3.9 Risk Assessment and Analysis in the Cloud

Video Transcription
General cloud service risks.

Can they meet our requirements? Well, again, don't assume on this exam we're always talking about an Amazon cloud service or Microsoft or any of these large players. All we're talking about is what's specified by the cloud. Remember, there's five requirements from NIST, so basically the cloud service provider could be much smaller scale. Maybe if we have a very specific need, we might be using a smaller cloud service provider. We might be hosting our own data in the cloud, right? So don't just go and say, well, of course Amazon has enough servers to throw at it. Yeah, they probably do. But that's not all we're looking at. So can they meet our requirements?

Specifically, things like scalability: can we grow? Do they have that capability, the elasticity, that we may need? Do they provide appropriate service level agreements? Protection for security? What are our requirements, and does the CSP meet them?

Uh, you know, how can they adapt to changes? Technical controls are moved over to the cloud service provider. That, to me, is a risk. Right? Any time you take things out of my direct protection, where I can hold them and I can look at them and I can monitor them, and you hand our resources over to someone else, to me that's a risk. Many people say, well, you know, you're reducing your risk. Maybe, but I like things in my direct control. When I turn the management and protection over to someone else, there are certainly risks associated with that. Anybody that's ever worked with a contractor, outsourced anything, you know you don't eliminate risk by outsourcing. Sometimes your risk increases.
Now, with accessing resources across the cloud, this isn't necessarily just cloud-based risk, but, you know, a lot of these are relevant to cloud service providers. So we talked about, with software-defined networking, separating out the management plane, because the idea is if the management plane is compromised and traffic can be rerouted, traffic can be compromised. You know, that management aspect: once we don't have protection of the management elements of our network, our network is no longer secure. If we turn over management credentials, or if someone's able to determine management credentials, they can reconfigure whatever they want, right? That's one big benefit of keeping that management plane off the network and further protected behind an interface.

Resource exhaustion is always gonna be a risk for anything you put on the network, particularly because of denial of service attacks. Denial of service attacks have been around as long as the Internet has, and actually as long as servers have been around. They'll continue, you know, to increase; we'll continue to see those.
So with those types of attacks, the real key is to have redundancy, but not just redundancy of servers. Redundancy of DNS. We saw a huge hit prior to the election in 2016: several major Internet players were taken offline. I believe it was Amazon and Facebook, don't quote me on that. Each of those major Internet players were taken offline, and what the attackers did is they attacked the DNS servers, not the individual company servers. So they didn't launch an attack on Facebook or Amazon or Twitter. The company that was attacked was called Dyn, D-Y-N, and they provided name resolution.

You take DNS down, you control the world, right? Nobody knows the IP address of Amazon. And trust me, if anybody should, it would be me, because I love some Amazon. I shop on Amazon. What we need, boom, here, Amazon: please put toothpaste on my doorstep by 8 a.m. tomorrow. Boom, I've got toothpaste. Any service that keeps me out of the grocery store, that's awesome.

I don't know the IP address of Amazon. I would weep if I had to get up and I needed toothpaste one day and couldn't reach them. You know what? I wouldn't cry for long, because I'd go to Walmart and I'd order it and have it delivered. You know, it's estimated that for every hour Amazon's offline, they lose millions of dollars, and I don't doubt that at all. Right? There's so many places we can go to buy resources. So denial of service attacks still continue to be the type of attack that really hits organizations where it counts, in the pocketbook, and usually that's the purpose for most of them. If you hear of hacktivism, taking a server down for political purposes to make a point, whatever, that's what that particular attack was rumored to be about.
Traffic analysis: maybe sniffing the network. That's certainly traffic analysis, but in addition to sniffing out traffic, the other thing I may want to do is just watch where traffic is going. Because if I see a whole lot of traffic going to a particular server at 8 a.m., I might say, oh, that's a domain server, or oh, that's a DNS server, or this, that or the other. So any type of analysis of traffic will lead to having more information. You know, it'll help an attacker gain information.

Manipulation, interception of data. Protect your networks, right? Don't allow data to go across the network in plain text. Use hashing for your files to make sure that they haven't been modified.

From the cloud, isolation failures: that's generally due to a compromise of the hypervisor or improperly configured settings.

Insecure or incomplete data deletion. Yeah, that's an issue, because traditionally we've been able to do things like zero out a disk. Well, once your data is in the cloud and you decide to remove your data, who's to say, you know, that you're gonna be able to physically destroy that disk? So earlier we talked about crypto shredding, back in Chapter One, and that's encrypting your information with a strong, publicly known algorithm and destroying the key.
Controlling conflicts between stakeholders. Man, that is not a cloud-specific risk, is it? That is a risk with life. Forget IT. I have a hard time keeping my stakeholders happy in my life: spouse, kids, employers. So that's nothing unique to the cloud.

So from a cloud service provider's perspective, they have a lot of different customers, a lot of different stakeholders, that they're satisfying. They have internal stakeholders. We have internal stakeholders: our employees, our customers, our members. So the more stakeholders you have, the more potential there is for conflict. Everybody wants something, and rarely is it the same thing.

Ah, software risks. Well, again, it really depends on what "as a service" you're using. But all software has an inherent risk of being poorly written, poorly tested, poorly updated, poorly patched. So we have to look at the software we're using.

And then again, on the next slide, some of these are just non-cloud-specific. They're just universal, and anything that applies to having information protected, particularly information that exists on a network, all of those risks carry over to the cloud, and many of them are amplified because of the nature of sharing across this massive cloud environment.
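Crypto shredding, as the instructor describes it (encrypt under a strong, publicly known algorithm, then destroy the key), worked through in Go as an added example that is not code from the course: AES-256-GCM from the standard library, with the per-object data key held by the data owner rather than the provider. The `Seal`, `Open` and `Shred` names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal makes a fresh 256-bit data key and encrypts plaintext with AES-256-GCM.
// The blob (nonce||ciphertext) goes to the provider's disks; the key stays with us.
func Seal(plaintext []byte) (key, blob []byte, err error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	return key, gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a stored blob. After Shred the zeroed key fails GCM's tag check,
// so the provider's copy of the data yields nothing, not even garbage plaintext.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("cannot open blob: bad key or truncated blob")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// Shred overwrites the only copy of the key in place. This is the "delete" step of
// crypto shredding: the disk is never wiped, yet the data is gone for everyone.
func Shred(key []byte) {
	for i := range key {
		key[i] = 0
	}
}
```

The same pattern scales to a provider's storage: keep the wrapping keys in your own KMS, and revoking a tenant's data becomes a key deletion rather than a physical disk wipe you cannot verify.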
Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.