Security Implications of Cloud Technology Adoption


Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Security implications of cloud technology adoption. The learning objectives for this lesson are to define business continuity and disaster recovery with the cloud, to explore cloud encryption and key management, and to define cloud log collection and analysis.

Let's get started. One of the biggest advantages that the cloud can offer to an organization is help with their business continuity and disaster recovery. However, before any cloud adoption is considered for an organization, they should conduct a business impact assessment. This will allow them to find areas of their company where maybe the cloud won't work so well for them. An example of this would be legacy apps that might become too expensive to try to shift over to the cloud, or even to have the cloud be a backup for them. However, if you are able to define that your particular organization or your company is able to use cloud technology, then this is one area where it can really help, and that's business continuity and disaster recovery.

When you choose to do this, the company that you choose for these services becomes your primary provider. Now, the cloud offers significant advantages in stability, scalability, and performance, and this is especially true when we're talking about the larger companies such as Amazon AWS, Microsoft Azure, and Google. But one thing you want to keep in mind when you're moving any resources to a cloud provider is that you must do so within the legal and regulatory restrictions that your organization is under. Shifting data to another provider, away from your direct control, might invoke additional restrictions, and you need to make sure that this is handled properly when you're choosing your primary provider.

In addition, since they are now your primary provider for your backup and disaster recovery, what are their plans? What do they have in place to ensure your availability? Again, with your larger providers this is less of an issue, but it's definitely something you want to address. Are they keeping backups of your data offsite and away from their data center? Or if their data center were to come under attack, or have a natural disaster, or a fire, what would be their ability to recover? Because if you need them and they're having their own issue, then that becomes a problem.

When you do your business impact assessment or your risk assessment, you may end up finding that you need an alternate provider. This would be a backup to your backup. Should your primary provider fail, you would want to make sure that you have added a secondary for it. Then shifting operations from your primary provider can be an automated or manual process. Not all organizations are going to need this, but those that really need the availability, and the ability to know that they are going to be able to recover should something happen, would have an alternate provider.
00:00
Encryption and key lifecycle. Encryption is critical for cloud data, and this is because anything that's sensitive that is no longer in your direct control must be encrypted at the cloud service provider. Not only must it be encrypted while it's stored there, but it must also be encrypted while it's in use and in motion. Now, in the lessons on cryptography that are coming up, we will go over in a little bit more detail what that means. But again, because of legal and compliance requirements, you need to make sure that you are adhering to those, and most of those are going to require that the data be encrypted.

In addition to that, you're going to want to make sure you have policies and procedures in place for the following. You want to make sure that you are managing the lifecycle of the keys that you're using for your encryption: your key generation, the replacement, and the revoking. You also want to make sure that you have guidance in place for which cryptographic algorithms and protocols you are going to allow to be used. Some of these are no longer secure and shouldn't be used, and that needs to be defined in your policies. How are you going to handle your key storage and your key ownership? You want to make sure that you're not putting your keys anywhere in the source code of your apps, and also that your keys aren't being stored in public repositories. This has happened several times, where people's keys ended up in a GitHub repository to be downloaded, and that now means that the data could be decrypted by anyone that had access to that repository. You also want to make sure that you're rotating keys frequently, and then key management and the usage of the keys should be separate duties and not performed by the same person.
00:00
Let's talk about key management system patterns. First, we have cloud-native key management systems. This is a KMS that is operated by the same company that provides you the cloud services. We also have external key origination. This is when the KMS is not the cloud provider being used; it's a third party at that point. We also have cloud service using external KMS. It's similar to the external pattern above, but this KMS has hardware that may be used by the customer and is exclusively used by that customer. Then finally, we have multi-cloud KMS. This is where the KMS can be used by multiple clouds, and multiple clouds can use many KMSs.
00:00
Data dispersion and bit splitting. Data dispersion is intentionally spreading data across multiple storage locations and/or cloud providers to ensure that the data is safe. This offers increased availability. Bit splitting, or cryptographic splitting, is the practice of splitting encrypted data into multiple parts, which are then stored in different storage locations and then encrypted again. This offers higher confidentiality.
00:00
Serverless computing. All network architecture is hosted in the cloud. We're not talking about any form of physical server anymore. This is designed to replace the local area network. Applications are functions and microservices that interact with each other for handling different client requests. The cloud will create a container, it will perform the processing, and then it will destroy the container. Billing is handled by the execution time rather than hourly rates. You're going to be billed on how much time you're using instead of by the hour. This is also known as function as a service. Serverless computing removes the need for anyone to have to manage VMs or physical servers. The underlying architecture is managed by the service provider rather than the organization. They do have their own security risks. One of these is that the best practices and use cases are not very mature yet; as this is new technology, we don't really have a lot in the way of best practices. It's very dependent on the service provider that you've chosen. It's event-driven. When a client connects, multiple services are called for authentication, session creation, load allocations, and database access.
00:00
Software-defined networking. This is known as infrastructure as code. It's partially facilitated by both physical and virtual appliances that can be configured using scripts and APIs. As network complexity increases with more and more virtual resources and physical devices, it becomes difficult to manage networks and security policies. Software-defined networking allows for fully automated deployment or provisioning of network links, appliances, and servers.
00:00
Collecting and managing cloud logs. Logging must be enabled and set up properly so that logs can be received. Logs must be directed to a log management system that will collect all the logs being generated across your cloud network. We're back to those legal and regulatory frameworks. Those requirements may also state that the use of log collection and alerting is required. This is often the case. I use HIPAA from time to time as an example, but HIPAA also wants to see that you're collecting the logs, but also that someone is reviewing those logs. It's a lot easier on a local network because it's easy to extract that data on your local network. But you need to make sure that you're doing the same thing in the cloud: all of those log files are going to a central point where they can be reviewed.

Let's talk about some cloud log monitoring services. AWS CloudTrail is an audit logging service for AWS applications. AWS CloudWatch provides a graphical reporting and analytics dashboard for monitoring and alerting. Microsoft also has the Microsoft Monitor Logs. This is collected and organized in Azure, and it can be visualized in the Azure portal.
00:00
Cloud misconfigurations. Cloud misconfigurations can cause any number of security problems for an organization. For example, when services are improperly provisioned on the cloud platform, or maybe they have improper permissions; unsecured data storage locations, where maybe your data is not encrypted or permissions aren't set properly on them; leaving default settings unchanged; or, even worse, disabling security controls. These are all common things that happen, and you're going to want to make sure that you take notice of them if you were to use cloud technology for your organization. I'm sure you've seen in the news that there were several times where data was found in an open AWS bucket. The people had put all the information there, where they had collected information on millions of individuals, and they were maybe going to use it for marketing purposes, that type of thing, and they just left it there with the default configurations, no access control on it whatsoever. Because of it, all that information for all those millions of people was then exposed. This usually happens because of the lack of skills and the lack of change controls that we would normally have in place to track these changes or these settings. Not having those is a huge problem, and we need to make sure that all of these things are checked off properly. The cloud is great, but just like any other form of technology, we have to make sure that we're implementing it correctly.
00:00
Cloud access security broker, or CASB. This is an enterprise management tool that will help mediate access to cloud services by users of all types of devices. Examples include Blue Coat, SkyHigh Networks, and Microsoft Cloud App Security. A cloud access security broker will provide visibility into how clients and nodes are using cloud resources, for example, single sign-on authentication from the network to the cloud provider. They also scan for malware or non-compliant devices, and they can monitor and audit user activities. This can help limit data exfiltration by preventing access to unauthorized cloud resources.

Now, we can implement a cloud access security broker in one of three ways. We can use a forward proxy, which is an appliance that would be at the network edge of the customer, and then traffic will be directed to the cloud network if policies allow. Now, what this means is we would set up specific policies for access to the cloud, and then whatever data matches those policies would be allowed to be sent through the proxy to the cloud provider. We can also use a reverse proxy, and this is positioned at the cloud network edge, and it will direct traffic to the cloud services, again if that traffic matches the policies. Finally, we can use an API, which brokers connections between a cloud provider and a customer. Let's summarize.
00:00
In this lesson, we went over cloud and business continuity. We went over primary and alternate providers for BCDR, we also discussed cloud log management, encryption and the key life cycle, and we went over serverless computing, software-defined networks, and cloud access security brokers.

Let's do some sample questions. Question 1: this type of KMS pattern is where keys are not managed by the cloud provider where the keys are used. External key origination. Question 2: this allows for the fully automated deployment or provisioning of network links, appliances, and servers. Software-defined networking. Question 3: if a BIA finds that a contingent cloud platform is needed, this is called? Alternate provider. Keep in mind that sometimes questions on the test will be exactly like this. You would be expected to know what a BIA means, and that's why it will be written this way. A lot of times it will not be spelled out, and by knowing the term automatically you should have a good idea of what the answer is looking for. Finally, Question 4. True or false: cloud services can be utilized by any organization to save costs, increase scalability, and security. This is false. Because of legacy applications, some organizations will find it too costly to use cloud services.

Well, that sums up this lesson. I hope it was helpful for you, and I'll see you in the next one.