Cloud Security Basics Demo - USALearning

Transcription

Cloud Security Basics Demo

Instructor: In this video we're going to take a look at cybersecurity information documents from the National Security Agency. The first one is for Cloud Security Basics. First page here, we just have some background information and introduction to the cloud, things like infrastructure as a service, platform as a service, et cetera, that we've already seen, but on the next couple pages we get into some of the details like the shared responsibility model. Cloud service providers are responsible for physical security of the cloud, organizations are responsible for application-level security, and it is the organization's responsibility to configure their services according to their security requirements. So just a little bit of a foot stomp driving that home, which we've heard before.

Within the threat model, it's important to understand that the primary risks to cloud infrastructure are malicious adversary activity and unintentional configuration flaws. We'll see the configuration one pop up over and over again.

The federal and DoD requirements. It's important to understand that the Federal Risk and Authorization Management Program, or FedRAMP, provides a standardized framework for assessing and authorizing cloud services. So within the federal government, the DoD, you do have to go through an authority to operate, an authorization program, and it includes a number of things. You know, evaluating against FedRAMP compliance at certain levels is just one of those. Doing a privacy impact assessment is another one.

As far as access controls go, we see here misconfigured access controls in major cloud storage providers have resulted in exposure of sensitive data. Again, that goes to what we've seen as a top threat in that misconfiguration of cloud resources.

Cloud patching is also a little bit tricky. It depends a little bit on your service provider and how you have things configured. Certainly, if you're leveraging infrastructure as a service you'll need to apply patches at the operating system level. Platform as a service, you'll need to ensure your application updates are appropriate, and software as a service, you might not have the ability to update any of those components.

Multitenancy is a consideration. A big point that's made here is that the service provider is responsible for implementing the necessary controls to keep your data and compute resources isolated. We won't touch upon encryption, because we're going to cover that a little bit more in the next NSA document and it kind of presents that in a better way, and then of course when it comes to utilization, you should take advantage of all of the cloud security services that are available and supplement them with your on-premise tools. So they might not do everything that you're looking for, or you may already have an investment in various tools within your enterprise. You have to evaluate ways to extend either cloud to the enterprise or enterprise to the cloud to get a consistent and cohesive solution.

The last one on our list here is data spillage. You need to ensure that the cloud service provider only stores and manipulates data that they're accredited to handle. So that goes back to the FedRAMP level and other classification levels that you're using for your authority to operate.

Let's take a look at our other document. This one goes into a little more depth for mitigating common vulnerabilities. We still have some of the background information on cloud components. You see identity and access management abbreviated as IDAM. You might see it as IAM. It's essentially the same thing, and we also see here compute, networking and storage, and this cloud encryption key management, I said we were going to talk about that a little bit more. Customers can take advantage of the cloud service provider's key management services that are designed to integrate with their other cloud services, so that makes them easy to use. It helps with backups, recoveries, those types of things, but there's a little bit of a risk there because the cloud service provider would essentially have access to that. So there's the malicious insider or misuse on the key, on the service provider side. There's also the advantage of being able to leverage the hardware security modules that might be integrated with the hardware platforms underlying the cloud infrastructure, and the next one here is that the cloud service provider may have already gone through an accreditation process for their key management solutions, so if that process, that technology is available and it can be used in conjunction with you bringing your own keys, that might be worth investigating as well.

So there is another comment in here that I've highlighted: keeping encryption and key management outside the cloud ensures that customer data is never exposed to cloud administrators. That kind of goes to the insider threat thing that I alluded to before. It also ensures that, you know, as they do destroy those drives, the disks that might be supporting the storage of your data and your information, if that is encrypted and there's no key to unencrypt it, there is that extra level of protection.

So we also see the shared responsibility model detailed within this document and a little bit more on some typical threat actors. One of the things I want to point out here is that three of these four all end with "administrator". So you're either looking at a rogue cloud administrator, an untrained or neglectful administrator within your organization, or, again, some malicious cloud administrator on your site as well. So it's really protecting those administrative services, which you want to do with multi-factor authentication and ensuring that they're properly trained and making sure that you have logging enabled and that you're monitoring for anomalous or suspicious activities and that you've configured these accounts with the least amount of privilege for what they need to do. So those are the key pieces and they all really tie to administrators, and then of course there are bad guys out there, cyber criminals and nation state actors, and they're going to leverage those weaknesses, but those weaknesses are usually in architecture or using poor authentication, not using multi-factor authentication, leveraging those compromised credentials, et cetera, and, you know. So it really ties back to the poor administration that is going to lead to these cyber criminals potentially taking action.

So as we move on in the document we see some specific threats. Misconfiguration, for example, is highlighted. Prevalence is widespread and attacker sophistication is low, so this is a neat way to look at these threats. You know, it's really easy for a hacker to take advantage of an open access control list or a weak password, that type of thing, and then it goes through and provides some examples of what happened there in the DoD space and what you can do to help protect that, and that really is leveraging encryption and access control lists, intrusion detection systems, web application firewalls, et cetera. Least privilege, which we mentioned, enabling defense-in-depth is important, whether it's the cloud or otherwise. You want to make sure you have layered defenses to either stop them at the gate or, once they get in, to prevent pivoting, and just make it as difficult as possible.

Poor access control. Again, prevalence is widespread. It says moderate here but it's not terribly difficult to take advantage of this. Some of it is, again, if you're not using multi-factor authentication you can leverage some social engineering attacks to try to gain access to the system. You're also dealing with folks that are going to be scanning IP addresses for open remote administration ports, like an SSH or an RDP, right, and trying to access those with some brute forcing techniques. So auditing for that type of activity, alerting on it. Maybe automatically configuring some deny rules within your firewalls. Those are some options.

Shared tenancy vulnerabilities are a little more rare, and this is where we talk about if a hypervisor or another customer is compromised, it is possible for them to get access to the management plane and pivot to other customers. It's rare, it's difficult to do. Supply chain vulnerabilities, again, might be difficult to do, so it's a very sophisticated hacker that's going to pull that off. It doesn't happen often, but again, when you're dealing with that high level of trust at that lowest layer in the chips that you're integrating into your servers, into your hardware, into your graphics processors, whatever, you've got an assumed level of trust there, and so if your supply chain is somehow compromised and they're able to embed some code in there to tweak the encryption ciphers so they're not as strong as you think they are, or maybe there's a backdoor key, or maybe they're capturing information and sending it somewhere else, there's a number of ways that they can take advantage of that, and you have a couple of links to some specific incidents and references here within the document.

And here on the last page, you have your conclusions from the NSA regarding cloud vulnerability and mitigation and several of the references that they use throughout for examples of those compromises. So pretty good document. It's a nice, short version of your best practices that you can review quickly and more easily and readily digest than the more comprehensive NIST guides and the Cloud Security Alliance guides.
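The auditing, alerting and automatic deny rules the instructor mentions for remote-administration brute forcing, as an added example that is not part of the NSA documents or of this video: a Python script that parses constructed OpenSSH auth-log lines, flags any source with a burst of failed logins, records whether a login later succeeded from that same source (the case to escalate rather than just block), and renders nftables drop rules for the offenders. The five-failure threshold, the ten-minute window and the rule format are assumptions chosen for illustration.

```python
"""Detect SSH brute forcing in sshd auth logs and emit firewall deny rules.

Added example, not from the NSA documents or the USALearning video.
The log lines below are constructed; threshold, window and the nftables
rule layout are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format OpenSSH writes. 203.0.113.5 sprays
# passwords and then gets in; 198.51.100.23 is a user who mistyped once;
# 192.0.2.77 is a slow scanner, one guess every 35 minutes.
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 10 02:14:03 bastion sshd[2211]: Failed password for invalid user oracle from 203.0.113.5 port 51130 ssh2
Mar 10 02:14:05 bastion sshd[2212]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar 10 02:14:07 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 51152 ssh2
Mar 10 02:14:09 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 51160 ssh2
Mar 10 02:14:12 bastion sshd[2215]: Accepted password for root from 203.0.113.5 port 51171 ssh2
Mar 10 02:20:44 bastion sshd[2290]: Failed password for alice from 198.51.100.23 port 40210 ssh2
Mar 10 02:20:51 bastion sshd[2291]: Accepted publickey for alice from 198.51.100.23 port 40214 ssh2
Mar 10 03:05:10 bastion sshd[2400]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
Mar 10 03:40:10 bastion sshd[2401]: Failed password for invalid user test from 192.0.2.77 port 33002 ssh2
Mar 10 04:15:10 bastion sshd[2402]: Failed password for invalid user test from 192.0.2.77 port 33003 ssh2
Mar 10 04:50:10 bastion sshd[2403]: Failed password for invalid user test from 192.0.2.77 port 33004 ssh2
Mar 10 05:25:10 bastion sshd[2404]: Failed password for invalid user test from 192.0.2.77 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Return (timestamp, ip, user, succeeded, auth_method) per login attempt.

    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # other sshd chatter, e.g. "Connection closed"
        stamp = f"{year} {match['month']} {match['day']} {match['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, match["ip"], match["user"],
                       match["result"] == "Accepted", match["method"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP that produced >= threshold failures inside a sliding
    window to a summary, including the first successful login from that IP
    after the burst began (None if it never got in)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok, method in sorted(events):
        (successes if ok else failures)[ip].append((ts, user, method))

    findings = {}
    for ip, fails in failures.items():
        times = [t for t, _, _ in fails]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                burst_start = times[start]
                later = [s for s in successes.get(ip, []) if s[0] >= burst_start]
                findings[ip] = {
                    "failures": len(fails),
                    "users": sorted({u for _, u, _ in fails}),
                    "success_after": later[0] if later else None,
                }
                break
    return findings


def deny_rules(findings, table="inet filter", chain="input"):
    """Render one nftables rule per offender, dropping SSH and RDP from it
    (table and chain names are assumptions; adjust to the local ruleset)."""
    return [f"nft add rule {table} {chain} ip saddr {ip} tcp dport {{22, 3389}} drop"
            for ip in sorted(findings)]


if __name__ == "__main__":
    found = detect_bruteforce(parse(SAMPLE_LOG))
    for ip, info in found.items():
        verdict = "LOGIN SUCCEEDED AFTER BURST" if info["success_after"] else "attempts only"
        print(f"{ip}: {info['failures']} failures, users={info['users']} -> {verdict}")
    for rule in deny_rules(found):
        print(rule)
```

Two caveats a practitioner would apply before wiring this to a firewall. First, the slow scanner 192.0.2.77 never trips the ten-minute window, so a burst detector alone misses low-and-slow guessing; pair it with a longer-window count of invalid-user failures or with threat-intelligence lists. Second, the `success_after` field is the signal that matters: a deny rule stops further guessing, but a success following a burst means the credential is already compromised and the account, not just the source address, needs to be dealt with. Tools such as fail2ban implement the blocking half of this loop; the correlation of failures with a subsequent success is the part to add.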
