Cloud Security Architecture.pptx

Building secure
Cloud architecture
Moshe Ferber
CCSK, CCSP, CCAK, ACSP
When the winds of change blow, some people
build walls and others build windmills.
- Chinese Proverb

About myself
 Information security professional for over 20 years
 Founder, partner and investor at various cyber initiatives and startups
 Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
 Co-hosting the Silverlining IL podcast – security engineering
 Founding committee member for ISC2 CCSP , CSA CCSK, ISACA CCAK certifications
 Member of the board at Macshava Tova – Narrowing societal gaps
 Chairman of the Board, Cloud Security Alliance, Israeli Chapter
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule

Cloud characteristics:
• Cloud computing characteristics distinguish
cloud from other forms of compute
(i.e. hosting, outsourcing , static virtualization)
• Mostly relevant for certain regulations
Cloud charatractics

Cloud Services are very different in nature
SaaS
PaaS
IaaS
Private Hybrid Public

The shared responsibility model
Physical Security
Network & Data Center
Security
Hypervisors Security
Virtual Machines & OS
security
Data layer & development
platform
Application
Identity Management
DATA
Audit & Monitoring
IaaS PaaS SaaS
Consumer
responsibility
Provider
responsibility

The CISO Challenge
SaaS
PaaS
IaaS
Gain the
expertise for
building
secure
applications
Evaluate our
providers
correctly
Very hard to
provide best
practices

Terminology
AWS IaaS PaaS
Instance Image Snapshot
ELB
Root
Account
IAM user

Architecting for availability
US WEST
AZ1 AZ2
AZ3 AZ4
Singapore
AZ1 AZ2
AZ3 AZ4
Mumbai
AZ1 AZ2
AZ3 AZ4
Regions vs. Availability Zones

DB
Mumbai AZ-1
DB DB
Internet
Load Balancer
Redundancy in one region
Mumbai AZ-2
WWW
WWW WWW
Mumbai AZ-3

DB
US-EAST1
DB DB
External
CDN
US-EAST2 2nd provider
Redundancy in multiple regions/clouds
WWW
WWW
WWW

C o m p l i a n c e
SOC2 ISO27001
Privacy regulations
• HIPAA
• PCI
• COPPA
Industry
specific
• Fedramp
• BSI
• MTCS
Geographic
location
Advance
certifications
•ISO27017 / 18
•STAR Level 2,3

P r i v a c y b a s i c s
Data Subject
• Owner of the
data
Data controller
• Responsible
for collecting
and securing
the data
Data processor
• Responsible
for storing &
processing
Personal Identifiable Information

• External CDN providers can add resiliency,
flexibility & redundancy
• Look for vendors who can add functionality:
DDOS protection
Web application firewall
Load Balancing
DNS management

Architecting for network separation
Mumbai AZ-2 Mumbai AZ-3
Mumbai AZ-1
DB
WWW WWW
WWW
DB
DB
Understanding VPC (Virtual Private Cloud) / Virtual Network
DB
WWW WWW
WWW
DB
DB
VPC A: Production
VPC B: Test

DB Subnet MNGT subnet
Web SUBNET
WWW
WWW
WWW
Router
DB
DB
DB
MQ
Monitoring
Logs
Production VPC 192.168.0.0
192.168.2.0
192.168.1.0
203.0.115.0
192.168.3.0

• VPC is logical grouping of subnets &
instances, virtualizing physical data
center features
• VPC setting include private & public IP
segments, routing, internet
connectivity, adding external WAF /
Firewall, DHCP , VPN & more
• VPC’s can be used to separate test from
production, application services and
more

Understanding Security groups
Mumbai AZ-2 Mumbai AZ-3
Mumbai AZ-1
WWW WWW
WWW
DB
DB DB
Security Group: web-servers Allow: 80/443
Security Group: DB-servers Allow: 3306 (MYSQL)

The advantages of Micro Segmentation
Traditional Micro segmentation

Additional VPC tools
NAT
Instance
Direct
Connect
Firewall
VPN
Gateway
Network
ACLs
Flow logs

Router
Test VPC
WWW
Application
DB
Production VPC
WWW
Application
DB
NAT
Gatewa
y
Corporate
network
VPN / Dedicated line
Access VPC
Bastion Host / Jump Server
S3 EndPoint
Architecting for IT access
Test VPC

Router
Access VPC
Architecting for users' access (SASE, SDP, ZTA)
Test VPC
Users
controller
IDP
SaaS
Access VM
IaaS/PaaS

Web Application Firewall options
Architecting for application protection
3rd party as a
service
3rd Party as
Proxy
Provider
service
WAF client on
web instances

Limiting blast Radius
Organizations / Subscriptions
Root Account
IAM
Admin
Securi
ty
Audito
r
Billing
Admin
Super Admin
Service
1 Admin
Service
2 Admin
Root Account
IAM
Admin
Securi
ty
Audito
r
Billing
Admin
Super Admin
Service
1 Admin
Service
2 Admin
Root Account
IAM
Admin
Securi
ty
Audito
r
Billing
Admin
Super Admin
Service
1 Admin
Service
2 Admin
OU A OU B OU C

Identity Federation
Identity
Provider
Saas Enterprise
Applications
(SAML)
Integrating social media
accounts
(OpenID)
API / Mobile
Authentication
(OAuth)
MFA,
Conditional access

Secrets management
inside the cloud ,
accessing cloud
services
• Use dynamic token (STS)
Inside the cloud,
access 3rd party
services
• Use Secret store (vault, AWS secret store, Azure
Keyvault)
Outside the cloud,
accessing cloud
services
• Vault or similar solution
• Config file if no choice, stored in a specific location

Containers
Source: https://cloudblogs.microsoft.com/opensource/2019/07/15/how-to-get-started-containers-docker-
kubernetes/

Containers management
Kubernetes (K8s’)
Compute
scheduling
Self-healing
Horizontal
scaling
Volume
management
Service
discovery &
load balancing
Automated
rollouts &
rollbacks
Secret &
configuration
management
Source: https://cloudblogs.microsoft.com/opensource/2019/07/15/how-to-get-started-containers-docker-
kubernetes/

Serverless
Source: Tech Target – what is serverless

Serverless threats
Source: how to design secure servless applications – CSA serverless working group

Architecting for application separation
Source: Cloud Security Alliance CCSK certification

Front End
Back End
Queue
Service

Build application separation
Utilize MQ services to
separate application
components
Use API Gateways &
Endpoints

Understanding storage options
Architecting for data security
Volume Storage
• Attached to a single
instance
• Not shared, accessible
only from the instance
• Useful in storing
instance OS
environment ,
application binaries ,
DB files and anything
instances need to
operate
Object Storage
• Provider managed
• Files are placed in
buckets
• Versioning & meta data
kept for all objects
• Files are accessible by
API or HTTP
• Independent from AZ
or instances
dependencies
• Useful for storing static
applications data,
backups, source code
and config files
Database service
• Provider managed
• Files are accessible by
DB API
• Vary between different
services: (structured,
unstructured and
more)
• Usually, customer has
no access to underlying
DB infrastructure
CDN
• Cloud provider
proprietary service or
external 3rd party
services
• Provide flexibility and
resiliency
• Useful in serving static
content at late latency
• Usually accompanied
by additional services:
WAF, DDOS protection,
Load balancer…

Volume storage
Backups
• Usually snapshots
• Customer
responsibility to keep
snapshots
inaccessible
• Don’t keep
application secrets
on disk
Redundancy
• Not redundant
• Access is made by a
service on the
instance OS (web
service I.e)
• If service fails, no
access
Encryption
• Storage encryption
with provider service
(i.e. AWS KMS, Azure
keyvault)
• Or OS Level
encryption software
(i.e. truecrypt,
bitlocker)

Object storage
Backups
• Keeps versioning
system of files
• External backups
are recommended
(explore provider
services)
Redundancy
• Availability is
responsibility of
the provider
• Increased
availability can be
achieved by
replicating to other
regions
Encryption
• Service side:
Storage encryption
with provider
service (i.e. AWS
KMS, Azure key
vault)
• Or Client side using
provider SDK

Database Storage (Database as a service)
Backups
• Automated backups
are made by provider
• External exports and
backups should be
made periodically,
just as any other
database
Redundancy
• Availability is
responsibility of the
provider but managed
by customer
• Architect multiple AZ
Encryption
• Service side: Storage
encryption with
provider service
usually at the
database level
• TDE can be used here
as well to encrypt at
table/ column level

Encryption
OS
Storage
DB
Application
Encryption Layer
TDE
Storage Encryption
Volume Encryption
Shared KMS
Dedicated
HSM
Virtual
instance
KEYS

A r c h i t e c t i n g f o r C I / C D
Source: CCAK certification, Module 8

A r c h i t e c t i n g f o r C I / C D
• Detecting vulnerable packages
• Licensing and usability
SCA
• Examine the static code
• Whitebox testing
SAST
• Testing the actual runtime
• Blackbox testing
DAST
• misconfiguration
• Application secrets
IaaC
inspection

M o n i t o r i n g To o l s e t
CWPP - Cloud
Workload Protection
Platform
•Protect Workloads
(VM’s, Containers,
serverless
•Traditional end-
point security (AV,
VA )
•Additional features
for containers and
serverless
CSPM Cloud Security
Posture Management
•Protect
management
dashboard
•Monitor for
Compliance breaks,
misconfiguration,
Identity permissions
CIEM - Cloud Identity
& entitlement
management
•Monitor Identity
data
•Identity include
services, machines
CASB - Cloud Access
Security Broker
•Design for SaaS
•Detect threats
•eDiscovery + DLP
•Shadow IT detection
SSPM – SaaS security
posture management
•CASB next
generation
•Evaluating SaaS
providers
•Focus on posture
and compliance
Cloud native application protection
platform (CNAPP)
IaaS/PaaS SaaS

Security
Center
Logs
Posture &
configuration
Workloads
vulnerabilities
Threat
intelligence
Identity data
Monitoring Tool set

A r c h i t e c t i n g f o r L o g M a n a g e m e n t
Portal Logs
• Cover API &
GUI access
Traffic Logs
• Network
traffic )flow
logs format)
Instances Logs
• Extracted
just like
traditional
OS
Unique logs
• K8's logs
• ELB logs
• Object
storage logs

OS Logs
A r c h i t e c t i n g f o r l o g m a n a g e m e n t
Cloud
Trail
S3
SIEM
Agent
Cloud WATCH
(Rules & Alerts)
SNS
(notifications)
VPC Flow
Logs

KEEP IN TOUCH
Cloud Security Course Schedule can be find at:
http://www.onlinecloudsec.com/course-schedule

Cloud Security Architecture.pptx

More Related Content

What's hot

Similar to Cloud Security Architecture.pptx

More from Moshe Ferber

Recently uploaded

Cloud Security Architecture.pptx