Cloud Security

Time
9 hours 49 minutes
Difficulty
Beginner
CEU/CPE
10
Video Transcription
00:00
>> Now, in an earlier chapter, we talked about the Cloud, and we talked about the ideas of Software as a Service, Platform as a Service, and Infrastructure as a Service. But I did want to just enhance that discussion a little bit, and I have a chart here that lists out basically SaaS, PaaS, and IaaS, and it compares the various pros and cons, if you will, or let's say the various characteristics of each of these.
If you look at SaaS, SaaS is designed for end-users. I've got a bunch of end-users; here is Software as a Service for email applications or Webex or whatever that may be. The day-to-day users within my organization are the ones that are using the software tools that are out there, Office 365; those are my end-users. What I get as a service is the application, pretty straightforward with Software as a Service. Now, there are responsibilities that the Cloud service provider has, and those are generally indicated in service level agreements. When I get a service level agreement with Software as a Service, basically what they're committing to is me being able to access this application and the application having good performance, not a lot of wiggle room there. I mean, they give me the application, the application is what they provide to everybody, and I also have very minimal customization. If I go to access Office through the web as a service, I get Office as it is. What you'll find is as you move from SaaS to PaaS to IaaS, you'll have greater capabilities for customization.
Let's talk about PaaS now. PaaS, Platform as a Service, is a service for application developers. Now, for anybody who is testing from a purely certification point of view, I can just about assure you when you see PaaS in the sentence, think about application development, and vice versa, because that's one of the primary uses. You can go much, much deeper into Platform as a Service, but for Network Plus, we're going to keep it at that level. I'm developing an application; well, people need to be able to access my application, they need an environment for it to run, there needs to be a back-end database. Maybe for my work, I've created an application that's a scheduling utility, so you can come in and book an appointment with one of our physicians, maybe. You access that through the web; you go to our website. But where's that application actually running? We call that the runtime environment, and that's what the Cloud service provider is running there, giving us back a service in which to run the application. When you enter information about the appointment you'd like, that gets dumped into a back-end database that's also provided in Platform as a Service. Essentially, our developers develop the application, but with PaaS, we get the environment in which it runs, they guarantee us a high degree of availability, and I get a lot of customization as far as how the application is created. I build the application. You can make the app anything that you want it to be. You also can determine how many users can access the application, whether or not people have to authenticate; you just have a lot of control with the application itself.
Now, from there, we look at IaaS, which is Infrastructure as a Service. This really is the blank slate on which an administrator would build a network. With IaaS, you get a virtual machine, and that's pretty much it; you don't even get an operating system on the virtual machine. As a network admin, I spin up a virtual machine, decide to make that my server, install the operating system on that server, I can spin up other servers, I can configure a network environment, and I can configure virtual firewalls, virtual switches, I can route traffic from segment to segment. IaaS really takes everything that used to be on-premises and moves that equipment up into the Cloud. I'm given a blank slate with IaaS. What do I technically get? I get access to a physical system, I get virtualization, I get Cloud storage, and what we call the compute function. What that means is, in these virtual machines, I'm getting the capability to use them for the things that I would use compute resources for locally. I get processor utilization, I get memory, I get storage, and that's what we mean when we say the compute function.
Now, what does the Cloud service provider guarantee me? Ideally, they guarantee me a secure hypervisor, they guarantee me availability for my hardware. But other than that, they give me the capability to spin up hard drives or remove them from the environment, but they don't really provide anything above that. There's no software, there's no operating system; that's all up to the network admin. Now again, that gives me a lot of flexibility, a lot of freedom. I choose what operating systems to run, I choose how my network is designed and configured, absolutely. But that does also put a lot of responsibility on the network admin. Whereas if you go back to things like Software as a Service, everything being automatically configured for you, that's much easier. What ends up happening is you trade customization for more control, but if you have more control, there's more responsibility as well.
Now, when we talk about secure access to the Cloud, there are a few things just to elaborate on. Endpoint protection. Endpoint protection is always going to play a critical role in security. From the point when the end-user connects, whether they connect in from a smartphone or a laptop or some other device, that system should be locked down. That's a point of vulnerability, certainly for devices that come and go with end-users. These devices they may take home, they may use in coffee shops or whatever. So we have to harden those systems, remove unnecessary services, patch the system, make sure they're kept up to date and scanned for vulnerabilities. Same thing with the server that they'll be connecting to, and those devices on the Cloud, our file servers on the Cloud or our database servers or whatever, need to be protected in the same way.
Then on top of that, we have to add hypervisor security. There are rogue hypervisors, there are ways that hypervisors can be corrupted, so again, making sure we're patched and up-to-date, making sure that the Cloud service provider is keeping up with their due diligence, because that really goes to the Cloud service provider, their responsibility to make sure the hypervisor is secure. We also have to think about maybe connecting with firewalls or how traffic is filtered. This traffic moves from one host to the next. These are considerations for any network, not just for the Cloud, but certainly even if some of these services are outsourced to our Cloud services provider, our due diligence requires us to know how these pieces are coming together.
The next thing I want to talk about is Software as a Service and how we're going to incorporate identity and access management for the software tools that we're accessing through the Cloud. When I say identity and access management, we have two pieces there; we have identity management and we have access management. The first piece, with identity management, the idea here is, I have an entire organization of end-users, and let's say everybody in the company is going to need access to Office 365. Traditionally, what would happen is that users would create accounts at Office 365 with the account services for Office 365, and then every time that they'd go to access the software, they'd have to log in, and those login credentials would be sent across the Internet to the servers at Office 365. They'd have to provide their password, and if the passwords were correct, they'd be allowed access. But what I'd like to do is make that a little bit easier on my users, and I'd like to make it more secure. I don't like the idea of my 300 users sending usernames and passwords across the Internet five times a day; not a good idea. One of the things that I can do is set up a specific server called an identity provider. You may hear that referred to as an IdP.
>> What we want is the users that are going to be accessing these servers to have a separate database where those user accounts exist. We've got them in our internal network; they're on Active Directory or some other single sign-on server, usually Active Directory if you're in a Windows environment. But the thing is, I can't let Cloud service providers in to my Active Directory environment. That would be a tremendous vulnerability, to open that up to external servers. My internal LAN is locked down, but I need the same list of users that's on my Active Directory system. What I'm going to do is I'm going to use an interface to pull that information over to an identity provider, and then I'm going to open up that identity provider to all these different Software as a Service providers. If this doesn't make sense just yet, I think it will, so just bear with me. What I'm trying to do is take the same accounts that are in Active Directory and move them over to a more public environment. I'm not going to bring anything real sensitive over; I'm basically just going to have a list of who my users are, and that'll be able to pull information from Active Directory. Notice I have the arrow pointing right, meaning the identity provider pulls information from Active Directory, but nothing that happens in that area could go back and interfere with Active Directory. If that makes sense, it's a one-directional trust. The IdP can pull from LDAP or single sign-on, but not the other way around.
Now in my demilitarized zone, my DMZ, I have a server that has all the user accounts that are in my environment. Now of course, I could customize that and scale it back, but we're just going to bring everything over. What have I accomplished? Well, not a lot, just yet. Really all I've done is I have a list of users that I can make available to external resources. Now the next piece to this, what I want to do is configure what we refer to as a federated trust.
The problem has been, as you can see in the illustration, traditionally, the Software as a Service providers that I have listed up at the top, I've got Office 365, I've got Salesforce and Webex, and if you notice on the diagram, they each have little account databases, and just like I said, what used to happen is users in the LAN would authenticate against those account databases, sending their credentials across the network. What have I done now? I've created this IdP and I'm going to create a federated trust between Office 365 and Salesforce and Webex. That way, those different SaaS providers can get authentication from the identity provider as opposed to from the individual users.
What that's going to look like is I come in in the morning, now I log in to what my administrator has configured as a portal. Users don't need to know it's a portal. You can see it looks like what you see on the screen; it just asks me for my username and password. But that username and password is then sent to my identity provider and I'm authenticated. I claim to be Kelly Handrahan, I provided credentials, I'm Kelly Handrahan. That identity provider returns what we refer to as a SAML token, because SAML stands for Security Association Markup Language. It's a SAML token so that when I now go to access, through the portal, certain service providers, that SAML token is sent to the service providers and I no longer have to provide username and password for every one of the applications I access. I log in to a portal, I'm given a token every time I access an application from the dashboard. That's part of this setup and configuration. My token is used; I never get prompted to identify or authenticate. Throughout the workday, I access any one of these applications that would normally be something I authenticate to individually.
Now, we've taken the ideas of single sign-on that we see in domain environments, and because of these federated trust relationships, we now have single sign-on spread outside of our domain, throughout the web, and really the credit for that goes to SCIM, which stands for System for Cross-domain Identity Management. That's what pulls the applications from Active Directory over to the identity provider, and then SAML is the service that is going to create the tokens and allow the tokens to be exchanged. You may be familiar with OpenID Connect, which works very comparably to how SAML does. We have an OpenID provider, and they call their service providers relying parties, or RPs, but ultimately, it's the same idea with OpenID Connect that you get with SAML.
Let's talk a little bit about an API, an application programming interface. When we talk about this federated trust relationship and the ability of one server to communicate with another server and request, "send me your SAML token," what we have is these systems communicating with each other on a deeper level than the end-user sees. I don't know what's going on when my token is sent to the service provider. I don't see any of that, which is a beautiful thing. We want security, we want networking, we want all of this to be seamless to the user. We don't want our user bogged down with ideas like, well, how does the token get exchanged, and is it digitally signed, or is it this or that? We don't want them to see any of that. The way these applications communicate with each other is through application programming interfaces, APIs, and this is basically just a communication interface between apps; that is probably just a good definition of it. A communications interface between applications, and all of your web apps today communicate with each other. I go online to Orbitz and I'm looking for a flight. Well, Orbitz has to have an API to communicate with Delta and an API to communicate with American Airlines. All these servers today are talking to all these other servers through APIs. How my API is designed and how it functions is really important, and a poorly written API could introduce a huge security vulnerability.
The way I want you to think about an API is I want you to think about going to a coffee shop. I am a big fan of coffee. I like coffee a lot, so much so that I've become a coffee snob throughout the years. I don't know when that happened. As a matter of fact, if you had told me 10 years ago that I would be that person that goes to the coffee shop and orders a medium, half-caf, breve cappuccino, one shot of sugar-free vanilla, dry, I would have laughed at you. I never liked those people, but now I'm one of those people. That's how life works, by the way. I've got all these different things that I want in my coffee and a certain way I want my coffee made. It would be easier if I just walked into the coffee shop, walked right back to the kitchen and fixed my own coffee, because I can do it just right; I know exactly what I want. But one of the basic rules of security: keep untrusted entities away from resources you want to keep, because users will break your stuff. That's what it comes down to. Users will break your stuff. The solution is don't let users have access to your stuff.
If I were to show up at Starbucks and try to walk back to the kitchen, I can assure you someone would stop me, but ultimately, what I ordered needs to get to the kitchen. But I can't be trusted to make a well-formed transaction. Let's say I go to Starbucks. There is the barista that takes the information I provide and passes it along to the kitchen. The barista is just like that API. I say, "Hey, I'd like a large cup of..." and the barista stops me: "Not large, you mean grande, right?" Well, I mean large, but apparently I have to say grande, so she tells me my transaction wasn't formatted properly. All right, so I come back and say, "I'd like a grande cappuccino," and I tell her my order, and then when I'm done, I say, "And I'd also like a slice of pepperoni pizza." Well, the barista comes back to me and says, "We don't make pepperoni pizza here. Have you never been to Starbucks? You can have some yogurt. That's all you're getting." She keeps coming back to me if I'm requesting something that's not available. If I give her the wrong parameters, I can't say large, I have to say grande. It makes sure that what I'm requesting is a valid request, and so basically that API cleans up my request for the back-end kitchen and makes sure that the kitchen can understand what service needs to be provided, and anything that would exceed the valid parameters, the user would get an error message and have to resubmit.
APIs are really what gives us secure application-to-application computing, and secure APIs are what make these web applications work, because not every system can communicate, or natively communicates the proper way, with every other system. We can count on these APIs as being go-betweens between users or other applications and then back-end databases or services.