3.6 Cloud Cybersecurity Solutions Flashcards
• Availability zones (AZ)
– Isolated locations within a cloud region (geographical location)
– AZ commonly spans across multiple regions
– Each AZ has independent power, HVAC, and networking
• Build applications to be highly available (HA)
– Run as active/standby or active/active
– Application recognizes an outage and moves to the other AZ
• Use load balancers to provide seamless HA
– Users don’t experience any application issues
HA across zones
• Identity and access management (IAM)
– Who gets access, what they get access to
• Map job functions to roles
– Combine users into groups
• Provide access to cloud resources
– Set granular policies - Group, IP address, date and time
• Centralize user accounts, synchronize across all platforms
Resource policies
• Cloud computing includes many secrets
– API keys, passwords, certificates
• This can quickly become overwhelming
– Difficult to manage and protect
• Authorize access to the secrets
– Limit access to the secret service
• Manage an access control policy
– Limit users to only necessary secrets
• Provide an audit trail
– Know exactly who accesses secrets and when
Secrets management
• Integrate security across multiple platforms
– Different operating systems and applications
• Consolidate log storage and reporting
– Cloud-based Security Information and Event Management (SIEM)
• Auditing - Validate the security controls
– Verify compliance with financial and user data
Integration and auditing
• Data is on a public cloud
– But may not be public data
• Access can be limited
– And protected
• Data may be required in different geographical locations
– A backup is always required
• Availability is always important
– Is data available as the cloud changes?
Cloud storage
• A significant cloud storage concern
– One permission mistake can cause a data breach
– Accenture, Uber, US Department of Defense
• Public access
– Should not usually be the default
• Many different options
– Identity and Access Management (IAM)
– Bucket policies
– Globally blocking public access
– Don’t put data in the cloud unless it really needs to be there
Permissions
• Cloud data is more accessible than non-cloud data
– More access by more people
• Server-side encryption
– Encrypt the data in the cloud
– Data is encrypted when stored on disk
• Client-side encryption
– Data is already encrypted when it’s sent to the cloud
– Performed by the application
• Key management is critical
Encryption
• Copy data from one place to another
– Real-time data duplication in multiple locations
• Disaster recovery, high availability
– Plan for problems
– Maintain uptime if an outage occurs
– Hot site for disaster recovery
• Data analysis
– Analytics, big data analysis
• Backups
– Constant duplication of data
Replication
• Connect cloud components
– Connectivity within the cloud
– Connectivity from outside the cloud
• Users communicate to the cloud
– From the public Internet
– Over a VPN tunnel
• Cloud devices communicate between each other
– Cloud-based network
– East/west and north/south communication
– No external traffic flows
Cloud Networks
• A cloud contains virtual devices
– Servers, databases, storage devices
• Virtual switches, virtual routers
– Build the network from the cloud console
– The same configurations as a physical device
• The network changes with the rest of the infrastructure
– On-demand
– Rapid elasticity
Virtual networks
• Private cloud
– All internal IP addresses
– Connect to the private cloud over a VPN
– No access from the Internet
• Public cloud
– External IP addresses
– Connect to the cloud from anywhere
• Hybrid cloud
– Combine internal cloud resources with external
– May combine both public and private subnets
Public and private subnets
• The cloud contains separate VPCs, containers, and microservices
– Application segmentation is almost guaranteed
• Separation is a security opportunity
– Data is separate from the application
– Add security systems between application components
• Virtualized security technologies
– Web Application Firewall (WAF)
– Next-Generation Firewall (NGFW)
– Intrusion Prevention System (IPS)
Segmentation
• Microservice architecture is the underlying application engine
– A significant security concern
• API calls can include risk
– Attempts to access critical data
– Geographic origin
– Unusual API calls
• API monitoring
– View specific API queries
– Monitor incoming and outgoing data
API inspection and integration
• The IaaS component for the cloud computing environment
– Amazon Elastic Compute Cloud (EC2)
– Google Compute Engine (GCE)
– Microsoft Azure Virtual Machines
• Manage computing resources
– Launch a VM or container
– Allocate additional resources
– Disable/remove a VM or container
Compute cloud instances
• A firewall for compute instances
– Control inbound and outbound traffic flows
• Layer 4 port number
– TCP or UDP port
• Layer 3 address
– Individual addresses
– CIDR block notation
– IPv4 or IPv6
Security groups
• Provision resources when they are needed
– Based on demand
– Provisioned automatically
• Scale up and down
– Allocate compute resources where and when they are needed
– Rapid elasticity
– Pay for only what’s used
• Ongoing monitoring
– If CPU utilization hits a particular threshold, provision a new application instance
Dynamic resource allocation
• Granular security controls
– Identify and manage very specific data flows
– Each instance of a data flow is different
• Define and set policies
– Allow uploads to the corporate box.com file share
• Corporate file shares can contain PII
• Any department can upload to the corporate file share
– Deny certain uploads to a personal box.com file share
• Allow graphics files
• Deny any spreadsheet
• Deny files containing credit card numbers
• Quarantine the file and send an alert
Instance awareness
• VPC gateway endpoints
– Allow private cloud subnets to communicate to other cloud services
• Keep private resources private
– Internet connectivity not required
• Add an endpoint to connect VPC resources
Virtual private cloud endpoints
• Containers have similar security concerns as any other application deployment method
– Bugs, insufficient security controls, misconfigurations
• Use container-specific operating systems
– A minimalist OS designed for containers
• Group container types on the same host
– The same purpose, sensitivity, and threat posture
– Limit the scope of any intrusion
Container security
• Clients are at work, data is in the cloud
– How do you keep everything secure?
– The organization already has well-defined security policies
• How do you make your security policies work in the cloud?
– Integrate a CASB
– Implemented as client software, local security appliances, or cloud-based security solutions
• Visibility
– Determine what apps are in use
– Are they authorized to use the apps?
• Compliance
– Are users complying with HIPAA? PCI?
• Threat prevention
– Allow access by authorized users, prevent attacks
• Data security
– Ensure that all data transfers are encrypted
– Protect the transfer of PII with DLP
Cloud access security broker (CASB)
• Secure cloud-based applications
– Complexity increases in the cloud
• Application misconfigurations
– One of the most common security issues
– Especially cloud storage
• Authorization and access
– Controls should be strong enough for access from anywhere
• API security
– Attackers will try to exploit interfaces and APIs
Application security
• Protect users and devices
– Regardless of location and activity
• Go beyond URLs and GET requests
– Examine the application API
– Dropbox for personal use or corporate use?
• Examine JSON strings and API requests
– Allow or disallow certain activities
• Instance-aware security
– A development instance is different from production
Next-Gen Secure Web Gateway (SWG)
• Control traffic flows in the cloud
– Inside the cloud and external flows
• Cost
– Relatively inexpensive compared to appliances
– Virtual firewalls
– Host-based firewalls
• Segmentation
– Between microservices, VMs, or VPCs
• OSI layers
– Layer 4 (TCP/UDP), Layer 7 (Application)
Firewalls in the cloud
• Cloud-native security controls
– Integrated and supported by the cloud provider
– Many configuration options
– Security is part of the infrastructure
– No additional costs
• Third-party solutions
– Support across multiple cloud providers
– Single pane of glass
– Extend policies outside the scope of the cloud provider
– More extensive reporting
Security controls