M10: Cloud, AI and IoT security Flashcards
What is Cloud Computing?
M10: Cloud, AI and IoT security
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
NIST definition
What motivates Cloud Computing?
- Efficiency,
- Scalability,
- Agility,
- Resilience
What are the key techniques in creating a cloud?
Abstraction and orchestration.
Essential Characteristics
Shared resources
* Broad Network Access,
* Rapid Elasticity,
* Measured Service,
* On-Demand Self-Service
Service Models
Sometimes referred to as SPI tiers
* SaaS - Software as a Service
* PaaS - Platform as a Service
* IaaS - Infrastructure as a Service
Often providers don't fall neatly into any one category
Deployment Models
- Public
- Private
- Hybrid
- Community
Simple Reference Architecture
SaaS built on PaaS, built on IaaS
IaaS
Physical facilities and hardware, pooled using abstraction and orchestration. APIs allow remote management of resources and delivery to consumers.
PaaS
A difficult-to-define middle layer between Infrastructure and Software. It provides abstraction from the underlying infrastructure. Additionally, software can be deployed here without worrying about the underlying complexities.
SaaS
Software as a Service. Full, multitenant applications are exposed here through APIs or web browsers. The applications are built and maintained by the provider, and consumers consume them.
Logical Model
Consists of 4 different layered structures
* Infrastructure - Hardware components
* Metastructure - Middleware
* Infostructure - Data
* Applistructure - Applications
Key Difference between Cloud and Traditional Computing
Metastructure. In cloud the Metastructure layer also includes a management plane, which allows remote access and configuration of the infrastructure.
Virtual and physical layers in cloud
In cloud computing each layer often has two separate layers. The infrastructure layer thus has both an actual infrastructure on which the cloud is running, and a virtual layer exposed to the consumers.
Shared Responsibility Model
As cloud computing is a shared resource, security becomes a shared responsibility.
SaaS security responsibility
Provider (higher) - responsible for almost all security. Perimeter, Logging, Monitoring and Auditing.
Consumer (lower) - Authorization and Entitlements
PaaS security responsibilities
Provider (equal) - responsible for the platform security.
Consumer (equal) - responsible for all they implement
IaaS security responsibilities
Provider (lower) - is responsible for foundational security
Consumer (Higher) - is responsible for everything they build.
Most important security consideration
Exactly who is responsible for what in any given cloud project.
Shared responsibility correlates to two recommendations
Providers must clearly document their security controls and security features.
Consumers must build a responsibility matrix to document who is implementing which controls and how.
High-level process for Managing cloud security
- Identify necessary security and compliance requirements and existing controls
- Select cloud provider, service and deployment model
- Define Architecture
- Assess security controls
- Identify control gaps
- Design and implement controls to fill gaps
- Manage changes over time
Important to do this on a per-provider basis
What are the CSA recommendations?
- Understand differences between cloud and traditional computing, and the impact of virtualization, abstraction and automation on security
- Become familiar with the NIST and CSA
- Cloud providers should clearly document security controls and features.
- Assess and document cloud project security, compliance, controls and responsibilities
- Use a cloud security process model to select providers, design architectures, identify control gaps and implement security and compliance controls
Cloud computing impacts 4 areas
- Governance - how the org is run
- Enterprise risk management - the overall risk management of the org
- Information risk management - the overall management of risk to information
- Information security - the tools and practices used to manage the information risks.
Impact on governance and management
Impacts include
* Governance can never be outsourced
* Cloud provider is (yet) another third party
* Cloud provider is often rigid in their contractual offerings, by necessity.
Managed with
* Contracts
* Provider Assessments
* Compliance Reporting
* Audits
Enterprise Risk Management
Overall risk management for the org; cannot be outsourced.
Risk management is based on a shared risk model.
Relies on good contracts and documentation. Can delve into technical details.
What is Risk Tolerance?
The amount of risk that leadership and/or stakeholders are willing to accept.
Impact of SaaS on security
Relies heavily on the contracts and on the provider's ability to deliver.
Impact of PaaS on security
Less reliance on provider, more on consumer. Providers usually have little room for negotiation in contracts.
Impact of PaaS on security
Much the same security considerations as for a normal data center, with the added complexity of shared resources and the Management Plane
Impact of Public Deployment
Shared resources.
Consumer has greatly reduced ability to govern operations.
Impact of Private Deployment
A private cloud can still be managed by a third party, and while you no longer have a shared resource, you still have a third party to negotiate with.
Impact of Hybrid Deployment
Since hybrid cloud environments span two or more deployment models, both models must be considered.
Impact of Community Deployment
It is not public, but does involve negotiating with the community to reach consensus.
Cloud Risk Management Trade-Offs
- Less physical control over assets and their controls and processes.
- Greater reliance on contracts, audits and assessments
- Increased requirement for proactive management of relationships and adherence.
- Cloud customer has reduced need to manage risks that Provider accepts.
- Outsources management of some risks, but none of the accountability.
What are the LLM categories?
Large Language Model
- Customer/Product LLM
- Company LLM
- Consumer LLM
What is a primary consumer concern?
Sharing of proprietary data with the cloud
What are 3 common AI security issues?
- Attacks on AI
- Theft of AI
- Errors
What is a simple model of IaaS, PaaS, SaaS?
- IaaS - Ops without hardware
- PaaS - Devs without ops
- SaaS - Business without devs
Cloud security tips and tricks
- Design for failure
- Paranoid Architecture
- Update and roll out new instances
- Encryption at rest
What are the legal implications of Cloud Computing?
It is your responsibility to pick a supplier who delivers the necessary level of safety, security and procedures. It is your responsibility to check that they honor this agreement.
- Data must remain in EU or be compliant
- Use of encryption
- Limit the supplier's access to data
- Registered rights
What defines IoT?
- Millions of devices
- Multiple communication protocols
- Simple, cheap (sensors, meters)
- Fast, expensive (cars, homes)
- Smart Cities, Industry 4.0, Smart Agriculture