This is Domain 7, Infrastructure Security.
We've talked about resource pooling being one of the key aspects of cloud. Virtualization is what allows the common pools of physical resources to be allocated to logical cloud resources. When you have multiple tenants sharing the same physical resource pools, the cloud provider needs to design things in a way that tenants can isolate themselves within those pools.
This module will focus on how the cloud provider organizes things to support tenant isolation.
And it will talk about how the tenant needs to organize their virtual workloads to keep themselves secure, both from other tenants and, more importantly, from the various threats roaming the general Internet.
In this module, we're going to cover cloud network virtualization, cloud network security, and cloud compute and workload security.
In the remainder of this video, we will gain a perspective on where in the stack this infrastructure security sits.
We'll talk about common designs for the underlying cloud networks, and we will review the OSI model of traditional networking.
So it's the pooling of the physical resources that builds the cloud. This is at the very bottom of that pyramid: the raw physical and logical compute, network and storage used by cloud providers to create the resource pools that the cloud customers then use.
Securing the physical is a discipline of its own. We're talking about creating mantrap doorways, guard dogs, camera systems and so on. We won't be getting into this, but if you ever want some entertainment, go to YouTube and search for videos of semi trucks testing vehicle barriers. You will see some serious metal carnage,
and there's no way someone's going to blow through one of those to get into your data center.
Our focus being cloud, it's much more virtual, a little more abstract, and we're going to place our emphasis on securing those resources. This is the virtual infrastructure managed by a cloud user; it is the result of what the cloud user creates in the management plane. These are the virtual networks, the virtual machines, virtual storage
and the many other virtual devices.
On the right-hand side is the logical stack that you've seen many times over. Domain 7, the Infrastructure Security domain, focuses on the infrastructure layer of that stack.
This shouldn't be much of a surprise, but it is really worth burning this logical stack into your mind, as you will definitely get questions about this stack in the exam.
Cloud providers use some form of virtual networking to abstract the physical network and network resource pools.
Standard network designs won't allow the cloud provider to keep multiple tenants secure and empower them to define their own virtual networks. Physical segregation of the networks used in the cloud is important for operational and security reasons.
Specific providers are going to have differences in the way they design these, especially the very large-scale providers, but there is generally a common theme.
The overall cloud network often consists of three separate networks. These are separated at the physical layer, meaning separate network cables, separate router devices and so forth.
Starting at the bottom, we have the service network. This is for communication between virtual machines and the Internet, and it's the basis for the network resource pool.
Then we have the storage network. This connects data storage to the virtual machines, to the compute, so that would include large-scale storage devices as well as the logical hard drives associated with the virtual machines. And finally we have the management network. This is what hosts the management plane and sends control to all the nodes.
In Domain 6, we spent a good amount of effort talking about the management plane
and how you really want to secure that. Putting the servers themselves that host the management plane on that separate network is a great way to create a strong perimeter around the management plane, for the provider to give that level of security and fulfill their portion of the responsibilities.
There are a lot of other ways to architect a cloud environment, but again, this is a common baseline often used in private cloud, where they don't quite have the same level of complexity and the need to deal with scale to such an extensive degree as the large public cloud providers do.
The Open Systems Interconnection reference model is very commonly used when talking about network traffic. This is the OSI model.
You won't be directly tested on this in the CCSK, but since we're going to be talking about software-defined networks, it's very important you have a grasp of this, as I may make reference to the layers by number. For example, we just talked about the three networks within a cloud provider, and these were physically separated.
In other words, I could say these are separated at layer one, which is the physical layer
that the media itself resides on and the information flows through.
For example, this includes fiber optic cable, coaxial cable, even radio waves floating through the air, which is what we call WiFi or wireless.
Taking a moment to walk up the OSI layers, we have layer two.
This is where low-level frames are created, the physical addressing; it's Ethernet. It's where your switches work, your bridges.
Moving up to layer three, we have the network layer. This is where the packets exist, where the logical network topology is determined and how routing of those packets across the logical topology is set up, often referred to as the IP layer. Moving up one, we have the transport layer, layer four,
and this layer helps ensure end-to-end connections
and brings some reliability. You could have TCP, where they ensure no packets get lost, and it has a protocol to have packets resent if they get lost, or you can use UDP, which is going to be a lot faster, but you're not going to have the same level of reliability in the packet transmissions.
Moving up another layer, we have layer five, which is the session layer. This is the inter-host communication; we're talking about APIs and sockets.
Continuing up, we have the presentation layer, so data formatting and encryption. This is your SSL, your SSH, IMAP for email or FTP for file transfers. And then finally we have the application layer; these are the network services, the top portion of the protocols. HTTP,
SSH and DNS are very common protocols at this layer.
And while this won't be directly tested on the CCSK exam, it's good to have a feeling of how these layers work and how they logically interrelate. A lot of times, layers one and two are talked about together, three and four work together, and then five, six and seven are often put into a similar bucket in discussions. And if you ever want a mnemonic
to memorize the OSI model,
the one that I personally like, and there are a lot of them out there, but one that I've found has stuck with me is "Programmers Do Not Throw Sausage Pizza Away".
So, Programmers Do Not Throw Sausage Pizza Away. Please keep that one in mind. If you're ever stuck, you can just write that down on a piece of paper and impress all your friends by knowing the OSI model.
In this video, we started out looking at infrastructure security and where it fits into the grander context of cloud. We talked about common designs for the underlying cloud networks themselves, and then we did a review of the OSI model.
We will be building on this in the next video, and I look forward to seeing you there.
This course prepares you to take the CCSK certification by covering material included in the exam. It explains how the exam can be taken and how the CCSK certification process works.