Master of Applied
Information Systems
Mar 2018
Cloud Security Introduction
SMU Classification: Restricted
Agenda
• Introduction: What is Cloud computing
• Cloud Security incident
• Cloud Security challenges
• Cloud Standards & Guidelines
• Cloud Policy and Planning
• Cloud Security Controls
• Cloud Architecture and Design
• Summary
Disclaimer
• Not comprehensive
• Updated on a best-effort basis
• The cloud is a fast-changing environment
Cloud computing definition
• On-demand self service
– A consumer can unilaterally provision computing capabilities
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
*Defined by NIST
NIST Reference Architecture
Source: NIST SP500-292 NIST Cloud Computing Reference Architecture
Cloud Actors
• Consumer: Person or organisation using cloud services from a CSP
• Provider (CSP): An entity offering cloud services to consumers
• Auditor: An entity that provides objective and independent assessments of cloud services
• Broker: Manages use, performance, and/or delivery of cloud services between CSPs and consumers. Today, Security-as-a-Service (SecaaS) offerings often “broker” various types of access or data sent to/from the cloud
• Carrier: An intermediary providing transport and connectivity for cloud services
Cloud deployment model
Source: https://image.slidesharecdn.com/4-theenterprisecloudcomputingparadigm-131130040800-phpapp02/95/cloud-computing-principles-and-paradigms-4-the-enterprise-cloud-computing-paradigm-4-638.jpg
Cloud computing key technologies
• Virtualisation Types
Source: https://image.slidesharecdn.com/1-150328170334-conversion-gate01/95/1introduction-to-virtualization-27-638.jpg
Cloud computing key technologies
• Containers
Source: https://thecustomizewindows.com/2014/07/container-based-virtualization
Cloud computing key technologies
• Software defined networking
Source: https://commsbusiness.co.uk/features/software-defined-networking-sdn-explained/
Cloud Security Incident
Dec 2013 - 40 million credit cards stolen from the POS system
– Investigation revealed that the initial malware was introduced via Target’s refrigeration vendor
– Criminals used the vendor’s credentials to access Target’s cloud infrastructure
Use of vendor credentials
– Boundary defence: Limit network access to the vendor portal so that anyone who obtained the credentials would not be able to reach the vendor portal unless on a network allowed to access it
– Account monitoring and control: Require multi-factor authentication to log in to the vendor portal. Monitor usage of vendor portal logins. Profile accounts for normal activities and usage patterns
Source: SANS Institute Case Study
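The two controls above can be checked mechanically against login records. This is an added example (not from the slides or the SANS case study): it screens each vendor-portal login for the boundary rule (allowed source networks), the MFA requirement, and a per-account baseline of normal hours and target hosts. The log format, the networks, the account name and the baseline are constructed assumptions.

```python
"""Screen vendor-portal logins against boundary defence, MFA and account profiling.
Added example; the log line format, networks and baseline are constructed."""
import ipaddress
from datetime import datetime

# Constructed: networks from which vendor-portal logins are permitted
# (documentation ranges, standing in for the vendor's office and VPN egress).
ALLOWED_VENDOR_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),
]

# Constructed: per-account baseline of normal behaviour, which in practice
# would be learned from login history rather than hard-coded.
BASELINE = {
    "hvac-vendor": {"hours": range(7, 19), "hosts": {"vendor-portal"}},
}


def parse_event(line):
    """Parse one constructed log line: '<iso-ts> <user> <src-ip> mfa=yes|no host=<name>'."""
    ts, user, src, mfa, host = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "src": ipaddress.ip_address(src),
        "mfa": mfa == "mfa=yes",
        "host": host.split("=", 1)[1],
    }


def evaluate(event, baseline=BASELINE, allowed=ALLOWED_VENDOR_NETWORKS):
    """Return the list of control violations for one login event (empty = clean)."""
    findings = []
    # Boundary defence: a stolen credential is useless from an unexpected network.
    if not any(event["src"] in net for net in allowed):
        findings.append("outside-allowed-network")
    # Account monitoring and control: MFA is required for every vendor login.
    if not event["mfa"]:
        findings.append("no-mfa")
    # Profiling: compare against the account's normal hours and target hosts.
    profile = baseline.get(event["user"])
    if profile is None:
        findings.append("unknown-account")
    else:
        if event["ts"].hour not in profile["hours"]:
            findings.append("off-hours")
        if event["host"] not in profile["hosts"]:
            findings.append("unusual-target")
    return findings


def review(lines):
    """Evaluate every line; returns (user, source ip, findings) per event."""
    results = []
    for line in lines:
        ev = parse_event(line)
        results.append((ev["user"], str(ev["src"]), evaluate(ev)))
    return results


# Constructed sample log; the third line shows the misuse pattern the
# case study describes (foreign network, no MFA, odd hour, unusual target).
SAMPLE_LOG = [
    "2013-11-15T09:12:00 hvac-vendor 203.0.113.20 mfa=yes host=vendor-portal",
    "2013-11-27T22:40:00 hvac-vendor 203.0.113.20 mfa=yes host=vendor-portal",
    "2013-11-30T03:05:00 hvac-vendor 192.0.2.77 mfa=no host=pos-mgmt",
]

if __name__ == "__main__":
    for user, src, findings in review(SAMPLE_LOG):
        print(user, src, "OK" if not findings else ", ".join(findings))
```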
Docker vulnerability exploitability
• Docker is a daemon that runs as root
• Older Docker versions did security by blacklisting kernel calls
– What about the calls that were missed out? The “Shocker” exploit code
• CVE-2014-9357: Privilege escalation during decompression of LZMA (.xz) archives
• 100k+ Docker images on Docker Hub
– In 2015, of 15k+ images examined, 90% contained unverified exploitable vulnerabilities
Source: Black hat Europe 2015 – Vulnerability exploitation in docker container environment
Security responsibility - AWS
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
Security responsibility - Microsoft
Source: https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
Cloud Providers
Cloud Security Challenges
Traditional security challenges apply, but in the cloud these considerations are different…
• Resource location: Consumers do not know exactly where their data lies
• Multi-tenancy issues: How to protect your data/system on shared cloud resources
• Authentication, authorisation, information trust: How to ensure your data’s accessibility & ownership? Identity Access Management (IAM)
• System monitoring and logs: Auditability, audit trail
• Service Level Agreement (SLA)
Traditional security challenges
• Network security
▪ Firewalls
▪ NIDS/NIPS
▪ Proxies
• Host security / Virtualization
▪ HIDS/HIPS
▪ Configuration management
▪ Roles/Privileges
• Data security
▪ Encryption at rest / in transit
▪ Key management
• Vulnerability assessment and penetration testing
• Security policy
• Application security
▪ Secure coding
▪ WAFs
• Database security
• Data disposal
• Solution architecture
Standards & Guidelines
Cloud Security Alliance (CSA)
CSA Reference Architecture
Other Standards and Guidelines
Industry based
• NIST (800-144): Guidelines on Security and Privacy in
Public Cloud Computing
• PCI DSS Cloud computing guidelines
Platform specific
• Center for Internet Security (CIS) recommendations for AWS Foundations / Azure / Google Cloud
Application specific
• Open Web Application Security Project (OWASP) 2017
Cloud Policy and Planning
• Business justification for cloud
implementation
• Data classification
• System availability & accountability
• Admin & User accessibility
• Disaster recovery & Business continuity
• Risk assessment, mitigation & acceptance
Security Principles for Cloud Design
• Build in security at every layer
• Design for elasticity
• Design for failure
– “Blast radius” control
– System recovery
• Use different storage options
• Always have “feedback” loops
• Focus on CSA: Centralization, Standardization, Automation
Security at every layer
“Stack” layer and its controls:
• Application + Presentation: WAF, IAM, scans/pen test, access control (IAM)
• Operating systems: Configuration, vulnerability scan, backup, user & privilege management
• Data: Encryption, backups, DLP, authorization
• Network: Access controls, firewalls, routing, DDoS defences
• Hypervisor: Configuration, access controls, user & privilege management
Hypervisor Security Controls
• Foundational controls
– NTP, SNMP, etc.
• Local firewall/network access controls
• Hardening and configuration
• Users and groups
• Patching
• Logging and Monitoring
• SELinux and/or multitenant isolation
measures
Virtualization security – CSP
• Assess CSP virtualization platform technology
• CSP internal security controls on virtualization
(e.g. virtual firewalls or IDS)
• CSP ISO certification, 3rd party cyber risk
assessment, annual audit
• Enquire about the CSP’s administrative control of the VM environment
• Enquire about the CSP’s segregation and separation of VM zones / types
• Understand how multi-tenancy and VM isolation are implemented, and how an isolation breach is detected and alerted
Cloud network security
• Most CSPs have a flat network design
• Virtual Private Cloud (VNet + VPC)
Source: https://blogs.msdn.microsoft.com/premier_developer/2017/09/17/differentiating-between-azure-virtual-network-vnet-and-aws-virtual-private-cloud-vpc/
Cloud network security
• Virtual network appliances
– WAF, load balancer, proxies, Unified Threat Management
– Vendors like Cisco, F5, Palo Alto, Fortinet, Check Point
• Data loss prevention (as a network control)
– Commonly offered by a CASB
Host security – OS image
• (PaaS/IaaS) Instance / image security is one of the most important considerations
• Standard approaches
– Patching
– Hardening
– Version control
– Access control
– Monitoring
– Anti-malware
• Cloud platform inventory management tool
– Amazon EC2 Systems Manager
– AWS Inspector
Identity Access Management
• Main purpose: Authentication, Authorisation &
Auditability
• Assigned to groups, persons, processes, resources
• Federated identities, tokenization
• RBAC
Source: http://mscerts.wmlcloud.com/programming/identity%20and%20access%20management%20%20%20iam%20architecture%20and%20practice.aspx
Cloud Access Security Brokers
• A third party that helps an organisation govern the use of the cloud and protect sensitive data in it
Source: http://focus.forsythe.com/_wss/clients/509/assets/CASB%20Functionality%20Areas%20Graphic.png
Key Management in Cloud
• Who does it? Consumer or CSP?
• Key generation
• Key storage, backup, recovery
• Key distribution
• Key destruction
• Cryptographic hardware (built in, or a Hardware Security Module [HSM])
– Often governed by standards (PCI)
AWS Key Management
Source: https://image.slidesharecdn.com/encryptionkeymanagementbillshin-150410130029-conversion-gate01/95/encryption-and-key-management-in-aws-18-638.jpg?cb=1428688942
Azure Key Management
Source: https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/03/78/6076.SQLServerConnector.png
Cloud Architecture & Design
• Depends on
– Consumer needs
• Security policies and compliance
• Services required
• Network connectivity
– CSP’s offerings
– CASB’s offerings
– Application dependencies
AWS VPC model
This model has:
1. Public subnet
2. Private subnet
3. Routing
4. NAT gateway
5. Virtual Private Gateway (VPG)
6. IPSec connectivity
Private addresses can be routed to the VPG
Source: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/images/Case3_Diagram.png
Azure Simple DMZ
Source: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm
This DMZ has 3 subnets:
- 10.0.0.x (security)
- 10.0.1.x (web)
- 10.0.2.x (app)
DMZ with security in place: “blast radius” limit
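The “blast radius” of this DMZ can be measured rather than assumed. The following is an added example (not the slide’s or Microsoft’s configuration): it models the three subnets with network-security-group style rules (lowest priority number evaluated first, implicit deny at the end) and computes which subnets a compromised host could still reach. The concrete rules, ports, the 10.0.0.0/16 VNet range and the pitfall of writing “Internet” as 0.0.0.0/0 are assumptions for illustration.

```python
"""Blast-radius check for a three-subnet DMZ (security, web, app).
Added example; rules are NSG-style (lowest priority number first, deny by
default) and the specific rules and ports are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VNET = ipaddress.ip_network("10.0.0.0/16")   # assumed: the whole DMZ virtual network
ANY = ipaddress.ip_network("0.0.0.0/0")      # "Internet" written as any address
SUBNETS = {
    "security": ipaddress.ip_network("10.0.0.0/24"),   # 10.0.0.x on the slide
    "web": ipaddress.ip_network("10.0.1.0/24"),        # 10.0.1.x
    "app": ipaddress.ip_network("10.0.2.0/24"),        # 10.0.2.x
}


@dataclass(frozen=True)
class Rule:
    priority: int                # lower number is evaluated first
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None matches any destination port
    allow: bool


# Naive rule set: reads as intended, but "Internet" is modelled as 0.0.0.0/0,
# which internal addresses also match.
NAIVE_RULES = [
    Rule(100, ANY, SUBNETS["web"], 443, True),              # public HTTPS to web tier
    Rule(110, SUBNETS["web"], SUBNETS["app"], 8080, True),  # web tier calls app API
    Rule(120, SUBNETS["security"], VNET, None, True),       # security subnet manages all
    Rule(4096, ANY, ANY, None, False),                      # explicit default deny
]

# Hardened rule set: every other east-west flow is denied before the
# Internet allow is reached, so 0.0.0.0/0 cannot be matched from inside.
HARDENED_RULES = [
    Rule(100, SUBNETS["web"], SUBNETS["app"], 8080, True),
    Rule(105, SUBNETS["security"], VNET, None, True),
    Rule(110, VNET, VNET, None, False),                     # deny remaining east-west
    Rule(120, ANY, SUBNETS["web"], 443, True),
    Rule(4096, ANY, ANY, None, False),
]


def is_allowed(rules, src_ip, dst_ip, port):
    """First matching rule in priority order decides; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if src_ip in rule.src and dst_ip in rule.dst and rule.port in (None, port):
            return rule.allow
    return False


def blast_radius(rules, origin, probe_ports=(22, 443, 8080)):
    """Names of the other subnets a host in `origin` can reach on any probe port."""
    src_ip = next(SUBNETS[origin].hosts())
    reached = set()
    for name, net in SUBNETS.items():
        if name == origin:
            continue
        dst_ip = next(net.hosts())
        if any(is_allowed(rules, src_ip, dst_ip, p) for p in probe_ports):
            reached.add(name)
    return reached


if __name__ == "__main__":
    for label, rules in (("naive", NAIVE_RULES), ("hardened", HARDENED_RULES)):
        for origin in SUBNETS:
            print(f"{label:8} compromised {origin:8} -> {sorted(blast_radius(rules, origin))}")
```

With the naive rules a compromised app host can still reach the web tier on 443, because the 0.0.0.0/0 source matches it; the hardened set confines the app tier entirely and leaves only the intended web-to-app path.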
Summary
• Cloud security considerations
– Security policies using cloud
– Cloud standards and guidelines
– Cloud controls
– Cloud architecture and design
• The cloud is rapidly evolving
References
• SANS Institute Case Study: Critical controls that could have prevented the Target breach
• SANS SEC545: Cloud Security Architecture and Operations
• Beyond lightning: A survey on security challenges in cloud computing, Chunming Rong, Department of Electrical Engineering and Computer Science, University of Stavanger, Norway
• Cloud computing: Overview and research issues, Divya Kapil, School of Computing, Graphic Era Hill University, Dehradun, India
• Cloud Security: A comprehensive guide to secure cloud computing, Ronald L. Krutz and Russel Dean Vines
• Virtualization: Issues, security threats and solutions, Michael Pearce, Ray Hunt, The University of Canterbury

Contenu connexe

Tendances

DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
Cloud Computing Forensic Science
 Cloud Computing Forensic Science  Cloud Computing Forensic Science
Cloud Computing Forensic Science David Sweigert
 
Communications is distributed systems
Communications is distributed systemsCommunications is distributed systems
Communications is distributed systemsSHATHAN
 
Virtualization in Cloud Computing
Virtualization in Cloud ComputingVirtualization in Cloud Computing
Virtualization in Cloud ComputingPyingkodi Maran
 
Wireless sensor network and its application
Wireless sensor network and its applicationWireless sensor network and its application
Wireless sensor network and its applicationRoma Vyas
 
Hadoop Distributed file system.pdf
Hadoop Distributed file system.pdfHadoop Distributed file system.pdf
Hadoop Distributed file system.pdfvishal choudhary
 
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMSMULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMSvtunotesbysree
 
RPC: Remote procedure call
RPC: Remote procedure callRPC: Remote procedure call
RPC: Remote procedure callSunita Sahu
 
Multi Tenancy In The Cloud
Multi Tenancy In The CloudMulti Tenancy In The Cloud
Multi Tenancy In The Cloudrohit_ainapure
 
CS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMSCS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMSKathirvel Ayyaswamy
 
Context-Aware Computing
Context-Aware ComputingContext-Aware Computing
Context-Aware Computinglogus2k
 
Virtualization in cloud computing ppt
Virtualization in cloud computing pptVirtualization in cloud computing ppt
Virtualization in cloud computing pptMehul Patel
 

Tendances (20)

Xen & virtualization
Xen & virtualizationXen & virtualization
Xen & virtualization
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
Cloud Computing Forensic Science
 Cloud Computing Forensic Science  Cloud Computing Forensic Science
Cloud Computing Forensic Science
 
Communications is distributed systems
Communications is distributed systemsCommunications is distributed systems
Communications is distributed systems
 
Csma
CsmaCsma
Csma
 
Virtualization in Cloud Computing
Virtualization in Cloud ComputingVirtualization in Cloud Computing
Virtualization in Cloud Computing
 
Wireless sensor network and its application
Wireless sensor network and its applicationWireless sensor network and its application
Wireless sensor network and its application
 
Hadoop Distributed file system.pdf
Hadoop Distributed file system.pdfHadoop Distributed file system.pdf
Hadoop Distributed file system.pdf
 
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMSMULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
 
Unit 4
Unit 4Unit 4
Unit 4
 
RPC: Remote procedure call
RPC: Remote procedure callRPC: Remote procedure call
RPC: Remote procedure call
 
Multi Tenancy In The Cloud
Multi Tenancy In The CloudMulti Tenancy In The Cloud
Multi Tenancy In The Cloud
 
CS8601 MOBILE COMPUTING
CS8601 MOBILE COMPUTING CS8601 MOBILE COMPUTING
CS8601 MOBILE COMPUTING
 
CS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMSCS9222 ADVANCED OPERATING SYSTEMS
CS9222 ADVANCED OPERATING SYSTEMS
 
Context-Aware Computing
Context-Aware ComputingContext-Aware Computing
Context-Aware Computing
 
Presence cloud
Presence cloudPresence cloud
Presence cloud
 
Aneka platform
Aneka platformAneka platform
Aneka platform
 
Virtualization in cloud computing ppt
Virtualization in cloud computing pptVirtualization in cloud computing ppt
Virtualization in cloud computing ppt
 
Server virtualization
Server virtualizationServer virtualization
Server virtualization
 
Chapter 6 synchronization
Chapter 6 synchronizationChapter 6 synchronization
Chapter 6 synchronization
 

Similaire à Cloud security introduction

Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...EC-Council
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
Unified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureUnified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureMarketingArrowECS_CZ
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessPuma Security, LLC
 
Cloud Computing & Business Intelligence
Cloud Computing & Business IntelligenceCloud Computing & Business Intelligence
Cloud Computing & Business IntelligenceSudip Chatterjee
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloadsRuncy Oommen
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHansFarroCastillo1
 
AWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security OverviewAWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security OverviewAmazon Web Services
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02abhisheknayak29
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudCloudHesive
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesHyTrust
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
 
Azure reference architectures
Azure reference architecturesAzure reference architectures
Azure reference architecturesMasashi Narumoto
 
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...Amazon Web Services
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeHimani Singh
 

Similaire à Cloud security introduction (20)

Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
Unified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureUnified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud Infrastructure
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
Cloud Computing & Business Intelligence
Cloud Computing & Business IntelligenceCloud Computing & Business Intelligence
Cloud Computing & Business Intelligence
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
 
AWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security OverviewAWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentals
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
 
4831586.ppt
4831586.ppt4831586.ppt
4831586.ppt
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCP
 
Azure reference architectures
Azure reference architecturesAzure reference architectures
Azure reference architectures
 
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 

Dernier

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Dernier (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...

Cloud security introduction

  • 1. Master of Applied Information Systems, Mar 2018: Cloud Security Introduction
  • 2. SMU Classification: Restricted. Agenda
    – Introduction: What is Cloud computing
    – Cloud Security incident
    – Cloud Security challenges
    – Cloud Standards & Guidelines
    – Cloud Policy and Planning
    – Cloud Security Controls
    – Cloud Architecture and Design
    – Summary
  • 3. Disclaimer
    – Non-comprehensive
    – Best-effort updated
    – Cloud is a fast-changing environment
  • 4. Cloud computing definition (as defined by NIST)
    – On-demand self-service: the consumer can unilaterally provision computing capabilities
    – Broad network access
    – Resource pooling
    – Rapid elasticity
    – Measured service
  • 5. NIST Reference Architecture. Source: NIST SP 500-292, NIST Cloud Computing Reference Architecture
  • 6. Cloud Actors
    – Consumer: a person or organisation using cloud services from a CSP
    – Provider (CSP): an entity offering cloud services to consumers
    – Auditor: an entity that provides objective and independent assessments of cloud services
    – Broker: manages the use, performance and/or delivery of cloud services between CSPs and consumers. Today, Security-as-a-Service (SecaaS) offerings often “broker” various types of access or data sent to and from the cloud
    – Carrier: an intermediary providing transport and connectivity for cloud services
  • 7. Cloud deployment model. Source: https://image.slidesharecdn.com/4-theenterprisecloudcomputingparadigm-131130040800-phpapp02/95/cloud-computing-principles-and-paradigms-4-the-enterprise-cloud-computing-paradigm-4-638.jpg
  • 8. Cloud computing key technologies: Virtualisation types. Source: https://image.slidesharecdn.com/1-150328170334-conversion-gate01/95/1introduction-to-virtualization-27-638.jpg
  • 9. Cloud computing key technologies: Containers. Source: https://thecustomizewindows.com/2014/07/container-based-virtualization
  • 10. Cloud computing key technologies: Software-defined networking. Source: https://commsbusiness.co.uk/features/software-defined-networking-sdn-explained/
  • 11. Cloud Security Incident
    – Dec 2013: 40 million credit cards stolen from POS systems
      ▪ Investigation revealed the initial malware was introduced through Target’s refrigeration vendor
      ▪ Criminals used the vendor’s credentials to access Target’s cloud infrastructure
    – Use of vendor credentials: relevant controls
      ▪ Boundary defence: limit network access to the vendor portal, so that anyone who obtained the credentials could not reach the portal unless on a network allowed to access it
      ▪ Account monitoring and control: require multi-factor authentication to log in to the vendor portal; monitor use of vendor portal logins; profile accounts for normal activities and usage patterns
    Source: SANS Institute Case Study
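The two controls named for the Target case, as a defender-side check over vendor-portal login events (an added example, not from the SANS case study or the slides; the allow-listed networks, the account baseline and the login events are all constructed):

```python
"""Vendor-portal login checks modelled on the two controls named for the
Target case: boundary defence (a network allow-list in front of the portal)
and account monitoring (MFA plus a per-account baseline). Added example;
every network, account and event below is constructed."""
from ipaddress import ip_address, ip_network

# Boundary defence: only these networks may reach the vendor portal (constructed).
PORTAL_ALLOWED_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Account profile: hours and source networks each vendor account normally uses
# (constructed baseline; in practice learnt from historical portal logs).
BASELINE = {
    "hvac-vendor": {"hours": range(7, 19), "nets": [ip_network("203.0.113.0/24")]},
}

# Constructed vendor-portal login events: one normal, one without MFA, one from
# an address outside the allow-list, one allow-listed but off-profile.
EVENTS = [
    {"user": "hvac-vendor", "src": "203.0.113.45", "mfa": True, "hour": 10},
    {"user": "hvac-vendor", "src": "203.0.113.45", "mfa": False, "hour": 10},
    {"user": "hvac-vendor", "src": "192.0.2.77", "mfa": True, "hour": 3},
    {"user": "hvac-vendor", "src": "198.51.100.9", "mfa": True, "hour": 23},
]

def in_any(addr, nets):
    """True if addr falls inside any network in nets."""
    ip = ip_address(addr)
    return any(ip in n for n in nets)

def evaluate(event):
    """Return (allowed, findings). A boundary or MFA failure blocks the login;
    a deviation from the account's profile lets it through but raises alerts,
    because stolen credentials used from a new place or time look like this."""
    if not in_any(event["src"], PORTAL_ALLOWED_NETS):
        return False, ["blocked: source not on portal allow-list"]
    if not event["mfa"]:
        return False, ["blocked: MFA not completed"]
    findings = []
    profile = BASELINE.get(event["user"])
    if profile:
        if event["hour"] not in profile["hours"]:
            findings.append("alert: login outside normal hours")
        if not in_any(event["src"], profile["nets"]):
            findings.append("alert: login from network not in account profile")
    return True, findings

def triage(events):
    """Evaluate every event; blocked logins and alerts both go to monitoring."""
    return [evaluate(e) for e in events]
```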
  • 12. Docker vulnerability exploitability
    – Docker is a daemon that runs as root
    – Older Docker does security by blacklisting kernel calls: what about the calls the blacklist misses? (“Shocker” exploit code)
    – CVE-2014-9357: privilege escalation during decompression of LZMA (.xz) archives
    – 100k+ images on Docker Hub; in 2015, of 15k+ images, 90% contained unverified exploitable vulnerabilities
    Source: Black Hat Europe 2015, Vulnerability exploitation in Docker container environment
  • 13. Security responsibility - AWS. Source: https://aws.amazon.com/compliance/shared-responsibility-model/
  • 14. Security responsibility - Microsoft. Source: https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
  • 16. Cloud Security Challenges. Traditional security challenges apply, but in the cloud these considerations differ:
    – Resource location: consumers do not know exactly where their data resides
    – Multi-tenancy issues: how to protect your data and systems on shared cloud resources
    – Authentication, authorisation, information trust: how to ensure accessibility and ownership of your data? Identity and Access Management (IAM)
    – System monitoring and logs: audit trail
    – Service Level Agreement (SLA)
  • 17. Traditional security challenges
    – Network security: firewalls, NIDS/NIPS, proxies
    – Host security / virtualisation: HIDS/HIPS, configuration management, roles/privileges
    – Data security: encryption at rest / in transit, key management
    – Vulnerability assessment and penetration testing
    – Security policy
    – Application security: secure coding, WAFs
    – Database security
    – Data disposal
    – Solution architecture
    Standards & Guidelines
  • 18. Cloud Security Alliance (CSA)
  • 19. CSA Reference Architecture
  • 20. Other Standards and Guidelines
    – Industry based: NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing; PCI DSS Cloud Computing Guidelines
    – Platform specific: Center for Internet Security (CIS) recommendations for AWS Foundations / Azure / Google Cloud
    – Application specific: Open Web Application Security Project (OWASP) 2017
  • 21. Cloud Policy and Planning
    – Business justification for cloud implementation
    – Data classification
    – System availability & accountability
    – Admin & user accessibility
    – Disaster recovery & business continuity
    – Risk assessment, mitigation & acceptance
  • 22. Security Principles for Cloud Design
    – Build in security at every layer
    – Design for elasticity
    – Design for failure: “blast radius” control, system recovery
    – Use different storage options
    – Always have “feedback” loops
    – Focus on CSA: Centralisation, Standardisation, Automation
  • 23. Security at every layer (access control / IAM applies across all layers)
    – Application + Presentation: WAF, IAM, scans / pen test
    – Operating systems: configuration, vulnerability scan, backup, user & privilege management
    – Data: encryption, backups, DLP, authorisation
    – Network: access controls, firewalls, routing, DDoS defences
    – Hypervisor: configuration, access controls, user & privilege management
  • 24. Hypervisor Security Controls
    – Foundational controls: NTP, SNMP, etc.
    – Local firewall / network access controls
    – Hardening and configuration
    – Users and groups
    – Patching
    – Logging and monitoring
    – SELinux and/or multi-tenant isolation measures
  • 25. Virtualization security - CSP
    – Assess the CSP’s virtualisation platform technology
    – CSP internal security controls on virtualisation (e.g. virtual firewalls or IDS)
    – CSP ISO certification, third-party cyber risk assessment, annual audit
    – Enquire about the CSP’s administrative control of the VM environment
    – Enquire about the CSP’s segregation and separation of VM zones / types
    – Understand how multi-tenancy and VM isolation are implemented, and how an isolation breach is alerted
  • 26. Cloud network security
    – Most CSPs have a flat network design
    – Virtual Private Cloud (VNet + VPC)
    Source: https://blogs.msdn.microsoft.com/premier_developer/2017/09/17/differentiating-between-azure-virtual-network-vnet-and-aws-virtual-private-cloud-vpc/
  • 27. Cloud network security
    – Virtual network appliances: WAF, load balancer, proxies, Unified Threat Management; vendors such as Cisco, F5, Palo Alto, Fortinet, Check Point
    – Data loss prevention (as a network control): commonly offered by CASBs
  • 28. Host security - OS image
    – (PaaS/IaaS) Instance / image security is one of the most important considerations
    – Standard approaches: patching, hardening, version control, access control, monitoring, anti-malware
    – Cloud platform inventory management tools: Amazon EC2 Systems Manager, AWS Inspector
  • 29. Identity Access Management
    – Main purpose: authentication, authorisation & auditability
    – Assigned to groups, persons, processes, resources
    – Federated identities, tokenisation
    – RBAC
    Source: http://mscerts.wmlcloud.com/programming/identity%20and%20access%20management%20%20%20iam%20architecture%20and%20practice.aspx
  • 30. Cloud Access Security Brokers: third parties that help an organisation govern use of, and protect sensitive data in, the cloud. Source: http://focus.forsythe.com/_wss/clients/509/assets/CASB%20Functionality%20Areas%20Graphic.png
  • 31. Key Management in Cloud
    – Who does it? Consumer or CSP?
    – Key generation
    – Key storage, backup, recovery
    – Key distribution
    – Key destruction
    – Cryptographic hardware (built in, or a Hardware Security Module [HSM]): often governed by standards (PCI)
  • 32. AWS Key Management. Source: https://image.slidesharecdn.com/encryptionkeymanagementbillshin-150410130029-conversion-gate01/95/encryption-and-key-management-in-aws-18-638.jpg?cb=1428688942
  • 33. Azure Key Management. Source: https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/03/78/6076.SQLServerConnector.png
  • 34. Cloud Architecture & Design depends on
    – Consumer needs: security policies and compliance, services required, network connectivity
    – CSP’s offerings
    – CASB’s offerings
    – Application dependencies
  • 35. AWS VPC model. This model has:
    1. Public subnet
    2. Private subnet
    3. Routing
    4. NAT gateway
    5. Virtual Private Gateway (VPG)
    6. IPsec connectivity
    Able to route private addresses to the VPG. Source: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/images/Case3_Diagram.png
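The routing in the VPC model above, checked as an added example (not AWS's code or the slides'): the public subnet's table must default to the Internet gateway, while the private subnet's table must reach the Internet only through the NAT gateway and the corporate range only through the VPG. All table contents, CIDRs and target ids are constructed placeholders:

```python
"""Route-table checks for the VPC model on the slide: public and private
subnets, a NAT gateway, and a Virtual Private Gateway (VPG) with IPsec back
to the corporate network. Constructed tables; target ids are placeholders
that only follow the AWS prefixes igw-/nat-/vgw-. Added example."""
from ipaddress import ip_address, ip_network

ON_PREM = "172.16.0.0/12"        # corporate range reached over IPsec (constructed)
INTERNET_PROBE = "203.0.113.1"   # an address outside both the VPC and on-prem ranges

# Constructed route tables: destination CIDR -> target id.
ROUTE_TABLES = {
    "public":  {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0abc"},
    "private": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0def", ON_PREM: "vgw-0123"},
    # Misconfigured: a private table that was given the Internet gateway as default.
    "leaky":   {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0abc", ON_PREM: "vgw-0123"},
}

def route_for(table, addr):
    """Longest-prefix match on a destination address, as the VPC router does."""
    ip = ip_address(addr)
    hits = [(ip_network(c).prefixlen, t) for c, t in table.items() if ip in ip_network(c)]
    return max(hits)[1] if hits else None

def check_private(table):
    """Findings for a private-subnet table: Internet-bound traffic must leave
    via the NAT gateway (never an Internet gateway, which would make the
    instances reachable from outside) and corporate ranges must go to the VPG."""
    findings = []
    inet = route_for(table, INTERNET_PROBE)
    if not (inet or "").startswith("nat-"):
        findings.append(f"default route via {inet}, expected NAT gateway")
    corp = route_for(table, str(ip_network(ON_PREM)[1]))
    if not (corp or "").startswith("vgw-"):
        findings.append(f"corporate route via {corp}, expected Virtual Private Gateway")
    return findings

def check_public(table):
    """A public subnet needs a default route to the Internet gateway."""
    inet = route_for(table, INTERNET_PROBE)
    if (inet or "").startswith("igw-"):
        return []
    return [f"default route via {inet}, expected Internet gateway"]
```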
  • 36. Azure Simple DMZ. Source: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm
    This DMZ has 3 subnets:
    – 10.0.0.x (security)
    – 10.0.1.x (web)
    – 10.0.2.x (app)
    DMZ with security in place; “blast radius” limited
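The three-subnet DMZ above, as an added example (not from Microsoft's article or the slides) of how priority-ordered, deny-by-default NSG-style rules bound the “blast radius” of a compromised web host. The rules, addresses and simplified first-match semantics are constructed and do not reproduce Azure's default rules:

```python
"""Simplified NSG-style rule evaluation for the three-subnet DMZ on the slide
(10.0.0.x security, 10.0.1.x web, 10.0.2.x app). Constructed rules; the first
matching rule in ascending priority wins and anything unmatched is denied.
Added example, a model of the idea rather than Azure's exact semantics."""
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")
SUBNETS = {"security": ip_network("10.0.0.0/24"),
           "web": ip_network("10.0.1.0/24"),
           "app": ip_network("10.0.2.0/24")}

# (priority, source, destination, dst_port or "*", action). "*" matches anything
# and "Internet" any address outside the VNet. Constructed, not Azure defaults.
RULES = [
    (100, "Internet", "web", 443, "Allow"),   # only the web tier is exposed
    (110, "web", "app", 8080, "Allow"),       # web may call the app tier
    (120, "security", "*", 22, "Allow"),      # admin jump host reaches all tiers
    (4000, "*", "*", "*", "Deny"),            # explicit default deny
]

def matches(selector, addr):
    """True if the address satisfies a rule's source/destination selector."""
    ip = ip_address(addr)
    if selector == "*":
        return True
    if selector == "Internet":
        return ip not in VNET
    return ip in SUBNETS[selector]

def decide(src, dst, port):
    """Action of the first matching rule by priority; Deny if none matches."""
    for _, s, d, p, action in sorted(RULES, key=lambda r: r[0]):
        if matches(s, src) and matches(d, dst) and p in ("*", port):
            return action
    return "Deny"

def blast_radius(src):
    """Every (tier, port) a host at src can still reach under the rules above:
    the set the DMZ design is meant to keep small once one host is compromised."""
    reachable = []
    for tier, net in SUBNETS.items():
        for port in (22, 443, 8080):
            if decide(src, str(net[4]), port) == "Allow":
                reachable.append((tier, port))
    return reachable
```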
  • 37. Summary
    – Cloud security considerations: security policies for using cloud, cloud standards and guidelines, cloud controls, cloud architecture and design
    – Cloud is rapidly evolving
  • 38. References
    – SANS Institute Case Study: Critical controls that could have prevented the Target breach
    – SANS SEC545: Cloud Security Architecture and Operations
    – Beyond lightning: A survey on security challenges in cloud computing, Chunming Rong, Department of Electrical Engineering and Computer Science, University of Stavanger, Norway
    – Cloud computing: Overview and research issues, Divya Kapil, School of Computing, Graphic Era Hill University, Dehradun, India
    – Cloud Security: A comprehensive guide to secure cloud computing, Ronald L. Krutz and Russell Dean Vines
    – Virtualization: Issues, security threats and solutions, Michael Pearce, Ray Hunt, The University of Canterbury