Domain 8 Knowledge Recap

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:01
>> This module was everything virtualization.
00:01
It began reviewing the major virtualization
00:01
categories those being compute,
00:01
network, and storage.
00:01
We then reviewed virtual compute security.
00:01
There's roles and responsibilities of
00:01
the cloud provider versus the cloud user.
00:01
For example, making sure you take advantage of the
00:01
security controls that a cloud provider gives you,
00:01
leveraging lease privileged security settings to
00:01
determine who can create virtual resources,
00:01
who can log into virtual resources,
00:01
who can delete virtual resources, and so forth.
00:01
We then moved into virtual network security,
00:01
reviewing, monitoring and filtering.
00:01
Reviewing monitoring and filtering,
00:01
and how that's really different in
00:01
the cloud and continue to also
00:01
examine their roles and
00:01
responsibilities of cloud provider versus cloud user.
00:01
We discovered virtual storage security
00:01
talked about storage area networks,
00:01
network-attached storage,
00:01
and other aspects of storage virtualization.
00:01
We wrapped it up going over container security,
00:01
talking about the system components
00:01
of a container ecosystem,
00:01
the container engine, the
00:01
image repository, orchestrator,
00:01
and schedulers type software as well
00:01
as security basics for containers.
00:01
Let us commence ceremonies of
00:01
the end module recap quiz which are
00:01
responsibilities of the cloud provider
00:01
to ensure compute is secure,
00:01
hardened hypervisors and update
00:01
them with security patches.
00:01
Determine which workloads should be
00:01
hosted on dedicated hardware.
00:01
Ensure hypervisors isolate virtual workloads.
00:01
Add necessary technical controls
00:01
to make sure volatile memory of
00:01
workloads cannot be accessed by
00:01
any process other than the workload owner.
00:01
There are multiple correct answers on
00:01
this one starting with A very important,
00:01
to add hypervisors that's something
00:01
you rely on the cloud provider to do.
00:01
Determine which workloads should
00:01
be hosted on dedicated hardware.
00:01
That's a decision that the cloud user needs to make.
00:01
Cloud provider is not in a good position
00:01
to examine your specific workloads
00:01
and determine which ones are
00:01
secure and need that extra degree of isolation.
00:01
You're going to pay more for this.
00:01
But there are definitely circumstances when you want
00:01
to have the hardware dedicated
00:01
and really get those assurances that there are
00:01
no other workloads from
00:01
other tenants running on that same hardware.
00:01
Moving on ensure hypervisors isolated virtual workloads.
00:01
Yes, very important.
00:01
Isolation is just a key thing for cloud providers,
00:01
keep that in mind. Tenant isolation.
00:01
It's almost the Number 1 security priority,
00:01
and D add technical controls
00:01
to make sure volatile memory of
00:01
a workload cannot be accessed by
00:01
any process other than workload owner.
00:01
Yes, that is true as well.
00:01
I'm continuing with the questions,
00:01
what key security tactics should you
00:01
apply to container orchestration software?
00:01
Apply RBAC to accounts
00:01
that administer and manage the platform.
00:01
Ensure secrets are securely distributed to containers.
00:01
Group workloads of similar security contexts
00:01
in the same hosts and nodes.
00:01
Secure management plane using MFA.
00:01
Starting with A,
00:01
applying role-based access control to accounts.
00:01
Yes, you want to do this.
00:01
Just because somebody has an account,
00:01
doesn't mean they should be able to do everything.
00:01
Certain accounts should be used to deploy containers.
00:01
Certain accounts to expand nodes,
00:01
certain accounts to do
00:01
all those other administrative things.
00:01
Same principles of least privilege apply to
00:01
the accounts that are administering
00:01
your cloud orchestration platform.
00:01
You also want to ensure secrets are
00:01
securely distributed to containers.
00:01
Depending on the orchestrating platform you use,
00:01
there are different strategies to do this,
00:01
but it is important grouping workloads
00:01
of similar security contexts.
00:01
Do want them to run on the same nodes,
00:01
which is another word of saying, hosts?
00:01
In this ECSK, they won't use the term nodes.
00:01
This is something that I use because
00:01
we were examining Kubernetes.
00:01
The Kubernetes world, those hosts that the containers are
00:01
running on are called and referred to as nodes.
00:01
Last but not least, securing the management plane.
00:01
Don't forget Tesla, don't be a Tesla.
00:01
Make sure your management plane is secure.
00:01
Definitely, change the default passwords
00:01
and if possible, implement MFA.
00:01
We are on a roll. Let's go for another one.
00:01
cloud storage pools are usually
00:01
implemented by which technology?
00:01
SAN, NAS, Kubernetes,
00:01
NFS, or HashiCorp Vault? The answer is A.
00:01
Storage area networks is one of
00:01
the most common ways of implementing
00:01
storage in a cloud provider,
00:01
there are a lot of proprietary ways.
00:01
Network-attached storage does get used,
00:01
but it is not the usual,
00:01
and that's the key decision making.
00:01
Kubernetes is a container orchestration.
00:01
NFS, Network File System.
00:01
That's a way to remotely access and as from a Linux box,
00:01
NSF is the protocol.
00:01
HashiCorp Vault, I actually did
00:01
a different training on
00:01
Vault and went really deep into that product.
00:01
It's great for secrets management,
00:01
and can also be very helpful to tie it into Kubernetes.
00:01
It provides ways to send certificates,
00:01
passwords, and so forth to
00:01
your containers in a very secure manner.
00:01
That wraps it up for this domain on virtualization.
00:01
Look forward to seeing you in the next.
Up Next