Hybrid Cloud and Shared Responsibilities


Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
00:00
>> In this video, we'll learn about Hybrid Cloud Design and Bastion Networks. We'll also talk about how the shared responsibilities model applies to Cloud Network Security.

In Module 1 we looked at the Hybrid Cloud Model; this is the blend between the on-premise traditional data-center and either a public, private, or community Cloud. Looking at the diagram, imagine each of those blue boxes at the top is a different Cloud provider and you want to build a link into your data-center. The goal is to support arbitrary network addressing that seamlessly extends into the Cloud user network. If the Cloud networks and on-prem use the same IP address range, this won't work. At the same time, you don't want to create a flat network between the two environments.

Enter the Bastion or transit network approach. This approach provides a method to connect on-prem with Cloud networks through a dedicated Virtual Network. The different Cloud accounts come through the Bastion network and are directly peered with the data-center. You can deploy security tools for more extensive rule enforcement and monitoring of the traffic flow from on-prem to the Cloud, or even from one Cloud to the other Cloud. This is another application of network segmentation to limit the blast radius in case of a breach.

When implementing a hybrid Cloud, directly peering the Cloud and data center is a highly discouraged practice; you should only use this as a last resort. Keep in mind, a security chain is only as strong as its weakest link, so if you have the direct peering model and there's a laptop that gets compromised, that laptop could then begin scanning your local network and reach out into the Cloud network as well, and potentially compromise those resources too.

Before wrapping up our examination of network security in the Cloud, let's take a moment to summarize the key aspects of the consumer-provider shared responsibility model. The consumer is responsible for properly designing their virtual networks, applying strategies like segmenting, connecting the Bastion networks, and micro-segmentation. A good design is a great starting point, but the consumer is also responsible for implementing security controls within those virtual networks; this ensures that the design is realized. It's also important to secure the management plane. Keep in mind that the SDN and security roles are defined through management planes, so if somebody gets access to that management plane, they can throw your design and policies out the window and rebuild the network however they see fit.

But let's not forget about the provider's role in this: they need to secure the underlying network. This is ensuring tenant isolation, and it's critical to maintain segregation and isolation in a multi-tenant environment where you could have hostile tenants. The provider also needs to give security controls to the consumer; this allows them to secure the management plane and implement controls that work natively with the provider's SDN implementation. Finally, perimeter security to protect and minimize impact on workloads. This is a more traditional network security outlook to ensure that the network infrastructure, the infrastructure which the SDN runs on top of, isn't vulnerable to attacks from the outside world.

In this video, we talked about a way to more securely design your hybrid Cloud by incorporating Bastion networks. We also reviewed the shared responsibilities between provider and consumer when it comes to Cloud network security.
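The design constraints the video describes (no overlapping address ranges between on-prem and Cloud, no direct on-prem-to-Cloud peering, every account linked through the transit network) can be checked mechanically before a hybrid design is built. The following is an added example, not code from the course; the network names, CIDRs and peering list are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample design: one on-prem range, a transit (Bastion) VNet,
# and two Cloud accounts. "cloud-b" deliberately overlaps on-prem and is
# also peered straight to on-prem, so both findings below fire.
NETWORKS: Dict[str, str] = {
    "onprem": "10.0.0.0/16",
    "transit": "10.100.0.0/24",
    "cloud-a": "10.1.0.0/16",
    "cloud-b": "10.0.128.0/17",
}
PEERINGS: List[Tuple[str, str]] = [
    ("onprem", "transit"),
    ("cloud-a", "transit"),
    ("cloud-b", "transit"),
    ("cloud-b", "onprem"),
]


def overlapping_ranges(networks: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of networks whose CIDRs overlap; routing between them cannot work."""
    nets = {n: ipaddress.ip_network(c, strict=True) for n, c in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def direct_peerings(peerings: List[Tuple[str, str]], transit: str = "transit") -> List[Tuple[str, str]]:
    """Peerings that bypass the transit network, i.e. the flat-network pattern."""
    return [(a, b) for a, b in peerings if transit not in (a, b)]


def missing_transit_links(networks: Dict[str, str], peerings: List[Tuple[str, str]],
                          transit: str = "transit") -> List[str]:
    """Networks that have no peering with the transit network at all."""
    linked = {a if b == transit else b for a, b in peerings if transit in (a, b)}
    return sorted(n for n in networks if n != transit and n not in linked)


def review_design(networks: Dict[str, str], peerings: List[Tuple[str, str]]) -> List[str]:
    """Human-readable findings for the three checks above."""
    findings = [f"overlap: {a} and {b}" for a, b in overlapping_ranges(networks)]
    findings += [f"direct peering: {a} <-> {b}" for a, b in direct_peerings(peerings)]
    findings += [f"no transit link: {n}" for n in missing_transit_links(networks, peerings)]
    return findings


if __name__ == "__main__":
    for line in review_design(NETWORKS, PEERINGS):
        print(line)
```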