secure data on the physical hard disks in order to prevent unauthorized access. | ||
| Implementation | An encryption mechanism supported by the physical storage arrays can be used to automatically encrypt data stored on the disks and decrypt data leaving the disks. | ||
| Structure | 
Data can be secured on physical disks by encrypting the data as it enters the physical storage array and decrypting data as it leaves the physical hard disks. |
||
| Benefits | NIST compliant | ||
| Notes | EBS volumes need to be encrypted by default | ||
Data Breach
| Pattern Name | Description |
| PAT-EDB | Protecting Enterprise Data from a breach |
| Solving Issues | Unprotected data is vulnerable to a wide variety of breaches by attackers that can have significant consequences on the cloud architecture security and/or the organization’s business itself. |
| Explanation of pattern / Resolution in the cloud | A system is established that provides encryption of sensitive data so that if it is lost, it is not readable by an attacker. Encryption, governance and policies are merged. |
| Implementation | Using validated encryption and governance that meets enterprise security assurance levels, data at rest is encrypted. Key management, encryption, asset config inventory, and data inventory automation. |
| Structure | 
The use of enterprise encryption for sensitive data. |
| Benefits | Enterprise protection |
| Notes | Would use IAM, volume encryption, HTTPS, TLS
Related to Encryption |