Given a scenario, apply cybersecurity solutions to the cloud Flashcards
Cloud security controls
High availability across zones
Resource policies
Secrets management
Integration and auditing
Storage
Network
Compute
High availability across zones
CSPs divide the world into regions. Each region is independent of the others. The regions are divided into availability zones. The availability zones have independent data centers with their own power, cooling, and network connectivity. You can choose to host data, services, and VM instances in a particular region to provide a lower latency service to customers. Provisioning resources in multiple zones and regions can also improve performance and increase redundancy, but requires an adequate level of replication performance.
Resource policies
In the cloud, a resource policy acts as the ACL for an object. In a resource policy, permissions statements are typically written as JavaScript Object Notation (JSON) strings. Misconfiguration of these resource policies is a widely exploited attack vector.
Secrets management
A cloud service is highly vulnerable to remote access. A failure of credential management is likely to be exploited by malicious actors. You must enforce strong authentication policies to mitigate risks:
Do not use the root user for the CSP account for any day-to-day logon activity.
Require strong multifactor authentication (MFA) for interactive logons. Use conditional authentication to deny or warn of risky account activity.
Principals—user accounts, security groups, roles, and services—can interact with cloud services via CLIs and APIs. Such programmatic access is enabled by assigning a secret key to the account. Only the secret key (not the ordinary account credential) can be used for programmatic access. When a secret key is generated for an account, it must immediately be transferred to the host and kept securely on that host.
Integration and auditing
Cloud-based services must be integrated within regular security policies and procedures and audited for compliance. Where indicators of on-premises attacks are found in local application logs and network traffic, indicators of cloud-based attacks are found in API logs and metrics. The same correlation to suspicious IP address ranges and domains and suspicious code strings must be made, but the source of this data is the cloud service provider (CSP). Accessing this auditing information in real time may be difficult, depending on the cloud service type. There are many cloud-based SIEM solutions that can perform this collection, aggregation, and correlation of security data from both on-premises and cloud-based networks and instances.
Storage
Permissions
Encryption
Replication
High availability
Permissions
As with on-premises systems, cloud storage resources must be configured to allow reads and/or writes only from authorized endpoints.
Encryption
Cloud storage encryption equates to the on-premises concept of full disk encryption (FDE). The purpose is to minimize the risk of data loss via an insider or intruder attack on the CSP’s storage systems. Each storage unit is encrypted using an AES key. If an attacker were to physically access a data center and copy or remove a disk, the data on the disk would not be readable.
Replication
Automatically copying data between two processing systems either simultaneously on both systems (synchronous) or from a primary to a secondary location (asynchronous).
High availability
One of the benefits of the cloud is the potential for providing services that are resilient to failures at different levels, such as component, server, local network, site, data center, and wide area network. The CSP uses a virtualization layer to ensure that compute, storage, and network provision meet the availability criteria set out in its SLA. In terms of storage performance tiers, high availability (HA) refers to storage provisioned with a guarantee of 99.99% uptime or better. As with on-premises architecture, the CSP uses redundancy to make multiple disk controllers and storage devices available to a pool of storage resource. Data may be replicated between pools or groups, with each pool supported by separate hardware resources.
Network
Virtual networks
Public and private subnets
Segmentation
API inspection and integration
Virtual networks
Within the cloud, the CSP establishes a virtualization layer that abstracts the underlying physical network. This allows the CSP to operate a public cloud where the networking performed by each customer account is isolated from the others. In terms of customer-configured cloud networking, there are various contexts:
Networks by which the cloud consumer operates and manages the cloud systems.
Virtual networks established between VMs and containers within the cloud.
Virtual networks by which cloud services are published to guests or customers on the Internet.
Public and private subnets
Each subnet within a VPC can either be private or public. To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet. If a default route is not configured, the subnet remains private, even if an Internet gateway is attached to the VPC. Each instance in the subnet must also be configured with a public IP in its cloud profile. The Internet gateway performs 1:1 network address translation (NAT) to route Internet communications to and from the instance.
There are other ways to provision external connectivity for a subnet if it is not appropriate to make it public:
NAT gateway—this feature allows an instance to connect out to the Internet or to other AWS services, but does not allow connections initiated from the Internet.
VPN—there are various options for establishing connections to and between VPCs using virtual private networks (VPNs) at the software layer or using CSP-managed features.
Segmentation
API inspection and integration
The API is the means by which consumers interact with the cloud infrastructure, platform, or application. The consumer may use direct API calls, or may use a CSP-supplied web console as a graphical interface for the API. Monitoring API usage gives warning if the system is becoming overloaded (ensuring availability) and allows detection of unauthorized usage or attempted usage.
Number of requests—this basic load metric counts the number of requests per second or requests per minute. Depending on the service type, you might be able to establish baselines for typical usage and set thresholds for alerting on abnormal usage. An unexplained spike in API calls could be an indicator of a DDoS attack, for instance.
Latency—this is the time in milliseconds (ms) taken for the service to respond to an API call. This can be measured for specific services or as an aggregate value across all services. High latency usually means that compute resources are insufficient. The cause of this could be genuine load or DDoS, however.
Error rates—this measures the number of errors as a percentage of total calls, usually classifying error types under category headings. Errors may represent an overloaded system if the API is unresponsive, or a security issue, if the errors are authorization/access denied types.
Unauthorized and suspicious endpoints—connections to the API can be managed in the same sort of way as remote access. The client endpoint initiating the connection can be restricted using an ACL and the endpoint’s IP address monitored for geographic location.