1
00:00:06,820 --> 00:00:08,940
- So as you know, many organizations are either

2
00:00:08,940 --> 00:00:11,610
moving to the cloud or they already have moved

3
00:00:11,610 --> 00:00:13,780
most of their applications to the cloud.

4
00:00:13,780 --> 00:00:17,290
Or they may be deploying a hybrid solution right,

5
00:00:17,290 --> 00:00:19,250
to host their applications.

6
00:00:19,250 --> 00:00:21,740
Now, organizations moving to the cloud are almost

7
00:00:21,740 --> 00:00:25,050
always looking to transition from CapEx

8
00:00:25,050 --> 00:00:29,520
or capital expenditure to operational expenditure,

9
00:00:29,520 --> 00:00:31,070
what we actually call OpEx.

10
00:00:31,070 --> 00:00:35,290
So most Fortune 500s nowadays are operating

11
00:00:35,290 --> 00:00:37,520
in a multi-cloud environment.

12
00:00:37,520 --> 00:00:40,440
So it is obvious that cloud computing security

13
00:00:40,440 --> 00:00:41,960
is more important than ever,

14
00:00:41,960 --> 00:00:45,800
and is top of mind for many individuals, right.

15
00:00:45,800 --> 00:00:48,270
This dilemma includes not only protecting

16
00:00:48,270 --> 00:00:52,760
critical infrastructure from data theft and exfiltration,

17
00:00:52,760 --> 00:00:54,380
but also privacy,

18
00:00:54,380 --> 00:00:58,150
which is another dilemma that we have nowadays.

19
00:00:58,150 --> 00:01:01,800
Now, the National Institute of Standards and Technology,

20
00:01:01,800 --> 00:01:03,360
so otherwise known as NIST.

21
00:01:03,360 --> 00:01:07,960
They authored a special publication "800-145",

22
00:01:07,960 --> 00:01:10,690
which is the NIST definition of cloud computing.

23
00:01:10,690 --> 00:01:13,330
I strongly suggest for you to become familiar with,

24
00:01:13,330 --> 00:01:17,230
but I'm actually gonna highlight a few of these definitions

25
00:01:17,230 --> 00:01:19,250
here for you, right.
26
00:01:19,250 --> 00:01:20,350
Now, first things first,

27
00:01:20,350 --> 00:01:23,260
let's actually look at the cloud deployment models.

28
00:01:23,260 --> 00:01:26,260
You have public cloud, private clouds, community cloud

29
00:01:26,260 --> 00:01:27,240
and hybrid cloud.

30
00:01:27,240 --> 00:01:29,190
Public cloud is actually the ones

31
00:01:29,190 --> 00:01:31,390
that you are fairly familiar with.

32
00:01:31,390 --> 00:01:33,790
Such as, you know, Amazon AWS,

33
00:01:33,790 --> 00:01:35,470
Google Cloud Platform,

34
00:01:35,470 --> 00:01:36,343
Microsoft Azure,

35
00:01:37,200 --> 00:01:39,350
DigitalOcean, and many others.

36
00:01:39,350 --> 00:01:41,130
Then you also have private cloud,

37
00:01:41,130 --> 00:01:44,810
which is used by the organization itself

38
00:01:44,810 --> 00:01:49,810
at an on-premise or at a dedicated area in a cloud provider.

39
00:01:50,210 --> 00:01:51,830
Then you also have community cloud,

40
00:01:51,830 --> 00:01:56,370
and community cloud is shared between several organizations.

41
00:01:56,370 --> 00:01:59,200
And then lastly, you have hybrid cloud

42
00:01:59,200 --> 00:02:03,620
and that's actually composed of two or more cloud services,

43
00:02:03,620 --> 00:02:07,163
including on-premise services and public cloud providers.

44
00:02:08,050 --> 00:02:10,740
Now cloud computing can be broken down

45
00:02:10,740 --> 00:02:13,410
into three basic models.

46
00:02:13,410 --> 00:02:16,240
First, you have infrastructure as a service,

47
00:02:16,240 --> 00:02:19,840
which is basically whenever you rent the infrastructure

48
00:02:19,840 --> 00:02:21,420
of some provider.

49
00:02:21,420 --> 00:02:25,500
Think about a model similar to a utility company,

50
00:02:25,500 --> 00:02:27,810
because you actually pay for what you actually use.

51
00:02:27,810 --> 00:02:32,810
And examples of these are Amazon AWS, Microsoft Azure,

52
00:02:33,180 --> 00:02:36,350
Google Cloud Platform, and some others.
53
00:02:36,350 --> 00:02:40,370
Then you also have platform as a service or PaaS,

54
00:02:40,370 --> 00:02:43,010
and basically PaaS provides everything

55
00:02:43,010 --> 00:02:44,780
except the applications.

56
00:02:44,780 --> 00:02:46,810
The services provided by this model

57
00:02:46,810 --> 00:02:50,910
include all phases of the system development life cycle,

58
00:02:50,910 --> 00:02:54,850
and can use application programming interfaces or APIs

59
00:02:54,850 --> 00:02:59,120
and web portals and gateway software to be able to,

60
00:02:59,120 --> 00:03:01,220
you know, of course bring or provide you

61
00:03:01,220 --> 00:03:02,900
the services necessary for you

62
00:03:02,900 --> 00:03:05,190
to create your own application.

63
00:03:05,190 --> 00:03:08,030
And then you have software as a service,

64
00:03:08,030 --> 00:03:11,970
and basically software as a service or SaaS is designed

65
00:03:11,970 --> 00:03:15,390
to provide a complete package solution.

66
00:03:15,390 --> 00:03:17,690
So the software itself and the whole solution

67
00:03:17,690 --> 00:03:19,430
is rented out to the user.

68
00:03:19,430 --> 00:03:24,430
So for example, a very popular software as a service,

69
00:03:24,430 --> 00:03:26,310
you know, service is WebEx, right.

70
00:03:26,310 --> 00:03:28,920
So a collaboration service

71
00:03:28,920 --> 00:03:31,090
and not only can you actually communicate

72
00:03:31,090 --> 00:03:32,330
via conference call,

73
00:03:32,330 --> 00:03:33,740
but also you have WebEx Teams.

74
00:03:33,740 --> 00:03:36,270
And you can actually communicate and keep in touch

75
00:03:36,270 --> 00:03:37,977
with your coworkers,

76
00:03:37,977 --> 00:03:40,520
and you know, increase productivity.

77
00:03:40,520 --> 00:03:43,610
Another one is of course, email in many different forms

78
00:03:43,610 --> 00:03:48,610
like Microsoft Office 365 and Google G Suite

79
00:03:49,030 --> 00:03:50,690
and many others.
80
00:03:50,690 --> 00:03:54,810
So another NIST special publication that is called

81
00:03:54,810 --> 00:03:57,320
the "Cloud Computing Reference Architecture"

82
00:03:57,320 --> 00:03:59,840
is available for you or another resource

83
00:03:59,840 --> 00:04:02,880
for you to learn more about cloud architectures.

84
00:04:02,880 --> 00:04:07,880
And that is special publication "500-292".

85
00:04:08,240 --> 00:04:11,150
Now, there are many potential threats

86
00:04:11,150 --> 00:04:13,780
when organizations actually move to a cloud model,

87
00:04:13,780 --> 00:04:15,340
regardless of the model.

88
00:04:15,340 --> 00:04:18,420
For example, even though your data is in the cloud,

89
00:04:18,420 --> 00:04:22,090
it must reside on a physical location somewhere.

90
00:04:22,090 --> 00:04:25,710
Your cloud providers should agree in writing

91
00:04:25,710 --> 00:04:28,520
to provide the level of security required

92
00:04:28,520 --> 00:04:30,390
for your customers right,

93
00:04:30,390 --> 00:04:32,630
and for your organization.

94
00:04:32,630 --> 00:04:34,560
Now, the following are a few questions

95
00:04:34,560 --> 00:04:36,570
to ask a cloud provider

96
00:04:36,570 --> 00:04:39,910
before even thinking about using their services.

97
00:04:39,910 --> 00:04:43,020
Like for example, who has access to your data,

98
00:04:43,020 --> 00:04:45,490
access to key critical data

99
00:04:45,490 --> 00:04:48,560
and not only your organization's data

100
00:04:48,560 --> 00:04:51,630
but the data of your customers, perhaps?

101
00:04:51,630 --> 00:04:54,200
Now, what are your regulatory requirements

102
00:04:54,200 --> 00:04:55,520
depending on where you reside,

103
00:04:55,520 --> 00:04:58,450
whether it's in the United States, Canada, Europe

104
00:04:58,450 --> 00:04:59,470
and some other locations,

105
00:04:59,470 --> 00:05:02,268
you may have regulatory requirements

106
00:05:02,268 --> 00:05:05,080
that they must abide by.
107
00:05:05,080 --> 00:05:06,820
And examples of these are, you know,

108
00:05:06,820 --> 00:05:11,680
like the EU or US Privacy Shield Framework, ITIL, COBIT,

109
00:05:11,680 --> 00:05:15,910
you know, ISO standards like the 27002 standard

110
00:05:15,910 --> 00:05:17,690
and many others.

111
00:05:17,690 --> 00:05:20,660
Now, another question that you must ask is,

112
00:05:20,660 --> 00:05:23,260
do you have the right to audit?

113
00:05:23,260 --> 00:05:25,710
In other words, can you even do an assessment,

114
00:05:25,710 --> 00:05:28,940
a security posture assessment of the underlying

115
00:05:28,940 --> 00:05:32,100
infrastructure or the applications and so on, right?

116
00:05:32,100 --> 00:05:34,840
So, can you do pen testing for example?

117
00:05:34,840 --> 00:05:37,620
Now, what other type of training does this provider

118
00:05:37,620 --> 00:05:39,150
offer to its employees, right?

119
00:05:39,150 --> 00:05:41,680
What are the types of data classifications

120
00:05:41,680 --> 00:05:43,070
that this provider uses, you know?

121
00:05:43,070 --> 00:05:47,220
How is your data separated from one user to another one?

122
00:05:47,220 --> 00:05:48,610
Is encryption being used,

123
00:05:48,610 --> 00:05:51,610
not only in transit but also at rest, right?

124
00:05:51,610 --> 00:05:54,960
So, all these are questions that you must ask

125
00:05:54,960 --> 00:05:56,830
when you take into consideration,

126
00:05:56,830 --> 00:05:59,763
between your cloud provider and you, the consumer.

127
00:06:00,750 --> 00:06:03,160
Now, because cloud-based services are accessible

128
00:06:03,160 --> 00:06:04,300
via the internet,

129
00:06:04,300 --> 00:06:07,580
they're open to a number of attacks, right.
130
00:06:07,580 --> 00:06:11,000
Some of the potential attack vectors that criminals

131
00:06:11,000 --> 00:06:15,400
and threat actors may attempt include session hijacking,

132
00:06:15,400 --> 00:06:18,580
which is whenever the attacker can actually sniff

133
00:06:18,580 --> 00:06:22,020
or intercept traffic to take over a legitimate connection

134
00:06:22,020 --> 00:06:23,310
to a cloud service,

135
00:06:23,310 --> 00:06:25,330
or a DNS-based attack,

136
00:06:25,330 --> 00:06:27,380
or cross-site scripting,

137
00:06:27,380 --> 00:06:28,480
SQL injection,

138
00:06:28,480 --> 00:06:29,740
session riding,

139
00:06:29,740 --> 00:06:33,630
and many other application-based vulnerabilities.

140
00:06:33,630 --> 00:06:35,580
You also have the dilemma of

141
00:06:35,580 --> 00:06:37,280
distributed denial-of-service attacks,

142
00:06:37,280 --> 00:06:39,700
or man-in-the-middle cryptographic attacks.

143
00:06:39,700 --> 00:06:41,930
Also side-channel attacks, where the attacker

144
00:06:41,930 --> 00:06:45,234
could attempt to compromise the cloud service

145
00:06:45,234 --> 00:06:49,770
by placing malicious virtual machines in close proximity

146
00:06:49,770 --> 00:06:52,910
to a target application or to a target cloud server

147
00:06:52,910 --> 00:06:56,260
and so on, and then launching a side-channel attack.

148
00:06:56,260 --> 00:06:58,170
Another one is actually authentication attacks

149
00:06:58,170 --> 00:07:00,450
and authorization bypass attacks,

150
00:07:00,450 --> 00:07:04,160
and often APIs are configured insecurely.

151
00:07:04,160 --> 00:07:05,750
So an attacker can take advantage

152
00:07:05,750 --> 00:07:10,650
of API misconfigurations to modify, delete,

153
00:07:10,650 --> 00:07:12,920
or append data in applications

154
00:07:12,920 --> 00:07:15,720
or systems in cloud environments.
155
00:07:15,720 --> 00:07:17,760
Now, regardless of the model used,

156
00:07:17,760 --> 00:07:19,670
cloud security is the responsibility

157
00:07:19,670 --> 00:07:23,430
of both the client and the cloud providers.

158
00:07:23,430 --> 00:07:26,460
So, these details will need to be worked out

159
00:07:26,460 --> 00:07:30,140
before the cloud computing contract or whatever, you know,

160
00:07:30,140 --> 00:07:32,900
agreement that you have is actually signed

161
00:07:32,900 --> 00:07:35,683
and agreed upon by, you know, those entities.