
Cloud Application Security
This is a guide on cloud application security.
Training and Awareness in Application Security
I want to begin this course on application security, talking about the importance of having training and awareness programs. And obviously, we focus these often on end users. We think about implementing these programs early on in the hiring process for our average, ordinary employee. We don't want to forget how important this is for our developers, and our programmers, and our DevOps people, okay.
And we're talking about application security here, and often we assume because of their, you know, their coding capabilities or coding skills, their development skills that they automatically have a security knowledge. And that's often not the case, okay. So we want to obviously think about what are the greatest threats to our cloud model solution? And we know we have several different models. The most popular model is actually going to introduce the most vulnerability, it's the hybrid model.
And the hybrid model is actually the most vulnerable model because it's a combination of the private, or the on-premise, and the public cloud. So understanding exactly where the data at rest and the data in transit reside, and all of the different entry points, and all of the different storage capacities of both the on-premise and the public or community cloud, those are all critical. So think about internal versus external attacks, okay.
Typically, they fall into two categories. There's structured internal, which means they're well planned: advanced persistent threats done by crackers, corporate espionage, disgruntled employees, former employees, okay. They're intentional, they're structured. Or they're unintentional, where you just have poorly trained end users, or you have poorly trained developers or programmers. There's no enforcement of the acceptable use policy, there are no secure software development and system development principles or life cycles.
And of course, external attacks, those are the ones that we're the most familiar with, but are often not the most common. We're seeing a lot more internal attacks from privileged insiders. So as far as awareness goes, it is commonly underutilized, okay. So we don't see as much awareness training and as many awareness programs as we should, but it can be overdone. If you overwhelm your employees with different types of awareness training and awareness programs, it can start to fall on deaf ears.
So we want to use a nice blend of the carrot and the stick, incentives for providing a secure environment. We also want to make sure we enforce that AUP and have enforcement mechanisms. So you can use things like ongoing self-paced computer-based training or streaming of training content, videos, DVDs, classroom training. Increase awareness with posters, newsletter articles, e-mail messages, e-mail bulletins, even printed bulletins. And other reminders using, you know, system banners, drink cups that have little statements on them, mouse pads that have reminders of security, notepads and other media to increase and enhance awareness.
And then, of course, training and education is for users in sensitive areas especially, or with elevated or privileged roles. We want to make sure we start there. You also want to have security training for your new hires. This should be in the first 45 to 90 days. Technical security training for your IT staff members. Advanced ongoing information security training for security practitioners and engineers. And we definitely want to add to this list application developers, programmers, and DevOps people. And specialized instruction for your C-suite or your executive management, and other key stakeholders.
[Video description begins] Screen title: Sample Training and Awareness Program [Video description ends]
For example, you may have a seven-step process where you first identify the program scope, goals, and objectives. Basically, the scope could be anybody who interacts with an IT system, or your scope may be simply focusing on developers and programmers, since we're talking about application security. Identify who your training staff is going to be. Will it be internal, or external, or a combination of both? Identify your target audience, not everyone has the same degree of responsibility in their job or their role.
If you're going to identify developers and programmers for our training and awareness, then we'll go that direction. Motivate management and employees, you want to get buy-in from your management, especially executive management. And then, of course, step five is administer the program, make sure you have ongoing visibility. That you've chosen the proper training methods and be willing to change those methods if necessary to optimize.
Make sure you have all the topics covered, all the objectives. Using the right materials and that you have solid presentation techniques. Maintain the program. So there should be an iterative, continual improvement here to bring in new technology, to bring in new training methodologies. To improve the training and awareness. And, of course, evaluate your program, ascertain how much information's being retained. And to what extent these procedures or these practices are being followed.
And then, of course, go back to the iterative process of continual improvement. Let's get focused now on enhancing application security. That's really the focus of this entire course. So developers and programmers must also be subject to acceptable use policies, okay, nobody is exempt. If you have many programmers, consider using single sign-on, maybe your existing directory service like Active Directory. Applications that are running outside of the cloud service provider are going to have to use access keys, or they'll need access keys, often combined with an access key ID. Think of the access key ID as a long pseudorandom string or username, and then tied to that is the access key itself.
Keep local access keys secure and, if it's possible, consider using a hardware security module, an HSM from a company like Gemalto, for example. Do not embed any of the access keys or any credentials into the code, or the scripts, or the API calls. As you access resources in the cloud, consider using a bastion host or a jump host, where you're connecting via Secure Shell or RDP over SSL/TLS, and then accessing your resource. If you're using federated access, you might want to consider using the different token services provided by the CSP.
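The "do not embed credentials" rule is easy to state and easy to break, so here is an added example (my own code, not part of the course) of a small Go scanner that flags string literals shaped like access keys in a constructed source snippet, next to the hardened pattern of reading the key pair from the environment at run time. The sample snippet, the heuristic rules and the hypothetical CredentialsFromEnv helper are assumptions for the demo; the key values are the placeholders used in AWS documentation, not live keys.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Finding is one line that looks like it carries an embedded credential.
type Finding struct {
	Line int
	Rule string
	Text string
}

// rules match credential material that must never be committed to source.
// The AWS access key ID shape (AKIA followed by 16 uppercase alphanumerics)
// is public; the other two are heuristics on assignments of quoted literals.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"aws-secret-assignment", regexp.MustCompile(`(?i)aws_secret_access_key\s*[:=]\s*["'][A-Za-z0-9/+=]{40}["']`)},
	{"generic-secret-literal", regexp.MustCompile(`(?i)(password|passwd|secret|api_key|token)\s*[:=]\s*["'][^"']{8,}["']`)},
}

// ScanSource reports every line of src that matches a rule. Values pulled
// from the environment or a secrets manager are not string literals, so
// they do not match and are not reported.
func ScanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, Finding{Line: i + 1, Rule: r.name, Text: strings.TrimSpace(line)})
			}
		}
	}
	return out
}

// CredentialsFromEnv is the hardened pattern (hypothetical helper): the key
// pair is injected at run time (environment here; a secrets manager or an
// instance role in practice) and never appears in the code. A missing value
// is an error, not a fallback to a built-in default.
func CredentialsFromEnv() (id, secret string, err error) {
	id, secret = os.Getenv("AWS_ACCESS_KEY_ID"), os.Getenv("AWS_SECRET_ACCESS_KEY")
	if id == "" || secret == "" {
		return "", "", fmt.Errorf("AWS credentials not present in environment")
	}
	return id, secret, nil
}

// sample is a constructed snippet of the kind a developer might commit.
// The key values are the placeholders from AWS documentation, not live keys.
const sample = `import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2hunter2"
good_key = os.environ["AWS_ACCESS_KEY_ID"]
`

func main() {
	for _, f := range ScanSource(sample) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Rule, f.Text)
	}
}
```

Running the scanner as a pre-commit hook or CI step catches the three embedded literals in the sample while the environment lookup on the last line passes.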
Enforce multi-factor authentication, either hardware based with a hardware token or a TOTP compliant, let's say, iPhone. Using, let's say, Google Authenticator, okay, so that you have multi-factor authentication in play. Enforce the least privilege principle and dual operator principles of security. If you have a SaaS solution, let's say Microsoft Office 365, or you're using Workday for your HR solution or Salesforce. Consider using a CASB, a Cloud Access Security Broker. Someone like Fortinet, for example. And finally, key management is critical, okay.
So consider, for example, if it's Amazon Web Services or Google Cloud using their KMS, their Key Management Service. Where they provide you with customer master keys and those keys are encrypting data keys, okay. Use other tools like Secrets Managers and My Security Credentials, both of which you can learn more about at AWS.
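The customer-master-key-encrypts-data-keys arrangement just described is envelope encryption. As an added illustration (my own Go code, not anything from the course or from AWS), a local AES-256-GCM key stands in for the KMS customer master key: each record gets its own data key, the data key is wrapped under the master key, and only the wrapped copy is stored with the ciphertext. The "data-key" label and the 32-byte key sizes are assumptions for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// MasterKey stands in for a KMS customer master key, which in production never
// leaves KMS or its HSM: applications only ask it to wrap and unwrap data keys.
type MasterKey struct{ key []byte }

// Envelope is what gets persisted; the plaintext data key is never stored.
type Envelope struct {
	WrappedKey []byte // nonce || AES-GCM(master key, data key)
	Ciphertext []byte // nonce || AES-GCM(data key, record)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key (AES-256-GCM) with a fresh random nonce
// and returns nonce || ciphertext; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; it fails on a wrong key, wrong aad or any tampering.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

func NewMasterKey() (*MasterKey, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return &MasterKey{key: k}, err
}

// GenerateDataKey mirrors the KMS GenerateDataKey call: the caller gets the
// plaintext data key for immediate use and its wrapped form for storage.
func (m *MasterKey) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = sealGCM(m.key, plain, []byte("data-key"))
	return plain, wrapped, err
}

// EncryptEnvelope encrypts plaintext under a one-off data key; only the
// wrapped copy of that key travels with the ciphertext.
func EncryptEnvelope(m *MasterKey, plaintext []byte) (*Envelope, error) {
	dk, wrapped, err := m.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dk, plaintext, nil)
	for i := range dk { // the plaintext data key is no longer needed
		dk[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptEnvelope unwraps the data key with the master key (the KMS Decrypt
// call), then opens the record. A different master key or any tampering fails.
func DecryptEnvelope(m *MasterKey, env *Envelope) ([]byte, error) {
	dk, err := openGCM(m.key, env.WrappedKey, []byte("data-key"))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dk, env.Ciphertext, nil)
}

func main() {
	cmk, _ := NewMasterKey()
	env, _ := EncryptEnvelope(cmk, []byte("customer record")) // constructed sample
	pt, err := DecryptEnvelope(cmk, env)
	fmt.Println(string(pt), err)
}
```

Rotating the master key only means re-wrapping the small data keys, not re-encrypting every record, which is why the KMS model is built this way.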
Cloud Software Assurance and Validation
In this lesson, I want to talk about cloud software assurance and validation. And most organizations, especially cloud-based organizations, are going to use the REST API or the RESTful Application Programming Interface, which follows the service-oriented architecture model. So most web-based services are going to use this, either through XML or through JSON. Especially if you go to Amazon Web Services or Google Cloud.
It allows you to access mobile applications, cloud-based services, partner apps, cloud resources and data, application servers. Even legacy applications. APIs are the best method for organizations to access cloud computing vendor resources. And most consumers of Microsoft Azure, IBM Cloud, Oracle Cloud, Amazon, and Google Cloud are going to use RESTful protocol-based APIs. So it's important that programmers and developers use best practices and standards to properly develop, publish, and consume APIs.
The best practices should be based on basic structures, that are dictated by the programming languages and their software development kits. For example Java, .NET, JSON, XML, and others. The goals of cloud software assurance are to evolve from patch management. So the most logical evolution from a patch management deployment is to move to what's called a software assurance program.
It encourages developers to raise the overall software quality and security. And it's done during the initiation phase of the SDLC, in other words, from the outset. Cloud software assurance emphasizes the usage of tested standard libraries and secure and tested modules. Software assurance will employ industry-accepted approaches. They recognize that software security is fundamentally and basically, a software engineering issue. So it must be addressed systematically, not only early on, but throughout the entire software development life cycle. Regardless of the life cycle or architecture being used.
[Video description begins] Screen title: Software Quality Assurance [Video description ends]
So when we look at software quality, we're really talking about the evaluation of software based on certain attributes. Now as far as software quality assurance goes, there are really two important approaches that determine quality of software. There's the defect management approach, which is obviously looking for defects or flaws, and the quality attributes approach. First, we're going to test the external quality or we're going to test what's visible. And that's going to be things like reliability.
The capability of software to perform under certain situations for a certain time period. And the efficiency, basing our software on a good architecture, and excellent coding practices, and maintenance cost. And then software quality assurance is going to review the invisible qualities. Those would be things like complexity, the program structure, the flexibility, the readability of the code, the reusability. Or the modular aspect of the code, the testability, and coding practices.
[Video description begins] The screen displays a diagram that reveals progressively. The first box to appear is labeled Test external quality-visible. A unidirectional arrow appears and points to another box containing three labels, namely Reliability, Efficiency, and Maintenance cost. Then, the right side of the screen displays a box labeled Review external quality-invisible. A larger box appears to its left and contains seven labels, namely Complexity, Program structure, Flexibility, Readability, Reusability, Testability, and Coding practices. A unidirectional arrow points from this box to the Review external quality-invisible. [Video description ends]
There are five key aspects to good software assurance and validation. One is to understand the applications, in other words, know the inner workings of your cloud-based application. Second, research your cloud vendor, if using Microsoft Azure or Amazon Web Services, to name a couple. Understand the demarcation point between your responsibility and their responsibility. How managed is the service?
Realize the risks and treatments. Identify high-risk areas. Implement risk assessment. Know your risk treatment. Also know your organizational needs, typically based on your business. Is it an end-user type business? Is it a functional business? Is it service? Is it a product? Also, know the regulatory requirements and governance that you're subject to. And then finally, formulate your action plan. Once you have a clear understanding of your application along with the cloud vendor and your potential risks, start formulating a plan to validate your cloud-based solutions.
Using Verified Secure Software
We're going to start out this particular lesson talking about two methodologies for security testing or application security testing, AST, in your organization.
[Video description begins] Screen title: SAST vs. DAST [Video description ends]
And you may use one or both of these approaches. They're effective at different stages of the software development life cycles regardless of what you're using. And they're actually better at finding different types of vulnerabilities.
So the two options we have are static AST, static application security testing, and dynamic application security testing. So SAST is static, what we typically refer to as white box security testing, where the tester has access to the underlying framework, design, and implementation. The application is tested from the inside out. And it represents what's called a developer or programmer approach to security testing. Dynamic AST is typically black box security testing, where the tester has no knowledge of the technologies or frameworks that the application's built on.
The application's tested from the outside in. And this type of testing represents the hacker or attacker approach. So, for example, static AST will be used to detect critical vulnerabilities like cross-site scripting, XSS, SQL injection or SQLi, and buffer overflows, earlier on in the software development life cycle. Whereas DAST uses an outside-in pen testing approach to find security vulnerabilities while the web applications are running.
With SAST, you're going to require some source code. Doesn't require a deployed application though. It analyzes the source code or binary without executing the app. DAST requires a running application. Doesn't require source code or binaries. It analyzes by executing the application in runtime.
[Video description begins] The screen displays four icons arranged in two columns, one under the SAST heading and the other under the DAST heading. In the SAST column, the first icon is of an open carton and denotes White box security testing. The main features of this type of testing display in a bulleted list below the label. The second icon in this column is of a document under a magnifying glass and is labeled Requires source code. In the DAST column, the first icon is of a closed carton denoting Black box security testing. The next icon is of a computer system and is labeled Requires a running application. [Video description ends]
SAST, static finds vulnerabilities earlier in the life cycle. So a SAST scan could be executed as soon as the code is deemed feature complete, whereas DAST finds vulnerabilities later in the life cycle. Vulnerabilities can be discovered after the development life cycle is complete. Static AST is less expensive to fix vulnerabilities.
It's easier and faster to remediate vulnerabilities. Findings can often be fixed before the code enters the quality assurance cycle. Typically, dynamic AST is more expensive to fix vulnerabilities. Since vulnerabilities are found toward the end of the life cycle, remediation often gets pushed into the next cycle. In addition, critical vulnerabilities may be fixed as an emergency release when using DAST.
[Video description begins] The screen displays four icons arranged in two columns, one under the SAST heading and the other under the DAST heading. In the SAST column, the first icon is of a green colored magnifying glass and is labeled Finds vulnerabilities earlier in SDLC. The second icon is of a Dollar symbol on a light gray background and is labeled Less expensive to fix vulnerabilities. In the DAST column, the first icon is of a blue colored magnifying glass and is labeled Finds vulnerabilities later in the SDLC. The second icon is of a Dollar symbol on a blue background and is labeled More expensive to fix vulnerabilities. [Video description ends]
Typically, static AST can't discover runtime and environment-related issues. Since the tool scans static code, it doesn't deliver runtime vulnerabilities. Whereas dynamic AST can discover runtime and environment-related issues. Because it's using dynamic analysis on the application during runtime. Static typically supports all kinds of software including web applications, web services, and thick clients. Whereas dynamic AST typically scans only apps like web applications and web services. It's not useful for other types of software.
[Video description begins] The screen displays four icons arranged in two columns, one under the SAST heading and the other under the DAST heading. In the SAST column, the first icon is of a bar graph and is labeled Can't discover runtime and environment-related issues. The second icon is of an open carton and is labeled Typically supports all kind of software.
In the DAST column, the first icon is of a line graph and is labeled Can discover runtime and environment-related issues. The second icon is of a mobile phone and is labeled Typically scans only apps like web applications and web services. [Video description ends]
Let's take a look at some common tools that you want to be aware of. One of the things these tools will test for against your website is if you have extended validation certificates and if they've been signed.
[Video description begins] Screen title: Scenario: EV Certificate Code Signing [Video description ends]
That is one of the countermeasures you can implement on your public websites to provide a greater degree of security. So, for example, this can be on a certificate. It can be done with an API call. This code signing, it's very important. But for example here, our web application code is going to be run through a hash function. And again, that code in this situation would actually be the certificate that's granted to us by, let's say, Verisign or Thawte, or Entrust, or GoDaddy, someone like that.
So the actual certificate itself, which is signed by the trusted third party using their secret key or their private key, goes through a hash function. That resulting hash gets encrypted with the private key. The signature's attached to the actual certificate, and then we have a code signed certificate.
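To make the hash-then-sign step concrete, here is an added Go example (not from the course) that signs a constructed code artifact with a freshly generated RSA key and verifies it, showing that one changed byte or an unrelated key makes verification fail. The artifact contents, the 2048-bit key and the SignedArtifact type are assumptions for the demo; the certificate chain that vouches for the publisher's public key is left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedArtifact is what ships to the client: the code plus a detached
// signature over its SHA-256 digest. The publisher's certificate, which carries
// the matching public key and the CA's signature, is not modelled here.
type SignedArtifact struct {
	Code      []byte
	Signature []byte
}

// NewPublisherKey generates the publisher's signing key pair (2048-bit RSA).
func NewPublisherKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignCode runs the code through SHA-256 and signs the digest with the
// publisher's private key (RSA PKCS#1 v1.5): the "hash, then encrypt the hash
// with the private key" step described in the lesson.
func SignCode(priv *rsa.PrivateKey, code []byte) (*SignedArtifact, error) {
	digest := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedArtifact{Code: code, Signature: sig}, nil
}

// VerifyCode recomputes the digest over the received code and checks it against
// the signature with the publisher's public key. A single changed byte in the
// code, or a signature made with another key, makes this return false.
func VerifyCode(pub *rsa.PublicKey, a *SignedArtifact) bool {
	digest := sha256.Sum256(a.Code)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], a.Signature) == nil
}

func main() {
	priv, err := NewPublisherKey()
	if err != nil {
		panic(err)
	}
	// constructed sample artifact
	art, err := SignCode(priv, []byte("console.log('hello from the app');"))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact verifies:", VerifyCode(&priv.PublicKey, art))
	modified := &SignedArtifact{Code: append([]byte{}, art.Code...), Signature: art.Signature}
	modified.Code[0] ^= 1 // one changed byte
	fmt.Println("modified artifact verifies:", VerifyCode(&priv.PublicKey, modified))
}
```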
Applying the Secure Software Development Life-Cycle
Okay, let's assume that you work for a manufacturing firm, and you brought in some new robotics to automate some of your processes. And you want to develop a front-end software application that can be used not just for the administration of the robotic equipment, but also to give you a user interface that can interact with that robotic device in a more user-friendly way.
So let's say that's our application, that's our software, you want to apply a secure software development life cycle. So, obviously the first phase will be called formation. This is where the project gets initiated.
You're going to have a ROM or a Rough Order of Magnitude development estimate for this graphical interface for your robotic tool. In phase 2 is where we have requirements and planning.
This is the requirements definition, so what is the functional requirement of this interface, this software interface as it interacts with the robotic equipment? What are the technical requirements, okay? Are there certain browser limitations?
Are there certain operating system or client-side limitations? If project management's going to be involved, let's say PRINCE2 or PMP, you'll have a project management plan or a charter. And then you'll have a review of the requirements.
There may be the launching of an SOW, a statement of work. And during this process, any iterative changes, any approvals need to happen. You'll have a change of scope document, and possibly a change control or RFC, request for change, type document. Phase 3, we're ready for design.
The internal design, the external design, review of the design, a detailed project development plan. This is where the change control process kicks in. This is where your real documentation starts to be gathered.
Then we have our construct phase, where you'll build your prototype. At this point, you'll bring in your power users or some of the key personnel who'll ultimately be working with the software and the robotic equipment. Maybe not too many people, maybe just two or three key power users or supervisors. You'll start training them.
Here's where the code review, or the static AST, will start to be done. After the prototyping or sandbox testing and code review, we move on to the other testing, system tests, for example, and a test summary. We're still involved in training at this point.
We're doing a lot of documentation, and we're still working through the change control process. With our change management database, any other workflow processes, any other types of approval methodologies as well.
Finally, we're going to release this product, we'll look for operational acceptance, and then we'll generate an acceptance document. Here's where all of the end users, all of the operators who will interface with the robotic equipment using this software program are going to be trained and actively using this in production.
And then, finally, phase 7 is post implementation. This is where we do our enhancements, our upgrades, our updates, ongoing maintenance, continual improvement. We'll have a final notification of the project implementation, so we can wrap up the project. And we'll also populate our change control log along the way.
And then possibly, an after action report and lessons learned. And use that as part of our knowledge base for the next application we develop in house as part of our DevOps team. So again, an example of applying a secure SDLC, of course, with security being considered all along the way.
In the form of access controls, least privilege principles, dual operator, secure coding practices. All the things to be aware of while developing applications.
Cloud Application Architectures
I want to briefly cover five key steps to building a secure cloud-ready application. First, we want to make sure that we design our application as a collection or a set of services. Cloud applications are best deployed when they're a collection of APIs or cloud services. These can even be serverless like Google Cloud Functions or AWS Lambda, or you could use containers like Docker or Kubernetes. Basically building up from the data to the services, and then combining those services into composite services or complete composite applications. We call this a service-based or an SOA, Service-Oriented Architecture.
Next, you want to decouple the data whenever possible. If you tightly couple data to the application, it's not going to work well in the cloud. Realize that private clouds and public clouds are complex distributed systems that actually function better when the application architectures break the processing and the data into separate components. And this really ties into number one for the same reason we build out applications as sets of services. Once we perform this decoupling, we can then store and process the data on basically any public or private cloud instance.
We can store the data as object-oriented or block storage. We can use big data services. We can leverage powerful analytical tools. It becomes much more flexible. For example, for the data that is supporting your web front end, it's much easier to use caching services for your content distribution networking. Third, we want to consider the communications between application components.
So from an Amazon Web Services standpoint, to accomplish these first three steps, you might use things like Simple Queue Service, SQS, for decoupling the applications, and Simple Notification Service, SNS, for providing communication between the modules and the components. If you have application components that are chatty, in other words, they're constantly communicating with each other, this is going to reduce the performance of the overall application. Especially if they're distributed over a network or over the Internet, where latency issues are common.
So we want to focus on designing applications that optimize communications between the components or the modules. For example, combine communications into a single stream of data or a group of messages. Using, for example, AWS SNS as opposed to constantly communicating as if the application components were on a single platform. We also want to plan and design for high performance and the elasticity, so taking advantage of auto-scaling and the elastic load balancing services.
Also understanding how the application's going to scale under an increasing load. Design for performance, so you have to first build a model or a prototype that represents how the application will behave under an increasing load. The good news is, public cloud providers make this much easier than doing this the traditional way in your on-premises data center. This also includes monitoring and visibility tools as well. Then obviously, you want to make security systemic, okay. We want to build security controls and practices into the application life cycle and in the overall product or service.
Security cannot be an afterthought. It has to be introduced early on in the initiation phase. And especially when hosting applications in the cloud, security should be a top priority. Make sure you pick a security approach and technologies before you build your application. And, of course, remember things like regulations. So if this is going to be used by the healthcare industry, think HIPAA; the financial industry, think Sarbanes-Oxley.
If it's going to be credit card related, PCI DSS. If it's going to be doing business in the EU, GDPR, and so forth. This also means, of course, being highly reliant on secure principles like least privilege, dual operator, mediated access. But also taking advantage of cloud providers, and their identity, and access management services. And whether you're using Microsoft Azure, or AWS, or Google Cloud Platform, they all have robust and powerful identity and access management services. And, of course, the ability to leverage single-sign-on solutions that are already using existing directories. And using services like SAML 2.0 or OpenID Connect, and other federated technologies.
Federation and Single-Sign-On Solutions
Now, we've already talked about the importance of using identity and access management with the different providers. Whether it's Amazon, or Google, or Microsoft Azure.
[Video description begins] The screen displays Authentication Providers page of Amazon Cognito. This page has various tabs, namely Cognito, Amazon, Facebook, Google+, Twitter / Digits, OpenID, SAML, and Custom. The Cognito tab is selected by default. This tab shows two field bars. The top field bar has an option to enter User Pool ID. Below this field bar, there is another field bar to enter App client id. At the bottom-left corner, the page shows the Add Another Provider button. At the bottom-right corner, the page shows two buttons, namely Cancel and Create Pool. [Video description ends]
However, if the users start to get to be, let's say, into the dozens or more, you may want to start looking at either single-sign-on solutions or federation. Now federation is the practice of establishing trust between a system that acts as an identity provider and other systems that we call service providers.
So they're going to accept authentication tokens from the provider. So we can use federation to centrally manage access to either multiple accounts, multiple billing accounts, multiple root accounts, multiple subscriptions in Microsoft Azure. Or, you can use this as a method to allow other people to get access to your apps or your services. Using things like their Amazon credentials, Facebook, Twitter, their Gmail account. Or you can use other solutions like OpenID and SAML.
So if it's an Amazon Web Services scenario. You might want to go ahead and choose their SAML 2.0 federation to kind of give you a single-sign-on solution. If it's Azure, Azure is going to use OpenID Connect and OAuth for their authorization. What we see here is actually what's called Amazon Cognito, which integrates multiple authentication methods. So, you could actually create your own user pool in Cognito. You can see that right here, a User Pool ID and an App client id. You can create your own user pool. Or you could go and you could rely upon Amazon, Facebook, or other methodologies.
So, for example, let's say you develop an app and you want to make it available either through, you know, via an app store or through a website. And you've seen this before, you can give people the opportunity to create their own account, their own profile, and add their own information. And if that were the case, that would be populating your Cognito user pool, your own user pool. But you might also give them the choice on the login page or the main portal to use their Facebook account, or their Twitter account. If that's the case, they could also choose that option as well.
So that's what we're talking about here with the flexibility of using something like Cognito as a managed service. Now, Amazon Web Services and Google both provide their own single-sign-on services. So for example, if you have Active Directory already, you can integrate with their own instance of Active Directory up in their cloud. And of course, obviously, Microsoft Azure is going to make this easy, probably the easiest of the three when you're dealing with Active Directory. Okay, so that makes sense with Active Directory integration, Microsoft Azure is going to be the smoothest and the easiest. But the other providers offer these solutions as well.
[Video description begins] Screen title: Federation and Single-Sign-On Solutions [Video description ends]
So, for example, your on-premise identity provider could be Active Directory. It could be some other LDAP-based identity store. But if you're using Amazon Web Services, for example, and you're accessing resources inside of a virtual private cloud. Or maybe other services outside of the virtual cloud.
Let's say, an S3 bucket, then what AWS is going to use is a token service. So in other words, when you deal with the federated solution, you never actually process the actual credentials of the service provider. You have a token that is used in place of those credentials. That's very important to remember, especially when you implement these in the real world. So, if we're using, let's say, Cognito and we want to add user sign-up, sign-in, and access control for, let's say, a web or a mobile app.
We can do it very quickly because it scales to millions of users. It also supports sign-in with those providers like Facebook, Google, and Amazon, as well as enterprise identity providers using SAML 2.0. That's what we're seeing right here in this diagram. So it's a fully managed service and user pools can be set up without any, you know, worrying about the server infrastructure.
Okay, so basically it's a Platform as a Service solution. And then the user pools will provide user profiles and authentication tokens for users who sign up directly. And as well for federated users who sign in, let's say, through Facebook or their Amazon account, or what we called an enterprise identity provider.
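To show what "a token used in place of credentials" means on the service provider side, here is an added Go example (my own code, not AWS or Cognito code) in which one function plays the identity provider minting an RS256-signed JWT after it has authenticated the user, and another plays the service provider, which accepts the token only after checking the algorithm, the signature, the issuer, the audience and the expiry. The issuer and audience names, the Claims subset and the NewIdPKey helper are constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims a service provider must check before
// trusting a federated sign-in.
type Claims struct {
	Iss string `json:"iss"` // identity provider that minted the token
	Aud string `json:"aud"` // app client / service the token is meant for
	Sub string `json:"sub"` // the user
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

var enc = base64.RawURLEncoding

// NewIdPKey generates the identity provider's signing key (2048-bit RSA).
func NewIdPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// MintToken plays the identity provider: it issues an RS256-signed JWT after the
// user has authenticated there. The user's password never appears in the token.
func MintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// VerifyToken plays the service provider. The token is accepted only if the
// algorithm is the expected one, the signature verifies under the IdP's public
// key, and issuer, audience and expiry match this service. now is Unix seconds.
func VerifyToken(pub *rsa.PublicKey, token, wantIss, wantAud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := enc.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm: "none" or an HMAC alg is rejected
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q is not a trusted identity provider", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q is not this service", c.Aud)
	}
	if now >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	priv, _ := NewIdPKey()
	now := time.Now().Unix()
	// constructed issuer and audience names standing in for a real IdP and app client
	tok, _ := MintToken(priv, Claims{Iss: "https://idp.example", Aud: "robot-console", Sub: "alice", Exp: now + 300})
	c, err := VerifyToken(&priv.PublicKey, tok, "https://idp.example", "robot-console", now)
	fmt.Println(c, err)
}
```

In a real deployment the public key comes from the identity provider's published key set rather than from the same process, and the audience check is what stops a token issued for one app client from being replayed against another.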
Advanced Cloud Security Services and Products
Okay, in this lesson, I want to do a web safari. Kind of a demonstration to look at the three main cloud service providers, and the ones you'll most likely be working with. We're going to start with the biggest by far, which is Amazon Web Services. Which is five times bigger than the next competitor, which will be Google Cloud Platform.
[Video description begins] The screen displays the AWS Management Console web page. The page contains two tabs, Services and Resource Groups. The left side of the page contains a section labeled AWS services. There is also a search field labeled Find Services. [Video description ends]
At AWS, there are a couple of things you're going to want to do. All of these, by the way, allow you to create an account that gives you up to a year of different types of free access or free credits. So you should go and create an account using an e-mail address.
Or create a new e-mail address with some company like, you know, Gmail, or Zoho, or someone like that. And go and get a basic account from AWS, Google, and Microsoft Azure. And familiarize yourself, first of all, with all the different services. And realize that there are four main categories of services typically with all of the CSPs. The first is the Compute services.
[Video description begins] He clicks the Services tab. Now, the page displays different services organized into categories such as Compute, Storage, Robotics, Analytics, Management & Governance, and so on. The left pane displays a History label and contains a history of recently visited services. At the top of the page is a search bar to find a service. [Video description ends]
Then you have your Storage services. Then you have Database services. And then, technically speaking, Networking & Content Delivery would be that fourth core service.
[Video description begins] He scrolls down the page to highlight different categories of services, such as Compute, Storage, Database, Networking & Content Delivery, and Machine Learning. Each category has different services listed under it. [Video description ends]
Now Google Cloud, they consider Machine Learning a fifth core service. And so there are some differences here. But the first thing you're going to want to do is to familiarize yourself with those main core services: Compute, Storage, Database. And realize that with Storage, we're looking typically at different tiers of object storage.
Or, if it's an encrypting file system, for example, it'll be block-based storage, so different categories. So under Compute, you'll have server-based computing like spinning up instances, you know, with EC2. Or spinning up instances of Linux or Windows servers in Google Compute. But they also have serverless, okay, or Functions as a Service. So it's serverless running code in the cloud, like Lambda or Google Functions.
[Video description begins] He hovers the mouse over EC2, Lambda, and Elastic Beanstalk services listed under Compute category. [Video description ends]
And then you'll have some rapid deployment, a kind of managed services from these providers like Elastic Beanstalk from AWS. Storage, like I said, is going to be object storage or block storage. Your Database services are going to fall into the categories of being typically a SQL-type database or a NoSQL document-type database.
Those are the two main categories there. Then a lot of different, you know, managed and semi-managed options. And then of course, at the core of networking is creating your own virtual private cloud or your own virtual private clouds.
[Video description begins] He hovers the mouse over VPC service under the Networking & Content Delivery category. [Video description ends]
And then, of course, Machine Learning is probably the next big category. All the providers are heavily involved in, you know, artificial intelligence, machine learning.
[Video description begins] He hovers the mouse over Amazon Translate services under the Machine Learning category. [Video description ends]
Using these algorithms, for example, for things like translation services. So taking every different variant across the planet of the French language, regardless of whether you're from Montreal, or Cameroon, or Vietnam, or Belgium, or France.
And taking all those different dialects and translating them through machine learning into one language like English or German, for example. And then, of course, understand the different security offerings.
[Video description begins] He hovers the mouse over different services listed under the Security, Identity, & Compliance category such as IAM, Resource Access Manager, Cognito, Secrets Manager, GuardDuty, Inspector, Certificate Manager, Key Management Service, CloudHSM, WAF & Shield, and so on. [Video description ends]
And this is where you can learn so much. They're all going to have an identity and access management service. But they may also offer other types of federated and single-sign-on services, advanced security like GuardDuty and Inspector, certificate management, and Key Management Service. They'll all offer some type of Key Management Service.
They'll all offer some type of application layer gateway or firewall. Here it's called WAF, Web Application Firewall. And other tools, for example, like a cloud-based hardware security module, okay. So that's at AWS. The next largest would be Google Cloud, okay.
[Video description begins] He switches to the web page showing the Google Cloud Platform. The top ribbon section shows a My First Project menu. There are two tabs on the page, DASHBOARD and ACTIVITY. A Navigation menu button is available in the top-left section. In the top-left corner, the page shows Project name, Project ID, and Project number under a Project info section. The middle section shows APIs with a chart of Requests. In the top-right section, the page shows the Google Cloud Platform status. Below the Google Cloud Platform status, a billing section displays. [Video description ends]
So here you can see Google Cloud Platform, My First Project. And if I go up here to the Navigation menu, you can see that they have kind of broken these up again into COMPUTE, into STORAGE, into NETWORKING.
And then here's STACKDRIVER, which is their set of tools for monitoring both AWS and Google, okay. And then you've got some BIG DATA tools down here as well. Their machine learning is in the ARTIFICIAL INTELLIGENCE area.
[Video description begins] He clicks the Navigation menu button and a Navigation Pane opens on the left corner of the page. This pane displays various services under categories such as COMPUTE, STORAGE, NETWORKING, STACKDRIVER, ARTIFICIAL INTELLIGENCE, and so on. He hovers the mouse over services listed under these categories. [Video description ends]
They're all going to offer container services, Docker and Kubernetes, okay.
[Video description begins] He hovers the mouse over Kubernetes Engine service under the COMPUTE category and a sub-menu opens. This sub-menu shows options such as Clusters, Workloads, Services, Applications, Configuration, and Storage. [Video description ends]
All of them will do that.
[Video description begins] He hovers the mouse over IAM & admin service and a sub-menu opens. This sub-menu shows options such as IAM, Identity & Organization, Organization policies, Quotas, and so on. He clicks the IAM service. The IAM page opens. This page shows a page titled Permissions for project "My First Project." Also, this page has two tabs, namely MEMBERS and ROLES. There are ADD and REMOVE buttons in the top-left section of the page. The MEMBERS tab is activated and it shows Type, Members, and Role of the listed members. [Video description ends]
And then like I said earlier, they're all going to offer some type of identity and access management features. Where you can create your own users and roles and groups, or you can leverage, you know, your Active Directory implementation.
So, familiarize yourself again with the different offerings, the different services, and especially the different security offerings. So we come down here to Security, and they have, you know, a Cryptographic Keys manager, they have proxy services.
[Video description begins] He hovers the mouse over Security services and a sub-menu opens. This sub-menu shows options such as Security Command Center, Identity-Aware Proxy, Cryptographic Keys, Binary Authorization, and so on. [Video description ends]
Here's Azure, Azure also has its various services, its icons, okay.
[Video description begins] He switches to the Microsoft Azure web page. This page displays a section of Azure services. Under this section, there are various icons of services such as Virtual machines, App Services, Storage accounts, SQL databases, and so on. He hovers the mouse over different services to highlight them. In the left section, the page has a Navigation Pane with services listed under FAVORITES section. [Video description ends]
Compute services, its App Services, storage, SQL, okay, kind of the same type of thing. They're going to support, you know, PostgreSQL, MySQL, and maybe other variants. They also have their own container-based Kubernetes service. You'll also want to go take a look at their Security Center and be aware of the security services that are offered through this particular CSP.
[Video description begins] He clicks the Security Center service from the left pane. The Security Center - Getting Started page displays. It has its own Navigation Pane on the left side with services listed under different categories, namely GENERAL, POLICY & COMPLIANCE, RESOURCE SECURITY HYGIENE, ADVANCED CLOUD DEFENSE, THREAT PROTECTION, AUTOMATION & ORCHESTRATION, and so on. He scrolls down to highlight different options under these different categories. [Video description ends]
So you can see that they break theirs down here into POLICY & COMPLIANCE. They've got RESOURCE SECURITY HYGIENE, providing security for their main core areas: Compute & Apps, Networking, Data & Storage.
They have their ADVANCED CLOUD DEFENSE solutions, okay, Adaptive application controls, File Integrity Monitoring. They have their THREAT PROTECTION and also their own security AUTOMATION & ORCHESTRATION.
So again, I stress the importance of just kind of getting your fingers in the pie of the different security solutions that provide technical controls and administrative controls for your IaaS, PaaS, and even your Software as a Service solutions.
Don't forget that all of these different providers are going to have their own partnerships. Microsoft has a bunch of partners where you can, you know, use their different services. AWS is also going to have their partnerships.
So, if you want to go to, let's say EC2 here, and you want to go look at some managed solutions, you could do that. Okay, you could go look at AMIs that are from the marketplace, okay.
[Video description begins] He switches to the AWS Management Console page. He clicks the EC2 service under the Compute category. The EC2 Management Console page opens. This page displays a Resources section. Also, there is an EC2 Dashboard Navigation Pane on the left section with different options under various categories such as INSTANCES, IMAGES, ELASTIC BLOCK STORE, and so on. He clicks the AMIs option under the IMAGES category. The AMIs page opens and it shows a search field. There is also a link to find more than 500 AMIs from the AWS Marketplace. He clicks the link. [Video description ends]
So if you go here, you can see the AWS Marketplace.