Time
5 hours 31 minutes
Difficulty
Advanced
CEU/CPE
6

Video Description

This lesson focuses on threats to cloud computing and specifically talks about the 'Notorious 9": 1. Data breaches 2. Data loss 3. Account or service hijacking 4. Insecure interfaces 5. DoS or DDos 6. Malicious insiders 7. Abuse of cloud services 8. Insufficient due diligence/due care 9. Shared technology vulnerabilities Moreover, different cloud categories have different security concerns: • IaaS: VM attacks • PaaS: Protection against malware • SaaS: Data segregation

Video Transcription

00:04
Okay, let's take a look at the top nine. The Notorious nine as faras common threats to cloud computing get so the first
00:13
we have to talk about data breaches and data breaches revolve around the loss of confidentiality of our information and too many organizations. This is one of the greatest risks that they have to consider. So if we're looking at confidentiality of credit card numbers
00:31
Aah! Financial data, health care, information companies, sensitive information, intellectual property
00:38
these air huge, huge concerns to an organization. So we talk about the potential for a breach. We're looking at that information becoming disclosed inadvertently.
00:49
Huge problem. Now, the second issue that we think about his data loss. So where if you look at breaches affecting the confidentiality of data, data loss affects the integrity and the availability.
01:02
So maybe the dad has been modified in unauthorized fashion. Or maybe the data is just all of a sudden not available. Could come from denial of service attacks could come from
01:12
Ah, you know, a failure. The cloud service provider, some sort of lack of redundancy there. But the bottom line is, if our dad is not available, it's worthless to us.
01:26
now account or service hijackings. So any time we talk about in a hijack, it's always an impostor taking over. So we could have in a pasta and impostor ah, masquerading as a service as a legitimate service
01:42
where, as ah, user from the inside of the organization tries to connect, thinking
01:47
that they're providing credentials or they're acting in a manner that's complaint in security policy. But if there's a masquerading service or process for system or whatever that might be, obviously we've got a violation here. We also run the risk of other individuals. Masquerading is as legitimate users.
02:07
Maybe that that false credentials, maybe they've stolen session information but any sort of a man in the middle sniffing account hijacking those air always gonna lead to bigger problems. Usually they're gonna rate lead to data breaches, at the very least. But perhaps other,
02:25
uh, more fraudulent activities as well
02:29
are insecure interfaces and application programming interfaces. So interfaces and AP eyes These were provided to us five vendors. You know, you can certainly see these when we're providing a platform is a service. Ah, one of the things that we do with coatings. We try not to reinvent the wheel.
02:46
So if I can use existing AP eyes, existing code assisting libraries, whatever those might be, that saves me time.
02:54
The problem is, I need to make sure I've verified and tested the security of these elements before I would introduce them.
03:02
Ah distributed denial of service or regular denial of service attacks. Always a concern. Not specific. Just a cloud computing. But if I were to take a clouds ah CSP offline Cloud service provider off line through some form of denial service, whether it's technical
03:22
or making a physical
03:23
threat or just natural disaster, you know, it could take a facility offline. What type of backup in redundancy does our cloud service provider have in place?
03:35
You know, again, we can have a denial of service without any sort of malicious intent. If a building loses power, that would certainly count. So we need to make sure that we understand our service providers
03:45
infrastructure and the mechanisms they put in place for redundancy.
03:51
All right, malicious insiders from our company or the cloud service providers you know, many times we will get all of these security mechanisms to keep the bad guys out of our organization. However, if we're realistic, we have to understand that the greatest threat comes from within.
04:10
So within our organization, but certainly within the Cloud Service providers organization.
04:15
So how did they get their employees? Ah, what? How are they insured against any sort of compromise from the inside? You know, those are questions that we really need to find out. Abuse of Cloud service is, well, you know, honestly, um,
04:30
it's inherent wink weakness of any Internet service is that it's on the Internet, right? I mean, that's the greatest vulnerability of anything on the Internet is that it's on the Internet, which again is You know, um, the whole purpose of cloud computing is availability
04:49
and ease of access,
04:51
so that can work both ways, right? It's like when we look at networking networking networking is designed to share well. If we're setting up a mechanism to share, sometimes that's the opposite of security. So in our rush to make things available for work user's home users, however, that might be
05:11
we need to make sure that we still
05:13
take into consideration all the risks that we have to look at when associating information across the Internet.
05:21
All right. Insufficient due diligence and do care. You know, um, we have to be very careful with making sure we understand the big picture. And any time a technology or an approach comes about very quickly
05:39
and it may seem it does to me that that cloud,
05:43
um, the cloud structure infrastructure designs there for a long time. But it really seems to me that only after the last couple of years has there really been a push. Go to the cloud, go to the cloud. And any time we start moving towards something very quickly because we don't want to be left behind,
05:59
we have to make sure that we've done our due care in our due diligence.
06:03
So don't take these definitions back to law school with you. But due diligence means the research. I've made myself aware of the standards of the industry. I've looked at the threats that looked at the vulnerabilities. That's due diligence, then do care, says that with the proper policies and procedures in place,
06:23
and I've applied the appropriate control. So really, the two of them have to go together.
06:27
So essentially, what we want to make sure of is the organization that we're entrusting with our information has followed their due diligence and do care that they're doing the right things to protect the assets that we've entrusted with them and also that we've used to diligence and Duke here in shifting to the cloud.
06:47
All right, in the last bullet point shared technology. Any time you're sharing a host of facility resource is with another organization, that organization presents a threat to you,
07:01
right? And you think about multi tendency on a single cloud server. How many different PM's belonging to how many different organizations? So what happens? Give one organizations doing something illicit, and the entire hard drive is seized by the FBI?
07:19
Or if they're irresponsible with their security mechanisms,
07:24
can they have their portion, you know, their virtual machine compromised? Would it be something that, in the way could affect the host or other virtual machines on the system? You know, eyes their potential for data leakage across the V EMS. Those are all questions that we have to look at. So these notorious nine on
07:42
big considerations with cloud computing in general
07:46
now for different flat cloud port categories there other specific, you know, types of consideration. So, for instance, for infrastructures, a server, a service, what we're mostly concerned about his weaknesses on the PM's right. Any type of virtual machine attack
08:05
er tops a little bit about VM escaping and being able to move from one of'em to another.
08:09
The virtual networks and virtual switches themselves many times. Those have inherent vulnerabilities root kit, SVM based root kits and malicious hyper visors. The hyper visors kind of that ultimate level that operates between the virtual machine
08:28
and the system as a whole. So if we get malware or something malicious in between,
08:35
you know, the VM and the hardware, we have real problems. Ah, a single point of access as well. We have to consider that, um, you know, a CZ where store as we're using surfaces from the cloud. What happens if we can no longer connect to our cloud provider
08:50
now platform as a service things that we're thinking about here, because again, what we're looking to do is have a good platform in which we can develop our software. Well, are we gonna have appropriate system and resource isolation where we're gonna have the amount that we need, you know, as far as resource is go.
09:09
But also, we're gonna have proper isolation from other processes and said,
09:15
user level permissions, Who else is gonna have access to our code? And is it going to be easy enough to make sure all of our developers have the pro appropriate access without anyone else? Having access is well,
09:28
and then protection against malware and software is vulnerable to a malware. So we have to make sure again, that's consideration.
09:37
And then last, we have software's a service. What we're really looking at their three big issues. Data segregation. So you know, again, I'm storing my data in the cloud I'm using. The application of the clown was storing my dad in the cloud. Is that truly isolated and protected for from other organizations that are doing the exact same thing
09:58
of what sort of policies are there around access to my data protection of the data and then Web applications? You know, Web applications have tremendous vulnerabilities, as a matter of fact, in this force later will be talking about a WASP and will become at the top 10 vulnerabilities
10:16
toe Web applications. So that's coming up shortly

Up Next

ISC2 Certified Cloud Security Professional (CCSP)

This online course will guide you through the contents of the CCSP certification exam. Obtaining your CCSP certification shows that you are a competent, knowledgeable, cloud security specialist who has hands-on experience in the field.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor