This webinar covers cloud security fundamentals across AWS, Azure, and GCP. It begins with introductions and an overview of the course, which includes cloud security 101, best practices for each cloud provider, and a discussion of current threats. The presentation covers topics such as the shared responsibility model, cloud security risks and governance models, identity and access management, data security, and techniques for mitigating risks in the cloud. It emphasizes the importance of a data-centric approach to security and controlling access according to the principles of least privilege and separation of duties.
2. Webinar Series
WELCOME!
Check that you can "raise your hand" next to your name on the left
When we start I'll ask everyone to raise their hand to verify you can hear me
To ask a question during the presentation, type it in the "Questions" section and raise your hand to help me notice it
Slides will be available shortly after the presentation
Audio recording will be published shortly after the presentation
3. Webinar Series
OVERVIEW
Introduction to Speaker
Joe Holbrook
Jacksonville, FL
He also holds industry-leading certifications from Amazon Web Services, Google Cloud Platform, Brocade, Hitachi Data Systems, EMC, VMware, CompTIA, HPE, Cloud Credential Council, Palo Alto Networks and numerous other organizations
4. Webinar Series
OVERVIEW
Introduction to Course
Cloud Security 101
Cloud Computing Security, Risks, and Governance
DevOps and Cloud Security
Security Controls in Cloud Computing
Common Cloud Computing Vulnerabilities
5. Webinar Series
OVERVIEW
AWS Security Best Practices, Features
Azure Security Best Practices, Features
GCP Security Best Practices, Features
New Threats = Cryptocurrency Mining
Current Threat Landscape
Top Ten Techniques for Cloud Risk Mitigation
Cloud Security Certifications
6. Webinar Series
INTRODUCTION TO COURSE
Course is Three Hours
Cloud Security 101
Cloud Security Best Practices
Demos
Resources
8. Webinar Series
CLOUD SECURITY 101
Cloud security is essentially a shared responsibility model (provider and subscriber).
Cloud computing security is generally viewed as a complex area, but it does not have to be.
You are essentially performing the same functions as in traditional IT security.
This includes protecting critical information from theft, data leakage and deletion.
9. Webinar Series
CLOUD SECURITY 101
For example, AWS applies the Shared Responsibility Model to distinguish the different aspects of security management.
AWS owns the infrastructure, physical network and hypervisor.
The enterprise owns the workload OS, apps, virtual network, access to its tenant environment/account, and the data.
11. Webinar Series
CLOUD SECURITY 101
Cloud providers offer numerous tools to help facilitate cloud security vulnerability and threat identification, e.g. Google Cloud Compute Engine Security Scanner or AWS Inspector.
13. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
The National Institute of Standards and Technology (NIST) cloud model provides a definition of cloud computing and how it can be used and deployed.
NIST identifies the following characteristics and models for cloud computing:
Essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service
14. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
The National Institute of Standards and Technology (NIST) Cloud Computing Model
[Figure: NIST cloud computing model diagram]
15. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
The National Institute of Standards and Technology (NIST) Cloud Computing Model
https://www.nist.gov/publications/nist-cloud-computing-reference-architecture
The National Institute of Standards and Technology (NIST) Security Reference Model
https://www.nist.gov/document-4641
16. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
Service models: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS)
Deployment models: private cloud, community cloud, public cloud, and hybrid cloud
Cloud Computing Threats, Risks, and Vulnerabilities
17. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
The cloud shared security model articulates the responsibility of the vendor to secure the cloud, while the customer is responsible for the security of their applications on the cloud.
Cloud security is hard: it is a multifaceted effort where control may not be yours.
18. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
In a SaaS-based model, the cloud provider is responsible for the infrastructure, the intermediary layer, and part of the application layer; the cloud consumer, however, is responsible for the data stored in the application and its associated configuration.
Accounts, permissions
19. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
In a PaaS-based model, the cloud provider is responsible for the infrastructure and certain aspects of the intermediary layer, while the cloud consumer is responsible for the application and its associated security, along with certain aspects of the intermediary layer.
Runtime environments, scanning
20. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
In an IaaS-based model, the cloud provider is responsible for the underlying backend infrastructure, such as the virtualization layer, backend switches, hardware, and others, while the cloud consumer is responsible for all the other aspects except server security, firewalls, and routing configurations.
Responsible for VMs, etc.
21. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
https://www.episerver.com/learn/resources/blog/fred-bals/pizza-as-a-service/
23. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
https://maheshkumar.wordpress.com/2015/02/26/pizza-to-explain-iaas-vs-paas-vs-saas/
24. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
Cloud governance is the set of rules and policies through which an organization is directed and controlled so that it stays focused on its goals.
Not exactly management!
Policy is created by governance and enforced by management.
25. Webinar Series
CLOUD COMPUTING SECURITY, RISKS AND GOVERNANCE
Cloud risks are specific to the cloud:
Man in the Middle
API Vulnerabilities
Denial of Service
Spoofing
IP Scans
26. Webinar Series
Incorporating Identity and Access Management in Cloud
Organizations recognize that cloud adoption has already fragmented the identity infrastructures they have been diligently building and consolidating for the past ten years.
Today's identity infrastructures need to cater to:
The extended enterprise of employees as well as business partners for whom the company may not even manage identities (this could include customers as well, in which case the IDs would be managed by the organization).
BYOD and mobility requirements, where securing non-web APIs and imbuing them with identity is the norm.
Support of IAM for applications delivered by cloud service providers.
27. Webinar Series
Controlling Access
Authentication and authorization are often confused with each other, and their roles are misunderstood.
Authentication—The act of confirming the truth of an attribute of a single piece of data (datum) or entity. It is the process of actually confirming an identity.
Authorization—The function of specifying access rights to resources. It is the process of providing an authenticated user the ability to access an application, data set, data file, or some other object.
Authentication: the process of proving the identity of a user or server.
Authorization: the action or fact of authorizing or being authorized.
28. Webinar Series
Types of Security Credentials in Cloud
You use different types of security credentials depending on how you interact with your cloud computing service. The following list summarizes the different types of security credentials and when you might use each one within a cloud computing deployment.
Identity and access management (IAM) (user name and password)—Used when multiple individuals or applications require access to your cloud computing account. Create unique IAM user identities; each user can sign in with his or her own user name and password. A name and password are also required to use a service, such as sending email with a cloud email service.
Multi-Factor Authentication (MFA)—Provides an extra level of security that you can apply to your cloud computing environment. With MFA enabled, when you sign in to a cloud service you are prompted for your user name and password as well as for an authentication code from an MFA device. Taken together, these multiple factors provide increased security for your cloud computing resources.
29. Webinar Series
Types of Security Credentials in Cloud (Contd.)
Additional security credentials used within cloud services are:
Access keys (access key ID and secret access key)—Access keys consist of an access key ID (AKIAIOSFODNN7EXAMPLE) and a secret access key (wJalrXUtnFEMI/K7MDENG/bPxRfiCY).
You use access keys to sign programmatic requests that you make to your cloud computing service's REST or Query APIs.
Note that REST APIs use operations and other existing features of the HTTP protocol. For example, layered proxy and gateway components perform additional functions on the network, such as HTTP caching and security enforcement.
Access keys are also used with command line interfaces (CLIs). When you use a CLI, the commands that you issue are signed by your access keys, which you can either pass with the command or store as configuration settings on your computer.
30. Webinar Series
Federated Identity
Identity federation allows the organization and cloud provider to trust and share digital identities and attributes across both domains, and to provide a means for single sign-on.
[Figure: federated identity flow (steps 1 to 10) from on-premises apps through provider plug-ins to GCP, Azure and AWS storage, service discovery, scheduling and monitoring services]
31. Webinar Series
Authoritative Source—Identity Management
Organizations should identify appropriate sources of policy and user profile information and ensure that cloud service administrators use only trusted sources for provisioning.
[Figure: an identity management repository fed by one authoritative source, contrasted with one fed by multiple authoritative sources]
32. Webinar Series
Federated Identity Technologies
Identity federation can be accomplished in a number of ways, such as with the Security Assertion Markup Language (SAML) standard, the OpenID standard, and InfoCard. There are also proprietary standards.
Security Assertion Markup Language (SAML)
SAML request and response messages are typically mapped over SOAP, which relies on the eXtensible Markup Language (XML) for its format. SOAP messages are digitally signed.
33. Webinar Series
Federated Identity Technologies (Contd.)
OpenID is an open standard that allows users to be authenticated by certain co-operating sites (known as Relying Parties or RPs) using a third-party service, eliminating the need for webmasters to provide their own ad hoc systems and allowing users to consolidate their digital identities.
34. Webinar Series
Federated Identity Technologies (Contd.)
Information cards are personal digital identities that people can use online and are the key component of identity metasystems.
There are three participants in digital identity interactions using information cards:
Identity providers—They issue digital identities for you.
Relying parties—They accept identities for you.
Subject—Yourself, the party in control of all these interactions.
35. Webinar Series
Security Considerations in Using Federated Identity
Federated identity can offer better service at a lower cost, but it also entails net new risks for your organizational users.
Federated identity involves crossing security domains: parties should secure their communication channels against replay attacks, man-in-the-middle attacks, session hijacking, and other threats that allow malicious use of user information or Web resources.
User authentication is another weak link in the Web identity chain: most sites rely on username/password pairs because this method poses the smallest initial burden for users and site administrators.
Interoperability is an ongoing challenge for federated identity: SAML and OpenID both address simplified sign-on, but not identically. InfoCard and SAML both offer smart-client solutions, but optimize them for different purposes. OpenID and InfoCard both claim to offer user-centric identity, yet the term refers to multiple and sometimes incompatible goals.
36. Webinar Series
Multi-Factor Authentication
Multi-factor authentication (MFA), also called two-factor authentication or two-step verification, is an approach to authentication that requires the presentation of two or more of the three authentication factors:
A knowledge factor (something only the user knows)
A possession factor (something only the user has)
An inherence factor (something only the user is)
Example: an ATM card (something only the user has) combined with a PIN (something only the user knows).
37. Webinar Series
Least Privilege Access
The principle of least privilege is also known as the principle of minimal privilege or the principle of least authority. It requires that, in a particular abstraction layer of a computing environment, every module (a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
Benefits of the principle in cloud include:
Better service stability
Better service security
Ease of deployment
38. Webinar Series
Role Based Access (Security Groups) in Cloud
Security groups are used to collect user accounts, system accounts, and other group accounts into manageable units. Working with security groups instead of with individual users helps simplify network maintenance and administration.
A security group acts as a virtual firewall that controls the traffic for one or more services, instances, and/or applications hosted in the cloud.
When you launch a compute instance, data container, or application, you associate one or more security groups with your service based on predefined security groups.
Each security group should be defined based on a 'least privilege' concept and only allow traffic to or from its associated service.
Modify the rules for a security group the same way you would modify security groups within your internal networks.
Change management processes should be extended to include security group changes in the cloud.
Depending on the cloud services being used, new rules should be automatically applied to the services associated with the security group.
39. Webinar Series
Separation of Duties
Separation of duties (SoD) is the concept of requiring more than one person to complete a task (rotation of duties). In business, requiring more than one individual to share a single task is an internal control intended to prevent fraud and error.
40. Webinar Series
Data Security
“Similar to the need to design secure applications, data security should be a core focus, and it will likely deliver high business value.
Big data, mobile users, and workloads distributed throughout a variety of infrastructures will mean that protection has to follow data wherever it goes.
Data security solutions for cloud services must address cloud-specific concerns, including external attacks, malicious insiders, commingling of data, and even data access by government agencies using various legal channels.”
Source: Security’s Cloud Revolution Is Upon Us, Forrester Research, Inc., August 2, 2013
41. Webinar Series
Defining Principle—Data Geo-Location Is Not a Security Principle
Traditional data protection is often focused on network-centric and perimeter security, with devices such as firewalls and intrusion detection systems.
A data-centric approach must incorporate encryption, key management, strong access controls, and security intelligence to protect data in the cloud and provide the requisite level of security.
“It is important to utilize security controls that protect sensitive data no matter where it lives, as point solutions by their very nature provide only limited visibility.”
Source: Derek Tumulak, Vormetric
43. Webinar Series
Process Integration—Data Protection—in Transit
Transmitting data securely is the secure transfer of data or proprietary information over a secure channel. Many secure transmission methods require a type of encryption.
The most common email encryption is called PKI. In order to open the encrypted file, an exchange of keys is done.
44. Webinar Series
Process Integration—Data Protection—At Rest and in Use
Data must be secured while at rest, in transit, and in use. Access to the data must be controlled.
Transparent Data Encryption (TDE) is a technology employed by both Microsoft and Oracle to encrypt database files. Transparent data encryption enables simple and easy encryption for sensitive data in columns without requiring users or applications to manage the encryption key.
Reference: Oracle and SQL - Transparent Data Encryption Overview
[Figure: TDE flow. A cleartext Employees table (F_name, I_name, SS#) passes through the encryption process and becomes ciphertext; the encryption and decryption keys are held in an external security module; the decryption process returns the original cleartext data.]
45. Webinar Series
Key Management
Three solutions currently exist for managing encryption keys in the cloud:
Legacy hardware security modules (HSM)
Key management services (KMS)
HSM as a Service
46. Webinar Series
Hardware Security Module (HSM)
A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides crypto processing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.
HSMs can be employed in any application that uses digital keys. Typically the keys must be of high value, that is, there would be a significant negative impact on the owner of the key if they were compromised.
47. Webinar Series
HSM in Cloud
Hardware security modules can support:
Offloading and accelerating cryptographic operations on a dedicated cryptographic processor, which eliminates bottlenecks and maximizes application performance.
Centralized lifecycle management of cryptographic keys, from generation, distribution, rotation and storage to termination and archival, in a purpose-built, highly secure appliance.
Key benefits:
Secure key storage—As part of the service, you have dedicated access to HSM capabilities in the cloud.
An HSM protects your cryptographic keys with tamper-resistant appliances that comply with international (Common Criteria EAL4+) and US Government (NIST FIPS 140-2) regulatory standards for cryptographic modules.
48. Webinar Series
HSM in Cloud
HSM as a Service offers features and functionality equivalent to a KMS and possesses several additional capabilities to complement the strengths of cloud providers:
Multicloud and hybrid-cloud capabilities: consistent, centralized control and management.
BYOK support: can easily incorporate your existing encryption keys.
Cryptographic protection: only authorized users have access to encrypted keys.
Certification: can offer FIPS 140-2 Level 3 validation without the need for HSM appliances.
Cloud-friendly APIs: provides support for PKCS #11, CNG, JCE, Key Management Interoperability Protocol (KMIP) and RESTful APIs for application development and integration. Sample code is also provided.
Security and latency: keys are stored separate from, yet proximate to, data to reduce latency and provide an added level of defense against data breach.
Connectivity: available via the public internet with access to multiple cloud service providers and network service providers.
49. Webinar Series
Monitoring—Cloud Service
Before making decisions about which applications should be moved to the cloud environment, organizations should calculate the IT and business benefits that they can achieve from moving applications and services to the cloud.
Moving Applications to the Cloud
A key factor that can affect an organization moving applications to the cloud is decreased visibility into the performance of services being delivered to their end users.
50. Webinar Series
Legal, Contractual, and Operational Monitoring in Cloud
Monitoring—Providers and Subscribers
Monitor security and performance of applications:
Microsoft: Azure Management Portal; App Dynamics services
Google Apps/Cloud: Google Apps Status Dashboard; Google Apps Email Audit API; Google Stackdriver
Amazon Web Services (AWS): Amazon Elastic Compute Cloud Monitoring; Amazon CloudWatch; Google Stackdriver
51. Webinar Series
Information Security Continuous Monitoring (ISCM)
ISCM begins with development of a strategy that addresses ISCM requirements and activities at each organizational level:
Tier 1—Organization Business Processes: establish/define the risk tolerance of the organization
Tier 2—ISCM Strategy: create the risk mitigation strategy
Tier 3—ISCM Cloud Computing Strategy Implementation: operationalize
Reference: NIST Special Publication 800-137 - Information Security Continuous Monitoring (ISCM)
52. Webinar Series
Cloud Continuous Monitoring
The objective of a cloud computing continuous monitoring program is to assist in documenting and completing the ongoing set of planned, required, and deployed security controls within a cloud service or inherited from other cloud services, to ensure the continued effectiveness of security over time as inevitable changes occur.
Continuous monitoring is an important activity for ongoing assessment of the security impacts on and within a cloud service resulting from planned and unplanned changes to the hardware, software, firmware, or environment of operation (including the threat space).
Reference: NIST Special Publication 800-137 - Information Security Continuous Monitoring (ISCM)
53. Webinar Series
Areas of Practice—Security Operations in Cloud
Traditional operational security responsibilities include:
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
Operating system
Application
Account management
Cloud operation security responsibilities may include:
Operating system
Application
Account management
Security roles
Network configuration
54. Webinar Series
Security Operations Center (SOC)—In Cloud
Cloud providers’ SOCs are intended to be the cloud subscribers’ central resource for system security monitoring and notification as well as threat prevention.
The SOC service should include:
Monitoring focused on identifying possible security threats to the cloud platform
Logging information about the threats
Attempting to stop them and/or contain the threat during investigations
Reporting them to security administrators
Reporting identified issues or problems with security policies and processes
Documenting threats to deter security policy violations
Communicating security situations to cloud subscribers as appropriate
55. Webinar Series
Security Operations—A Shared Responsibility
Security operations are a shared responsibility between the subscriber and provider.
• This shared responsibility can reduce operational burdens, as the cloud service provider operates, manages, and controls the components of the sub-layer services depending on the service model being used.
The subscriber should document within an interconnected security agreement how they will respond to:
Network monitoring and intrusion protection alerts.
Notification of security incidents.
Incident response process notifications.
Service outage alerts.
Threats, active attacks, and side-channel attacks (for example, Distributed Denial of Service (DDoS) attacks).
Change management notifications.
56. Webinar Series
Concept of Operations—Cloud Service Provider
A concept of operations (CONOPS) helps an organization document in plain language what is required and what should be built for an information system.
A cloud service may or may not have an official CONOPS document. A CONOPS should address any of the following items:
The system’s function in the organization
The stakeholders themselves, who could be users of the system, people developing the system, or anyone who depends on the system
Statement of the goals and objectives of the cloud service
Strategies, tactics, policies, and constraints affecting the cloud service
Organizations, activities, and interactions among participants and stakeholders
Clear statement of responsibilities and authorities delegated
Specific operational processes for fielding the cloud service
Processes for initiating, developing, maintaining, and retiring the system
57. Webinar Series
Example of Cloud Computing CONOPS—FedRAMP CONOPS
The purpose of FedRAMP is to:
Ensure that cloud-based services have adequate information security.
Eliminate duplication of effort and reduce risk management costs.
Enable rapid and cost-effective procurement of information systems/services for federal agencies.
FedRAMP CONOPS
Federal agency customer has a requirement for cloud technology that will be deployed into their security environment and is responsible for ensuring FISMA compliance.
Cloud service provider (CSP) is willing and able to fulfill agency requirements and to meet security requirements.
Joint authorization board (JAB) reviews the security package submitted by the CSP and grants a provisional Authority to Operate (ATO).
Third party assessor (3PAO) validates and attests to the quality and compliance of the CSP-provided security package.
FedRAMP program management office (PMO)
58. Webinar Series
Security Operations—Subscriber Responsibilities
Review your organization’s security policies and procedures to determine which policy elements (for example, roles and responsibilities, risk management, and monitoring and reporting) apply to your cloud service provider environment.
Organizations should ensure their use of cloud services includes:
Policies and procedures for managing external service providers.
Procedures for on-boarding and communication processes/channels between subscriber and service provider (for example, incident response, disaster recovery, security notification, and so on).
Agreements with key performance indicators (KPIs) for service providers to follow and communicate their alignment with defined security and monitoring expectations.
Escalation agreements, which outline timelines and milestones for escalation (for example, a four-hour outage results in escalation to senior management).
59. Webinar Series
Cloud Service and System Hardening
System hardening is a broad subject and is usually specific to the hardware, operating system, and/or application, performed as a stand-alone process or as part of the collective deployment. Typical areas include:
Patch management
User privilege (least privilege)
Service/daemon hardening
Removal of unnecessary packages/software
Host-based firewall configuration
Password policy hardening
Network hardening
Auditing/monitoring configuration
Boot/start-up configurations
Access points
Transmission ingress/egress
Fault-tolerant capabilities
Virtual instance
Infrastructure components
Hypervisor
Data center elements
60. Webinar Series
Penetration Testing
Security testing is one aspect of a security program that needs to be updated and aligned with an organization’s cloud security strategies.
A penetration test (or simply, pentest) is an active test of your defenses.
Organizations usually entrust a 3rd party to attack their network in order to find exploitable vulnerabilities.
The theory is that it’s better to have someone working with you do this before a malicious attacker can.
Setting up a pentest within your cloud deployment:
Use a trusted 3rd party to conduct your pentest
Contact your cloud provider and ask for their Rules of Engagement (ROE)
Each provider has a different view
65. Webinar Series
DevOps
DevOps is one aspect of a security program that needs to be addressed.
Integrate security into DevOps; culture starts at the top.
Take advantage of native cloud security resources
Create custom AMIs (machine images)
Deploy with automated Infrastructure as Code tools (Deployment Manager, CloudFormation, etc.)
Plan your strategy before setting up tools and controls
Your security and development naming conventions should be easily understood across your dev and infrastructure teams.
Keep It Simple, Stupid (KISS)
66. Webinar Series
DevOps
Azure DevOps
Azure DevOps is a cloud-hosted application for your development projects, from planning through deployment.
Based on the capabilities of Team Foundation Server, with additional cloud services, Azure DevOps manages your source code, work items, builds, tests, and much more. Azure DevOps uses Azure's Platform as a Service infrastructure and many of Azure's services, including Azure SQL databases, to deliver a reliable, globally available service for your development projects.
68. Webinar Series
Security Model
The AWS platform security model includes:
All the data stored on EC2 instances is encrypted under 256-bit AES, and each encryption key is also encrypted with a set of regularly changed master keys.
Network firewalls built into Amazon VPC, and web application firewall capabilities in AWS WAF, let you create private networks and control access to your instances and applications.
AWS Identity and Access Management (IAM), AWS Multi-Factor Authentication, and AWS Directory Services allow for defining, enforcing, and managing user access policies.
AWS has audit-friendly service features for PCI, ISO, HIPAA, SOC and other compliance standards.
69. Webinar Series
Security Policies
In AWS, you create policies that can grant highly specific access (down to just reading from a single topic in SNS) up to allowing full access to all resource types (like in the predefined “AdministratorAccess” policy).
When you have either created a custom policy or selected which default policies you want to use, the policies can be assigned directly to individual users, groups, or roles.
A role in AWS is an object that acts as an abstraction layer between policies and accounts.
Companies may find it easier to group all their policies into roles, and then assign roles to groups and users as required.
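An added example, not from the presentation or from AWS: a small linter that reads an IAM policy document in the JSON form the slide describes and flags the Allow statements that are broader than a least-privilege grant. Both policies it is run on are constructed (the account ID and topic name are placeholders): the first models the "reading from a single SNS topic" case, the second has the shape of the predefined AdministratorAccess policy.

```python
# Two constructed policy documents.  The account ID 123456789012 and the topic
# name are placeholders, not values from the presentation or any real account.
SINGLE_TOPIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOneTopic",
        "Effect": "Allow",
        "Action": ["sns:GetTopicAttributes", "sns:ListSubscriptionsByTopic"],
        "Resource": "arn:aws:sns:us-east-1:123456789012:orders-events",
    }],
}

# Same shape as the predefined AdministratorAccess policy: every action on
# every resource.
ADMIN_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Return human-readable findings for every Allow statement that is
    broader than a least-privilege grant.  An empty list means nothing stood
    out; it is a review prompt, not proof that the policy is minimal."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        label = stmt.get("Sid", f"Statement[{idx}]")
        if "NotAction" in stmt:
            findings.append(f"{label}: NotAction allows every action except those listed")
        if "NotResource" in stmt:
            findings.append(f"{label}: NotResource allows every resource except those listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{label}: Action '*' grants every API call in every service")
            elif action.endswith(":*"):
                findings.append(f"{label}: Action '{action}' grants every call in that service")
        for resource in _as_list(stmt.get("Resource")):
            # Some read-only calls (e.g. ec2:DescribeInstances) have no
            # resource-level permissions and legitimately need '*'; a Condition
            # (source IP, MFA present, tags) is the usual way to bound such grants.
            if resource == "*" and "Condition" not in stmt:
                findings.append(f"{label}: Resource '*' with no Condition applies to every resource")
    return findings


def is_least_privilege_candidate(policy):
    """True when the linter raised no findings."""
    return not policy_findings(policy)


if __name__ == "__main__":
    for name, policy in (("single-topic read", SINGLE_TOPIC_READ), ("admin-like", ADMIN_LIKE)):
        print(f"{name}:")
        for finding in policy_findings(policy) or ["no findings"]:
            print("  " + finding)
```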
70. Webinar Series
IAM
IAM is handled differently between providers.
In AWS, the directory is integrated with their global identity services, and its “root account” (which is the top-level account for the organization you work under) can be the same account you use to shop.
Identity federation is simply a service that extends the core directory.
One unique thing about AWS IAM is that accounts created in the organization (not through federation) can only be used within that organization.
The second unique element is that every user can have a non-interactive account by creating and using access keys, an interactive account by enabling console access, or both.
This differs from Google and Microsoft, where every organization is self-contained. However, users can end up with multiple sets of credentials they need to manage to access different organizations.
71. Webinar Series
Best Practices
Disable Root Login over SSH
Support SSH Version 2 Only
Disable Password Authentication Over SSH
Configure Password Maximum Age
Configure Password Minimum Length
Configure Password Complexity
Enable ASLR
Enable DEP
Configure Permissions for System Directories
https://docs.aws.amazon.com/inspector/latest/userguide/inspector_security-best-practices.html
72. Webinar Series
Best Practices Data Services
Ensure that no S3 Buckets are publicly readable/writeable unless required
by the business.
Turn on Redshift audit logging in order to support auditing and post-incident
forensic investigations for a given database.
Encrypt data stored in EBS as an added layer of security.
Encrypt Amazon RDS as an added layer of security.
Enable the require_ssl parameter on all Redshift clusters to reduce the risk of
man-in-the-middle attacks.
Restrict access to RDS instances to decrease the risk of malicious activities
such as brute force attacks, SQL injections, or DoS attacks.
73. Webinar Series
Best Practices Compliance
CloudTrail is an AWS service that generates log files of all API calls made
within AWS, including the AWS management console, SDKs, command line
tools, etc.
CloudTrail capability allows organizations to continuously monitor activities
in AWS for compliance auditing and post-incident forensic investigations.
The generated log files are stored in an S3 bucket.
For example, if an attacker gains access to an AWS account, one of the first
things they will do is disable CloudTrail and delete the log files.
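An added detection example, not from the webinar: the "disable CloudTrail and delete the log files" pattern shows up in the trail itself as CloudTrail control-plane calls (StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors) followed by deletes against the S3 bucket that holds the log files. The records below are constructed in the documented CloudTrail record shape; the trail, bucket and user names are placeholders.

```python
import json

# Constructed CloudTrail records in the documented record shape (eventTime,
# eventSource, eventName, userIdentity, requestParameters); values are made up.
SAMPLE_RECORDS = json.loads("""
[
 {"eventTime": "2019-03-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventTime": "2019-03-01T10:05:12Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"name": "example-trail"}},
 {"eventTime": "2019-03-01T10:05:40Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucket",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "requestParameters": {"bucketName": "example-trail-logs"}},
 {"eventTime": "2019-03-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteObject",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "requestParameters": {"bucketName": "app-uploads", "key": "tmp.txt"}}
]
""")

# CloudTrail API calls that turn logging off or change what gets recorded.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# S3 calls that destroy already-written log files (the DeleteObject* events
# are only recorded when S3 data events are enabled for the bucket).
LOG_DELETE_EVENTS = {"DeleteBucket", "DeleteObject", "DeleteObjects"}


def find_log_tampering(records, log_buckets):
    """Return (eventTime, actor, eventName, target) for records that disable
    CloudTrail or delete from one of the buckets holding its log files."""
    alerts = []
    for rec in records:
        source = rec.get("eventSource")
        name = rec.get("eventName")
        actor = rec.get("userIdentity", {}).get("userName", "unknown")
        params = rec.get("requestParameters") or {}
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            alerts.append((rec["eventTime"], actor, name, params.get("name")))
        elif (source == "s3.amazonaws.com" and name in LOG_DELETE_EVENTS
              and params.get("bucketName") in log_buckets):
            alerts.append((rec["eventTime"], actor, name, params["bucketName"]))
    return alerts


if __name__ == "__main__":
    for alert in find_log_tampering(SAMPLE_RECORDS, {"example-trail-logs"}):
        print("ALERT", *alert)
```

Deleting from a non-log bucket (the last record) is ordinary activity and is not raised, which keeps the alert specific to log tampering.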
75. Webinar Series
Azure Security Model
Azure Security Model includes:
Microsoft Azure runs in datacenters managed and operated by Microsoft.
These geographically dispersed datacenters comply with key industry
standards, such as ISO/IEC 27001:2013 and NIST SP 800-53.
Azure AD extends on-premises Active Directory environments into the cloud,
enabling users to use their primary organizational account to sign in not only to
their domain-joined devices and company resources, but also to all the web
and SaaS applications they need for their jobs.
Azure supports various encryption models, including server-side encryption
that uses service-managed keys, customer-managed keys in Key Vault, or
customer-managed keys on customer-controlled hardware.
76. Webinar Series
Security Policies
In Azure, identities are shared across the Microsoft portfolio (including
Office 365), similar to Google’s offering.
At Azure’s core is the Azure AD service, which contains both accounts and
application configuration information.
The accounts used by applications and other non-interactive services to
access resources inside Azure are called service principals.
Similar to GCP, Azure allows user accounts to switch between multiple
directories without the need to log back in.
Each directory can have its own subscriptions without having to manage
multiple sets of credentials.
77. Webinar Series
IAM
Azure’s IAM also has a unique model for assigning permissions that falls
somewhere between GCP and AWS in terms of flexibility.
There are quite a few standard roles available within Azure IAM, although in
my experience, contributor and owner are the two most commonly assigned.
Contributor allows anything to be done to the resources within your scope,
and Owner adds the ability to change permissions to those resources.
In Azure, permissions can be assigned at three levels: the entire subscription
(which grants access to all of its resource groups), an individual resource
group, or an individual resource.
A resource group is unique to Azure, and is very useful once you get used to
it. All resources deployed in Azure need to be in a resource group.
78. Webinar Series
IAM
A benefit of this is isolating common resources: each resource group tracks
the deployments made into it and can simply be removed, which deletes all the
resources in it instead of requiring each to be removed individually, as in
other clouds.
Enterprise Agreement (EA) with Microsoft. (Microsoft recommends individual
subscriptions be given to groups within the company to provide isolation for
tracking chargebacks and permissions.)
80. Webinar Series
GCP Security Model
Google Cloud security model includes:
By default, all data stored on persistent disks is encrypted with 256-bit AES,
and each encryption key is itself encrypted with a set of regularly rotated
master keys.
Commitment to enterprise security certifications (SSAE16, ISO 27017, ISO
27018, PCI, and HIPAA compliance).
Requests from other components to the Google storage stack must be
authenticated and authorized.
Google Cloud Identity and Access Management (Cloud IAM) was launched in
September 2017 to provide predefined roles that give granular access to
specific Google Cloud Platform resources and prevent unwanted access to
other resources.
81. Webinar Series
Security Policies
GCP identities can come from almost anywhere in the Google ecosystem—
from G Suite users to consumer Google accounts to non-interactive service
accounts.
As a G Suite user, you have access to federation services.
If you are not a G Suite user, the ability to federate with an external
authentication provider is referred to as the Cloud Identity Domain.
Each user account in Google’s ecosystem can access multiple projects on
Google Cloud, which makes it easier to manage credentials.
82. Webinar Series
IAM
GCP uses the concept of projects.
Each project has its own billing and its own IAM configuration, and all
permissions apply to all resources within that specific project. (your user
account can be a member of multiple projects and have a different role in
each project.)
Organizations typically create one GCP project per application or initiative so
that related resources are grouped together, because permissions are assigned
at the project level.
A project contains predefined roles which are reader (read-only), editor
(reader+modify resources), and owner (editor+modify IAM and billing).
You have the ability to create and define custom roles that can be assigned
to users and groups as well.
84. Webinar Series
GOOGLE CLOUD PLATFORM
Google Cloud Platform has a robust security
posture with Security built into the platform
GCP Titan Chip
App Engine Security Scanner
Cloud Identity
Gsuite
85. Webinar Series
GOOGLE CLOUD PLATFORM
Google’s View of the world
The GCP approach to security mirrors the way Google
secures its own products and users.
GCP secures resources by building a security structure
according to its various layers.
Access to the physical locations of Google’s servers is
strictly limited and managed as a critical priority.
GCP ensures communication is secure at the transport
layer, through secure TLS connection management and
front-end controls to prevent DoS attacks
86. Webinar Series
GOOGLE CLOUD PLATFORM
Google owns its network and infrastructure, and communication between
its datacenters is carried outside the public internet. This
enables Google to ensure secure delivery of communications, both in
transit and at rest. Note that this also applies to data that is
contributed by third parties.
Google’s Titan chip establishes trust at the hardware
root for all machines and assets in GCP. This is an
additional layer to authenticate access for hardware
handling your data.
87. Webinar Series
GOOGLE CLOUD PLATFORM
Principle of Least Privilege
Always apply the minimal access level required
Use groups
Control who can change policies and group
memberships
Audit policy changes
Audit logs record project-level permission
changes
88. Webinar Series
GOOGLE CLOUD PLATFORM
GCP Has a robust IAM posture with flexible use
cases.
In Cloud IAM, you grant access to members:
Google account
Service account
Google group
G Suite domain
Cloud Identity domain
89. Webinar Series
GOOGLE CLOUD PLATFORM
Principle of least privilege
A large number of projects can become
unwieldy to manage at scale.
This is why IAM includes the concept of an
Organization Node.
The Organization Node sits above Projects and
is your company’s root node for Google Cloud
resources.
90. Webinar Series
GOOGLE CLOUD PLATFORM
SSO
Use your own authentication mechanism and manage your
own credentials
Federate your identities to Google Cloud Platform
Users do not have to log in a second time to access GCP
Revoke access to Cloud Platform using your existing
credential management
Google Apps Directory Sync integrates with LDAP
91. Webinar Series
GOOGLE CLOUD PLATFORM
GCDS
With Google Cloud Directory Sync (GCDS), the G Suite admin
can automatically add, modify, and delete users, groups,
and non-employee contacts to synchronize the data in a
G Suite domain with an LDAP directory server or Microsoft
Active Directory.
The data in the LDAP directory server is never modified
or compromised.
GCDS is a secure tool that helps keep track of users and
groups.
92. Webinar Series
GOOGLE CLOUD PLATFORM
There are three kinds of roles in Cloud IAM:
Primitive roles: The roles historically available in the Google Cloud
Platform Console will continue to work. These are the Owner, Editor,
and Viewer roles.
Predefined roles: Predefined roles are the Cloud IAM roles that give
finer-grained access control than the primitive roles.
Custom roles: Roles that you create to tailor permissions to the
needs of your organization when predefined roles don't meet your
needs
93. Webinar Series
GOOGLE CLOUD PLATFORM
Service Accounts
A service account is an identity for your programs to use to
authenticate and gain access to Google Cloud Platform APIs.
(Server to Server)
Service accounts authenticate applications running on your virtual
machine instances to other Google Cloud Platform services.
By default, all projects come with the Compute Engine default
service account.
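An added audit example, not from the webinar, tying together the three role kinds, the least-privilege slide (use groups, control who can change policies) and the default Compute Engine service account: it walks a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and flags primitive roles bound directly to users, primitive roles on the default compute service account, and bindings to allUsers or allAuthenticatedUsers. The policy below is constructed; the domain, project number and etag are placeholders.

```python
import json

# Constructed project IAM policy (same shape as `gcloud projects get-iam-policy
# PROJECT --format=json`); domain, project number and etag are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "group:cloud-admins@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/logging.viewer", "members": ["group:auditors@example.com"]}
  ],
  "etag": "BwWexample", "version": 1
}
""")

# Primitive roles are project-wide; owner additionally allows IAM changes.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special members that mean "anyone" / "anyone with a Google account".
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
DEFAULT_COMPUTE_SA_SUFFIX = "-compute@developer.gserviceaccount.com"


def audit_bindings(policy):
    """Return (finding code, role, member) triples, in binding order, for
    grants that violate the least-privilege guidance on the slides."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("PUBLIC_MEMBER", role, member))
            if role in PRIMITIVE_ROLES and member.startswith("user:"):
                # Grant through a group instead so membership is auditable.
                findings.append(("PRIMITIVE_ROLE_ON_USER", role, member))
            if role in PRIMITIVE_ROLES and member.endswith(DEFAULT_COMPUTE_SA_SUFFIX):
                # Every VM using the default SA inherits this project-wide role.
                findings.append(("PRIMITIVE_ROLE_ON_DEFAULT_SA", role, member))
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_POLICY):
        print(*finding)
```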
94. Webinar Series
GOOGLE CLOUD PLATFORM
IDaaS
Cloud Identity has two editions.
1. Premium edition
2. Free Edition
Use the link below to compare versions/editions
https://support.google.com/cloudidentity/answer/7431902?hl=en&ref_topic=7385935
95. Webinar Series
GOOGLE CLOUD PLATFORM
IDaaS
Cloud Identity is an Identity as a Service (IDaaS) solution that allows
you to centrally manage users and groups who can access cloud
resources
If developers in your organization use non-managed consumer
accounts (like personal Gmail accounts) for work purposes, those
accounts are outside of your control.
96. Webinar Series
GOOGLE CLOUD PLATFORM
IDaaS
When you migrate those users to Cloud Identity accounts, you can
manage access and compliance across all users in your domain.
Cloud Identity provides free identity services for users who don't
need G Suite Services like Gmail or Drive. When you migrate to
Cloud Identity, you create a free account for each of your users and
you can manage all users from the Google Admin console.
97. Webinar Series
GOOGLE CLOUD PLATFORM
Other Security Features
Cloud Armor
App Engine Security Scanner
Compute Engine Security Scanner
Cloud Identity Proxy
Numerous other solutions
https://cloud.google.com/security/products/
99. Webinar Series
NEW RISK TO YOUR CLOUD? CRYPTO
CURRENCY
Cryptocurrency mining was a large concern.
Mitigated slightly by the market crash.
Monero, for example, can be mined on a run-of-the-mill VM.
Ether can be run on AWS.
Monero on ANY.
BTC/LTC require ASICs.
100. Webinar Series
NEW RISK TO YOUR CLOUD? CRYPTO
CURRENCY
School Principal fired for cryptomining
https://bitcoinist.com/principle-fired-for-mining-cryptocurrency-at-school/
Russian Scientist arrested for BTC mining
https://www.bbc.com/news/world-europe-43003740
AWS Cloud Accounts Compromised
https://www.businessinsider.com/hackers-broke-into-amazon-cloud-to-mine-bitcoin-2017-10
102. Webinar Series
NEW RISK TO YOUR CLOUD? CRYPTO
CURRENCY
Run Monero on Google Cloud
Your “rogue employee” selects a mining pool,
and the cost is billed to your enterprise.
They then select Ubuntu Linux from Compute
Engine,
install and configure MinerGate-Cli on Linux,
and set up and launch the miner.
(The process takes under one hour.)
103. Webinar Series
NEW RISK TO YOUR CLOUD? CRYPTO
CURRENCY
Crypto Currency Mining Options
Hosted mining
Virtual hosted mining
Leased hashing power
105. Webinar Series
CLOUD SECURITY THREATS
As with any technology there
are generally vulnerabilities
and threats that will need to
be assessed and mitigated.
Threats can come from both
internal and external sources.
106. Webinar Series
CLOUD SECURITY THREATS
Compromise of Platforms
Compromise of Credentials
Privilege Escalation
Denial of Service Attacks (DDoS)
Lack of Compliance Implementations
Inadequate Training for Personnel
107. Webinar Series
LET’S THINK ABOUT THIS!
“Through 2020, 95% of cloud security failures will
be the customer’s fault.”
—Gartner, “Top Predictions for IT Organizations
and Users for 2016 and Beyond”
109. Webinar Series
LET’S GET STARTED.
Did you know that cloud data breaches are
usually a result of improper training?
For example:
“Accenture left four S3 buckets open to the public,
exposing 137 gigabytes of customer data,
including customer credentials”. (Contained
classified information)
111. Webinar Series
LET’S GET STARTED.
Did you know that it is estimated that “in 2017
alone, over 99 billion records were exposed
because of data breaches”? (Tripwire)
With Cloud Computing there are special
considerations for cloud data services that must
be deployed with Application Programming
Interfaces.
112. Webinar Series
LET’S GET STARTED.
Did you know that automated intelligence is
used more and more to help thwart cloud
attacks?
However, it is also being used to perpetrate
attacks. Through user and entity behavior
analytics (UEBA), these attacks can be initiated.
113. Webinar Series
LET’S GET STARTED.
Did you know that insider threats are the cause
of the biggest security breaches out there, and
that they are very costly to remediate?
According to a 2017 Insider Threat Report, 53
percent of companies estimate remediation
costs of $100,000 and more, with 12 percent
estimating a cost of more than $1 million
114. Webinar Series
10. Improve your key management. Whether you are
using your vendor’s KMS or a third party’s, consider
the following.
- Delete old IAM accounts.
- Work with HR to remove accounts
- Proactive identification of unused accounts
Cloud Security Top 10 Risk Mitigation Techniques for 2019
115. Webinar Series
9. Enable audit logging. (Stackdriver or CloudTrail)
- Enable logging and back up logs.
- Proactive filtering of logs
- Create alerts that search logs and notify you
- Perform Compliance audit
116. Webinar Series
8. Lock down protocols.
- Enable a “trickle”, not a river.
- Turn off RDP to Windows.
- Use centralized SSH bastion host.
- Allow services not people.
117. Webinar Series
7. Use Principle Least Privilege
- As a best practice use the “principle of least
privilege” by reducing
- Does that DB admin need Admin rights on the
EC2 or GCP VM instances?
- IAM on lockdown. Assign permissions granularly
and use groups.
118. Webinar Series
6. Review your DB Services
- Restrict network access to MySQL solely to
trusted devices.
- Review your signatures
- Assign proper roles
119. Webinar Series
5. Use Multifactor Authentication
- Many companies still use single-factor
authentication. Why? It’s easier, and no planning
is required.
- Enable it. Every vendor supports this.
120. Webinar Series
4. Encrypt your data.
- Once again, many companies still take the
easy route. Why? It’s easier, and no planning
is required.
- Encrypt At Rest or In Flight
- GCP is fully encrypted by default at rest (DEK)
121. Webinar Series
3. Reference Cloud Provider best practices
- AWS has a robust portfolio of best practices.
GCP has some out there but not as concise as
AWS.
- The vendor is your best source in regards to
how their service works.
- Whitepapers, workflows and techtips.
122. Webinar Series
2. Build Security into your DevOps practices
- Sometimes the best way to mitigate
vulnerabilities is to find them before you’re in
production.
- Use a CI/CD Pipeline
- Consider A/B testing if needed
123. Webinar Series
1. Secure your APIs and your Endpoints
- Application Programming Interfaces should
have a configuration review to ensure all
authentication, authorization, logging and
monitoring controls are aligned to industry
benchmarks.
- API Lifecycle management
- Endpoints are critical. Proxy.
124. Webinar Series
Consider a Training Plan for your Organization as
well.
- Remember that 95% of cloud security issues are
a result of the customer!
- Mitigation of issues can be understood with a
proper training plan.
126. Webinar Series
CLOUD SECURITY CERTIFICATIONS
Certificate of Cloud Security Knowledge (CCSK)
Certified Cloud Security Specialist (CCSS)
CCNP Cloud/CCNP Security
(ISC)2 Certified Cloud Security Professional
(CCSP)
Professional Cloud Security Manager (PCSM)
AWS Security Specialty
127. Webinar Series
UPCOMING CLASSES
AZ101 Microsoft Azure Integration and Security
WA2391 AWS for Solution Architects
TP2761 Fundamentals of the Google Cloud
Platform Training
Cloud Security Manager (CSM)