3.6 - Given a scenario, apply cybersecurity solutions to the cloud. Flashcards
Cloud security controls
Cloud-native security controls
– Integrated and supported by the cloud provider
– Many configuration options
– Security is part of the infrastructure
– No additional costs
High availability across zones
*
Availability zones (AZ)
– Isolated locations within a cloud region (geographical location)
– AZ commonly spans across multiple regions
– Each AZ has independent power, HVAC, and networking
*
Build applications to be highly available (HA)
– Run as active/standby or active/active
– Application recognizes an outage and moves to the other AZ
*
Use load balancers to provide seamless HA
– Users don’t experience any application issues
Resource policies
*
Identity and access management (IAM)
– Who gets access, what they get access to
*
Map job functions to roles
– Combine users into groups
*
Provide access to cloud resources
– Set granular policies - Group, IP address, date and time
*
Centralize user accounts, synchronize across all platforms
Secrets management
*
Cloud computing includes many secrets
– API keys, passwords, certificates
*
This can quickly become overwhelming
– Difficult to manage and protect
*
Authorize access to the secrets
– Limit access to the secret service
*
Manage an access control policy
– Limit users to only necessary secrets
*
Provide an audit trail
– Know exactly who accesses secrets and when
Integration and auditing
*
Integrate security across multiple platforms
– Different operating systems and applications
*
Consolidate log storage and reporting
– Cloud-based Security Information and Event
Management (SIEM)
*
Auditing - Validate the security controls
– Verify compliance with financial and user data
Storage
*
Data is on a public cloud
– But may not be public data
*
Access can be limited
– And protected
*
Data may be required in different geographical locations
– A backup is always required
*
Availability is always important
– Data is available as the cloud changes?
Permissions
*
A significant cloud storage concern
– One permission mistake can cause a data breach
– Accenture, Uber, US Department of Defense
*
Public access
– Should not usually be the default
*
Many different options
– Identity and Access Management (IAM)
– Bucket policies
– Globally blocking public access
– Don’t put data in the cloud unless it really
needs to be there
Encryption
*
Cloud data is more accessible than non-cloud data
– More access by more people
*
Server-side encryption
– Encrypt the data in the cloud
– Data is encrypted when stored on disk
*
Client-side encryption
– Data is already encrypted when it’s sent to the cloud
– Performed by the application
*
Key management is critical
Replication
*
Copy data from one place to another
– Real-time data duplication in multiple locations
*
Disaster recovery, high availability
– Plan for problems
– Maintain uptime if an outage occurs
– Hot site for disaster recovery
*
Data analysis
– Analytics, big data analysis
*
Backups
– Constant duplication of data
High availability
Availability zones (AZ)
– Isolated locations within a cloud region (geographical location)
– AZ commonly spans across multiple regions
– Each AZ has independent power, HVAC, and networking
Build applications to be highly available (HA)
– Run as active/standby or active/active
– Application recognizes an outage and moves to the other AZ
Use load balancers to provide seamless HA
– Users don’t experience any application issues
Virtual networks
*
A cloud contains virtual devices
– Servers, databases, storage devices
*
Virtual switches, virtual routers
– Build the network from the cloud console
– The same configurations as a physical device
*
The network changes with the rest of the infrastructure
– On-demand
– Rapid elasticity
Public and private subnets
Private cloud
– All internal IP addresses
– Connect to the private cloud over a VPN
– No access from the Internet
Public cloud
– External IP addresses
– Connect to the cloud from anywhere
Hybrid cloud
– Combine internal cloud resources with external
– May combine both public and private subnets
Segmentation
The cloud contains separate VPCs, containers,
and microservices
– Application segmentation is almost guaranteed
*
Separation is a security opportunity
– Data is separate from the application
– Add security systems between application
components
*
Virtualized security technologies
– Web Application Firewall (WAF)
– Next-Generation Firewall (NGFW)
*
Intrusion Prevention System (IPS)
API inspection and integration
Microservice architecture is the
underlying application engine
– A significant security concern
API calls can include risk
– Attempts to access critical data
– Geographic origin
– Unusual API calls
API monitoring
– View specific API queries
– Monitor incoming and outgoing data
Compute
Security groups
*
A firewall for compute instances
– Control inbound and outbound traffic flows
*
Layer 4 port number
– TCP or UDP port
*
Layer 3 address
– Individual addresses
– CIDR block notation
– IPv4 or IPv6
Dynamic resource allocation
*
Provision resources when they are needed
– Based on demand - Provisioned automatically
*
Scale up and down
– Allocate compute resources where and
when they are needed
– Rapid elasticity
– Pay for only what’s used
*
Ongoing monitoring
– If CPU utilization hits a particular threshold, provision
a new application instance
Instance awareness
*
Granular security controls
– Identify and manage very specific data flows
– Each instance of a data flow is different
*
Define and set policies
– Allow uploads to the corporate box.com file share
*
Corporate file shares can contain PII
*
Any department can upload to the
corporate file share
– Deny certain uploads to a personal box.com file share
*
Allow graphics files
*
Deny any spreadsheet
*
Deny files containing credit card numbers
*
Quarantine the file and send an alert
VPC endpoint
Virtual private cloud endpoint
Microservice architecture is the
VPC gateway endpoints
– Allow private cloud subnets to communicate to other
cloud services
*
Keep private resources private
– Internet connectivity not required
*
Add an endpoint to connect VPC resources
Container security
Containers have similar security concerns as any other
application deployment method
– Bugs, insufficient security controls, misconfigurations
*
Use container-specific operating systems
– A minimalist OS designed for containers
*
Group container types on the same host
– The same purpose, sensitivity, and threat posture
– Limit the scope of any intrusion
Solutions
*
Third-party solutions
– Support across multiple cloud providers
– Single pane of glass
– Extend policies outside the scope of the cloud provider
– More extensive reporting
CASB
Cloud access security broker
Clients are at work, data is in the cloud
– How do you keep everything secure?
– The organization already has well-defined
security policies
*
How do you make your security policies
work in the cloud?
– Integrate a CASB
– Implemented as client software, local security
appliances, or cloud-based security solutions
*
Visibility
– Determine what apps are in use
– Are they authorized to use the apps?
*
Compliance
– Are users complying with HIPAA? PCI?
*
Threat prevention
– Allow access by authorized users, prevent attacks
*
Data security
– Ensure that all data transfers are encrypted – Protect the transfer of PII with DLP
Chapple 314
Gibson 164
Weiss 128-129, 428-429
Application security
*
Secure cloud-based applications
– Complexity increases in the cloud
*
Application misconfigurations
– One of the most common security issues
– Especially cloud storage
*
Authorization and access
– Controls should be strong enough for access
from anywhere
*
API security - Attackers will try to exploit interfaces and APIs
SWG
Next-generation secure
web gateway
*
Protect users and devices
– Regardless of location and activity
*
Go beyond URLs and GET requests
– Examine the application API
– Dropbox for personal use or corporate use?
*
Examine JSON strings and API requests
– Allow or disallow certain activities
*
Instance-aware security
– A development instance is different than production
Firewall considerations in a cloud environment
Firewalls in the cloud
Control traffic flows in the cloud
– Inside the cloud and external flows
Cost
– Relatively inexpensive compared to appliances
– Virtual firewalls
– Host-based firewalls
Segmentation
– Between microservices, VMs, or VPCs
OSI layers
– Layer 4 (TCP/UDP), Layer 7 (Application)
Cost (Firewall considerations in a cloud environment)
– Relatively inexpensive compared to appliances
– Virtual firewalls
– Host-based firewalls
Need for segmentation (Firewall considerations in a cloud environment)
– Between microservices, VMs, or VPCs
OSI (Firewall considerations in a cloud environment)
Open Systems Interconnection layers
– Layer 4 (TCP/UDP), Layer 7 (Application)
Cloud native controls vs. third-party solutions
Cloud-native security controls
– Integrated and supported by the cloud provider
– Many configuration options
– Security is part of the infrastructure
– No additional costs
Third-party solutions
– Support across multiple cloud providers
– Single pane of glass
– Extend policies outside the scope of the cloud provider
– More extensive reporting
