1.16 General Security Requirements

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

9 hours 48 minutes
Video Transcription
Okay, We're gonna move on and talk about some security requirements, and some of these requirements are gonna be specific to the cloud. And some of them are just going to be universal requirements. With security, we're gonna focus on the ones most generic at first, and then we'll kind of zero in more on cloud specifics.
So, uh, when we're looking at these particular ideas, we've got to talk about the network itself.
Now there's gotta be a pathway set of devices across which data travels very states of data itself, that it rest or in transit
cryptography. And that's a huge topic. We're not going down that road, but just a couple of ideas with crypto, we need to talk about things like key management and protecting our information.
Then we had access control, and that's going to be regulating what a subject can do with an object. So what a user can do with the file, what process can access how we regulate that? Uh, then, of course, we have to secure a virtualized environment.
And then, you know, there are other, like I said, more generic threats towards the
towards that, um, network security. So on the network. We've got a first of all, make sure that our network devices air physically secured door locks, security at the facility. Monitoring temperature, monitoring, keeping, you know your device is somewhere around 70 degrees.
Ah, humidity, not too high, because then you'll have compensation. Not too low. You get static electricity.
This really isn't the type of test that says, should you keep your data center at 64 degrees or 63 degrees, that they're not gonna get to that degree. But understanding that heating and cooling is a big part of savings that comes with infrastructures of service, right? All this equipment cost a lot of money. As a matter of fact,
I was reading an article that was talking about how
the standard for data centers many data centers are cooling to a lower degree than they had previously by, like, two or three degrees.
They're letting it be warmer by three degrees in their data centers because they've done some calculations and determine that it's actually cheaper just to replace components at that level. That it is with the heating and air conditioning bills, essentially the power bills.
So it's always that balance right Is it just cheaper for me to buy a new one and put it in or keep it cool to preserve it. Gotta make there's good decisions because there are a lot of costs associated with feeding.
Um, the technical controls of the networks. That's physical security. Technical controls of the network were about the wire. What about the cable align itself? Is that physically secure? Well, probably not
possibly. Maybe. Who knows? Maybe not at every point of the communication. It off the pennants, right? I mean, you know, his wife, I secure, uh, they're pieces of it that could be made secure, but that's we understand that, you know, with cloud security, I don't get to see
every aspect of that link. So we've got to think about links security from one point to the next.
All right, well, I can't see the link. What about my protocols?
If I were to ask you in General, would you say that, um, in the technology technology Rome, Would you say that we tend to be proactive and build security into products? Or do we tend to be reactive
and add? Security is an afterthought.
I'm gonna give you a hint. The answer is the last one.
We tend to be very reactive. We have a lot of protocols. A lot of service is a lot of applications that focus all the effort and energy on secure, not on secure button function on performance on a high performing system that does A, B, C and D, And that's all great.
But we've gotta We gotta build security into that product where it won't be secure. So most of our protocols I P H, g, p s and T P protocols are secure, so we have to add security on top.
All right. Application layer surfaces again. Things like D N s d h cp. There's not a whole lot of security built in Now we can install extensions that enhance the security, like with the N s second. We'll talk about that later. But again, most far, problems come from the fact that we don't design products securely.
We designed products, do a function.
And then later we go, uh, we should have secured that thing.
Yes, we should have.
All right, So technical controls the network perimeter. What provides what's on the boundary between one secure zone to the next. You know firewalls generally and and then even from a more conceptual idea, What part's mine in what part isn't,
you know, used to be very clear demarcation lines right
up to this point I own from this point forward is the telcos responsibility or my service providers? Well, a lot of that's getting more and more blurred. You can't just say Once it leaves my building, it becomes about service providers responsibility right? And it
puts the importance of well written service level agreement that much more to the forefront. We've got to make sure that we understand our responsibilities because they're no longer clearly drawn like they used to be.
Up Next
Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.

Instructed By