Cloud Data and Application Security
This is a guide on cloud data and application security.
Isolation and Cloud Storage
In the cloud environment, most of us tend to use the multi-tenant environment where we get to use the shared infrastructure. For instance, we use the same storage space along with the other users. Now, that can cause a lot of problem, because if one user's data is compromised, it is compromised for other users as well. And data for all these users can also be very well-compromised. So, there are two types of storage isolation methods that can be enforced. So, the first one is Separation.
Now, separation requires the data owned by two users with conflict of interest should be physically isolated on different storage devices. Second one is Dedication. When you talk about dedication, it requires a physical storage device that is used for one specific user. Basically, there is a dedicated storage device that is assigned to one particular user. Now, there are different types of isolation methods. So, the first one is Performance isolation. Now, a lot of users use storage. There is a unnoticeable contention of resources and access time delays in the system.
To be able to minimize the impact on the storage and system resources, you need to filter the user request that slow down the storage access for other users as well. So basically, what you're trying to do here is, you're trying to monitor the performance of the storage systems, and you're trying to see which user is causing the performance bottleneck. So, isolate that user so that you can have the performance back on track. Then you're talking about Transactional isolation. Now, when you talk about transactional isolation, it defines how concurrent transactions should access data, and that too without violating the integrity of the data in the storage system. Now, transactional isolation is typically applied in the databases where transactions have four different properties called ACID, which stands for Atomicity, Consistency, Isolation, and Durability.
Now, the final one is Client-centric consistencies, which defines how and in which order that update to the data should be propagated to the servers. So basically in which order should the update happen and how should it happen? And when you're talking about client-centric consistency, this is more applied to the distributed systems where lot of users tend to replicate data across different servers, and updates are applied on to these systems in terms of data updates. And of course, you know that causes slowness, uncertainty of the network delays. And that also means when you're talking about lot of data replications happening between systems, data updates are happening in parallel. So of course, you need to have some kind of consistency to ensure data is not losing its integrity or data is not getting corrupt. So there you apply Client-centric consistencies.
Just to recap, we learnt about the proof of isolation, which were separation and dedication. Then we looked at types of isolation, which is about performance isolation, transactional isolation, and client-centric consistencies.
Microdata Access
When you talk about the data on-premise data center, the data is pretty much still in your control. But what happens when you put the data in the cloud? It is virtually out of your control. So unless or until you know how to manage your data properly, you will not have any control on the data whatsoever. So let's look at how do we apply certain type of access to data? And how do we insure that data retains its integrity and confidentiality even though it is put in the cloud? So we are talking about the Customer-side encryption.
Before you put your data on the cloud, you have to ensure the data is encrypted. Now, this is going to be essential because you don't know who's sitting on the other side of the cloud. If your data is not encrypted, somebody can very well misuse that data. So you have to ensure that the encryption is applied on every single file that you upload in the cloud. Then you're talking about Data privacy and reliability. Now, the privacy of the data can only be maintained if it is secure and it is not given to somebody else. The data privacy can only be maintained if the data that belongs to you is still with you without getting into the hands of the wrong people.
So for instance, if you have uploaded a file that contains your social security number, your telephone number, and your home address. First rule, avoid uploading that kind of information in the cloud itself. Second, if you have to upload that file because that is where you store most of your data, make sure that file is encrypted so that even if somebody gets hold of that file, it is virtually of no use to them. Now, as far as reliability is concerned, that is the responsibility of the cloud service provider. So when you upload your data, you're uploading the data in the cloud for one single reason that you want to access it from anywhere anytime. Now, that reliability has to be provided by the cloud service provider. Then, you're talking about the Privacy of the user. When you're talking about the privacy, it is about ensuring that the details are not revealed to third party, or any kind of insider person, or any kind of attacker or hacker. Now, why would that be critical? Because if somebody's privacy is compromised, then there can lot of things go wrong.
For instance, somebody can simply use the identify-theft method and impersonate that person and do lot of wrong things which are unlawful, which are illegal. So obviously, you need to ensure that the privacy of the users is maintained. And then we are talking about Privacy and integrity of the data storage. Now, when your data is outsourced to an external server in the cloud, which means, server belonging to the cloud service provider, you do not know whether the privacy or integrity of the data storage is going to be maintained. So what you have to do is, you have to take utmost care and ensure you apply specific controls. Like you may want to encrypt that file, you may want to put a password on the file, or you may want to apply proper access control so that the data integrity is still maintained. So now when we are talking about the architecture or application and data access, there are primarily three components. The first component is the Data Edge. Now, this is something that provides the data plane between the user and the application. And it also provides data security, application performance, and optimization components. Then we are talking about the Management Edge.
Now, this Management Edge provides the management logging, reporting, and configuration capabilities. Management Edge along with the Data Edge are based on the secure multi-tenant architecture. Now then comes the Enterprise Connectors. When you're talking about Enterprise Connectors, users connect to the applications through a single sign-on service in most cases. So when they do that, they need to simply provide their user credentials to gain access to the application. Now, when you're talking about the Enterprise Connectors, users connect to the enterprise application using a single sign-on service, which means, multiple applications have been bundled together. Now, when a user enters the credentials and logs on to one particular application in that package, he or she can log on to all the applications that have been bundled together using Enterprise Connectors in that particular package.
So now, just to recap, in this video, we talked about the customer-side encryption. We talked about the data privacy and reliability, privacy of users, privacy and integrity of data storage. Then, we also talked about the architecture of application and data access which had three components, Data Edge, Management Edge, and Enterprise Connectors.
Secure Deployment Practices
When you're building an application, there are certain security aspects that you have to keep in mind. Without keeping these security aspects in mind, you cannot build a secure software. Now we're going to look at some of the key points in this context. So first one is, Handling data. This is one of the critical points. How do you handle data within an application? Now, do you leave the data in cleartext or do you encrypt the data? So this has to be handled very, very efficiently and correctly. Now imagine if you're going to be storing the data in cleartext and the data we are talking about is sensitive data, something like passwords, social security numbers, credit card numbers.
Now this can be one of the biggest problems or the security issue within the application that you're developing. You have to correctly handle this kind of data within your application. Then we are talking about Code practices. How are you coding your application? Is it that you are providing too much information within the code itself? For instance, the error message that are generated give too much information. Now as an attacker, if I get too much information from the error message, I know what to do, and how to break into your application. Similarly, you're not building any kind of credentials within your code. A lot of times, just for the development sake, a lot of developers build hard coded credentials within the application. Now, this is something that you should strictly avoid. Why would you want to do that? Because if the attacker gets hold of the code, he or she will be able to figure out how to get into your application by using the hard coded credentials. So you have to be very cautious in this context. So for instance, now if somebody takes the application and extracts the HTML and Script, now what happens after that?
There is a lot of information this attacker is going to walk out with and then use the same information against you in cracking that particular application. Then comes the language options. You have to be very, very sure of what language you choose when you're developing an application. Now, these languages may have a lot of vulnerabilities. So you don't want to use those kind of languages. For instance, if you talk about C language, it is unable to detect and prevent improper memory allocation which leads to buffer overflow attacks. You don't want to to use this kind of language, if you're building a sensitive application.
Then we are talking about Input validation and content injection. Now let's say there is a form within an application and I am adding something within that particular field within that form. So what do I add is what the application needs to validate. What if I simply add a script into that field? So what happens after that? This means I am able to launch a cross scripting attack within the application. Now we don't want that to be happening. So therefore any input that is being added to the application must be validated.
Then we are talking about the physical security of the system. Now if you're talking about on-premise data centers, the security of the data center, you being the IT professional is your responsibility. Now, we are talking about the cloud system, the physical security is the responsibility of the cloud service provider. But in any case, physical security of the systems is a must in all situations, be it the on-premise or the cloud data center. Because you don't want somebody to just walk out of your data center with a server or a hard drive that contains critical data. So therefore, you have to implement optimal level of physical security. Maybe you can add cameras. Maybe you can add motion sensors or deploy a security guard. It depends what kind of security you want to implement. But whatever you do, make sure your systems are physically secured. Now there are a lot of standards and frameworks that are there for secure cloud software testing.
Some of these are, the International Organization for Standardization, which is known as ISO 9126, that defines a quality model for a software project. Then we come to System Security Engineering Capability Maturity Model which is known as SSE-CMM. Now, this one ensures that you develop secure system based on the software engineering Capability Maturity Model. Then we come to Open Source Security Testing Methodology Manual which is known as OSSTMM. Now, this one provides the guidelines for security auditing methodology which assesses against the regulatory and industry requirements. Now just to recap, we learnt about some of the application security software requirements which includes handling data, code practices, language options and so on.
Then we also looked at some of the key frameworks for secure software cloud testing and these frameworks includes ISO 9126, SSE-CMM and OSSTMM.
Identity Access Control
When you talk about identity management, it deals with two key things. The first one is identifying the individual in a system. And then the second thing is, it controls their access to the resources within that system by associating the user rights and the restrictions. Now, access management deals with Identity management and Access management. And then it also deals with Identity repository and directory services. So when you're talking about access management, it first identifies who you are. And once it identifies you, then it will ask you, what do you have to access?
Once both these things are clear, you are granted access to a particular object in the system. So we are not talking about a single identity here. We are talking about a repository of identities and we are dealing with a repository of identities. So when you talk about the identity repositories, these provide directory services for the administration of user accounts and their attributes. When you're talking about a directory service, something like Active Directory, it is a repository of users and systems. And basically what it does is stores these objects and their attributes. Now, the directory services are customizable. You can customize the attributes of a single or multiple objects. Now, the benefit of directory services is that you get a single point of administration. And using that, you can assign access to resources and services to the users and group. When we are talking about the Federated Identity Management, it provides the policies, the processes, and the methods that can help you manage identity and access to the systems across the organizations.
So when you're talking about federated, it means that the generation of token, which is authentication, is happening in one domain. And the consumption of these tokens, which is authorization on the resources, is happening in another domain. So some of the federation standards are WS-Federation, OpenID Connect, OAuth, and SAML. So you can adopt any of these standards and use federated identity management by adopting any of these given standards. And many of these applications over the Internet, specifically the web applications that I'm referring to, use these kind of federated identity management solutions. And they allow the users to access the resources within their own domain. So this means a user using the Facebook ID or a Google ID can access any of the resources, if the user has the access on those resources within your web application. Now, what is multi-factor authentication? As the multi-factor authentication goes by many different names, it is also called the two-factor authentication. It is also called the strong authentication.
Now, the general principle behind multi-factor authentication is to provide an extra layer of protection. Now, how does that happen? So you have to verify the identity of the user twice, or more than twice. So which means, let's say if I provide the password, then I'm asked to provide One-time Password, which is OTP. Or I could be asked to do finger scanning. Now, these are some of the options. So multi-factor authentication can comprise of different components. One is What you know. Second is What you have. Third is What you are. It could be different things. So what you know is something like a password. What you have is something like a hardware token which generates the passwords. Or what you are could be your biometric, maybe a fingerprint or the retina scan. So there are different contexts that can be combined when it comes to multi-factor authentication.
Now, just to recap, we talked about the identity and access management system and its capabilities. We talked about the federated identity management. And then we also talked about the multi-factor authentication.
IAM in AWS and Azure
To be able to do that, we'll first create a user here. And with that user, then we'll go ahead and configure multi-factor authentication.
[Video description begins] He clicks the Users link, which opens a Users page. This page shows two buttons at the top, Add user and Delete user. In the main pane, this page shows an empty table of users with various columns, such as User name, Groups and so on. [Video description ends]
So let's first create a user. And now once we have created a user, then we'll be assigning the autogenerated password.
[Video description begins] He clicks the Add user button, which opens an Add user page. This page shows a User name field bar and two check boxes for Access type, Programmatic access and AWS Management Console access. [Video description ends]
So let's click on Add user and then define a name for this user.
So let's say howard for this particular user. So once we have defined the name for the user, we can now assign permissions using Programmatic access or AWS Management Console access.
[Video description begins] He clicks the AWS Management Console access option, and various other options appear for Console password and Require password reset. [Video description ends]
We just select Console access and we will leave the password to autogenerated. Now we don't want the user to reset the password at the next login, so we'll just leave that option.
[Video description begins] He clicks a Next: Permissions button at the bottom of the page, which opens a Permissions page. This page shows three options in a Set permissions section, Add user to group, Copy permissions from existing user, and Attach existing policies directly. Below the Set permissions section, there is an Add user to group section, which shows two buttons, Create group and Refresh. In this section, we also have a table, which shows a group. [Video description ends]
Now, lot of people do similar kind of jobs and similar functions. So they can be put together in one particular group. So in one of the previous courses, we had created a user group called Employee_RO.
So we are going to add this particular user to this group and move ahead.
[Video description begins] He selects the Add user to group option and the group from the table, and then he clicks a Next: Tags button at the bottom of the page. This action opens an Add tags page. This page shows two field bars, Key and Value (optional). [Video description ends]
We can also define some tags for this particular user. So let's define the Key as the Name and Value as the user name, which is howard, and then we move on.
[Video description begins] He clicks the Next: Review button at the bottom of the page, which opens a Review page. This page shows all the set options in the previous steps. He clicks a Create user button at the bottom of the page, which in turn shows the newly created user in a table with three columns, User, Password, and Email login instructions. [Video description ends]
Now, let's just review. And once we are satisfied with the review, we can now see that the password is being generated. So to keep to show and hide and copy that particular password, once we will do that, we can go to the user and click on it.
[Video description begins] He copies the password from the table, and then he clicks the Create user button at the bottom of the page, which redirects to the Users page. This page shows the newly created user in the table. [Video description ends]
Now there are certain permissions that you can assign to this particular user.
[Video description begins] In the table, he clicks the user, which opens a Summary page. This page shows various tabs, Permissions, Groups, Tags and so on. Currently, the Permissions tab is open. This tab shows an Add permissions button. [Video description ends]
So for this time, we will just not do that and we will click on the security credentials tab.
[Video description begins] He opens the Security credentials tab, which shows various kinds of information, such as Summary, Console password, Assigned MFA device and so on. [Video description ends]
Notice that there are a lot of configuration that we can do as far as security is concerned. And before we do anything, we'll just go ahead and create a MFA device for this particular user.
[Video description begins] He clicks a Manage link, which is placed right to the Assigned MFA device information. This action opens a Manage MFA device dialog box, which shows three radio buttons, Virtual MFA device, U2F security key, Other hardware MFA device. [Video description ends]
So now, obviously, there is no hardware device that is here. So we are going to use a Virtual MFA device, which is Google Authenticator. So we will select that.
[Video description begins] He clicks the Continue button at the bottom of the dialog box, and a Set up virtual MFA device dialog box opens. This dialog box shows a Show QR code link. Also, there are two field bars, MFA code 1 and MFA code 2. [Video description ends]
Now, there is a QR code that we have to scan with the Google Authenticator app. And there is going to be two MFA codes that are going to get generated, and we'll have to feed in here. Once these codes are recognized by AWS, we'll have to basically go ahead and assign MFA, which is by clicking on the MFA button. Now, once all this is done, two factor authentication will be configured. So it will be prompted to provide a password, which we have generated. And we'll be asked to provide a code, which could be a numeric code generated through the Google Authenticator tab.
In this video, we learned to configure identity and access management. We also added the user to a particular group. And then, towards the end of the video, we also configured a virtual MFA device, which is a virtual multi-factor authentication device. That is Google Authenticator in this particular video.
Life Cycle of Software
When you're developing applications for the cloud environment, there are certain software life cycle standards that you can adhere to. So let's look at some of them. The first one is Distributed Management Task Force. Now, this is an international organization which comprises of the industry members. So, there are a lot of industry members who are already part of this organization.
Now, DMTF or Distributed Management Task Force designs these standards for application development, adoption, promotion of management standards for multi-vendor interoperability. So, which means that applications should be able to work in multi-vendor environment. Then, let's come to the European Telecommunications Standards Institute, ETSI. This particular organization develops global standards for information and communication technology. Now, this is the organization that has been very active in the grid computing standards. Then, we are talking about Open Web Application Security Project known as OWASP. Now, this particular organization is an open- source community, which is dedicated to enhancing application software security. They have a lot of projects that are running in parallel and most of these are designed to support security for the web applications.
So, they have projects that are dedicated to mobile applications and cloud computing and they also have several projects and documents that can be directly applied to the cloud system security. Now, you also have Organization for Advancement of Structured Information Standards or known as OASIS. This particular organization works in the areas of security, e-commerce and web services and they have various standards related to SOA model, security access, data import and export, and identity management. Then we are talking about International Organization for Standardization which is famously known as ISO and they have a lot of standards that deal with security. These standards are primarily ISO 27001, ISO 27002, ISO 27003, ISO 27004, 27005, and 27006, and there are many more. Now, this particular forum provides support for secure business in global open network environment. Now let's look at Cloud Development Life Cycle . So, when you talk about Cloud Development Life Cycle, it is pretty much the same as the software development life cycle except that your main focus is building highly secure and highly quality-based cloud applications. These applications need to be cost-efficient and of course, they need to meet the business objectives.
So CDLC or Cloud Development Life Cycle facilitates continual improvement to ensure cloud applications are always optimized for the cloud environment. There are different phases in the Cloud Development Life Cycle. So the first phase is Ignite. CDLC starts with education, assessment and strategy. Every organization and every application that they require, it is going to be different. So every organization first of all needs to determine what is that they require and how best they can achieve it in the cloud. Then we are talking about Innovate. Once you know what you need, you need to either look at lift and shift of on-premise application to the cloud, which means any existing running application in your data center can be moved to the cloud. Or you can talk about optimizing an application currently running in the cloud, which means there is an existing application in the cloud that you can further optimize to make it better. And the third one is building a cloud native application that takes full advantage of the cloud and its capabilities. It depends which of these models are you going to adopt.
If you have a readily available application in the on-premise data center, you can just pick it up and see if it is going to fit into the cloud environment. If it does well, then good. Otherwise you will have to make the architectural changes or you might have to add or remove features to ensure that it gets fitted into the cloud environment. If it does not work, you may end up creating an application from scratch or you might take a cloud application and see if you can further optimize it. It depends on the what kind of applications you're looking at, it depends on what kind of requirements you have and it also depends on whether the application architecture itself supports the movement into the cloud. Then you're talking about cloud success.
Now, this is the last phase of this CDLC. In this phase, you're talking about using a framework for continuing innovation. Now, this means you keep coming up with new strategies to make your applications better. So, what happens when you keep innovating? So, you obviously get the end result as a success of that particular application. It is the success of the deployment into the cloud. It is the success of the team that developed it. So, now that becomes a win win case. So, if you do not innovate, if you keep using the old methods, remember the technology will continue to change, your old methods will not work as efficiently as they did ten years back.
So, therefore it is essential to innovate. It is essential to take that innovation into building your application and make something better out of it. Just to recap, we looked at some of the software life cycle standards that can be used to develop applications for the cloud environment. We also looked at Cloud Development Life Cycle which is known as CDLC and its phases.
Encryption and Key Management
The cloud Key Management Service or KMS gives you a centralized control over the cryptographic keys, that you can use to protect your data. Now, when you're talking about KMS, this service can be integrated with various cloud services. Therefore, without having to manage keys separately, you can have all these keys stored in a centralized location. Now, there are a couple of benefits that you get. So, the first one is everything is centralized, which means KMS can be used with different services. Second, keys are secured in the particular KMS that you're using, you don't have to individually manage the keys. And third, of course, even the encryption key themselves get a lot of security because they are stored in a centralized location without you having to manage them separately. And of course, you can limit the access to the KMS so that nobody can just abruptly start using your encryption keys.
[Video description begins] The screen displays the Overview page of AWS Key Management Service. This page shows some related information under different headings, such as Overview, Centralized Key Management and so on. [Video description ends]
Now, let's head over to Azure and see how we can work with something similar to KMS which is known as key vault.
[Video description begins] He switches to the home page of Microsoft Azure. This page shows a search bar at the top, and various options in the main pane, such as Virtual machines, App Services and so on. He searches for key vaults in the search bar, and the drop down shows a Key vaults option. [Video description ends]
Now here, if you already have defined a key, you can use that. Otherwise you can click on Create key vault and
[Video description begins] He clicks the Key vaults option, which opens a Key vaults page. This page shows a Create key vault button. [Video description ends]
create a new vault to store your keys. Before you create a key vault, you have to decide how you're going to design your key system. Which means how many users are going to be accessing this particular key vault. Who's going to have access to these keys? So, you have to be very sure of that.
[Video description begins] He clicks the Create key vault button, which opens a Create key vault page. This page shows four tabs, Basics, Access policy, Networking, Tags, and Review + create. Currently, the Basics tab is open. This tab shows various configuration options, such as Subscription, Resource group and so on. [Video description ends]
So, once we start to create the key vault, we have to choose the subscription model. Now, we have to choose a resource group. So now, there is already a resource group that we had created in one of the previous courses.
So, we'll just go ahead and use this. Then you have to define a name for your key vault. And once you do that, if it is unique, it will be checked, okay, you can go ahead. Then you have to select the region, which region should store your key vault. So, I'll just go ahead with the default region. Now moving ahead, there are two pricing options. One is for the standard, and second one is the premium, which uses the hardware security module to store your keys. Now, you can use that, but in this particular video we are just going to go ahead with the standard model. Now, there is something called soft delete. What happens if you accidentally delete your encryption keys from the key vault? You're going to lose your data because you will not be able to decrypt it without the encryption key. So, soft delete will still keep it and you still have the option to recover the keys that you had accidentally deleted.
So that retention period by default is marked as 90 days. But you can range it from anywhere from 7 days to 90 days depending on what is your requirement and what is your organization's mandate. So, you also have Purge protection, which is default 90 days. But you can configure it from somewhere 7 days to 90 days. And once this is set, you cannot change it. So, you have to be very sure what you are doing when you're setting up this particular option. And you can also enable and disable purge protection.
[Video description begins] He clicks the Next: Access policy button, which opens the Access policy tab. This tab shows three check boxes for enabling access, Azure Virtual Machines for deployment, Azure Resource Manager for template deployment, and Azure Disk Encryption for volume encryption. [Video description ends]
So for instance, if you enable it, if anything accidentally gets deleted you can still recover it. Now, how are you going to use these keys? So now, you need to design your access policy because you can map different services with these keys.
So, let's say you know you are going to enable access to virtual machines. You can enable access to Azure Resource Manager or Disk Encryption, which means your data is going to be encrypted.
[Video description begins] He clicks the Next: Networking button, which opens the Networking tab. This tab shows three radio buttons, Public endpoint (all networks), Public endpoint (selected networks), and Private endpoint. [Video description ends]
There is already a root user that has been defined. Now, where should these keys apply? So, there is a public endpoint, which means all network facings towards the Internet. Or you can have a specific and public endpoint which means you will have to add your virtual network. Either you can create it or add a new virtual network. Or you can also add the private network.
So, it depends what is your requirement. Accordingly, you can go ahead. But default section is the public endpoint.
[Video description begins] He clicks the Next: Tags button, which opens the Tags tab. This tab shows two field bars, Name and Value. [Video description ends]
Then you can go ahead and review and create your key vault accordingly. Now, switching over to AWS. [Video description begins] He switches to another tab is the browser, which shows a Key Manager Service page of AWS . This page shows various sections, such as General configuration, Cryptographic configuration and so on. The General configuration section shows various kinds of information, such as Description, Status and so on. [Video description ends]
AWS has Key Management Service that can be used for storing the keys.
[Video description begins] He clicks the AWS logo, which redirects the page to AWS Management Console page. This page shows various available services in an AWS services section, such as Lambda, Batch, S3, Key Management Service and so on. Also, this section has a Find Services search bar. [Video description ends]
So now, this particular service can be used to assign encryption keys to your S3 storage. So, you can click on Key Management Service here. And once you do that, you will see there is already a key that has been assigned.
[Video description begins] He clicks the Key Management Service option, which opens a Customer managed keys page. This page shows a key in a table. [Video description ends]
So, you can take that particular key and assign it to S3 bucket. So, let's head over to S3 now.
[Video description begins] He switches back to the AWS Management Console page. He clicks the S3 option, which opens a Buckets page. This page shows two buckets in a table. [Video description ends]
In this particular S3 module, you will see that there is already a bucket we had created in one of the previous courses. So, we can select this particular bucket.
[Video description begins] He clicks the first bucket in the table, which opens the relevant page for the bucket. This page shows various tabs, such as Overview, Properties and so on. Currently, the Overview tab is open. This tab shows a folder in a table, and various buttons, such as Upload, Create folder and so on. [Video description ends]
And once we get into the bucket, there is a folder that is already there.
[Video description begins] He clicks the Properties tab, which shows various options, such as Object-level logging, Default encryption and so on. [Video description ends]
So, we just go into the Properties tab. Notice that by default there is AWS-KMS data that was configured in one of the previous courses.
[Video description begins] He expands the AWS -KMS option, which shows a Custom KMS ARN drop-down menu. He opens this menu, and selects the MyKey option. [Video description ends]
So, we just select the new key data we had defined and save the configuration. That is what we have to do when we have to define encryption key for a particular bucket in AWS. Now just to recap, we looked at the key vault in Azure and we also looked at KMS in AWS.
SAAS Security
Now if we recall, there are different types of cloud deployment models. One is Infrastructure as a Service, then Platform as a Service, and then Software as a Service. In this video, we will mainly talk about the Software as a Service cloud deployment model. Now in this particular model, everything is controlled by the cloud service provider. You as the end consumer, only gets to work with the application and your own data which you generate within the application. You do not uninstall or install this particular application, but you can only do some level of configuration changes.
[Video description begins] The screen shows a Google Docs page, where two sections are present, Start a new document and Recent documents. In the Start a new document section, there are various document templates, such as Resume Serif, Resume Coral, Letter Spearmint and so on. In the upper right section, there is a button to show various Google apps. He clicks this button and a drop down appears showing different apps, such as Maps, YouTube, Gmail, Translate and so on. [Video description ends]
When we talk about Software as a Service cloud deployment model. So, when you talk about Google Apps, if you look look at there are different applications that are bundled by Google in one single package. So, once you log on to Google, you will be able to access all of these applications. So, it is a single sign-on basically. So, once you log in, you get to access every single application and you do not have to log on to other applications. So, you have Translate, you have Calendar, you have Drive, you have Gmail, you have YouTube, Maps, and then you have Google search. And then you can do your account configuration settings in Account. And basically, all this can be done within Google Apps. So let's see, we are now in Google Docs. So, we can create a particular document, so let's click on Resume. And once this particular application opens, we can make changes to whatever we want.
[Video description begins] He clicks the Resume Coral template, which in turn opens a Resume document in the given template. In the top ribbon, there are various options, such as File, Edit, View, Insert and so on. In the upper right section, there is a Share button. [Video description ends]
We can make changes, and then once these changes are made in this document, it is basically getting edited.
Now anybody who has made changes before you, those changes would be highlighted on top. So, if you see some anonymous person has made the changes, now there are different options you have when you click on the File menu.
[Video description begins] He clicks the File option, which shows a drop-down menu with various options, such as Share, New, Open, Make a copy and so on. [Video description ends]
You can print the document, you can also share this document, right now this document is only with you.
[Video description begins] He goes back to the Google Docs page, which shows the newly opened document in the Recent document section. He clicks this document to open it. [Video description ends]
So ,let's get back, once we go back, then we see whatever documents we access it gets added into the recent documents. So, let's click on one of these documents and see. Here we can make changes. So, let's just type out something random after STREET. So, we just type something and then it gets added. Now, by default, all the changes get saved. So, whatever you add into it, the changes are getting saved on the fly, in real time, in your Google Drive. So, this document is already added to your Google Drive.
[Video description begins] He clicks the Share button, which opens a Share with others dialog box. This dialog box shows a field bar. In the upper right corner, this dialog box shows a Get shareable link option. In the bottom right corner, there is an Advanced option. [Video description ends]
So, you can click Share and now you can share this particular document with specific people. You can also create a shareable link rather than sending the document to specific people. So,k you can click on Advanced, and then you get to see a lot of settings.
[Video description begins] He clicks the Advanced option, which shows a Sharing setting dialog box. This dialog box shows a field bar with the link, and options to change the access. In the bottom, this dialog box shows two check boxes for Owner settings, Prevent editors from changing access and adding new people and Disable options to download, print, and copy for commenters and viewers. [Video description ends]
Basically Google has integrated data loss prevention or DLP into this particular suite of applications they have. Which means, you can prevent users from changing access or printing or downloading this particular file. You can do lot of things which a DLP can do. So this DLP has been integrated into Google Apps by default. So, let's just click on Done and come out of it. So, now we are back on the document, there are a lot of things that can happen to these documents. But remember, it's your data, you have to protect it and nobody else can do.
[Video description begins] He goes back to the Google Docs page. [Video description ends]
Because in the Software as a Service cloud deployment model, the user is responsible for his or her own data. So, whatever data you are generating here, you have to safeguard that data. You have to remember, the cloud service provider will not tell you what to do with this platform. As they have just given you the basic guidance as to how this application works, but whatever data you generate, you have to be responsible for your own data. Now, as far as availability and the functionality of the application is concerned, that is owned by the cloud service provider. Now just to recap, in this video, we looked at an example of Software as a Service cloud deployment model. And this example was the Google Apps.
Business Continuity
Now, when you're dealing with the on-premise data center, it is your responsibility to ensure there is business continuity that has been implemented. So, in case anything happens to your data center or one or more servers, then you are able to get the other servers up and running.
Now, when we are dealing with the cloud, it is entirely a different story. You are mostly dependent on the cloud service provider. In that case, what you have to do is to understand your own responsibilities as a customer or the cloud consumer. And you have to also understand that the cloud service providers role. And what are the responsibility that the cloud service provider owns. Now, when you're talking about the cloud service providers role in the context of business continuity, you need to verify and ensure that the cloud service provider has enough data centers across different regions. If any kind of business continuity that happens, your work or your business does not come to a halt. Because the cloud service provider did not have enough data centers to replicate your data and applications.
So, you have to be very, very sure what role is the cloud service provider playing in the business continuity. You also have to ensure that they have optimal infrastructure. And this has to happen right before you select a particular cloud service provider. You have to study their infrastructure well. Usually, a cloud service provider will put up a lot many technical details and use case studies on their website. So, you have to download them, study them well, and understand what kind of infrastructure does the cloud service provider has. You have to also understand the order of restoration in case anything that goes down. So, what is the priority cloud service provider is going to give? Is it going to be somebody else who's going to get their data up and running? First, and then you come last or how does that happen?
So, this has to be correctly defined in the service-level agreement, that you sign up with the cloud service provider. Then you have to have clear cut communication from the cloud service provider's end. Now, in case any issue happens at the cloud service provider's end, you need to be rightly communicated on time. What if, there are some services become unavailable due to certain reasons. Did you get the communication from the cloud service provider or is it the users from your end who are complaining that the services are no longer working? And then you connect with the cloud service provider to figure out that this particular service has gone down from their end. So, you need to have that kind of expectation from the cloud service provider. That they will inform you as soon as either something goes down, or something that is plan for maintenance.
You have to have that kind of clear-cut communication from their end. Now in the cloud, any cloud service provider that you deal with will also have dependence on third parties. What if the infrastructure or the applications from the third parties stop working? How does the cloud service provider handle that kind of scenario? You have to understand that in detail as well. The second point is whatever you do with the cloud service provider in terms of whatever service you opt for, be it the platform as a service, infrastructure as a service or software as a service. You need to have the service-level agreement clearly defined. Now, how do you ensure that the cloud service provider is meeting the statements mentioned in the service-level agreements? You have to do regular audits. You have to generate the metrics against which you can audit the cloud service provider.
For instance, now if the cloud service provider says they are going to give you uptime of five nines. But their services have been going down, let's say, once in a month. They go down for five minutes every month. So, that means definitely the five nines are not met. So, you have to keep auditing. Keep collecting the metrics against the services that you have opted for. And ensure that these are being met. For instance, when you're talking about, what do I build in the service agreement? Now, you can build a lot of things in the service-level agreement. So for instance, you can talk about penalties and compensation for a loss of service. You can talk about RTOs and RPOs. You can talk about loss of integrity and confidentiality. So what happens? Who compensates?
You can also mention point of contact, and escalation procedure, and the escalation metrics in the service-level agreement. You can talk about clearly defined responsibilities that you own as and the cloud service provider owns. You can also talk about if there are any changes that are happening at the cloud service providers. And they have to be communicated in timely manner. So basically, what we are saying is, there has to be clear communication process put into the place. And that has to be mentioned in the service-level agreement. Now, let's talk about what are the Benefits of Business Continuity. Again, going back to the on-premise data center, when you talk about on-premise data center, you want to build Business Continuity. It is going to be expensive. But when you talk about the cloud, of course, the cost of Business Continuity is much lesser in terms of cost and effort. So, the first one is the Availability. When we are talking about the cloud, the organizations today can avail a cloud-based Business Continuity solution. That can happen because the cloud service providers provide a wide range of services at a very nominal cost. So, you don't have to buy the infrastructure. You don't have to hire the manpower. You can simply opt for the cloud service from the cloud service provider. And link your on-premise data center with it.
So, in case anything happens on the on-premise data centers, your services in the cloud are up and running without a second of delay. Similarly, if you have your infrastructure running in the cloud already, you can have redundancy built to ensure availability of data and services with the same cloud service provider. Or you can also opt for another cloud service provider with the same set of services and data replicated. Then we are talking about Cost effectiveness. I just mentioned, you don't have to put up the entire infrastructure on your own. It is already available in the cloud environment. All you have to do is pay a nominal cost which is typically, pay-per-use model. And avail the services and replicate your infrastructure. Then we are talking about Easy back-ups. You don't have to do much of your back-ups on your own. It can be automated with the services that are provided by the cloud service provider. The back-ups can happen in real time or at scheduled intervals.
Therefore, you don't have to stay up all night and take back-ups. They can be automated without any problems in the cloud environment. And it is Easy to restore from the cloud. Now, in the event of a disaster, the recovery, and restoration functions are easily done. When you have cloud-based Business Continuity, it is very highly reliable than the conventional back-ups that you take in the on-premise data centers. So, you don't have to rely on the tapes, discs or flash drives. Where there could be a lot of things that can happen to any one of them, that tapes get corrupt or the flash drives can get lost. So, when you're talking about the cloud, you're not dealing with any kind of physical back-ups. Everything can be replicated or backed up on to other servers. And that can happen without any physical hardware from your end being involved. Then we come to the point of your applications and the infrastructure that you set up in the cloud environment can be accessed from anywhere. Now, when you have your on-premise data center unless or until you have been given remote access. Nobody can access that particular infrastructure from the outside of the network. It is not possible for you to connect everybody on to your on-premise data center. In case of any disaster, you have to replicate the entire thing on to some other location. Again, you will have to give access to everybody to remotely connect. You may not have that kind of infrastructure in place in the first place. Secondly, managing those users at your end can also be a daunting task. Now what you do is, you configure all this Business Continuity in the cloud without any problems. And the services will continue to run even if there is a disaster.
Users can still access these services from anywhere. Now just to recap, we talked about the Business Continuity Critical Success Factors which were the customers' responsibility or the consumers' responsibility. And the cloud service providers' role, and the clear statements in the SLA document. Then we also talked about the Benefits of Business Continuity. So we have the Availability, Cost effectiveness, Easy back-ups, Easy restore from the cloud. And of course, the application and the infrastructure can be accessed from anywhere.
Supplemental Security Devices
Now, whether it is on-premise data center or your infrastructure in the cloud environment, you would want to have optimal security. To do that you would typically put in a lot of security applications on the device to protect your infrastructure. So for instance, you would have a firewall, you would have intrusion detection system, intrusion prevention system. Or there could be any other device or the application something like data loss prevention or the DLP. You could also have access control lists applied. Up and above that, you could also have a supplement to whatever you have as the security controls. Now, the Web Application Firewall,
[Video description begins] The screen displays the home page of AWS AWF. This page shows related information, such as the pricing, and a Create web ACL button. In the left side, there is a navigation pane with various options, such as Getting started, IP sets and so on. [Video description ends]
or WAF, is one application that you could use as a supplement device. So, it's a Layer 7 firewall, which is meant to protect your web application. So, it filters and monitors the data that flows between the web application and the internet. So, AWS has WAF for Web Application Firewall. Now, WAF or web application firewall works in slightly a different way because it is designed to protect your web application infrastructure. Now, there are certain types of attacks that are meant only for your web application.
So, when I'm talking about certain types of attacks, I'm talking about cross-site forgery, cross-site scripting, file inclusion, SQL injections. That is what WAF is going to protect your web application from. So, basically, it acts like a shield between the web application and the internet. Now in the AWS environment, there are different pricing that you can opt for or you will have to pay. That would also depend on the number of rules that you implement. You could also use that particular pricing. Now, let's create a web ACL on which you could also be paying price.
[Video description begins] He clicks the Create web ACL button, which opens a page for creating the web ACL . This page shows various configuration options, such as a Name field bar, a CloudWatch metric name field bar and so on. [Video description ends]
So, I'll simply name that ACL name. And we basically see what kind of resource we want to associate with that ACL. So by default, it is the regional resource, which are your Application Load Balancers and the API Gateways. And so just to keep that by default, or you could also have cloud front distributions. Then we can choose a region. By default it is US East Ohio, which is the default regional location. Then you could also associate AWS resources. So now, we need to add rules.
[Video description begins] He scrolls down to an Associated AWS resources section. This section shows an Add AWS resources button. [Video description ends]
[Video description begins] He clicks the Next button at the bottom of the page, which opens an Add rules and rule groups page. This page shows a Rules section with an Add rules menu button. He clicks this button, and it shows two options, Add managed rule groups and Add my own rules and rule groups. [Video description ends]
So there are predefined rules, which are called managed rules, or you can create your own rules, and rule groups. So for this particular video, we will go ahead with the managed rules.
[Video description begins] He clicks the Add managed rule groups option, which opens an Add managed rule groups page. This page shows various expandable categories of rules, AWS managed rule groups, Fortinet managed rule groups and so on. [Video description ends]
So there are four categories in the AWS managed rules. There are a lot of different rules that are available within these categories.
[Video description begins] He expands the AWS managed rule groups category, which shows various rules along with their capacities, such as Admin protection, Core rule set and so on. [Video description ends]
So you could use any of these rules depending on the type of infrastructure you set up. Depending on the type of web application you have and what you want to protect it from.
So for instance, the capacity here is about 100, which means 100 rules. And then, we could go to the core rule set and you can apply that. There are about 700 rules. And then we could also have the Linux operating system. Now other than that, we have Cyber Security Cloud. They are managed rules, so, their capacity is about 1,000. So, you will need to subscribe to them. These are the rules from Fortinet. There are about 1,000 rules they have. Then you have rules from GeoGuard which has about 100 rules, but all these are third party rules so you'll have to subscribe to them and pay a fee.
[Video description begins] He clicks the Add rules button at the bottom of the page, and the page shows these added rules in a table. The page shows a section labeled as Default web ACL action for requests that don't match any rules. This section shows two radio buttons, Allow and Block. [Video description ends]
So, we will now click on Add rules. So by default, see whatever you have selected that has been added here. Now, depending on whatever rules you have added, there are certain capacity that you are going to utilize. So, we have already utilized the capacity of 100. Now out of 1,500, we have used 1,000 of them. Now, moving on to the default ACL section. By default it is set to allow when you refer to a firewall rule, by default, it is block.
But when you refer to a web application by default it is allow, because you do not want to block everybody by default. You will just go ahead with the allow rule which is the default and
[Video description begins] He clicks the Next button at the bottom of the page, and a Set rule priority page opens. This page shows the rules. [Video description ends] then we can just go ahead and save whatever rules we have. Then we are done with this particular rule setting in the web application firewall on Amazon AWS.
[Video description begins] He clicks the Next button at the bottom of the page, and a Configure metrics page opens. This page shows the Amazon CloudWatch metrics. [Video description ends]
So, before we finalize the rules, we can simply go ahead and review the configuration and then finalize the rules.
[Video description begins] He clicks the Next button at the bottom of the page, and a Review and create web ACL page opens. This page shows the overall configuration. [Video description ends]
So just to recap, in this particular video, we learned how to configure a web application firewall and add managed rules and we also had a brief look at the third party rules that are available in the AWS environment.
Data Governance
There is a fundamental question, why data governance is required? Now, before we move on to answering this, we need to understand what governance does and what it is. So, governance basically brings together your business goals and visions. There are best practices which are applied to whatever you do and how you do it. And also, it is something that helps you meet your regulatory and legal requirements. When you apply governance, it ensures that whatever you are doing aligns to your business objectives. And also, when you have governance, it just ensures that you know there is accountability.
So, whoever is doing, whatever they are doing, they are accountable for it. So, why data governance is required? It helps you bring out data inconsistencies. It helps you track the low quality of data. Which means that if data is not as per the standards or whatever regulations that you are conforming to, if it is not as per the standards then, of course, governance will help you bring out that particular point and inconsistency. It will also ensure that whatever data access you have provided to the people, it is standardized. You cannot just go ahead and assign access to anybody and everybody. So for example, let's say you have given full control to everyone on a particular folder. It will not happen because if governance is there, somebody is watching over you, and then you are forced to apply standardized policies. Therefore, everybody complies to these policies and the data access is not left too open. Then it also brings out data democratization.
Now, that means it is the self-service across the enterprise. Then you have regulatory compliance requirements. Now, if you are conforming to a particular regulations, let's say PCIDSS or ISO 27001, then you need to have governance in place. Otherwise, you will never be able to judge whether you are meeting to these requirements or not. You will never be able to find out the loopholes that exist within your system. So, somebody needs to apply that data governance and see whether those regulations are being met. Then you also need to have a common data vocabulary for cross-departmental data analysis. Just remember, not everybody's going to be as technical as you are. So, you need to have a common data vocabulary to understand what you're saying so that it is understood same by the other people across departments. And of course, you also need to enhance the organizational metadata. Now, this is going to be critical because if you don't have that then, of course, the governance cannot watch over your data properly. Now, when we talk about successful data governance, it can be achieved with applications that span across on-premise and public cloud resources. But governance must be fundamental part of the design and implementation, and it should not be an afterthought.
So basically, when you are designing your cloud environment, you are extending your on-premise data center to the cloud. You need to ensure that you are applying governance, or you're embedding governance right then and there within the design. So, it should not happen that after implementing everything you think about how to do data governance, and how do I apply governance to the data that exist? You might end up redoing a lot of your implementation or making a lot of changes to the architecture. So, that would require lot of manpower effort, and it would also raise the cost in revamping your architecture. So, let's look at some of these points. So, you have the value. So, when you talk about the value, you need to know what value the data holds in terms of cost. So, if that data is lost, the cost of generation of that particular data and the value derived through analysis, how much it is going to cost to your organization. These metrics would be used to determine the safeguards for protecting the data. Then you have location. You need to know where the data is created and where it is stored.
Now, accordingly, you will have to design your safeguards. So for instance, some of the regulations may apply only in one particular region. Now, if your data is stored in that particular region, you may have to apply that regulation, depending on the type of data you're holding and where you're holding. Then we are talking about risk. You need to know the risk that data poses for your organization. Now this is going to be critical because you can apply security controls or security measures accordingly. Now, if we are talking about high risk data, which could be something like Social Security numbers, address, credit card information, then you need to have more security controls or probably defense in depth in place to ensure that you appropriately safeguard the data. Now vice versa, if you have something like very basic data, somebody is creating school reports. Of course, that may not be at the same risk level as the Social Security numbers or the credit card numbers. You also need to know your decision maker.
When you're talking about a decision maker, you need to know what kind of data access they require, what is the time frame for which they require the data access, and what tools are they going to use to access the data? Now, decision makers will vary from organization to organization. For instance, in some organizations, you might only have the leadership making the data related decisions. In some organizations, you may have the middle level management making data level decisions. It would depend on the culture of your organization and probably also on the size of your organization. And therefore, accordingly, you will have to design your data access.
Then you're talking about the accuracy. How do you clean your incoming data? How do you handle that data? And once you clean out your data, what is the outcome that you are expecting? So, is that outcome as accurate as you are expecting it to be, or it has to be something else? You will have to be thoughtful of that. To get the data accuracy you may have to attach a set of policies to ensure its quality. Just to recap, in this particular video, we talked about data governance and why data governance is required. Then we also looked at the data governance strategy which has various components like value, location, risk, your decision makers, and the accuracy of data.