Chapter 10: Cloud and Virtualization Security
Virtualized Servers
Allow organizations to provision servers with a specific number of CPU cores, amount of RAM, and storage capacity, and then interact with them in the same way they would a server running in their own datacenter.
Type 1 Hypervisors
Also known as bare-metal hypervisors. They operate directly on top of the underlying hardware, with no host operating system beneath them, and are more efficient than Type II hypervisors.
Virtual Machine Escape
An exploit in which malicious code running inside a guest VM breaks out of the guest's isolated environment and interacts directly with the hypervisor (and, through it, the host or other guests). A successful escape defeats the isolation that multitenant cloud computing depends on.
Vertical Scaling
Increases the capacity of existing servers by adding more resources to them. In the physical world, this entails opening a server and adding physical hardware. In the cloud, you just click a few buttons (or make an API call) to add memory or computing capacity.
Inline CASB
Reside physically or logically in the connection path between the user and the cloud service, in the form of a hardware appliance or an endpoint agent that reroutes requests through the CASB. Because they sit in the path, they can block requests that violate policy before those requests ever reach the cloud service. Traffic that bypasses the path (for example, from an unmanaged device without the agent) is not seen.
Type II Hypervisors
Run as an application on top of an existing operating system. The host operating system supports the hypervisor, and the hypervisor requests resources for each guest operating system from the host operating system. Common on personal computers and among technologists who need to run a second OS for testing. Less efficient than a bare-metal hypervisor, and the guest's isolation also depends on the security of the host OS.
Disadvantages of separating development and IT operations
1) Inhibits the operations team's understanding of business requirements
2) Leads to designs that are wasteful in terms of processor, memory, and network consumption
3) Requires a lengthy transition phase in handing off development to operations
4) Leads to many small enhancements and fixes getting lumped into a major release, which increases time to requirement satisfaction
Cloud Computing
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Cloud Security Alliance (CSA)
A nonprofit organization with a mission to promote best practices for using cloud computing securely
"Private Public" Cloud
A prime example is AWS Commercial Cloud Services (C2S), a cloud region that is operated by AWS but physically resides at the CIA and is completely air-gapped from the internet. Other examples: the AWS Secret Region (for broader government use) and Microsoft Azure Government Secret.
Data Sovereignty
A principle that states that data is subject to the legal restrictions of every jurisdiction where it is collected, stored, or processed. Therefore, a customer may wind up subject to the legal requirements of a jurisdiction where they have no involvement simply because of where the provider's datacenters are located. Security professionals should understand how data is stored, processed, and transmitted in the cloud, and where. They may choose to encrypt data using keys that remain outside the provider's control, so that a legal demand made on the provider yields only ciphertext.
Cloud Controls Matrix (CCM)
A reference document designed to help organizations understand the appropriate use of cloud security controls and map those controls to various regulatory standards
Agility and Flexibility
The ability to quickly provision cloud resources, use them for a short period of time, and release them when they are no longer needed.
Horizontal scaling
Adding more servers rather than enlarging existing ones. Can be done with a few clicks (or automatically, by an autoscaling rule) in cloud computing.
Block Storage
Allocates large volumes of storage for use by virtual server instance(s). These volumes are then formatted as virtual disks by the operating system on those server instances and used as they would be a physical drive. The customer pays for the amount of storage allocated, regardless of how much of it is actually used. Much more expensive per gigabyte than object storage. AWS offers block storage through its Elastic Block Store (EBS) service.
Cloud transit gateways
Allow direct interconnection of cloud VPCs with each other and with on-premises networks (VLANs) for hybrid cloud operations, acting as a hub so that each network needs only one connection to the gateway rather than a mesh of point-to-point links.
VPC Endpoints
Allow resources inside a VPC to reach the cloud provider's services (or a service hosted in another VPC) privately over the provider's secure network backbone, so the traffic never traverses the public internet and the VPC needs no internet gateway for that purpose. Connecting two VPCs directly to each other is a separate feature, VPC peering.
Object Storage
Allows customers to place files in buckets and access them as independent entities through the provider's API. Hides the storage details from the end user, and the customer pays only for the amount of storage they actually use. AWS Simple Storage Service (S3) is an example.
Segmentation
Allows network engineers to place systems of differing security levels and functions on different network subnets. On a physical network, virtual LANs (VLANs) are used. In a cloud network, virtual private clouds (VPCs) are used. Within a VPC, subnets can be designated as public or private, depending on whether direct internet access is needed; whether a subnet is really public is determined by its routing, not by its name.
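The public/private designation above is decided by routing. The following is an added example, not code from the original page: it classifies subnets by reading their route tables, using the AWS convention (an assumption stated in the code) that a subnet is public when its route table sends default traffic to an internet gateway, and that a subnet with no explicit association falls back to the VPC's main route table. The route tables, subnets, and identifiers are constructed for the example; field names mirror the AWS CLI's describe-route-tables and describe-subnets output.

```python
"""Decide which VPC subnets are actually public by reading their route tables.

Added example, not code from the original page or from any provider. It follows the
AWS convention (assumption) that a subnet is public when its route table has a default
route (0.0.0.0/0 or ::/0) pointing at an internet gateway (igw-*), and that a subnet
with no explicit association uses the VPC's main route table. Data is constructed.
"""
DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}

# Constructed route tables in the shape of describe-route-tables output.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                # Outbound-only internet via NAT: instances stay unreachable from outside.
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c"}]},
    {"RouteTableId": "rtb-main",
     "Associations": [{"Main": True}],  # implicit fallback for unassociated subnets
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c"}]},
]

# Constructed subnets. subnet-db is tagged private but was never associated with
# rtb-private, so it silently inherits the main table, which has an internet route.
SUBNETS = [
    {"SubnetId": "subnet-web", "Tags": [{"Key": "tier", "Value": "public"}]},
    {"SubnetId": "subnet-app", "Tags": [{"Key": "tier", "Value": "private"}]},
    {"SubnetId": "subnet-db", "Tags": [{"Key": "tier", "Value": "private"}]},
]


def table_for_subnet(subnet_id, tables):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t.get("Associations", [])):
            return t
    return next(t for t in tables if any(a.get("Main") for a in t.get("Associations", [])))


def is_public_table(table):
    """A default route whose target is an internet gateway makes the subnet public."""
    return any(
        (r.get("DestinationCidrBlock") in DEFAULT_ROUTES
         or r.get("DestinationIpv6CidrBlock") in DEFAULT_ROUTES)
        and str(r.get("GatewayId", "")).startswith("igw-")
        for r in table.get("Routes", [])
    )


def classify(subnets, tables):
    """Map each subnet ID to 'public' or 'private' based on its effective route table."""
    return {
        s["SubnetId"]: "public" if is_public_table(table_for_subnet(s["SubnetId"], tables)) else "private"
        for s in subnets
    }


def tag(subnet, key):
    return next((t["Value"] for t in subnet.get("Tags", []) if t["Key"] == key), None)


def mislabeled_private(subnets, tables):
    """Subnets whose tier tag says private but whose routing makes them public."""
    actual = classify(subnets, tables)
    return [s["SubnetId"] for s in subnets
            if tag(s, "tier") == "private" and actual[s["SubnetId"]] == "public"]


if __name__ == "__main__":
    for subnet_id, kind in classify(SUBNETS, ROUTE_TABLES).items():
        print(f"{subnet_id}: {kind}")
    print("mislabeled:", mislabeled_private(SUBNETS, ROUTE_TABLES))
```

The NAT-gateway route in rtb-private is deliberately not treated as public: instances there can initiate outbound connections but cannot be reached from the internet. The interesting result is subnet-db, which an engineer labelled private but which is public because the main route table carries an internet route; keeping the main table free of internet routes closes that gap.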
Software Defined Visibility (SDV)
Visualization combined with the capability to dynamically respond to events across software-defined networks
API Inspection
Cloud applications rely heavily upon the use of APIs to provide service integration and interoperability. Therefore, API inspection technology should be used, because it scrutinizes API requests for security issues
Virtualization
Cloud computing providers use virtualization to allow multiple guest systems to share the same underlying hardware. A special-purpose operating system called a hypervisor mediates access to the underlying resources. Virtual machines may not be aware that they are running in a virtualized environment, because the hypervisor presents them with what appears to be normal access to the computer's underlying hardware. Hypervisors enforce isolation between virtual machines; that isolation is the foundation of multitenancy.
Hybrid Cloud
Cloud deployments that blend public, private, and/or community cloud services together, and require the use of technology that unifies the different cloud offerings into one single coherent platform
Shared Responsibility in an IaaS environment
The customer is responsible for everything that isn't infrastructure (i.e., the operating system, the applications, and the data that they run in the IaaS environment), including patching and hardening the OS.
Platform as a Service (PaaS)
Cloud provider offers an environment where clients can build and run applications and have access to code libraries, services, and tools that facilitate code execution
On-demand self-service computing
Cloud resources are available when and where you need them. This provides developers and technologists with incredible agility, reducing cycle times and increasing the speed of deployment
Cloud Roles
Cloud service providers
Cloud customers
Cloud partners - Organizations that offer ancillary products or services that support or integrate with the offerings of a cloud service provider (e.g., training, development, and integration services)
Cloud auditors - Independent organizations that provide third-party assessments of cloud services and operations
Cloud carriers - Serve as intermediaries that provide the connectivity that allows the delivery of cloud services from providers to customers
The same organization may take on multiple roles.
Security Groups
Cloud service providers do not give customers direct access to the underlying firewalls, because doing so would violate the isolation principle between tenants. Instead, cloud providers offer security groups that define the network traffic permitted to and from a virtual server. They are generally considered a feature of a provider's virtual servers and do not incur additional costs. Security groups are typically stateful, so return traffic for an allowed connection is permitted automatically. Because a security group is only as good as its rules, the classic mistake is an inbound rule that admits the whole internet (0.0.0.0/0) to an administrative port.
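A check for that mistake, as an added example that is not code from the original page or from any provider: it walks a security group's inbound rules and reports any rule that exposes every port, or a sensitive port, to the entire internet. The rule layout mirrors the IpPermissions structure that the AWS CLI's describe-security-groups returns, but the group itself and the list of sensitive ports are constructed assumptions for this example.

```python
"""Audit security-group inbound rules for internet-wide exposure.

Added example; not code from the original page or from any provider. The rule layout
mirrors the IpPermissions structure of AWS describe-security-groups output, but the
group below is constructed for this example and ADMIN_PORTS is an assumed list.
"""
from __future__ import annotations

import ipaddress

# Ports that should never be reachable from the whole internet (assumed list; adapt it).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample group. The MySQL rule grants access by referencing another
# security group instead of an address range, which is the pattern to prefer inside a VPC.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temporary"}]},
        {"IpProtocol": "-1",  # -1 means every protocol and every port
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-0app-tier"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}


def is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0: a zero-length prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_span(rule: dict) -> tuple[int, int]:
    """Port range a rule covers; protocol -1 covers everything."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def audit_group(group: dict) -> list[dict]:
    """Return one finding per (rule, internet-wide source) pair that matters."""
    findings = []
    for rule in group.get("IpPermissions", []):
        lo, hi = port_span(rule)
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for src in sources:
            if not is_world(src):
                continue  # private ranges, single hosts, etc. are not internet-wide
            if lo == 0 and hi == 65535:
                findings.append({"group": group["GroupId"], "source": src, "ports": "all",
                                 "severity": "critical",
                                 "reason": "every port reachable from the internet"})
                continue
            exposed = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
            if exposed:
                findings.append({"group": group["GroupId"], "source": src, "ports": f"{lo}-{hi}",
                                 "severity": "high",
                                 "reason": "admin/database service reachable from the internet: "
                                           + ", ".join(exposed)})
    return findings


if __name__ == "__main__":
    for f in audit_group(SAMPLE_GROUP):
        print(f"[{f['severity']}] {f['group']} ports {f['ports']} from {f['source']}: {f['reason']}")
```

Port 443 open to the world is not reported, because a web tier is expected to serve the internet; the SSH rule and the IPv6 rule are. Note that IPv6 sources are checked too, since a group that locks down 0.0.0.0/0 but leaves ::/0 wide open is still exposed.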
Cloud Security Controls
Cloud-native controls offered by the service provider offer direct integration with that provider and are usually more cost-effective. Third-party solutions are more costly, but can be integrated with a variety of cloud providers, which matters in multi-cloud environments. A customer may combine the two.
DevOps
Combines development and IT operations into a single agile process. Software testing and release become highly automated, which shortens the lengthy release process and allows for many frequent, small releases.
AWS Outposts
Customers receive a rack of equipment that they install in their own datacenters. The equipment is maintained by AWS but provisioned by the customer. An example of hybrid cloud, because customers can manage both their on-premises AWS Outposts and their public cloud AWS services through the same platform.
Edge Computing
In areas where internet access isn't reliable, edge computing places some processing power on the remote sensors themselves, allowing them to preprocess data before shipping it back to the cloud. Computing is being done by the sensors that sit on the "edge" of the network.
Infrastructure as a Service (IaaS)
Delivers hardware and networking capabilities, including the use of servers, networking, computing, and storage, over the cloud using a pay-per-use revenue model. Major providers: AWS, Microsoft Azure, Google Cloud Platform (GCP).
Private Cloud
Describes any cloud infrastructure that is provisioned for use by a single customer. May be built and managed by the organization that will be using the infrastructure, or it may be built and managed by a third party. Because only one customer uses it, a private cloud tends to carry unused capacity and is not as cost-efficient as a public cloud.
Anything as a Service (XaaS)
Describes the wide variety of services that are available in the cloud, where 'X' indicates the nature of the specific service
API-based CASB
Interact directly with the cloud provider through the provider's API, rather than sitting in the path between the user and the service. Provide direct visibility into the cloud service and require no end-user or endpoint configuration. Do not block requests in real time, but monitor and report on activity after the fact.
Secure Web Gateways (SWG)
Monitor web requests made by internal users, evaluate them against the organization's security policy, and block them if needed. Serve to block malicious content and implement content-filtering restrictions.
Oversubscription
Occurs when more users are connected to a system than can be fully supported at the same time. This is workable in cloud computing because not everyone will use all of their resources at the same time.
Resource policies
Offered by cloud providers to limit the actions that users of their accounts may take. A well-scoped policy limits the damage caused by an accidental command, a compromised account, or a malicious insider; an explicit deny in such a policy takes precedence over any permission the user would otherwise have.
Infrastructure as Code (IaC)
One of the key enabling technologies behind DevOps. Automates the provisioning, management, and deprovisioning of infrastructure. A key feature of all major IaaS environments, such as Microsoft Azure, AWS, and Google Cloud Platform. May be either a feature offered by a cloud service provider or a capability enabled by a third-party cloud management platform. IaC depends on APIs: developers use the cloud provider's APIs to programmatically provision, configure, modify, and deprovision cloud resources. Because a template is deployed repeatedly and at scale, IaC should be version-controlled and reviewed like application code; a misconfiguration in a template becomes a misconfiguration everywhere it is applied.
Managed Service Providers (MSPs)
Organizations that provide information technology as a service to their customers. MSPs may handle an organization's IT needs completely, or may offer specific services such as network design and implementation, application monitoring, or cloud cost management. They may also be a cloud provider. MSPs that offer security services are known as Managed Security Service Providers (MSSPs).
Software as a Service (SaaS)
Provides a fully managed application running in the cloud. The provider manages the physical datacenters and the performance management of the application itself. The customer handles only limited configuration, the data they wish to use, and the access controls on that data. Examples: email, enterprise resource planning (ERP), and customer relationship management (CRM). Paid for via a subscription model.
Containers
Provide application-level virtualization that packages applications so they can be treated as units of virtualization that are portable across operating systems. Containerization platforms provide standardized interfaces to operating system resources that remain consistent regardless of the underlying operating system or hardware. The platform must enforce isolation between containers; because containers share the host's kernel rather than each running their own, that isolation is weaker than the isolation a hypervisor provides between virtual machines.
Public Cloud
Public cloud service providers deploy infrastructure and then make it accessible to any customers who wish to take advantage of it, in a multitenant model. Examples: AWS, Microsoft Azure, Google Cloud Platform.
Three Key Security Considerations for Cloud Storage
1) Set permissions properly: restrict who can read and write each bucket or volume, and check that nothing is exposed to anonymous users unintentionally.
2) Consider high availability and durability options: use the provider's replication capabilities, or implement your own, to meet availability and integrity requirements in case the provider's hardware fails.
3) Use encryption to protect sensitive data: either apply your own encryption to individual files stored in the cloud or use the full-disk encryption options offered by the provider.
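Both "resource policies" above and the first storage consideration (set permissions properly) come down to how a provider evaluates a policy document. The following is an added example, not code from the original page or from any provider: a small evaluator for IAM-style JSON policies that implements the order real providers document (an explicit Deny wins over any Allow; with no matching Allow the result is an implicit deny), supports the `*` and `?` wildcards in Action and Resource, and honours a Principal element so a bucket policy can be tested for anonymous access. The bucket policy, the role ARN and the object names are constructed for the example, and the evaluator deliberately ignores Condition, NotAction and NotResource and evaluates a single document in isolation; those are simplifications, not the provider's full logic.

```python
"""Minimal evaluator for IAM-style JSON policies.

Added example; not code from the original page or from any provider. Implements the
documented evaluation order (explicit Deny > Allow > implicit deny) with '*'/'?'
wildcards and a Principal element. Simplifications (assumptions): no Condition,
NotAction or NotResource handling, and one policy document evaluated in isolation.
"""
import re

ANONYMOUS = "*"  # how the caller identifies an unauthenticated principal here (assumption)

# Constructed bucket policy. The Allow to the analytics role is broad (s3:*) so that the
# explicit Deny on deletes has something to override. PublicReports grants anonymous read
# on one prefix only.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TeamAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/analytics"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]},
        {"Sid": "PublicReports", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-data/public/*"},
        {"Sid": "NoDelete", "Effect": "Deny", "Principal": "*",
         "Action": "s3:Delete*",
         "Resource": "arn:aws:s3:::example-data/*"},
    ],
}
ROLE = "arn:aws:iam::111122223333:role/analytics"


def _as_list(value):
    """Most policy elements may be a string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive=False):
    """Policy wildcards are only '*' (any run of characters) and '?' (one character)."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _principal_matches(stmt, principal):
    spec = stmt.get("Principal")
    if spec is None:
        return True  # identity-based policy: applies to whoever it is attached to
    if spec == "*":
        return True  # everyone, including anonymous callers
    if isinstance(spec, dict):
        ids = [i for v in spec.values() for i in _as_list(v)]
        return "*" in ids or principal in ids
    return False


def evaluate(policy, principal, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt, principal):
            continue
        # Action names are case-insensitive in practice; resource ARNs are not.
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny is final, whatever other statements say
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def public_grants(policy):
    """Sids of Allow statements reachable by an anonymous principal.

    Condition is ignored (assumption), so a statement scoped by Condition is still
    reported; treat every hit as something to review rather than a confirmed leak.
    """
    return [stmt.get("Sid", "<no Sid>") for stmt in _as_list(policy.get("Statement"))
            if "Principal" in stmt and stmt.get("Effect") == "Allow"
            and _principal_matches(stmt, ANONYMOUS)]


if __name__ == "__main__":
    print(evaluate(BUCKET_POLICY, ANONYMOUS, "s3:GetObject", "arn:aws:s3:::example-data/public/report.csv"))
    print(evaluate(BUCKET_POLICY, ANONYMOUS, "s3:GetObject", "arn:aws:s3:::example-data/private/salaries.csv"))
    print(evaluate(BUCKET_POLICY, ROLE, "s3:DeleteObject", "arn:aws:s3:::example-data/private/salaries.csv"))
    print(public_grants(BUCKET_POLICY))
```

The third call is the point of a resource policy as a damage limiter: the analytics role is allowed s3:* by the first statement, yet a delete still comes back Deny because the explicit Deny wins, so a compromised credential for that role cannot destroy the data. The last call shows the permissions review from the storage checklist: it surfaces PublicReports as the only statement an anonymous caller can use.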
Community Cloud
Shares characteristics of both the public and private models. Community clouds run in a multitenant environment, but the tenants are limited to members of a specifically designated community with a shared mission. Example: the HathiTrust digital library, which was formed by a consortium of academic research libraries to provide a shared collection of digitized books.
Cloud Access Security Broker (CASB)
Software tools that serve as intermediaries between cloud service users and cloud service providers, allowing them to monitor user activity and enforce policy requirements
Hardware Security Modules (HSM)
Special-purpose computing devices that manage encryption keys and perform cryptographic operations in a highly efficient manner. Expensive to purchase and operate, but provide a high level of security when configured properly, because keys are generated and used inside the device and never leave it in the clear. They can create and manage encryption keys without human intervention. May be used internally by the cloud provider or offered as a service to customers; in the latter case the customer's keys are not exposed to the provider, which supports the data sovereignty strategy of keeping keys outside the provider's control.
Shared Responsibility in a SaaS environment
The cloud provider takes on almost all security responsibility. The customer remains responsible for the data they put into the application and for the configuration of access controls on it.
Elasticity
The concept that capacity should expand and contract as needs change, in order to optimize costs. Scalability, by contrast, is focused on rapidly increasing capacity to meet demand.
Multitenancy
The fact that many different customers share resources in the same cloud infrastructure. Each customer should operate without any knowledge of, or interaction with, its fellow customers; the provider's isolation controls (hypervisors, network segmentation, tenant-scoped storage) are what make that true.
Virtual Machine Sprawl
The widespread proliferation of virtual machines without proper oversight or management, leading them to accrue costs and security issues such as unpatched, forgotten systems.
Fog Computing
Uses IoT gateway devices located close to the sensors. The sensors themselves lack processing power, so they send data to a local gateway that performs preprocessing before sending the results to the cloud.
Software Defined Networking (SDN)
Using a central control program, separate from the network devices themselves, to manage the flow of data on a network. Allows engineers to interact with and modify cloud network resources through their APIs.
Shared Responsibility in a PaaS environment
The vendor is responsible for the operating system. The customer is responsible for the data placed into the environment and for configuring its security. Responsibility for the application layer is shared between the service provider and the customer.
Cloud Governance Efforts
Vetting vendors
Managing vendor relationships
Overseeing the organization's portfolio of cloud activities
Cloud computing contracts should include language guaranteeing the customer's right to audit the cloud service provider, giving the customer assurance that the provider is operating securely and meeting its contractual data protection obligations.
Cloud Bursting
When a company uses its own computing infrastructure for normal usage and reaches out to the public cloud only when it needs to scale for peak load. Cloud bursting is a form of hybrid cloud.
Shared Responsibility Model
The division of security responsibilities between one or more cloud service providers and the customer's own cybersecurity team. Which layers belong to whom depends on the service model (IaaS, PaaS, or SaaS), so the first step in securing any cloud service is establishing exactly where that line sits.
Function as a Service (FaaS)
When cloud providers execute code written by customers in response to events or on a schedule. Customers are never exposed to the actual server instances executing their code, so FaaS is often described as a serverless computing environment. Example: the AWS Lambda service.
Measured Service
When cloud providers meter how much of a service you use and charge you based on that usage. The metered amount may include processing time, storage consumed, number of log entries, and so on.
