Infrastructure Security for Cloud
Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
This video is focused on infrastructure security for the Cloud. We're going to be going over key takeaways for a few different domains: Domain 6, Domain 7, and Domain 8. If I touch on anything that seems a little fuzzy to you, maybe you don't fully grasp, feel free to jump back and look at any of those older videos.

You may recall the major virtualization categories in the Cloud. Specifically, we reviewed each of the four categories and discussed different ways to secure them. For example, in the compute world, you want to make sure the hypervisor level is very secured and there's a good patch management process to keep the hypervisors themselves up-to-date. This allows you to isolate virtual machines from each other. Additionally, the Cloud provider needs internal processes and technical controls to prevent its own admins from having access to the virtual machines and the volatile memory associated with compute.

We're going to discuss networking in a little bit more detail later in this video. But keep in mind that the Cloud provider has certain responsibilities at the physical layer. The Cloud provider needs to ensure there are good, strong perimeter security defenses in place, especially at that physical layer, especially around the management plane.

Then there's storage. We talked about the virtualization of storage, the use of SAN and NFS, and some of those other methodologies that the provider may use, as well as proprietary methods: securing it and showing that there's encryption of the data at rest, leveraging the keys, maintaining and managing keys, doing it even in a way that the tenants themselves may or may not have access to the encryption keys.

Then finally, there were containers, which is a form of compute. But there are some specific things that you want to make sure of for the platform that's hosting the containers, the Cloud provider's ability, if it's a PaaS-based platform, making sure you properly configure the virtualization services. Understanding the isolation capabilities of the container platform itself and the underlying operating system that is hosting the different containers. We discussed the importance of managing third-party container images using container registries, ensuring the appropriate controls were in place so that the container images themselves stored in these registries were not being manipulated or altered without our knowledge. Then implementing the appropriate role-based access controls to ensure strong authentication for the containers themselves, the container-to-container communication, as well as management of the container repository that is the source of truth.

Diving a little deeper on the network management and virtualized networks. Software-defined networks, we talked about those. It's definitely the preferred way of doing things; being that software-defined networks are software defined, it provides a lot more flexibility in how you evolve the structure of your network. Putting together virtual networks, creating segmentation or micro-segmentation within and amongst the different virtual networks. You may recall we talked about virtual appliances and being very wary of routing all the network traffic through a single hub; it's very important that that hub be very resilient in elasticity, or it can create clear performance bottlenecks for you.

Implementing deny by default with your different Cloud firewalls, and leveraging the providers' Cloud firewalls to control where traffic can flow, what ports it can flow on, and between which different nodes in your virtual network it can communicate. Ultimately, you're isolating the blast radius in the event that one part of your network or a particular machine within your network gets breached somehow or compromised. Then the attacker can only get so far and can only move to certain things. In fact, segregating those networks, having the separate accounts even, and using virtual networks really makes it a lot more difficult for an attacker to traverse and hop from one Cloud resource to another and take control of things. We always want to restrict the traffic between the different workloads that are using the same subnet. Again, this is the network security groups; we talked about application security groups, these concepts which really evolved from the Cloud providers' firewalls, and the ability to manage and direct and cater the flow of traffic between your different Cloud resources.

We spoke about immutable workloads and leveraging these whenever possible, especially for your virtual machines and your containers and the non-PaaS type solutions; you're disabling remote access. This greatly enhances your security footprint. You're going to integrate security testing into the process of creating these images. You set up alarms so that if the integrity of any files on these immutable images somehow changes or drifts, you're made aware of it. In fact, you can even create some automated procedures and processes to isolate and rebuild those workflows. This dramatically speeds up the patching process. Instead of applying patches to images, and servers, and containers that are running in real time, rather, you're going to update the source image and you're going to deploy, as opposed to applying these patches to the running images. Since these are immutable and we really don't want content on these servers themselves, it's important to store the logs externally somewhere, to a nice, safe location that takes into account who can modify it, just in case you need to deal with the chain of custody consideration in some sort of a prosecution. Of course, you don't want these log files to get manipulated by a third-party user, as it might be cleaning up their fingerprints and covering up the illicit activities that they've been performing on your computer resources.

Securing the management plane is a big one. While a lot of the responsibility falls on the customer, the Cloud provider needs to make sure that there is perimeter security around the different API gateways and web console that they're providing to the consumer to use and interact with this management plane. On the consumer side, we want to set up strong authentication using MFA. Be very sparing with the use of these super admin accounts. We have one super account, we'll call it the God Mode account. Then we create sub-accounts and we apply the principle of least privilege for these different admin accounts as well as different service accounts. It's important that the authentication be over secure channels. Single Sign-On has a great value here. Finally, rotating the authentication tokens for the service accounts regularly. If one does get compromised, if somehow the authentication token gets out, an attacker can leverage that account; even though they're not acting as an individual, they can still perform actions. Rotating those on a regular basis, especially those that have powers to perform actions at the management plane level. This is the ability to create virtual networks, modify virtual networks, create virtual machines, reconfigure, change PaaS providers, those types of accounts, things with that privilege; you want to have real strong control over those, because if an attacker compromises there, as we learned in some of the real-world examples, they can cause a whole lot of damage, much more damage than just pulling out your data. They can actually take and destroy your entire environment and lock you out from being able to do anything with all those different Cloud resources that you own.

Then last but not least, there's cloud continuity. We looked at continuity and the controls that you can put in place at each layer of that cloud logical model. We start with the metastructure layer and making sure we can back up the cloud configurations. In the IaaS or PaaS model, we leveraged Software Defined Infrastructure. This is above and beyond just software-defined networking. We're actually using infrastructure as code and codifying the build-out of the different Cloud resources and how they should be configured. It's a little different when we're in the SaaS model, but work with your provider to do something about that. This is really your backup. This is your total, oh shoot. If you want to do a cold site recovery type situation, you can leverage this to rebuild in a different region of the Cloud provider's when needed, or completely reconfigure a SaaS deployment.

At the infrastructure layer, we looked at leveraging what the providers themselves have in terms of data replication, cross-region replication, and also being considerate of the risk of outage relative to the cost. Because when you're doing this stuff, the cost can go near double, especially if you're doing a hot-hot, active-active type failover scenario. Data replication, when we're looking at infrastructure: what information is getting replicated across regions? Again, providers will give you mechanisms to do this. In a SaaS world, they may completely take care of this all for you.

Cloud storage and backup capabilities. Make sure you're aware of the appropriate tier as well. If you, say, have an active-passive backup, when you're replicating your data to that passive site, it doesn't necessarily need to be the highest performing tier of storage, because the data is there. Then when you do need to perform a failover, the data is still there, and at that point, you take advantage and you can upgrade the performance tier of the data storage that you're on. This way, you're not paying more than you need to for that cold backup site that you have in play.

Then finally, the applistructure layer. Understanding the limitations of PaaS and some of the lock-ins that come with that. More important than all of it, designing for failure, assuming that failure is going to happen. We even discussed the concept of chaos engineering and that philosophy. You may be there. It's definitely advanced, but keeping it in mind in all your design: resiliency and failure is just going to be a standard way you want to think when you're looking at the Cloud paradigm, and ultimately you're designing it for the right amount of resiliency and failure so that you don't unnecessarily incur excessive costs that couldn't otherwise be justified by the business criticality of the applications and systems that you're deploying into the Cloud.