Master of Applied
Information Systems
Mar 2018
Cloud Security Introduction
SMU Classification: Restricted
Agenda
• Introduction: What is Cloud computing
• Cloud Security incident
• Cloud Security challenges
• Cloud Standards & Guidelines
• Cloud Policy and Planning
• Cloud Security Controls
• Cloud Architecture and Design
• Summary
Disclaimer
• Non-comprehensive
• Updated on a best-effort basis
• Cloud is a fast-changing environment
Cloud computing definition
• On-demand self service
– The consumer can unilaterally provision computing capabilities
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
*Defined by NIST
NIST Reference Architecture
Source: NIST SP500-292 NIST Cloud Computing Reference Architecture
Cloud Actors
• Consumer: Person or organisation using cloud services from a CSP
• Provider (CSP): An entity offering cloud services to consumers
• Auditor: An entity that provides objective and independent assessments of cloud services
• Broker: Manages use, performance, and/or delivery of cloud services between CSPs and consumers. Today, Security-as-a-Service (SecaaS) offerings often "broker" various types of access to, or data sent to/from, the cloud
• Carrier: An intermediary providing transport and connectivity for cloud services
Cloud deployment model
Source: https://image.slidesharecdn.com/4-theenterprisecloudcomputingparadigm-131130040800-phpapp02/95/cloud-computing-principles-and-paradigms-4-the-enterprise-cloud-computing-paradigm-4-638.jpg
Cloud computing key technologies
• Virtualisation Types
Source: https://image.slidesharecdn.com/1-150328170334-conversion-gate01/95/1introduction-to-virtualization-27-638.jpg
Cloud computing key technologies
• Containers
Source: https://thecustomizewindows.com/2014/07/container-based-virtualization
Cloud computing key technologies
• Software-defined networking (SDN)
Source: https://commsbusiness.co.uk/features/software-defined-networking-sdn-explained/
Cloud Security Incident
Dec 2013 - 40 million credit cards stolen from a POS system
– Investigation revealed the initial malware was introduced via Target's refrigeration vendor
– Criminals used the vendor's credentials to access Target's cloud infrastructure
Attack step: use of vendor credentials
– Boundary defence: Limit network access to the vendor portal so that anyone who obtained the credentials could not reach the portal unless on a network allowed to access it
– Account monitoring and control: Require multi-factor authentication to log in to the vendor portal. Monitor vendor portal logins. Profile accounts for normal activities and usage patterns
Source: SANS Institute Case Study
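The two controls on this slide applied to a constructed vendor-portal login log, as an added example (not from the slides or the SANS case study); the allowed networks, the per-account baseline and the log-line format are assumptions made for the illustration:

```python
"""Vendor-portal login monitor: boundary defence, MFA check and account profiling.

Added example, not from the slides or the SANS case study. ALLOWED_NETWORKS,
BASELINE and the log-line format are assumptions for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the vendor portal may only be reached from these networks
# (e.g. the vendor's own egress range and the corporate VPN pool).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("10.50.0.0/16")]

# Assumption: profile of normal behaviour per vendor account, learned from
# historical logins (working hours and a typical number of logins per day).
BASELINE = {
    "hvac-vendor": {"hours": range(7, 19), "max_daily_logins": 4},
}


@dataclass
class Login:
    ts: datetime
    account: str
    src_ip: str
    mfa: bool
    success: bool


def parse_login(line: str) -> Login:
    """Parse one constructed log line: '<iso-ts> <account> <ip> mfa=<0|1> ok=<0|1>'."""
    ts, account, ip, mfa, ok = line.split()
    return Login(datetime.fromisoformat(ts), account, ip,
                 mfa.endswith("1"), ok.endswith("1"))


def network_allowed(src_ip: str) -> bool:
    """Boundary defence: is the source address inside an allowed network?"""
    addr = ip_address(src_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def review_logins(lines):
    """Return a list of (account, timestamp, reason) findings for the given log lines."""
    findings = []
    per_day = defaultdict(int)
    for line in lines:
        ev = parse_login(line)
        # Boundary defence: stolen credentials alone should not work off-network.
        if not network_allowed(ev.src_ip):
            findings.append((ev.account, ev.ts, f"login from non-allowed network {ev.src_ip}"))
        if not ev.success:
            continue
        # Account control: every successful session must have passed MFA.
        if not ev.mfa:
            findings.append((ev.account, ev.ts, "successful login without MFA"))
        # Account monitoring: compare against the profiled normal behaviour.
        profile = BASELINE.get(ev.account)
        if profile is None:
            findings.append((ev.account, ev.ts, "account has no usage profile"))
            continue
        if ev.ts.hour not in profile["hours"]:
            findings.append((ev.account, ev.ts, f"login outside profiled hours ({ev.ts.hour:02d}:00)"))
        key = (ev.account, ev.ts.date())
        per_day[key] += 1
        if per_day[key] > profile["max_daily_logins"]:
            findings.append((ev.account, ev.ts, f"daily login count {per_day[key]} exceeds baseline"))
    return findings


# Constructed sample log: the first two lines are normal vendor activity; the
# last three are the kind of activity the controls above are meant to surface.
SAMPLE_LOG = [
    "2013-11-15T09:12:00 hvac-vendor 203.0.113.17 mfa=1 ok=1",
    "2013-11-15T14:40:00 hvac-vendor 203.0.113.17 mfa=1 ok=1",
    "2013-11-27T02:05:00 hvac-vendor 198.51.100.9 mfa=0 ok=1",
    "2013-11-27T02:06:00 hvac-vendor 198.51.100.9 mfa=0 ok=1",
    "2013-11-27T02:07:00 hvac-vendor 198.51.100.9 mfa=0 ok=0",
]

if __name__ == "__main__":
    for account, ts, reason in review_logins(SAMPLE_LOG):
        print(f"{ts.isoformat()} {account}: {reason}")
```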
Docker vulnerability exploitability
• Docker is a daemon that runs as root
• Older Docker versions do security by blacklisting kernel calls
– What if some calls are missed out? The "Shocker" exploit code
• CVE-2014-9357: Privilege escalation during decompression of LZMA (.xz) archives
• 100k+ Docker images on Docker Hub
– In 2015, of 15k+ images, 90% contained unverified exploitable vulnerabilities
Source: Black Hat Europe 2015 – Vulnerability exploitation in Docker container environment
Security responsibility - AWS
Source: https://aws.amazon.com/compliance/shared-responsibility-model/
Security responsibility - Microsoft
Source: https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
Cloud Providers
Cloud Security Challenges
Traditional security challenges still apply, but in the cloud these considerations are different…
• Resource location: Consumers do not know exactly where their data resides
• Multi-tenancy issues: How to protect your data/system on shared cloud resources
• Authentication, authorisation, information trust: How to ensure your data accessibility & ownership? Identity Access Management (IAM)
• System monitoring and logs: Audit trail
• Service Level Agreement (SLA)
Traditional security challenges
• Network security
▪ Firewalls
▪ NIDS/NIPS
▪ Proxies
• Host security / Virtualization
▪ HIDS/HIPS
▪ Configuration management
▪ Roles/Privileges
• Data security
▪ Encryption at rest / in transit
▪ Key management
• Vulnerability assessment and Penetration testing
• Security Policy
• Application security
▪ Secure coding
▪ WAFs
• Database Security
• Data Disposal
• Solution architecture
Standards & Guidelines
Cloud Security Alliance (CSA)
CSA Reference Architecture
Other Standards and Guidelines
Industry based
• NIST (800-144): Guidelines on Security and Privacy in
Public Cloud Computing
• PCI DSS Cloud computing guidelines
Platform specific
• Center for Internet Security (CIS) recommendations for AWS Foundations / Azure / Google Cloud
Application specific
• Open Web Application Security Project (OWASP) 2017
Cloud Policy and Planning
• Business justification for cloud
implementation
• Data classification
• System availability & accountability
• Admin & User accessibility
• Disaster recovery & Business continuity
• Risk assessment, mitigation & acceptance
Security Principles for Cloud Design
• Build in security at every layer
• Design for elasticity
• Design for failure
– "Blast radius" control
– System recovery
• Use different storage options
• Always have "feedback" loops
• Focus on "CSA": Centralization, Standardization, Automation
Security at every layer
"Stack" layer – Controls
• Application + Presentation: WAF, IAM, Scans/Pen test, Access control (IAM)
• Operating systems: Configuration, Vulnerability scan, Backup, User & privilege management
• Data: Encryption, Backups, DLP, Authorization
• Network: Access controls, Firewalls, Routing, DDoS defences
• Hypervisor: Configuration, access controls, user & privilege management
Hypervisor Security Controls
• Foundational controls
– NTP, SNMP, etc.
• Local firewall/network access controls
• Hardening and configuration
• Users and groups
• Patching
• Logging and Monitoring
• SELinux and/or multitenant isolation
measures
Virtualization security – CSP
• Assess the CSP's virtualization platform technology
• CSP internal security controls on virtualization (e.g. virtual firewalls or IDS)
• CSP ISO certification, 3rd party cyber risk assessment, annual audit
• Enquire about the CSP's administrative control of the VM environment
• Enquire about the CSP's segregation and separation of VM zones / types
• Understand how multi-tenancy and VM isolation are implemented, and how isolation breaches are alerted
Cloud network security
• Most CSPs have a flat network design
• Virtual private cloud (Azure VNet / AWS VPC)
Source: https://blogs.msdn.microsoft.com/premier_developer/2017/09/17/differentiating-between-azure-virtual-network-vnet-and-aws-virtual-private-cloud-vpc/
Cloud network security
• Virtual network appliances
– WAF, Load Balancer, Proxies, Unified Threat Management
– Vendors like Cisco, F5, Palo Alto, Fortinet, Check Point
• Data loss prevention (as a network control)
– Commonly offered by CASBs
Host security – OS image
• (PaaS/IaaS) Instance / image security is one of the most important considerations
• Standard approaches
– Patching
– Hardening
– Version control
– Access control
– Monitoring
– Anti-malware
• Cloud platform inventory management tools
– Amazon EC2 Systems Manager
– AWS Inspector
Identity Access Management
• Main purpose: Authentication, Authorisation & Auditability
• Assigned to groups, persons, processes, resources
• Federated identities, tokenization
• RBAC
Source: http://mscerts.wmlcloud.com/programming/identity%20and%20access%20management%20%20%20iam%20architecture%20and%20practice.aspx
Cloud Access Security Brokers
• Third party that helps an organisation govern cloud use and protect sensitive data in the cloud
Source: http://focus.forsythe.com/_wss/clients/509/assets/CASB%20Functionality%20Areas%20Graphic.png
Key Management in Cloud
• Who does it? Consumer or CSP?
• Key generation
• Key storage, backup, recovery
• Key distribution
• Key destruction
• Cryptographic hardware (built-in or Hardware Security Module [HSM])
– Often governed by standards (e.g. PCI)
AWS Key Management
Source: https://image.slidesharecdn.com/encryptionkeymanagementbillshin-150410130029-conversion-gate01/95/encryption-and-key-management-in-aws-18-638.jpg?cb=1428688942
Azure Key Management
Source: https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/03/78/6076.SQLServerConnector.png
Cloud Architecture & Design
• Depends on
– Consumer needs
• Security policies and compliance
• Services required
• Network connectivity
– CSP’s offerings
– CASB’s offerings
– Application dependencies
AWS VPC model
This model has:
1. Public subnet
2. Private subnet
3. Routing
4. NAT gateway
5. Virtual Private Gateway (VPG)
6. IPsec connectivity
Private addresses can be routed to the VPG
Source: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/images/Case3_Diagram.png
Azure Simple DMZ
Source: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm
This DMZ has 3 subnets:
- 10.0.0.x (security)
- 10.0.1.x (web)
- 10.0.2.x (app)
DMZ with security in place: "blast radius" limit
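A model of this DMZ as an added example (not from the slides or Microsoft's documentation): the three subnets, a priority-ordered NSG rule set and a user-defined route that sends inter-subnet traffic through a security appliance, used to show what a compromised web host can still reach. The appliance address 10.0.0.4, the ports and the rule set are assumptions.

```python
"""Model of the 'simple DMZ' slide: three subnets, priority-ordered NSG rules
and a user-defined route (UDR) through a security appliance.

Added example, not from the slides or Microsoft's docs. APPLIANCE, the ports
and NSG_RULES are assumptions for this illustration.
"""
from ipaddress import ip_address, ip_network

# Subnet addressing taken from the slide (10.0.0.x / 10.0.1.x / 10.0.2.x).
SUBNETS = {
    "security": ip_network("10.0.0.0/24"),
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
}
APPLIANCE = "10.0.0.4"  # assumed firewall / virtual appliance in the security subnet

# NSG rules as (priority, source subnet, destination subnet, port, action).
# As with Azure NSGs, the lowest priority number is evaluated first and the
# first match wins; the final catch-all deny drops anything not listed.
# "Internet" stands for any address outside the three subnets.
NSG_RULES = [
    (100, "Internet", "web", 443, "Allow"),
    (110, "web", "app", 8080, "Allow"),
    (120, "security", "*", "*", "Allow"),  # appliance may manage every subnet
    (4096, "*", "*", "*", "Deny"),
]

# UDR applied to the web and app subnets: traffic leaving the subnet goes to
# the appliance first instead of straight to its destination.
UDR_NEXT_HOP = {"web": APPLIANCE, "app": APPLIANCE}


def subnet_of(ip: str) -> str:
    """Name of the subnet containing ip, or 'Internet' if none does."""
    addr = ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "Internet"


def next_hop(src_ip: str, dst_ip: str) -> str:
    """First hop for a packet: same subnet is delivered directly, otherwise the
    source subnet's UDR decides (default: straight to the destination)."""
    src, dst = subnet_of(src_ip), subnet_of(dst_ip)
    if src == dst:
        return dst_ip
    return UDR_NEXT_HOP.get(src, dst_ip)


def _matches(pattern, value) -> bool:
    return pattern == "*" or pattern == value


def nsg_decision(src_ip: str, dst_ip: str, port: int):
    """Return (action, priority of the matching rule) for a flow; first match wins."""
    src, dst = subnet_of(src_ip), subnet_of(dst_ip)
    for prio, r_src, r_dst, r_port, action in sorted(NSG_RULES, key=lambda r: r[0]):
        if _matches(r_src, src) and _matches(r_dst, dst) and _matches(r_port, port):
            return action, prio
    return "Deny", None


def blast_radius(compromised_ip: str, targets):
    """The (target, port) pairs a compromised host could still reach under the NSG."""
    return [(t, p) for t, p in targets if nsg_decision(compromised_ip, t, p)[0] == "Allow"]


if __name__ == "__main__":
    # Constructed flows: a compromised web server probing the other subnets.
    probes = [("10.0.2.10", 8080), ("10.0.2.10", 22), ("10.0.0.4", 443)]
    print("web host can still reach:", blast_radius("10.0.1.10", probes))
    print("web -> app traffic first hop:", next_hop("10.0.1.10", "10.0.2.10"))
```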
Summary
• Cloud security considerations
– Security policies for using the cloud
– Cloud standards and guidelines
– Cloud controls
– Cloud architecture and design
• Cloud is rapidly evolving
References
• SANS Institute Case Study: Critical controls that could have prevented Target breach
• SANS SEC545: Cloud Security Architecture and Operations
• Beyond lightning: A survey on security challenges in cloud computing, Chunming Rong, Department of Electrical Engineering and Computer Science, University of Stavanger, Norway
• Cloud computing: Overview and Research issues, Divya Kapil, School of Computing, Graphic Era Hill University, Dehradun, India
• Cloud Security: A comprehensive guide to secure cloud computing, Ronald L. Krutz and Russell Dean Vines
• Virtualization: Issues, Security Threats and solutions, Michael Pearce, Ray Hunt, The University of Canterbury

Mais conteúdo relacionado

Mais procurados

Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challengesKresimir Popovic
 
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYJASHU JASWANTH
 
What is Virtualization
What is VirtualizationWhat is Virtualization
What is VirtualizationIsrael Marcus
 
Presentation f5 – beyond load balancer
Presentation   f5 – beyond load balancerPresentation   f5 – beyond load balancer
Presentation f5 – beyond load balancerxKinAnx
 
Firewall presentation m. emin özgünsür
Firewall presentation   m. emin özgünsürFirewall presentation   m. emin özgünsür
Firewall presentation m. emin özgünsüremin_oz
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefitsAnthony Daniel
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide	Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide Protect724manoj
 
Virtualization in cloud
Virtualization in cloudVirtualization in cloud
Virtualization in cloudAshok Kumar
 
What is micro segmentation?
What is micro segmentation?What is micro segmentation?
What is micro segmentation?Mir Mustafa Ali
 
Presentation about servers
Presentation about serversPresentation about servers
Presentation about serversSasin Prabu
 

Mais procurados (20)

Firewall
FirewallFirewall
Firewall
 
Firewall
FirewallFirewall
Firewall
 
Cloud computing security issues and challenges
Cloud computing security issues and challengesCloud computing security issues and challenges
Cloud computing security issues and challenges
 
MOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITYMOBILE PHONE SECURITY./ MOBILE SECURITY
MOBILE PHONE SECURITY./ MOBILE SECURITY
 
Network Access Control (NAC)
Network Access Control (NAC)Network Access Control (NAC)
Network Access Control (NAC)
 
What is Virtualization
What is VirtualizationWhat is Virtualization
What is Virtualization
 
Presentation f5 – beyond load balancer
Presentation   f5 – beyond load balancerPresentation   f5 – beyond load balancer
Presentation f5 – beyond load balancer
 
Firewall presentation m. emin özgünsür
Firewall presentation   m. emin özgünsürFirewall presentation   m. emin özgünsür
Firewall presentation m. emin özgünsür
 
Cloud Auditing
Cloud AuditingCloud Auditing
Cloud Auditing
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefits
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
 
Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide	Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide
 
Virtualization in cloud
Virtualization in cloudVirtualization in cloud
Virtualization in cloud
 
Cloud Computing: Virtualization
Cloud Computing: VirtualizationCloud Computing: Virtualization
Cloud Computing: Virtualization
 
What is micro segmentation?
What is micro segmentation?What is micro segmentation?
What is micro segmentation?
 
Presentation about servers
Presentation about serversPresentation about servers
Presentation about servers
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
 
Hypervisor
HypervisorHypervisor
Hypervisor
 

Semelhante a Cloud security introduction

Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...EC-Council
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
Unified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureUnified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureMarketingArrowECS_CZ
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessPuma Security, LLC
 
Cloud Computing & Business Intelligence
Cloud Computing & Business IntelligenceCloud Computing & Business Intelligence
Cloud Computing & Business IntelligenceSudip Chatterjee
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloadsRuncy Oommen
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHansFarroCastillo1
 
AWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security OverviewAWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security OverviewAmazon Web Services
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersJames Strong
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsViresh Suri
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02abhisheknayak29
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudCloudHesive
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesHyTrust
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPFaiza Mehar
 
Azure reference architectures
Azure reference architecturesAzure reference architectures
Azure reference architecturesMasashi Narumoto
 
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...Amazon Web Services
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeHimani Singh
 

Semelhante a Cloud security introduction (20)

Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
Outpost24 webinar: cloud providers ate hosting companies' lunch, what's next?...
 
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...Defending Applications In the Cloud: Architecting Layered Security Solutions ...
Defending Applications In the Cloud: Architecting Layered Security Solutions ...
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
Cloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack OverviewCloud Security Alliance's GRC Stack Overview
Cloud Security Alliance's GRC Stack Overview
 
Unified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud InfrastructureUnified Protection for Multi-Cloud Infrastructure
Unified Protection for Multi-Cloud Infrastructure
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
Cloud Computing & Business Intelligence
Cloud Computing & Business IntelligenceCloud Computing & Business Intelligence
Cloud Computing & Business Intelligence
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
Hybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptxHybrid - Seguridad en Contenedores v3.pptx
Hybrid - Seguridad en Contenedores v3.pptx
 
AWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security OverviewAWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
AWS Canberra WWPS Summit 2013 - AWS Governance and Security Overview
 
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS BuildersAWS Cloud Governance & Security through Automation - Atlanta AWS Builders
AWS Cloud Governance & Security through Automation - Atlanta AWS Builders
 
Cloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentalsCloud computing and Cloud security fundamentals
Cloud computing and Cloud security fundamentals
 
Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02Cloudcomputingoct2009 100301142544-phpapp02
Cloudcomputingoct2009 100301142544-phpapp02
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
 
4831586.ppt
4831586.ppt4831586.ppt
4831586.ppt
 
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best PracticesPCI-DSS Compliant Cloud - Design & Architecture Best Practices
PCI-DSS Compliant Cloud - Design & Architecture Best Practices
 
Multi cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCPMulti cloud governance best practices - AWS, Azure, GCP
Multi cloud governance best practices - AWS, Azure, GCP
 
Azure reference architectures
Azure reference architecturesAzure reference architectures
Azure reference architectures
 
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
AWS Public Sector Symposium 2014 Canberra | Compliance and Governance on the ...
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 

Último

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Último (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

Cloud security introduction

1. Cloud Security Introduction
Master of Applied Information Systems, Mar 2018

SMU Classification: Restricted
2. Agenda
• Introduction: What is Cloud computing
• Cloud Security incident
• Cloud Security challenges
• Cloud Standards & Guidelines
• Cloud Policy and Planning
• Cloud Security Controls
• Cloud Architecture and Design
• Summary

3. Disclaimer
• Non-comprehensive
• Best-effort updated
• Cloud is a fast-changing environment

4. Cloud computing definition (as defined by NIST)
• On-demand self-service
– The consumer can unilaterally provision computing capabilities
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service

5. NIST Reference Architecture
Source: NIST SP 500-292, NIST Cloud Computing Reference Architecture

6. Cloud Actors
• Consumer: Person or organisation using cloud services from a CSP
• Provider (CSP): An entity offering cloud services to consumers
• Auditor: An entity that provides objective and independent assessments of cloud services
• Broker: Manages use, performance, and/or delivery of cloud services between CSPs and consumers. Today, Security-as-a-Service (SecaaS) offerings often “broker” various types of access or data sent to/from the cloud
• Carrier: An intermediary providing transport and connectivity for cloud services

7. Cloud deployment model
Source: https://image.slidesharecdn.com/4-theenterprisecloudcomputingparadigm-131130040800-phpapp02/95/cloud-computing-principles-and-paradigms-4-the-enterprise-cloud-computing-paradigm-4-638.jpg

8. Cloud computing key technologies: Virtualisation types
Source: https://image.slidesharecdn.com/1-150328170334-conversion-gate01/95/1introduction-to-virtualization-27-638.jpg

9. Cloud computing key technologies: Containers
Source: https://thecustomizewindows.com/2014/07/container-based-virtualization

10. Cloud computing key technologies: Software-defined networking
Source: https://commsbusiness.co.uk/features/software-defined-networking-sdn-explained/
11. Cloud Security Incident
Dec 2013 – 40 million credit cards stolen from POS systems
– Investigation revealed that the initial malware was introduced via Target’s refrigeration vendor
– Criminals used the vendor’s credentials to access Target’s cloud infrastructure
Attack path: use of vendor credentials. Controls that could have prevented it:
• Boundary defence: Limit network access to the vendor portal, so that anyone who obtained the credentials could not reach the portal unless on a network allowed to access it
• Account monitoring and control: Require multi-factor authentication to log in to the vendor portal. Monitor usage of vendor portal logins. Profile accounts for normal activities and usage patterns
Source: SANS Institute Case Study
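The two controls on this slide written as detection rules and run over constructed vendor-portal login events, as an added example that is not part of the original slides or the SANS case study; the allow-listed vendor network, the MFA flag, the account's normal-hours profile and the three events are all hypothetical sample data.

```python
"""Added example (not from the slides): detection rules for the two controls
on slide 11, run over constructed vendor-portal login events. The allow-list,
the MFA flag and the normal-hours profile are hypothetical sample data."""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy: networks each vendor account may log in from (TEST-NET-3 range).
ALLOWED_NETWORKS = {"hvac-vendor": [ip_network("203.0.113.0/24")]}
# Constructed baseline profile: hours (UTC) in which the account is normally used.
NORMAL_HOURS = {"hvac-vendor": range(8, 18)}

# Constructed sample events in the shape of a portal access log.
EVENTS = [
    {"user": "hvac-vendor", "src": "203.0.113.10", "mfa": True,
     "time": "2013-11-15T09:12:00", "action": "login"},
    {"user": "hvac-vendor", "src": "198.51.100.7", "mfa": False,
     "time": "2013-11-27T02:41:00", "action": "login"},
    {"user": "hvac-vendor", "src": "203.0.113.10", "mfa": True,
     "time": "2013-11-27T03:05:00", "action": "login"},
]

def check_event(event):
    """Return the list of findings for one login event (empty list = no concern)."""
    findings = []
    user = event["user"]
    src = ip_address(event["src"])
    # Boundary defence: the source must lie inside a network allowed for this account.
    if not any(src in net for net in ALLOWED_NETWORKS.get(user, [])):
        findings.append("source not in vendor allow-list")
    # Account control: every portal login must have completed MFA.
    if not event["mfa"]:
        findings.append("login without MFA")
    # Account monitoring: compare the login time against the account's usage profile.
    hour = datetime.fromisoformat(event["time"]).hour
    if hour not in NORMAL_HOURS.get(user, range(24)):
        findings.append(f"login at {hour:02d}:00 outside normal hours")
    return findings

def alerts(events=EVENTS):
    """Map event index -> findings, keeping only the events that need review."""
    return {i: f for i, e in enumerate(events) if (f := check_event(e))}

if __name__ == "__main__":
    for i, f in alerts().items():
        print(f"event {i}: " + "; ".join(f))
```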
12. Docker vulnerability exploitability
• Docker is a daemon that runs as root
• Older Docker versions did security by blacklisting kernel calls
– What about the calls that were missed? The “Shocker” exploit code
• CVE-2014-9357: privilege escalation during decompression of LZMA (.xz) archives
• 100k+ images on Docker Hub
– In 2015, 15k+ images were analysed; 90% of them contained unverified exploitable vulnerabilities
Source: Black Hat Europe 2015 – Vulnerability exploitation in Docker container environment

13. Security responsibility – AWS
Source: https://aws.amazon.com/compliance/shared-responsibility-model/

14. Security responsibility – Microsoft
Source: https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/

16. Cloud Security Challenges
Traditional security challenges still apply, but in the cloud these considerations differ…
• Resource location: Consumers do not know exactly where their data resides
• Multi-tenancy issues: How to protect your data/system on shared cloud resources
• Authentication, authorisation, information trust: How to ensure your data's accessibility & ownership? Identity and Access Management (IAM)
• System monitoring and logs: Audit trail
• Service Level Agreement (SLA)

17. Traditional security challenges
• Network security
▪ Firewalls
▪ NIDS/NIPS
▪ Proxies
• Host security / Virtualisation
▪ HIDS/HIPS
▪ Configuration management
▪ Roles/Privileges
• Data security
▪ Encryption at rest / in transit
▪ Key management
• Vulnerability assessment and penetration testing
• Security policy
• Application security
▪ Secure coding
▪ WAFs
• Database security
• Data disposal
• Solution architecture
Standards & Guidelines

18. Cloud Security Alliance (CSA)

19. CSA Reference Architecture

20. Other Standards and Guidelines
Industry based
• NIST SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
• PCI DSS Cloud Computing Guidelines
Platform specific
• Center for Internet Security (CIS) recommendations for AWS Foundations / Azure / Google Cloud
Application specific
• Open Web Application Security Project (OWASP), 2017

21. Cloud Policy and Planning
• Business justification for cloud implementation
• Data classification
• System availability & accountability
• Admin & user accessibility
• Disaster recovery & business continuity
• Risk assessment, mitigation & acceptance

22. Security Principles for Cloud Design
• Build in security at every layer
• Design for elasticity
• Design for failure
– “Blast radius” control
– System recovery
• Use different storage options
• Always have “feedback” loops
• Focus on CSA: Centralisation, Standardisation, Automation

23. Security at every layer
“Stack” layer – Controls
• Application + Presentation: WAF, IAM, scans/pen test
• Operating systems: Configuration, vulnerability scan, backup, user & privilege management
• Data: Encryption, backups, DLP, authorisation
• Network: Access controls, firewalls, routing, DDoS defences
• Hypervisor: Configuration, access controls, user & privilege management
Access control (IAM) spans all layers

24. Hypervisor Security Controls
• Foundational controls – NTP, SNMP, etc.
• Local firewall / network access controls
• Hardening and configuration
• Users and groups
• Patching
• Logging and monitoring
• SELinux and/or multi-tenant isolation measures

25. Virtualisation security – CSP
• Assess the CSP's virtualisation platform technology
• CSP internal security controls on virtualisation (e.g. virtual firewalls or IDS)
• CSP ISO certification, 3rd-party cyber risk assessment, annual audit
• Enquire about the CSP’s administrative control of the VM environment
• Enquire about the CSP's segregation and separation of VM zones / types
• Understand how multi-tenancy and VM isolation are implemented, and how an isolation breach is alerted

26. Cloud network security
• Most CSPs have a flat network design
• Virtual Private Cloud (Azure VNet + AWS VPC)
Source: https://blogs.msdn.microsoft.com/premier_developer/2017/09/17/differentiating-between-azure-virtual-network-vnet-and-aws-virtual-private-cloud-vpc/

27. Cloud network security
• Virtual network appliances
– WAF, load balancer, proxies, unified threat management
– Vendors such as Cisco, F5, Palo Alto, Fortinet, Check Point
• Data loss prevention (as a network control)
– Commonly offered by CASBs

28. Host security – OS image
• (PaaS/IaaS) Instance / image security is one of the most important considerations
• Standard approaches
– Patching
– Hardening
– Version control
– Access control
– Monitoring
– Anti-malware
• Cloud platform inventory management tools
– Amazon EC2 Systems Manager
– AWS Inspector

29. Identity Access Management
• Main purpose: Authentication, Authorisation & Auditability
• Assigned to groups, persons, processes, resources
• Federated identities, tokenisation
• RBAC
Source: http://mscerts.wmlcloud.com/programming/identity%20and%20access%20management%20%20%20iam%20architecture%20and%20practice.aspx

30. Cloud Access Security Brokers
• 3rd party that helps an organisation govern use of the cloud and protect sensitive data in it
Source: http://focus.forsythe.com/_wss/clients/509/assets/CASB%20Functionality%20Areas%20Graphic.png

31. Key Management in Cloud
• Who does it? Consumer or CSP?
• Key generation
• Key storage, backup, recovery
• Key distribution
• Key destruction
• Cryptographic hardware (built-in or hardware security module [HSM])
– Often governed by standards (PCI)

32. AWS Key Management
Source: https://image.slidesharecdn.com/encryptionkeymanagementbillshin-150410130029-conversion-gate01/95/encryption-and-key-management-in-aws-18-638.jpg?cb=1428688942

33. Azure Key Management
Source: https://msdnshared.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/01/03/78/6076.SQLServerConnector.png

34. Cloud Architecture & Design
• Depends on
– Consumer needs
▪ Security policies and compliance
▪ Services required
▪ Network connectivity
– CSP’s offerings
– CASB’s offerings
– Application dependencies

35. AWS VPC model
This model has:
1. Public subnet
2. Private subnet
3. Routing
4. NAT gateway
5. Virtual Private Gateway (VPG)
6. IPsec connectivity
Private addresses can be routed to the VPG
Source: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/images/Case3_Diagram.png
36. Azure Simple DMZ
This DMZ has 3 subnets:
- 10.0.0.x (security)
- 10.0.1.x (web)
- 10.0.2.x (app)
DMZ with security in place: “blast radius” limit
Source: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm
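A small model of the three-subnet DMZ above, added here as an example and not taken from the slides or from Microsoft's document: it evaluates constructed NSG-style rules first-match by priority and enumerates the "blast radius" of each zone. The firewall address 10.0.0.4, the probe hosts and the rule set are assumptions, and the default NSG rules and the user-defined routes of the real design are left out.

```python
"""Added example (not from the slides or Microsoft's DMZ document): NSG-style,
first-match rule evaluation over the three DMZ subnets of slide 36, used to
list what each zone can reach. Hosts and rules are constructed samples."""
from ipaddress import ip_address, ip_network

SUBNETS = {
    "security": ip_network("10.0.0.0/24"),   # security subnet (firewall tier)
    "web": ip_network("10.0.1.0/24"),        # web subnet
    "app": ip_network("10.0.2.0/24"),        # app subnet
}

def zone(ip):
    """Map an address to its DMZ subnet name, or 'internet' if outside the VNet."""
    addr = ip_address(ip)
    return next((name for name, net in SUBNETS.items() if addr in net), "internet")

# Constructed rules: (priority, source zone, destination zone, TCP port or '*', action).
# Lower priority number is evaluated first and the first match decides, as in an NSG.
RULES = [
    (100, "internet", "security", 443, "allow"),  # only the firewall tier is published
    (110, "security", "web", 80, "allow"),        # firewall forwards inspected traffic
    (120, "web", "app", 8080, "allow"),           # web tier reaches app tier on one port
    (130, "security", "*", "*", "allow"),         # firewall may manage every tier
    (4096, "*", "*", "*", "deny"),                # explicit catch-all, like DenyAllInBound
]

def decide(src_ip, dst_ip, port):
    """Return 'allow' or 'deny' for one flow by walking the rules in priority order."""
    src, dst = zone(src_ip), zone(dst_ip)
    for _, rs, rd, rp, action in sorted(RULES, key=lambda r: r[0]):
        if rs in (src, "*") and rd in (dst, "*") and rp in (port, "*"):
            return action
    return "deny"  # assumption: a flow matching no rule is not reachable

def blast_radius(src_ip, ports=(22, 80, 443, 8080)):
    """Set of (zone, port) pairs a host at src_ip can open directly: the zones an
    attacker who compromised that host could touch without another hop."""
    probes = {"security": "10.0.0.4", "web": "10.0.1.4", "app": "10.0.2.4"}  # constructed
    return {(z, p) for z, ip in probes.items() for p in ports
            if decide(src_ip, ip, p) == "allow"}

if __name__ == "__main__":
    for name, ip in [("internet", "198.51.100.1"), ("web", "10.0.1.4"), ("app", "10.0.2.4")]:
        print(f"from {name}: {sorted(blast_radius(ip))}")
```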
37. Summary
• Cloud security considerations
– Security policies when using the cloud
– Cloud standards and guidelines
– Cloud controls
– Cloud architecture and design
• The cloud is rapidly evolving

38. References
• SANS Institute Case Study: Critical Controls that Could Have Prevented Target Breach
• SANS SEC545: Cloud Security Architecture and Operations
• Beyond Lightning: A Survey on Security Challenges in Cloud Computing. Chunming Rong, Department of Electrical Engineering and Computer Science, University of Stavanger, Norway
• Cloud Computing: Overview and Research Issues. Divya Kapil, School of Computing, Graphic Era Hill University, Dehradun, India
• Cloud Security: A Comprehensive Guide to Secure Cloud Computing. Ronald L. Krutz and Russell Dean Vines
• Virtualization: Issues, Security Threats and Solutions. Michael Pearce, Ray Hunt, The University of Canterbury