Lesson 15 Secure Cloud Solutions Flashcards
CASB
Could Access Security Brokers
Enterprise management SW used to mediate access to cloud services by users across all types of devices
controls how your users interact with the application (on the CSP) and how the application interacts with the user
Functions provided:
- enable single sign-on authentication, access controls, and authorizations
- scan for malware and rogue access points (APs)
- monitor and audit user and resource activity
- mitigate data exfiltration through prevention of access to unauthorized could services
- prevent unauthorized application and plugin updates
implemented using
- forward proxy at the client net edge (user config)
- reverse proxy at the cloud net edge (no user config)
- application programming interface (API) using connections between the cloud service and cloud consumer
Data Bias
a problem with Machine Learning in which attackers can skew data points to ‘teach’ bad things or trend bad things to the norm
Community cloud service
A community cloud service is shared by a group of similar organizations with similar needs
Example: a cloud service built to serve hospitals
MSSP
Managed Security Service Provider
A third party organization hired to manage another companies security
SWG - Secure Web Gateway
Secure Web Gateway
a class of products used to perform content filtering
an on premise SWG is a proxy-based firewall, content filter, and IDS/IPS system that mediates user access to internet sites and services
Security Groups
provides stateful inbound and outbound filtering at layer 4 transport layer
A security group is a set of firewall rules that control traffic for your instance
multiple instances (of a compute instances) can be assigned to the same security group
Cloud Deployment Models
Classifies how the service is owned and provisioned
- Public or multi-tenant
- Hosted Private
- Private
- Community
Can have a hybrid of these
Flexibility is key advantage of cloud computing but must watch for data risks
Public or Multi-tenant Deployment model
Using shared resources in the cloud
Multi-cloud is where you use services from multiple CSPs
Hosted Private Deployment model
a 3rd party hosted cloud deployment offering better level of performance at a cost
gives exclusive use
Private Deployment model
cloud infrastructure completely owned and operated by the organization
gives organization more control over privacy and security
geared toward banking and government services
can be on-site, better for performance and less likely to have outages
can be off-site if need to be shared between business units
Community Deployment model
Several organizations share the cost of the either hosted private or fully private cloud
Done to pool resources for a common concern
Cloud Service Models
Infrastructure as a Service (IaaS)
- CSP provides IT resources
Software as a Service (SaaS)
- CSP provides software applications
Platform as a Service (PasS)
- CSP provides a mix of IaaS and SaaS allowing for developers to create applications
- Includes a multi-tier database
XaaS Anything as a Service
Can provision almost anything in the cloud
Security concern is where the responsibility lie
Security in the cloud (you) vs security of the cloud (CSP)
Security as a Service
Depending on 3rd party support for security
3 tiers:
Consultants - use for big picture framework analysis and alignment or for specific product focused projects
Managed Security Services Provider (MSSP) - fully outsourced responsibility for information assurance
- expensive and requires great trust
Security as a Service (SECaaS) - typically means implementing a particular security control, such as virus scanning or SIEM-like functionality in the cloud
Virtualization
Installing and running multiple OSs on a single host computer
Requires three components:
- host hardware as the platform
- hypervisor or virtual machine monitor (VMM) to manage the vm environment and facilitates interaction with host hw and network
- Guest OSs, Virtual Machines (VM) or instances of operating systems under the virtual environment
Virtual platforms
Type 1 - Bare metal - the hypervisor is installed directly onto the computer and manages access to the host hw without going through a host OS
Type 2 - Guest OS system - the hypervisor is installed onto the host operating system
VDI and Thin Clients
Virtual Desktop Infrastructure (VDI)
- using a VM to provision corporate desktops
- allows for use of thin clients
Thin Client
- minimal OS to startup
- connects to VM stored on corporate infrastructure
- uses Remote Desktop protocol
- all work is done in the virtual desktop environment (VDE) is on the server side
Provides better data security, easier support, and can offload IT infrastructure to 3rd party
Failure of server and network can cause outage to the user, downtime is more costly in terms of lost productivity
App Virtualization
a more limited VDI
think Citrix
client access the application from the server or streams the app from the server for local processing
Used with HTML5 Remote Desktop apps and referred to as clientless as they are accessed via the web browser
Container Virtualization
Containers do away with the hypervisor
enforces resource separation at the OS level
Think Docker
supports micro services and serverless architecture
VM Escape Protection
VM Escape is malware running on a guest OS jumping to another guest or to the host
Attackers use timing of certain actions to determine if on VM
Attackers then compromise the hypervisor
This is a concern if another guest OS has the malware and the attackers can then gain access to your guest OS and make a copy of the your server image
Patching in a timely manner is key to preventing VM escape
Reduce the impact of VM escape by using effective service design and network placement when deploying VMs
Think Internet - firewall - web host - firewall - middleware/backend services - LAN
VM Sprawl
This happens when a system has many VMs which are not properly managed.
Users bring up a VM for just a minute to test something but never really destroy it.
These VMs then are undocumented and unpatched leaving them vulnerable to attacks. This increases the attack surface of the network.
Policies and procedures for tracking, securing, and when no longer used, destroying virtualized assets should be put in place and enforced
Also tightly control the VM image since they are easy targets for logic bombs or backdoors or any malicious code for insider threats.
XssS diagram from class
SaaS
client - Data
CSP - brings App, OS, HW
example - webmail
PaaS
client - Data and Apps
CSP - OS, HW
example - Azure Dev Platform
IaaS
client - Data Apps OS
CSP - HW
example - AWS
Cloud Security Controls
App Security and Identity and Access Management (IAM)
- similar to on-premise solutions
- enables the creation of user and user security groups plus role based management and policy
Secrets Management
Enforce strong authentication policy
- do not use root CSP user for day to day logon activity
- require strong MFA for interactive logons
- use conditional authentication to deny or warn of risky account activity
- keep programmatic secrets safe after generation put on host
Container Security (between containers)
Namespaces prevent one container from reading or writing processes in another
Control groups ensure one container cannot overwhelm others in a DoS type attack
API Inspection and Integration
API usage gives warning of system overload or allows for detection of unauthorized usage or attempted usage
- number of requests
- latency watch for high values as could be compute resources are insufficient or a DoS attack
- error rates watch for authentication/access denied type errors
- unauthorized and suspicious endpoints
Instance (VM & Container) Awareness - Security managed instances
Instances should be monitored to avoid sprawl
Should restrict rights to launch instances
Configure logging and monitoring to track usage
Could Storage security
Permissions & Resource Policies
- allow read/writes only from authorized endpoints
- like an ACL for an object
- can be an attack vector if misconfigured
- watch for wildcard entries for permissions and/or prinicpals (accounts) - breaks least privilege principle
Encryption
- in the Cloud this is equivalent to FDE for the on-premise system
- uses an AES key and must be available to the VM or container using the storage object
- keys are stored on the HSM in the cloud
- use encrypted protocols, HTTPS or IPSec
Cloud High Availability
CSPs use redundancy for this
- Replication to copy data to where it best utilized
- hot storage is lower retrieval rates
- cold storage is higher retrieval rates
- HA across Zones
- local replication, data is located in region you created the data
- regional replication, data is replicated across multiple data centers; safeguards data if a single data center goes offline
- geo-redundant storage (GRS), replicates data to a secondary region distant from primary regions to provide safeguards in the event of a disaster
VPCs
Virtual Private Clouds (VPCs) (like a VLAN in the cloud) is isolated from other CSP accounts and from other VPCs operating in the same account
- isolates the workload for each VPC
- a resource pool created in a public cloud
- common to create multiple application clouds
Public and Private Subnets
VPC can either be a public or private subnet
- defaults to private
- public must be configured within the VPC
- requires two things to be public/internet access
- connection to internet gateway
- internet gateway must be the VPCs default gateway
- requires two things to be public/internet access
Transit Gateway
A means of connecting multiple VPCs together
- similar to a router, a cloud ‘router’
- connects users to VPCs
- users connect using a VPN connection
VPC Endpoints
a means of publishing a service making it available to to other VPCs
- means the traffic is never exposed to the internet
- two types: gateway and interface
VPC Gateway Endpoint
configured as router to the service in the VPC’s route table
VPC Interface Endpoints
Allows private access to custom services
Cloud Firewall security
cloud firewalls filter traffic within and to and from the cloud and can be implemented several ways
- as sw running on an instance as a sort of host based firewall, similar to a stateful packet filtering or web app firewall with rulesets tuned to prevent malicious attacks
- as a service at the virtualization layer to filter the traffic between VPC subnets and instances, similar to a network firewall
Security Groups aws
An AWS implementation
provides a stateful inbound and outbound filtering at layer 4
- default security groups allows all traffic
- custom security group sets the ports and endpoints which are allowed for in/outbound traffic - only allowed traffic is permitted, all other traffic is dropped
Next-generation SWG
Next generation Secure Web Gateway (SWG) combines the functionality of a SWG with the data loss prevention (DLP) and a cloud access secure broker (CASB) providing a cloud-hosted platform for client access to websites and cloud apps
Supports secure access service edge (SSAE)
SOA vs microservices
Service Oriented Architecture (SOA) allows from a service to be built from other services
- loose coupling
Microservices should be capable of being developed, tested, and deployed independently
- highly decoupled
Orchestration
performing a sequence of automated tasks
- run in proper sequence
- consider dependencies
- provide credentials at each step
Service API
the means by which external entities interact with the service, calling the service with expected parameters and receiving the expected output
To test and create web APIs:
- SOAP (simple object access protocol) uses XML and is tightly specified
- REST (Representational State Transfer) uses a URL and is a looser framework than SOAP
Serverless Architecture (FaaS)
All architecture is hosted in the cloud
- different than VPCs
- services are developed as functions and microservices each interacting to facilitate a client request
- a request will spin up a container to run the code and then destroy the container
- also known as Function as a Service (FaaS)
- depends on event-driven orchestration to facilitate operations
- all underlying architecture is managed by the service provider
- security is then based on ensuring the client is not compromised when accessing the service
- guard against impersonation
IaC and Snowflake system
Infrastructure as Code is an approach to infrastructure management where automation and orchestration fully replaces manual configuration
A snowflake is a configuration or build that is different from any other
This lack of consistency or drift in the platform leads to security issues, unstable systems
The goal of IaC is to eliminate snowflake systems by ensuring idempotence
idempotenece is making the same call with the same parameters will produce the same result.
Cloud network functional model using planes
Cloud networks are complex containing many devices. A model is used to simplify the required functions found in a network
Control Plane
- makes decisions about how traffic is prioritized and secured, and where it should be switched
Data Plane
- handles the actual switching and routing of traffic and imposition of security access controls
Management Plane
- monitors traffic conditions and network status
SDN
Software Defined Networking (SDN) is an application used to define policy decisions on the control plane
NFV
Network Functions Virtualization is the architecture supporting rapid deployment of virtual networking general purpose VMs and containers
SDV
Software Defined Visibility (SDV) supports assessment and incident response functions
- gathers statistics from forwarding systems
- applies classifications to those systems
- detect network traffic that deviates from baseline levels
Fog computing
Address the need to prioritize sensor data for analysis
A fog node will perform aggregation of sensor data, analyzes and remediates alertable conditions and backhauls remaining data to the data center for storage and low priority analysis
Target of DoS and data exfoliation attacks
Edge computing
Edge devices are those that collect and depend on data for their operation
Edge gateways preform pre-processing of data to and from edge devices to enable prioritization.
- will forward the data for trending on to the fog node
- are targets of DoS and data exfoliation attacks
