Virtualized Compute


Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:01
>> Let's talk about virtualized compute. Specifically, let's reiterate the Cloud Provider Responsibilities and the Cloud Consumer Responsibilities.

Being a Cloud provider isn't a carefree life. The Cloud provider must enforce isolation. Compute processes should not see each other. In the sense of compute, this means volatile memory needs to be safe from monitoring. When talking about serverless, the consumer is not supposed to be able to access the runtime environment. This means providers need to limit access to the serverless hosts' environments and keep it to select individuals within their organization.

The provider needs to secure virtualization infrastructure. Hypervisors are software, and like any software, they can have defects and security vulnerabilities. The host OS also needs to be patched from time to time, just as firmware for the physical host machines. Recall, we spoke about Spectre and Meltdown vulnerabilities in the last module.

The provider also needs to establish a secure boot chain. The Cloud consumer has no direct control over how the base image hosting the compute gets provisioned onto the hardware. The provider needs to make sure that the process is not vulnerable to interception and compromise along the way. It would be a shame to go through all the effort of implementing immutable images just to find out somebody modified the provider's provisioning process, so backdoors are automatically installed in all VMs and runtimes. This would allow that individual to compromise the entire Cloud. The provider needs to make sure the image is not compromised and have preventative measures to prevent one tenant from using or compromising another tenant's custom image.

The shared responsibility model doesn't afford a carefree life for the Cloud user either. Take advantage of the security controls you are given to close gaps in security. This includes establishing least-privilege security settings to control who can manage virtual resources and who can log into the different compute environments. We talked about restricting interactive logins for immutable images, but I'm realistic enough to know you probably don't apply this practice in all circumstances. It does no good to have a hardened VM with all the latest and greatest security patches and so forth, but the root account is called admin and has a password of admin. You're leaving yourself unnecessarily vulnerable.

Monitoring and logging are also different in the Cloud, but it's very important to have these in place. Cloud providers often come equipped with good monitoring for the Cloud resources, but what you have available on your VMs, containers, and serverless is very different. Operate with the assumption of ephemerality: resources will come and go. That's great in the sense that attackers will have a limited time to work on a compromised asset. However, it also means you won't have time to look through local system logs after a breach. In the case of serverless, you won't even have access to the runtime environment, so your application itself will need to improve the way it logs activities.

Whether you're adopting immutable images or not, you'll want to have guardrails to manage the base images you work off of. AWS provides a marketplace where people can post images and virtual machines that have pre-installed software configurations. Many of these are great, but be aware that you are exposing your software supply chain to whatever vulnerabilities that image creator has purposely or inadvertently left in those images. A few years back, there was a major scandal. Numerous Cloud customers were using an image that included a pre-installed SSH key. In effect, that left a backdoor for the individual that had the key to log in to all of those machines. Today there are many automated scanner solutions that you can use to examine your virtual machine images and automatically detect these kinds of vulnerabilities.

Be sure to use dedicated hosting when needed. This way, you ensure no other tenant is running their compute on the host alongside your workloads. This is more expensive, so only do it when the circumstances require it.

If you feel unsure about any of the items I just glossed over, please review the prior module, which goes into each area with much more depth. In this video, we covered Cloud Provider Responsibilities and Cloud Consumer Responsibilities with regards to virtualized compute.
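One form of the base-image guardrail the lecture mentions, written as an added example rather than code from the course or any scanner product: it walks an unpacked or mounted image root for `authorized_keys` files that already carry a key and for `/etc/shadow` accounts that have a usable password hash, the two conditions the transcript calls out (the pre-installed SSH key and the admin/admin account). The image tree it inspects is constructed inline, and the function names are my own.

```python
import os
import tempfile

# Both checks run over an unpacked or mounted image root. Paths follow the
# standard Linux layout; the tree built in demo_image() is constructed here.
def find_preinstalled_ssh_keys(root):
    """Return authorized_keys files in the image that already hold a key."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "authorized_keys" not in files:
            continue
        path = os.path.join(dirpath, "authorized_keys")
        with open(path) as fh:
            keys = [l for l in fh if l.strip() and not l.startswith("#")]
        if keys:  # a comment-only or empty file is harmless
            hits.append(os.path.relpath(path, root))
    return sorted(hits)

def find_password_accounts(root):
    """Return /etc/shadow accounts with a usable password hash set.
    A baked-in credential such as admin/admin shows up here; locked
    accounts ('!' or '*' in the hash field) do not."""
    shadow = os.path.join(root, "etc", "shadow")
    found = []
    if not os.path.exists(shadow):
        return found
    with open(shadow) as fh:
        for line in fh:
            parts = line.rstrip("\n").split(":")
            if len(parts) >= 2 and parts[1] and not parts[1].startswith(("!", "*")):
                found.append(parts[0])
    return found

def demo_image():
    """Build a constructed image root and run both checks on it."""
    root = tempfile.mkdtemp()
    for sub in ("root/.ssh", "home/app/.ssh", "etc"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "root/.ssh/authorized_keys"), "w") as fh:
        fh.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...fake vendor@build\n")  # constructed
    with open(os.path.join(root, "home/app/.ssh/authorized_keys"), "w") as fh:
        fh.write("# intentionally empty\n")
    with open(os.path.join(root, "etc/shadow"), "w") as fh:
        fh.write("root:!:19000:0:99999:7:::\n"
                 "admin:$6$salt$constructedhash:19000:0:99999:7:::\n")
    return find_preinstalled_ssh_keys(root), find_password_accounts(root)

if __name__ == "__main__":
    print(demo_image())  # constructed tree: (['root/.ssh/authorized_keys'], ['admin'])
```

In a pipeline the same two functions would run against the mounted root of a candidate AMI before it is approved as a base image.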