[Presenter] The National Institute of Standards and Technology, or NIST, created a special publication, 800-145, which is called the NIST Definition of Cloud Computing, and it provides a standard set of definitions for the different aspects of cloud computing. The first thing that I want to actually go over is the different cloud deployment models, and that includes public cloud, open for public use, things like Google Cloud, Azure from Microsoft, DigitalOcean, the Google Cloud Platform, and many others. You also have private cloud, which is actually used just by the client organization, either on premise, or on-prem, or at a dedicated area in a cloud provider. You also have community cloud, that is actually an environment that is shared between several organizations, and thus the word community. Then you also have the hybrid cloud, which is composed of two or more cloud services, including on-prem services as well. Now, cloud computing can be broken down into three basic models. Infrastructure as a service, and that's basically a solution where you're renting the infrastructure.

You purchase the virtual power to actually execute your software as needed, and you can put your VMs or containers in an environment, and this model is actually similar to a utility company, because basically, you pay for what you actually use. Examples of those are, again, Amazon AWS, and also Azure, and Google Cloud Platform, and many others. Now, platform as a service basically provides everything except the application. So the services provided by this model include all phases of the system development life cycle, and can use application programmable interfaces, or APIs. You also have the ability to use web portals or gateway software, and then basically, you just dedicate yourself to creating your application on top of this system platform, thus the name platform as a service. Now, these solutions tend to be proprietary, which can actually cause problems if the customer moves away from the provider's platform. So in many cases, actually, several customers would like to have just their containers or their VMs actually instantiated in an infrastructure as a service.

But one of the main benefits of platform as a service is that you don't have to worry about all that overhead, and dedicate even people to take care of the infrastructure. You just dedicate it in there to develop your application. And the other one is the software as a service, or SaaS, and SaaS is designed to provide a complete package solution. Take a look, for example, at Cisco Webex, where you actually pay for a service, where you can actually host your conference calls, and medical collaboration features that it has, but you don't have to take care of the underlying infrastructure or the application. You know, basically you're using the application directly from the provider, in this case, Cisco. Another example is Office 365 from Microsoft, or Google Drive, and Google Docs is another example of a software as a service. Now NIST also has another special publication, which is the 500-292, and is the NIST Cloud Computing Reference Architecture, and is another great resource to learn more about the cloud architecture as well.

Cloud service providers like Azure, and AWS, and Google Cloud Platform have no choice but to take their security and compliance responsibilities very seriously. For example, Amazon created a shared responsibility model that is actually used to describe what are the responsibilities of the AWS customers and Amazon's responsibilities in detail, and you can access the Amazon shared responsibility model from the link that I'm highlighting on the screen. Now, the shared responsibility depends on the type of cloud model, whether you actually have software as a service, platform as a service, or infrastructure as a service. So starting with software as a service, the customer responsibility is basically people and data, and then the cloud service provider responsibility includes from the physical network all the way to the application. Now here, I'm showing the responsibility of a platform as a service environment, where the customer responsibility, or the consumer responsibility, is people, data, and applications, as basically you're developing applications on top of their infrastructure and their platform.

And then the cloud provider responsibility includes from the physical network all the way to the actual run time, including things like middleware, the operating system, virtual network, hypervisor, the actual servers, and the overall infrastructure. And then finally, I'm showing the infrastructure as a service responsibility model, where now you are running virtual networks, and VMs, and containers, and basically, the cloud service provider responsibility is the hypervisor, the servers, the storage, the physical and underlying network. And then the customer responsibility includes from people, data, applications, the run time, the middleware, operating systems, the virtual networks, and the virtual appliances that are running in those environments. Patch management in the cloud is also a shared responsibility in infrastructure as a service and platform as a service environments. In SaaS environments, or the software as a service environments, basically, the cloud service provider is the one responsible for patching all software and all hardware vulnerabilities.

However, in an infrastructure as a service environment, the cloud service provider is responsible for only patching the hypervisors and also the physical compute and storage servers, including the physical network, and so on. You are the one responsible for patching the applications, the VMs, and the operating systems running on top of those VMs, and of course, your containers as well. And if you deployed any virtual networks, you also are liable for patching and making sure that those virtual networks are deployed in a secure manner. Whenever you perform penetration testing in the cloud, you must understand what you can and you cannot do in that cloud environment. Most of the cloud service providers that are mature, the biggest ones out there, have detailed guidelines on how to perform security assessments and penetration testing in the cloud. Now, regardless, there are many potential threats when organizations move to a cloud model. For instance, although your data is actually in the cloud, it actually has to reside somewhere, in a physical location somewhere.

So your cloud provider should agree in writing to provide the level of security required for your customers, and for your organization. Now, these are a few questions that most people in the industry ask cloud providers before they actually sign their contract and they contract them for their services. The first one is actually, who has access to the data? Access control is a key concern, because even insider attacks are actually a huge risk nowadays, even in the cloud environment. The other thing is, what are the provider's regulatory requirements? And especially organizations operating in different geographical locations like the US, Canada, the European Union, and Asia must abide by different regulatory requirements that may be specific for those areas. The other question is, do you have the right to audit? What type of training does the provider offer to the employees? What type of data classification system does the provider use? You know, how's your data separated from other users' data?

And is the data on a shared server or a dedicated server that they actually may have? And of course, if there's a dedicated server, or a dedicated system, they may actually charge extra, but those are actually some requirements that you must explore before you actually sign a contract. Now, is encryption being used? Not only encryption during transit, but also, is data encrypted at rest in the cloud? And also, what are the crypto algorithms and implementations that the cloud provider uses? Who maintains control of the encryption key? Is it gonna be your company, or is it gonna be the cloud provider? Also, what are the service level agreements, or SLA, the different terms that you must abide by, and that the cloud provider also should agree to and guarantee, the service between them and you as a consumer? Also, will they assume liability in the case of a breach? What is the disaster recovery and business continuity plan that the cloud provider actually has?

So all those are different questions that you must ask, not only for performing a security assessment, but overall, how they actually perform a security assessment in their infrastructure as well.