Infrastructure as a Service (IaaS) Risks

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> Now that we've covered the core elements
00:00
of Infrastructure as a Service,
00:00
let's discuss the specific risks
00:00
to consider when using Infrastructure as a Service.
00:00
In this lesson, we're going to cover
00:00
the common threats to Infrastructure as a Service,
00:00
and talk about how we identify and address these risks.
00:00
Now, I want to go over
00:00
a few definitions before we go any further.
00:00
A threat in this context is anything that can
00:00
cause damage or disruption to a cloud-based system.
00:00
A vulnerability is a weakness
00:00
that could be exploited by a threat,
00:00
and a risk is a probability
00:00
that a threat will exploit a vulnerability.
00:00
It's very important to know these definitions for
00:00
the exam and I'll be referring to them going forward.
00:00
Infrastructure as a Service risk, personnel risks.
00:00
As we said in the last module,
00:00
we can't really vet
00:00
the vendors that supply the hardware to
00:00
Infrastructure as a Service and we don't really have
00:00
that much visibility into the data center activity.
00:00
Now you can audit those items,
00:00
and it's somewhat difficult
00:00
to actually audit a data center.
00:00
Many hosting providers do not allow people to go into
00:00
their data center even for auditing purposes.
00:00
You can review the policies that are
00:00
provided by the data center, however,
00:00
you really don't have
00:00
that much assurance that those policies are being
00:00
followed unless you look at
00:00
a third-party audit report but there
00:00
are even some limitations to those.
00:00
Let's talk about some of the risks that are
00:00
caused by that, personnel threats.
00:00
Because of the lack of visibility into
00:00
what's going on in the data center,
00:00
you really are trusting the hosting provider
00:00
to hire appropriate people who won't be
00:00
tempted or potentially not
00:00
received the necessary training to make
00:00
mistakes that could impact
00:00
your environments and Infrastructure as a Service.
00:00
Many organizations address this by having
00:00
background checks to ensure that there
00:00
aren't any temptations in a person's background that
00:00
might lead them to commit some fraud or sabotage.
00:00
The other thing important is
00:00
segregation of duties to ensure that no one
00:00
really has the ability to do anything that might be too
00:00
malicious or impactful for
00:00
the customer environments that are
00:00
hosted in Infrastructure as a Service.
00:00
There are always external threats,
00:00
these are threat actors who might be
00:00
deploying malware which is
00:00
malicious software onto the cloud-based systems.
00:00
Denial-of-service or distributed denial-of-service
00:00
refers to an attack on availability where
00:00
threat actors try to use an individual endpoint or
00:00
many different machines to overwhelm
00:00
the capacities of a cloud-based system.
00:00
Man-in-the-middle attacks are those where
00:00
a threat actor tries to intercept
00:00
information when it's being transmitted.
00:00
One of the other aspects that
00:00
are external threats to Infrastructure
00:00
as a Service are geographic risks.
00:00
If your hosting provider is in
00:00
an area where there are a lot of
00:00
either physical disasters such
00:00
as storms, earthquakes, etc.,
00:00
or it may be hosted in
00:00
an area where there's a lot of political unrest
00:00
and that may shut off services
00:00
or affect the performance of that data center.
00:00
Now, that is a fairly remote possibility because
00:00
most large-scale hosting providers
00:00
have significant geographic diversity,
00:00
but if you are only utilizing
00:00
one specific data center
00:00
that's a very important risk to consider.
00:00
Another risk that's really
00:00
more of the Cloud customer to consider is that,
00:00
as we said Infrastructure as a Service
00:00
provides the most control over the environments.
00:00
The customer is really
00:00
maintaining those operating systems and
00:00
environments that are hosted on
00:00
the Cloud provider's hardware.
00:00
Now that has a lot of
00:00
different tasks involved in maintaining the security
00:00
as well as the operational capacity
00:00
of those environments.
00:00
Every organization has to take a hard look at
00:00
their IT and security resources and say,
00:00
"Do we really have the specific skill-set to
00:00
maintain the operational security practices
00:00
for this environment?"
00:00
Now, every person probably potentially is up
00:00
to the challenge of learning how to do this properly,
00:00
but an organization has to really weigh the risks
00:00
of their bench depth in terms of moving to the Cloud.
00:00
Quiz question, what is the most significant risk that
00:00
a customer can evaluate and
00:00
control in Infrastructure as a Service?
00:00
Is it personnel threats,
00:00
external threats,
00:00
or lack of a cloud specific skill-set?
00:00
>> The answer, lack of a cloud specific skill-set.
00:00
I think this in some ways
00:00
is a very hard risk to mitigate
00:00
because when you have to
00:00
evaluate your organization's capacity,
00:00
you may have personal connections
00:00
to many of the people in
00:00
IT or security and
00:00
want to give them the benefit of the doubt,
00:00
so it's difficult to sometimes look at
00:00
an organization's capabilities in a dispassionate way
00:00
which really determines do
00:00
we need to bring in consultants?
00:00
Do we really need to leverage
00:00
a managed services provider to get the
00:00
most out of the Cloud and ensure we're
00:00
doing it in a secure fashion?
00:00
In this module we talked about the different threats,
00:00
vulnerabilities, and risks.
00:00
We talked about the common risks when
00:00
using Infrastructure as a Service,
00:00
and we talked about some of the controls that
00:00
organizations can provide
00:00
to address some of these risks.
00:00
>> See you in the next lesson.