Cloud Workload Security

Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:00
>> In this video, we will cover Cloud workload security and its impacts on compute, security controls, monitoring and logging, as well as vulnerability assessments.
We've covered the different categories of Cloud compute, and it's become clear that tenants share compute nodes and the provider must maintain some form of isolation. This is often done using hypervisors, so that the same physical machine can host different virtual machines from different tenants without them accessing each other's memory. Some providers give you the option to dedicate physical machines which will run your specific virtual machines and therefore not be co-tenant with anybody else. But generally, you have minimal control over where your workload physically executes within the data center.
The new approach of running workloads in the Cloud brings many benefits, and it also impacts traditional security controls. The traditional method of endpoint security, having agents on machines that do things like run antivirus checking, or some centralized configuration management or monitoring capability, isn't well suited for workloads running in serverless, container, or platform-based modes. In many situations, it will just not be feasible to install agents because of the performance problems and low-level incompatibilities. Even on virtual machines, agent management must support a high rate of node change. Again, the servers are cattle that are being cycled frequently. They're coming on and off, and they need to register and unregister from any centralized mechanism that these agents are reporting into. Finally, the agent should not increase the attack surface by having to do things like expose extra ports.
Consider the micro-segmentation philosophy we discussed earlier. It's really about making sure we manage the network traffic closely. Every open port increases the attack surface, and we want to keep this to an absolute minimum.
When we look at monitoring and logging in the Cloud, keep in mind that an IP address is not a good identifier. Other unique identifiers should be used. Many Cloud-native monitoring systems help realize the concept of observability. This is where an application is designed with health and performance monitoring top of mind. The ephemeral nature of the Cloud requires offloading logs: you just don't know how long the server or the container will be around. Logging architectures may not work in the Cloud topology. We talked about agents and some of their shortcomings in the Cloud. The mindset of a centralized security information and event management (SIEM) system is not going to work well the more distributed you get across different regions within the Cloud. SIEM vendors may have an answer for deploying their solution in the Cloud, but you'll need to make the judgment call on whether it's adopting Cloud-native mindsets or is just a lift and shift. Beware of the points we talked about for virtual appliances: scalability, failover, and bottlenecks.
Then there are vulnerability assessments. These are tests to determine whether there's a potential vulnerability. It's very similar to a pen test, but there, not only are you identifying the vulnerabilities, you also try to exploit them. When you try to perform a vulnerability assessment on a Cloud provider, to them it's not clear whether you're just doing a vulnerability assessment or if you're doing a pen test. And for that matter, they don't know if you're a good guy or a bad guy. These assessments will often be limited by the provider. It's very important that you let the provider know, that you inform the provider that you're going to be doing a vulnerability assessment before you actually do it, because it may set off a lot of legitimate alarms as the provider thinks you're trying to hack them. The default-deny nature of Cloud networks also limits the effectiveness of external testing. Hopefully your teams aren't overriding the default deny-all with a higher-priority allow-all type rule, because with so many ports and traffic routes locked down, this testing process itself will be very constrained. In the grander scheme of things, this is good news, but if somebody does open up network ports or allows additional paths to be included, that can really expose a lot of vulnerabilities that your assessment overlooked. That's where putting your focus and energy on assessing the server images is going to improve things.
When reviewing the immutable workload pipeline, you may recall that we add security testing integrated with the actual creation of the server images. This is a great example of having the vulnerability assessments focused on the images, instead of working at the Cloud provider and examining the system in a black-box manner. These concepts change a little bit when you're dealing with PaaS and SaaS scenarios. In the same way you'll tell your IaaS provider when you're about to do a vulnerability assessment, you want to do that also for your PaaS and SaaS providers. An open line of communication is invaluable when performing vulnerability assessments.
In this video, we talked about Cloud workload security, its impact on compute, risk controls, monitoring, logging, as well as vulnerability assessments.