4.1 Other Enterprise Security Areas Part 1

00:00

and welcome to the episode on clout, security and cybersecurity. Architectural fundamentals.

00:09

In this session,

00:10

I'll cover the basics of cloud.

00:13

What is the shed responsibility model

00:16

and cover some tools and consideration for clout. Security.

00:21

This session is by no means an in depth study and clout security,

00:26

but more to highlight that different considerations you have in the cloud environment versus traditional on premise environment.

00:37

Now to begin, I just want to emphasize that cloud security is not just a technology play. You also need to consider your processes, controls and policy around the usage off the cloud environment.

00:52

We also need to pay attention to things like configuration off the security and how you do logging. Almost all major breach off cloud environment was due to human error or or configuration in the cloud environment,

01:10

and most investigations are hampered due to poor logging.

01:17

It's cloud computing. It's not a new concept,

01:21

but it's only in recent times that the use have picked up very rapidly.

01:26

This model, which I'm showing which is then this cloud Computing Security Reference Architecture was first published in 2013

01:36

and the focus was on. How would you categorize different aspects off the clock security model.

01:44

This is by no means the only way to view clout security.

01:48

When we talk about clout, we usually refer to one off three ways. That the cloud issues software as a service

01:57

platform. It's a service or infrastructure as a service

02:01

in this session, my topics are fairly general and could be applied to all tree usage off the club.

02:09

Do search around the cost catalog to look for more in depth sessions on the various topics that catch your interests.

02:17

Now let's talk a little bit about the shed responsibility model

02:23

that's the club is managed by a clock provider. There are some things that they are responsible for

02:30

and some things you are responsible for.

02:32

No, if you look at this diagram

02:37

the bottom layer, which contains the physical infrastructure, network infrastructure

02:43

and virtual ization platform. These are the responsibility off the crop provider.

02:50

This is what we term security off the cloud.

02:53

It is the cloud environment which you would hold your application or data

03:00

on top off this you. It holds your application and data, and you would be responsible for your network configuration,

03:09

identity and excess management. All your systems and platform configuration, including the data security standards, which is set, which is your encryption standards, your key management, et cetera.

03:23

This is term security in the club.

03:29

Obviously, this is a very simplistic view

03:31

off the situation.

03:34

Armed is using this to illustrate that it takes both parties to secure the public cloud environment

03:43

in a private cloud. It will be a different team, which is your internal clock team, which would be responsible for the lower stack.

03:53

There are a few common issues with today's clout. Security situation.

03:59

Firstly,

04:00

as there is no real standard off clout environment,

04:04

most off the security stack is still very vendor specific in many aspects.

04:12

You also have a lack of control off the technology.

04:16

Some vendors have partnerships with different club providers that gives them different level of service than what you might expect as a direct customer. On your premise environment,

04:30

Miss Configuration Off systems, for example, your authorization, your authentication, your excess rights and so on are still the number one issue in a cloud environment today,

04:42

and commercial contracts are not easy to fit into a security model.

04:48

For example, if you have a need to do investigation off a breach. Do make sure that you have access to what you need to do in your contracts,

05:00

because by default, many club providers do not give access to death locks off the stack that they're responsible for.

05:10

It is good to brief the legal or procurement person on what you would need in terms, off investigation or in terms of excess of certain locks. When negotiation contracts

05:24

in terms of threats to the clout, I look at it in two ways. Thea application tracks and the data trends and the application treads. Some of the more common ones are

05:33

having insecure or untested AP eyes

05:39

supply chain weakness. For example, The Spectra and meltdown situation with Intel processes

05:45

all the set of libraries available in a past environment.

05:50

D does both ways, either as a target. Aw, your club environment use as a sauce off Adidas attack.

06:00

Similarly, for AP tease, many cloud applications have been hijacked To serve

06:08

S a P T platform. Do take care off the security off your applications.

06:14

In terms of data, data leak is usually the biggest concern for most organizations

06:20

in the shed platform environment. We have to be very careful off data contamination across different accounts or across different users,

06:32

and unauthorized access to the data is also a major concern.

06:40

Some awful things to do to ensure that you have a good clout security process

06:46

is to, firstly work out your instant response process with the clock vendor.

06:51

What are the shed responsibilities and what? Ah, the objects you need to perform investigation all incident response.

07:01

Next, do check and recheck all configurations off your cloud environment

07:08

and share. You have a make a checker process and a good workflow. That person is authorized to make the change

07:15

as the cloud environment. It's accessible, true many different areas. Please make use of multi factor authentication, especially for all your privilege uses

07:28

in terms off disaster recovery. Do check with the club provider. While it's the process, you have to fit in your own company's disaster recovery to fit what the club providers can provide

07:42

and lastly, do consider the use off a cat's be a cloth access security broker.

07:48

This helps simplify

07:50

your policy management across various club providers and also says providers

07:57

most cast me today are implemented. That's a smart proxy

08:01

where you can filter and control the traffic to and from your cloud environment.

08:07

It is an increasingly popular tool to manage clout security.

08:13

I would also like to promote this chart created by Adrian and Morris and post it on his Lincoln account.

08:22

Please follow the link and get a copy off this to see the details. It showcase all the different security controls and what is available natively from each off the major clock vendors from AWS Toe Azure, Google, Arkle, IBM and Ali Clough.

08:43

This chart is extremely useful when deciding what tools to use for different controls within your cloud environment.

08:52

Other things to consider

08:54

this lot frequency em timeliness.

08:58

This is especially important. For example, if you're using AWS cloudtrail to do audit locks, you bear in mind that it is not really time, and that could be a delay of up to five for 15 minutes and some instance. Consider how you would do privilege was a management,

09:16

which you use a PM solution.

09:20

Oh, which you do your own control recording for certain route users like your uses.

09:26

Be very careful how you manage your secrets and keys like you're a P I excess keys or your encryption keys

09:35

do consider the use of a hitch, sm to manage him off these instances on the cloud

09:41

to wrap up.

09:43

In today's brief lecture, we discuss the basics of clout,

09:48

shared responsibility, model What is security in the cloud and what its security off the cloud and lastly, some twos and consideration for you in terms of managing your clout. Security.

10:03

Here are some good publications you can read. One is the nous cloud computing standards, and the other is from the Clot Security Alliance on the Our guidance for critical areas of Focus in cloud Computing. Both our recently been updated and service a very good reference sauce

10:22

for designing

10:24

your clock security.

10:26

In the next session, I'll cover a few more. Advance into price security areas like mobile security and data center security if you have to time. I look forward to seeing you in the next session.