Time
5 hours 49 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello, everybody, and welcome to the IoT Security course, episode number 29, IoT Cloud Security Controls. My name is Alejandro Guinea, and I'll be the instructor for today's session.
00:14
The learning objective of this session is to understand and be able to identify the main and basic IoT cloud security controls.
00:24
Well, given the cloud services that we have to date and the service providers that support IoT deployments, each cloud and endpoint stakeholder plays a really important role in securing the multiple transactions.
00:44
Basic controls such as authentication and encryption
00:47
through the cloud are supported by the cloud service provider, but you should carefully review this and consider your cloud service provider based on their offerings in other areas.
01:00
Let me try to help you decide on your cloud service provider, or even whether you actually need to go to the cloud,
01:11
because at the end, after this module, you might think twice about going to the cloud or not.
01:17
And to do that, let's check what security controls you should be requesting from cloud services. Well, the first one is the basic one: authentication and authorization. Well, basically, an identity management program or service
01:32
usually checks if your cloud service provider supports some aspects, like verifying administrator
01:38
authenticity and authentication for individual access in the cloud,
01:44
authenticating the users and the cloud application, authenticating the cloud application itself, authenticating devices on request,
01:56
two-factor authentication,
01:59
authenticating anything that connects to the server, whether it is a user, a device or a gateway. So anything that touches the network and your infrastructure will be authenticated against the cloud.
02:15
Some have a great deal with that. As I told you before, Amazon has something called IAM, which is identity and authentication management, and the services supported by the Amazon cloud. Amazon Cloud
02:30
has a multi-factor authentication platform and supports federated identity.
02:37
That's a huge deal, federated identity or federated authentication. It means that, let me give you an example, maybe you're at an airport and you're trying to buy a ticket, a plane ticket,
02:52
and then you go, with the same credentials, to another hotel page to actually book a room, or book anything in the hotel, with the same credentials. Federated authentication means that you're actually authenticated against other systems that are
03:10
not even owned by yourself, but by your partner or even by your customer. So that's a huge deal,
03:16
and Amazon does that really well.
03:20
Multi-factor authentication. Well, that's that. And, you know, user role and permission management. That's a really cool feature from Amazon. But Azure is not far behind. With Active Directory in the cloud, Azure will give you some
03:38
cool features like OAuth 2
03:40
and OpenID, which are based on XML, meaning that the integration of this identity management with other services is really smooth. So, yeah. Another important control, if you check, is the software or firmware update.
04:00
Does the cloud provider give you daily updates, or daily software updates? That is, in general, a good thing. But imagine how that affects your network performance. How often do you get the firmware?
04:17
And, you know, is the firmware passed through a QA environment?
04:21
Meaning that the cloud provider actually tested it really, really thoroughly.
04:29
Actually, is the update they send to you going to break your IoT communication?
04:36
That's another huge deal,
04:38
so, yeah, you should check what the provider is actually doing about that, and if it's actually fulfilling your needs.
04:46
On end-to-end security, you should consider some aspects, like ensuring that security is not lost in the gateway. For example, there are two types of communication: link encryption and end-to-end encryption.
05:02
Link encryption means that even the headers of the payload are encrypted, and they have to be decrypted and re-encrypted at every hop, in this case, for example, in the gateway.
05:16
And there's end-to-end encryption, where only the payload, the data, will be encrypted, but the header will be left in clear text.
05:25
It's easier for transportation, but, you know, it's not as secure as link encryption, so you should evaluate whether your cloud service providers can provide that security control, and whether they can actually provide both types of communication.
05:42
Also, secure configuration for your databases. You know, ACID,
05:49
which is atomicity, consistency, isolation and durability, is something they have to provide and they have to guarantee.
06:00
Integrity controls. What you have to do is,
06:05
um, ensure encrypted data, we'll really talk about that, for transactions and messages between the devices themselves being authenticated. That's something we'll review as well, and track every single transaction
06:24
to guarantee the privacy, security and safety of the controls.
06:29
The other control is the secure enrollment of the devices. I mean, they have to actually double check and triple check, if necessary, that the device or the user is who it says it is
06:42
and, you know, that the device is not a spoof,
06:46
because at the end, that's a really huge deal when dealing with, for example, medical devices.
06:51
And last, but not least important: clear SLAs, clear service level agreements. Folks, I cannot emphasize this enough. If you don't have a clear, clear, clear, clear service level agreement with your cloud provider,
07:11
this will definitely affect you
07:14
at the end. Most of the controls discussed depend on the IoT cloud service provider. For instance, we can't actually perform a pentest or even a vulnerability scan against the cloud providers. So in order to make sure that the controls are being met,
07:30
we should define a clear SLA, as I told you before, or even OLAs, operational level agreements.
07:38
And we need to add the penalties for non-compliance. And now this is the tricky part, because at the end the penalties would say, OK, let's say GDPR and PCI will give me a fine or penalty of $1 million. Of course, that will not be the case, but let's just assume that's the case.
07:57
I will lose $1,000,000. So that's what I'm charging my cloud service provider. But, you know, you'll also lose clients, and the image of your business will also be affected. So that's money you're not taking into consideration, and losing a client
08:16
and losing trust, meaning that the client doesn't trust your
08:20
your business, or the image of your business. That's a huge deal, and we're not putting that in the SLA's penalties. So you have to take into consideration every aspect when dealing with SLAs.
08:37
What does ACID stand for, and how is it useful to cloud security?
08:43
Well, it stands for atomicity, consistency, isolation and durability. And these are the four pillars of any database you should be using. So, yeah, your cloud service providers should be guaranteeing that they are actually following these rules.
09:01
What is federated authentication? Well, it's when you actually authenticate with another party's system. It could be your own system, located in a different infrastructure, or it could actually be a system furnished by your partners or your
09:20
clients, or even your providers.
09:22
Your users are authenticated with the same credentials to those systems.
09:30
If a new software update comes up, do you have to implement it or apply it right away? Well, this is a tricky question, because at the end it depends on the severity and on the impact this will have on the systems. For example, when WannaCry came out, people were not actually concerned with
09:50
passing that update through the QA environments; they were actually concerned with applying it right away, rather than passing it through the QA environment, due to the severity of the case.
10:07
Yeah. This is something you should, you have to have a policy in place for that.
10:15
In today's lecture, we discussed IoT cloud security controls.
10:22
And the Cloud Security Alliance, that's something you should definitely check. I mean, I put the name before, but I'm not putting the link, so you can actually go to the link and read every article you possibly can from these guys.
10:37
Looking forward to the next video, where we'll review the main concepts behind the IoT development life cycle.
10:45
Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Up Next

IoT Security

The IoT Security training course is designed to help IT professionals strengthen their knowledge about the Internet of Things (IoT) and the security platforms related to it. You’ll also be able to identify the security, privacy and safety concerns related to the implementation of an IoT infrastructure.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor