Data Protection

Time
19 hours 19 minutes
Difficulty
Intermediate
CEU/CPE
20
Video Transcription
00:00
>> Hey everybody and welcome back. In this lecture we're going to be talking about Data Protection, which is a topic that is going to basically be covering the security controls that are specific to the data that we're working with and storing in AWS. In this learning objective, we're going to be talking about encryption for AWS and some things you need to know about when you're building out your architecture, your environments in the Cloud.

To start off, we're going to talk about server-side encryption at rest. When we say at rest, this is the data that is not being used or moving, is not in transit; this is staying in an S3 bucket or in an EC2 instance EBS volume, something like that. It is stationary. This data is encrypted after being received by the server. If you're moving the data from, let's say, your on-premises environment to the Cloud, it's going to go to a server, even if it's not an EC2 instance. It's going to be going to some server, it could be some type of storage, but it's going to be received by a server. When that happens, it's going to be encrypted. The data is going to be decrypted before being sent. It stays there and it's going to be encrypted. This is just default. This is just how it is in the Cloud.

For all you people who have always wondered is the Cloud secure, yes, it is secure. Now there are some times when it's not secure, like when you leave an S3 bucket public. In that case, it's not being encrypted. But you literally have to forget to do that because it's always going to be private unless you purposely turn it on to the public. Fact of the matter there, make sure you're auditing your S3 buckets and you're shutting off public access when you need to.

It's going to be decrypted before it's going to be sent anywhere else. The data is going to be stored in an encrypted form. We just said that. It's going to be secured until it's unencrypted for use, and it's going to meet your confidentiality concerns. We talked about the CIA triad: confidentiality, integrity and availability, confidentiality being the first one. This is going to meet that concern, that principle. That's something that we want to make sure that we're always doing.

Here are some options. We have client-side encryption. This data is going to be encrypted by the client, and then it's going to be decrypted by the receiving clients. You have your clients, maybe it's like on-premises or something like that, then you're going to be encrypting it, sending it over the wire, sending it over the Internet, and then you're going to be decrypting it on the receiving end. On the other side it's going to have the public key, I'm just throwing out an example, it could have the public key and it's going to go ahead and unencrypt the encryption there. It has what it needs in order to decrypt. The server should not be able to decrypt the data. Just keep that in mind. It's only going to be the client.

We have AWS KMS. This is the Key Management Service. This is a service that is offered by AWS. This is very commonly used for encryption within AWS and it's very easy to control the encryption of your data and the management of your keys. You can plug and play with IAM very nicely as one would suspect; all AWS services play very nicely with each other, with other AWS services. You're always going to have that to your benefit. It can leverage the CLI and the SDK. If you're building software or if you're writing a script, you can definitely leverage KMS, and you're not going to have to write the hard tokens to the code. You can just leverage the KMS string and you can use that to pass through.

AWS Secrets Manager is another really cool solution. Now I've used this personally on other Cloud environments. Secrets Manager is just like any type of secrets keeper. It's going to be keeping the passwords, the storing of sensitive tokens and keys and passwords and all that stuff, and it's going to be storing it in a centralized repository, where you have to authenticate and you have to have the access to permissions in order to receive access to secrets. You can manage this at administrative levels, so you can definitely hand out permissions to your developers, but only within their appropriate means of their job role, and you can definitely leverage this service, there's a newer service, but you can definitely leverage the service for all different types of development projects, infrastructure projects, whatever it is you want to do. You can perform things like forced rotation, which is something that is very important because a lot of compliance standards, they like that, they actually require that, so being able to leverage Secrets Manager is definitely a benefit. You can automate the generation of secrets, you can integrate it with databases, relational databases and RDS, and you can encrypt the secrets with KMS. Like I said, AWS services play nicely with one another.

CloudHSM. This is AWS-provisioned encryption hardware. It's an HSM, but it's being provisioned by AWS, and you can dedicate your hardware for security tokens. You can definitely leverage this to manage the tokens for your organization, you can manage your keys, and this is FIPS 140-2 Level 3 compliant, tamper resistant. Now, you have to make sure that this is going to work for whatever regulated environment. I remember a project that I was working on in Big 4 consulting where we wanted to leverage CloudHSM for a FedRAMP High; I'd have to check to see if it is today, but at the time it was not. We weren't able to leverage this, we had to go with a third-party solution. That's a very unique situation, first of all, but it is definitely compliant with a lot of other regulatory bodies and it's a very good service. Lots of really good reviews on this one.

That about wraps up this lecture on Encryption and Data Security in the Cloud. In this discussion we covered all different types of encryption options, we talked about SSM, we talked about KMS, Secrets Manager and CloudHSM. Hopefully this makes sense. If you feel like you need to dive a little deeper, I would encourage you to take a look at the documentation, but also feel free to reach out to me too. I'm happy to dive deeper into this with you, either on my YouTube channel, or maybe over a conversation or something like that. Be sure to spark up a conversation and we can chat more about it. That wraps up this lecture. Let's go ahead and move on to the next one where we're going to be concluding this module and closing out this course.