Cloud Security Administration

This is a guide on cloud security administration.


Administration Basics

Welcome to Administration Basics. Now, one of the significant developments emerging as a result of cloud computing and software-defined infrastructure is the blending of the system administrator and the network administrator roles. If we go back to the traditional infrastructure, we had these two roles.
One person was doing the system administrator role and another person was busy doing the network administrator role. Now, when you talk about cloud computing, both of these roles have been merged into a single role, which is the cloud administrator role. Now, these cloud administrators need to know how to manage the cloud infrastructure: what to deploy, what to monitor, what to update, what to share, what to archive, and what data to destroy in the cloud computing environment. Now, this is the most sought-after role in recent times as far as cloud computing and software-defined infrastructures are concerned.

So now let's go back. When we had the traditional infrastructure, which was the on-premise infrastructure, there were a lot of challenges that the system administrator or network administrator faced. Now the cloud administrators have almost the same types of challenges. These challenges may differ in nature, but otherwise they are still challenges. There are still difficulties that the cloud administrator has to face. So now, we are going to look at some of these challenges that the cloud administrator may face. So to start with, we have data breaches and downtime. Now, one thing that we have to understand, specifically in the context of the public and the hybrid cloud, is that most of the infrastructure, specifically the back end infrastructure, by which I'm referring to the physical environment or the physical servers, is not in the control of the cloud administrator.

Now, I am talking from the perspective of you being designated as the cloud administrator by your organization, which means you will be managing the cloud infrastructure as the administrator. Now, as the cloud administrator, you're going to face these challenges. Now, data breaches can be very impactful for your organization and can also lead to downtime. Now, just imagine a scenario. If you have your own infrastructure, which is the on-premise infrastructure, and a data breach happens, there is only one set of data, your organization's, that can be stolen or breached. Now, when you are in the cloud environment and you're talking about cloud administration, things change; the environment changes, because the entire infrastructure is not in your control. It is a completely different game altogether, because the attacker not only can take away your data, but can also take away the data of the other cloud consumers who reside in the same cloud.

So in that context, if we look at the cost of a data breach, on the on-premise infrastructure it is slightly lower than for data breaches that happen in the cloud, because lots of cloud consumers have their data on the shared infrastructure. Which means if one cloud consumer's data is stolen, there is a high possibility that the data of the other cloud consumers can also be stolen or breached. What does that mean? It means the cost of a data breach can be very high, or very, very significantly high, in the cloud. And similarly, if you talk about downtime, a few servers in the cloud infrastructure may go down. Yes, we agree, there is a lot of redundancy that has been built in by the cloud service provider. But there might be downtime if one of the data centers becomes non-functional. Now that can create a lot of problems for the cloud consumers if they have not configured their cloud environment properly. Which means if they have not configured redundancy, or the cloud service provider itself does not have redundancy built in as part of their infrastructure, then it can be a very serious problem.

Then we talk about another challenge, which is the lack of transparency. When you talk about the traditional IT infrastructure, which is your on-premise infrastructure, you have full control. Now, when you're talking about the cloud infrastructure, there is a little bit of control that you have, but most of the control is still with the cloud service provider. That means what they do in the back end and how they do it is not transparent enough for you to understand, so that if anything happens or any incident takes place in the cloud environment, how are you going to fix it? It is not going to be completely in your control. You will have a lot of dependency on the cloud service provider. Now, this also means that you do not have the full service description and exactly how the platform in the background works.

So therefore, it is the cloud service provider who has the full service description and knows exactly how the infrastructure is configured to work. Then we move on to the shared technology vulnerabilities. Now, this is pretty interesting, because when you're talking about the public and the hybrid cloud, most of the cloud consumers have data stored probably on the same server, or maybe on the same hard drive. Now, this means if a data breach happens, the data not only of one cloud consumer but also of the other cloud consumers is at stake. Similarly, now let's take an example. If a data breach has occurred on one of the servers in the cloud environment, the law enforcement or the data forensics experts need to take the hard drive from the cloud service provider to do the investigation.

Now, what happens? That particular hard drive may have some data stored for the other cloud consumers as well. Which means not only your data, which has already been breached, but the data of the other cloud consumers is also at stake, because the data forensics experts can actually go through whatever data is stored on that particular hard drive. So this means the data is not secured on that hard drive, because other people, who happen to be either the law enforcement guys or the forensics experts, can actually go through the data and understand what it is. So one thing you have to do is encrypt your data, so that even if somebody has the hard drive, they cannot understand what the data means. Then we come to another challenge, which is insecure interfaces and APIs. Now, a lot of cloud service providers give you APIs that you can use to connect your own infrastructure, which is the on-premise infrastructure, with the public cloud and make a hybrid cloud out of it, because connecting your own infrastructure with the public cloud creates a hybrid environment.

Now, you may have an application that needs to talk to another application in the cloud, and the first application that I am referring to is from the on-premise infrastructure. Now for this, the cloud service provider gives you an API that you can use to connect your application with the cloud application. Now, if that particular API is not thoroughly tested, it is not secure. That means somebody can figure out that it is an insecure API, and somebody can intercept the data that is flowing from one end to the other end by intercepting the data in between. So therefore, that becomes a major issue if those APIs are not secure. Then we are also talking about compliance complexity. Now, there are sectors like healthcare and finance where you as the consumer have to store the data according to the legislative requirements. You have to ensure that whether the data is in storage or in transit, it is completely encrypted, so that if anybody happens to intercept the data or steal the data from the hard drive, they cannot decipher the data unless or until that person has the decryption keys.

So you have to be very careful to confirm that the cloud service provider can help you meet these requirements, and by these requirements I mean the compliance requirements. Then we are talking about another major challenge, which is the lack of visibility and control. Now, again, I'm going back to the public and the hybrid cloud, where you do not have overall service visibility. Therefore, the lack of control in such an environment will always be a major issue. So these were some of the cloud administration challenges that we have spoken about in this particular video.
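The point above about API traffic being intercepted in between, and about data in transit having to be encrypted, is easiest to see in a client-side check. The following Python is an added example, not code from the original lecture or from any cloud provider's SDK: it builds a hardened TLS client context for calling a cloud API from on-premise code, constructs a deliberately weak one of the kind that lets an interceptor present its own certificate and read the traffic, and audits either context for the settings that matter. The function names are my own; the only library used is Python's standard ssl module.

```python
from __future__ import annotations

import ssl


def harden_client_context() -> ssl.SSLContext:
    """TLS client context for calling a cloud API from on-premise code.

    create_default_context() loads the system CA store, requires a server
    certificate (CERT_REQUIRED) and checks it against the hostname; the only
    extra step here is refusing TLS 1.0 and 1.1.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed example of the misconfiguration an audit should flag:
    no certificate or hostname verification, so anyone in the middle can
    present their own certificate and read the API traffic in clear."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses found in a TLS client context; an empty list passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the API hostname (check_hostname is off)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS 1.0/1.1 are still accepted (minimum_version below TLSv1_2)")
    return problems


if __name__ == "__main__":
    for name, ctx in (("hardened", harden_client_context()), ("weak", weak_client_context())):
        print(name, audit_client_context(ctx) or ["ok"])
```

The same audit can be applied to any context an application hands to its HTTP client; the hardened context is what the on-premise side should use when it talks to the cloud API, and the weak one is the shape to search for in code review.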


Security Baselines

Let's first understand what a security baseline is. A security baseline sets a basic standard that a system or service should meet. It helps you detect any kind of variation in the system or service if it is not complying with the security parameters that you have configured in the baseline.
Now, when you're talking about a security baseline in the simplest terms, it is a minimum level of security for a system, service, or even a network. So you could even have the complete network infrastructure aligned to a particular security baseline. Anything that goes out of the way is considered to be a variation from the security baseline. Now, when you use a security baseline, it helps an organization meet a specific level of security. So when you talk about cloud security, before we get to the cloud security, let's talk about the traditional security model, which was implemented on the on-premise network. Now, the traditional IT security includes policy. It includes security controls, which govern the security of the entire network.

Similarly, if you look at the traditional IT security model, we are implementing virtually the same thing in cloud security. Now most of these policies, security controls, and compliance frameworks are implemented in cloud security as well. We are talking about, again, building the perimeter security. We are talking about protecting the endpoint. We are talking about protecting the entire infrastructure in cloud security as well. So there is nothing different. In fact, the only thing that differs between the traditional IT security, which was implemented on the on-premise network, versus the cloud network is the level of control that you may or may not have. For example, you will have a different level of control in the software as a service cloud deployment model versus the platform as a service cloud deployment model. To expand this example further, you will have less control over the physical security in the cloud versus the kind of control that you have in the on-premise network. Then we are talking about protecting the data and its privacy.

So there is nothing new. You wanted to protect data in the on-premise network, and you also want to protect the data in the cloud network as well. So there is nothing different as such. So when you're talking about implementing data privacy, or you want to protect the data in the cloud, you have to get your cloud architect or the cloud administrator involved, so that they can design the optimum level of security. Now, it could be different roles that get involved, depending on the size of your organization and depending on the kind of cloud-based roles that you have within your organization. So in most cases, it would be your cloud architect or the cloud security architect who would get involved in designing the security. Then you're talking about risk mitigation. So of course, in the on-premise network, you also have the risk mitigation planned. Similarly, in the cloud network, you would also want to have your risk mitigation controls implemented, without which it would not be possible for you to foresee the risks that you are going to come up against, and you would not be able to plan the optimum level of risk mitigation. So the risk can be of any type in the cloud as well. It could be something that is intentional, it could be something that is unintentional. So for example, what would you do if somebody accidentally deletes some critical files? So this is a risk. So do you have any kind of risk mitigation plan for it? So if it happens, where do you fall back? Are you going to get that data back online from your backup systems? Do you have the data backed up somewhere? Is it replicated somewhere?

So you will have the plan to do this kind of risk mitigation. So when you're talking about the cloud security baseline, you have to baseline the complete picture, which means you cannot just say, okay, I have baselined my endpoint, I have baselined my servers. But what happens to the storage? What happens to the firewall? What happens to the router? Everything in the cloud infrastructure needs to be baselined. Why would you want to do that? That is the question. Now the answer to that is that you would be able to spot a variation, if it takes place, against the baseline. If anything deviates from the standard baseline that you have configured on these devices, or on the entire infrastructure, you would be able to find that out using your logs or any other method that you have implemented. You would be able to compare both pictures: what was the baseline system, and what is the system now? If there is a deviation, you can very well imagine that something has gone wrong or something has changed within that system.

So the baseline is the answer for the cloud infrastructure. So when you're talking about baselines, one of the most important aspects here is to understand that approaches like baselines provide the details, and they enable different teams to collaborate effectively. Now there is going to be a user who's going to use a particular system, but then there is going to be a team that is going to implement the baseline on that particular system. So you have to ensure that both of these, the user as well as the implementation team, understand how critical the baseline is. And of course, compliance can be checked against the baseline of a system, or a service, or a device, or in fact the entire network. The baseline is important for the complete infrastructure so that tomorrow, if anything changes within that particular baseline, you're able to track it. So security teams, of course, are considered the villains in most cases, because people do not want to comply with the kind of security they want to implement. Because the goal for the security team is to ensure that they implement the strictest control that is possible in the given infrastructure, be it the on-premise infrastructure or the cloud infrastructure. But it causes a lot of problems for the users, because they may not be used to that kind of security.

So therefore, the security teams are never welcomed by the users, because they think that these guys are going to create more complexity in the systems or the network that they are using. Now, the security team plays a crucial role in setting things in the right direction as far as security is concerned. So then we are talking about the infrastructure baseline. So of course, it is pretty much similar to baselining the complete picture. You don't want to just baseline only a few systems and say, okay, my system is going to be compliant, or I have the security implemented. No, it can never be that. So you have to completely baseline the entire infrastructure, be it your storage systems, be it your servers, be it your endpoints, or any kind of device that exists on the network. So for instance, you could baseline your virtual machines. Then you also have to baseline your access control lists, your subnets, your routing tables, your DNS. Everything in the infrastructure needs to be baselined, be it in the cloud or the on-premise infrastructure. Now, if you baseline everything in the cloud environment, of course, you are only holding a particular portion of the cloud. You do not own the complete cloud.

So whatever you are holding, whatever part of the cloud infrastructure you are owning, that becomes your infrastructure. That is what you have to baseline and ensure it meets the required service level. It could be possible that you have to be compliant with a particular regulation, something like PCI DSS or HIPAA. Now, because of the requirements stated or mandated by these regulations, you will have to implement a certain level of controls and certain types of controls within your infrastructure. Now, if you do not baseline your systems as per the regulatory requirements, things will not work out, and you cannot say your infrastructure is baselined and is compliant with a particular regulation or standard, something like PCI DSS or HIPAA. So we discussed the cloud security baseline. We also discussed the importance of the baseline in the on-premise and in the cloud infrastructure.
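Comparing the baselined picture against what the infrastructure looks like now, across virtual machines, access control lists, subnets, routing tables and DNS as described above, is the kind of comparison a cloud administrator would script. This Python is an added example that is not part of the lecture: the baseline and the current state are small constructed dictionaries (the names vm-web-01, acl-web and so on are made up, not pulled from any cloud API), and the recursive diff reports each deviation with its path so the log entry can be tied back to the control it affects.

```python
from __future__ import annotations

from typing import Any

# Constructed security baseline for one small cloud tenant. In practice this
# would be kept under version control and reviewed like any other policy.
BASELINE = {
    "vm-web-01": {"os_patch_level": "2024-03", "public_ip": False, "disk_encrypted": True},
    "acl-web": {"rules": [
        {"port": 443, "source": "0.0.0.0/0", "action": "allow"},
        {"port": 22, "source": "10.0.0.0/8", "action": "allow"},
    ]},
    "subnet-web": {"cidr": "10.0.1.0/24", "flow_logs": True},
    "route-web": {"default_route": "nat-gw"},
    "dns": {"dnssec": True, "zone": "example.internal"},
}

# Constructed snapshot of the same tenant taken later (as it would be exported
# from the provider's inventory API), with several deviations planted in it.
CURRENT = {
    "vm-web-01": {"os_patch_level": "2024-03", "public_ip": True, "disk_encrypted": True},
    "acl-web": {"rules": [
        {"port": 443, "source": "0.0.0.0/0", "action": "allow"},
        {"port": 22, "source": "0.0.0.0/0", "action": "allow"},   # SSH now open to the world
    ]},
    "subnet-web": {"cidr": "10.0.1.0/24", "flow_logs": True},
    "route-web": {"default_route": "igw"},                        # default route bypasses the NAT gateway
    "dns": {"dnssec": True, "zone": "example.internal"},
    "vm-test-99": {"os_patch_level": "2023-01", "public_ip": True, "disk_encrypted": False},  # never baselined
}


def diff(baseline: Any, current: Any, path: str = "") -> list[str]:
    """Recursively compare the current state against the baseline.

    Returns one human-readable line per deviation, each prefixed with the
    dotted path of the setting so it can be traced to a device or rule.
    """
    deviations: list[str] = []
    if isinstance(baseline, dict) and isinstance(current, dict):
        for key in sorted(set(baseline) | set(current)):
            child = f"{path}.{key}" if path else key
            if key not in current:
                deviations.append(f"{child}: missing from current state")
            elif key not in baseline:
                deviations.append(f"{child}: present but not in baseline")
            else:
                deviations.extend(diff(baseline[key], current[key], child))
    elif isinstance(baseline, list) and isinstance(current, list):
        # Lists (such as ACL rules) are compared by position, so a changed
        # rule is reported at its index rather than as a whole-list mismatch.
        for i in range(max(len(baseline), len(current))):
            child = f"{path}[{i}]"
            if i >= len(current):
                deviations.append(f"{child}: missing from current state")
            elif i >= len(baseline):
                deviations.append(f"{child}: present but not in baseline")
            else:
                deviations.extend(diff(baseline[i], current[i], child))
    elif baseline != current:
        deviations.append(f"{path}: baseline={baseline!r} current={current!r}")
    return deviations


def audit(baseline: dict = BASELINE, current: dict = CURRENT) -> list[str]:
    """Run the comparison over the whole tenant and return the deviation list."""
    return diff(baseline, current)


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run stand-alone it prints the four planted deviations (the SSH rule opened to 0.0.0.0/0, the changed default route, the unbaselined test VM, and the public IP on the web VM). An empty list is the "compliant" result, which is why the check belongs in a scheduled job rather than a one-off review.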


Cloud Delivery Models

Now let's look at some of the different cloud delivery models that are available in today's time. So when we say cloud delivery model, it means how the services are going to be delivered to the cloud consumers. So you are the cloud consumer if you are accessing a particular cloud service. It is basically a business model that has been provided by the cloud service provider, in which different types of services are given to the cloud consumers.
So each type of cloud delivery model differs in its own ways. In short, we will look at some of these different models and how they differ from each other. Now, the first one is *-as-a-Service, which denotes anything as a service; the asterisk here denotes anything. So what are we talking about with anything as a service? This is one of the new models that has come into existence, in which you are virtually offering anything as a service to the cloud consumer. So when we are talking about anything, we are talking about software as a service, we are talking about storage as a service, desktop as a service.

Disaster recovery as a service, network as a service, infrastructure as a service, platform as a service, marketing as a service, healthcare as a service, or security as a service. So virtually, if we are looking at anything, this means everything is being delivered as a service. So this is how the future is going to shape up: we are going to get anything and everything as a service on the cloud. Now, then we are talking about some key models, which are infrastructure as a service, known as IaaS, then platform as a service or PaaS, and then software as a service, known as SaaS. We are going to be looking at each one of them in detail going forward. So when we are talking about cloud delivery models, here we see four different delivery models.

So one of them is the on premise model. And then there are three key cloud deployment models which are in existence as of now, and they are very popular with the cloud consumer. So when we are talking about the cloud consumer, we are talking about the subscribers, the people or the users who have subscribed to a particular service on any of these given cloud deployment models. Now, these entities, or the users, or the people who have subscribed to the cloud service, are known as the cloud consumers. So now let's talk about on premise model. When we are talking about the on premise model, there is no cloud consumer, there is no subscriber, there are only resource owners.

Now, these are the guys who basically own the infrastructure, which is on the ground infrastructure, which is owned by a particular organization. Now this is basically managed either by the local IT team, or it could be managed by a third party who comes and manages your IT infrastructure. So when you talk about the local IT team, it is the complete owner of the on premise infrastructure. So when you talk about the on premise infrastructure, other than the local IT team or if it is an outsourced entity, they are the only people who are going to be managing the entire infrastructure. They are going to be managing the servers, or the services, or even the desktops that the users are going to be running within the on premise environment. Now let's talk about infrastructure as a service. So when we are looking at infrastructure as a service cloud deployment model, there are two key entities involved.

So going forward, whenever we talk about cloud computing, whether it is infrastructure as a service, platform as a service, or software as a service, there are going to be mainly two entities. These are going to be, one, the cloud service provider, who provides the services to the consumer. Then the second entity would be the cloud consumers, who are going to be consuming these services and using them, or who would have subscribed to a particular service within the given cloud environment. So when we talk about infrastructure as a service, right from the operating system onwards, what we are talking about is the middleware, runtime, data, and applications. Basically, everything from the operating system upwards is owned by the subscriber or the cloud consumer. Now, the cloud consumer is going to be responsible for these particular layers in the cloud computing stack. Anything below the operating system, which is the virtualization layer, services, storage, or networking, is owned by the cloud service provider.

So some of the key examples of infrastructure as a service are AWS EC2, Rackspace, and the Google Compute Engine. Now, let's move over to platform as a service. Now, in this particular deployment model, we only have the applications and data, which are owned by the subscriber or the cloud consumer. Anything below data, starting from the runtime down to networking, is owned by the service provider, which is the cloud service provider. Now, some of the key examples are AWS Beanstalk, Windows Azure, Force.com, and OpenShift. Now finally, let's look at software as a service.

In this particular model, everything is owned by the cloud service provider. So one of the major examples of software as a service would be Office 365, or Gmail, or Google Docs. These are examples of software as a service, in which the cloud consumer only logs into the application, but everything is controlled or owned by the service provider. Some other examples are BigCommerce, Google Apps, Salesforce, Dropbox, and of course Office 365, which we already talked about as an example.

So just to recap, we have gone through different cloud deployment models, which are anything as a service, software as a service, infrastructure as a service, and platform as a service.


Architecture of Cloud

Let's now look at the architecture of the cloud. So across the different cloud service providers, you would have pretty much the same level of architecture; that is, the base architecture will remain the same. But of course, each cloud service provider will keep on adding more services, or making it more complex by adding more controls into their environment. But fundamentally, the components of this architecture will still remain the same, starting with the host servers.
So the major components in this architecture are the host servers, which are nothing but the physical devices like the servers, the switches, the routers, and the firewall, which form the base of the cloud. Then we have the magical software upon which the entire cloud computing is based. It is called the hypervisor, which is nothing but virtualization software that is installed on the physical server. Lastly, we have an intelligent software engine which we call the cloud software or cloud operating system, which automates all the cloud components that we orchestrate within the cloud environment. So now we will go over the cloud architecture. [Video description begins] Screen title: Structure of Cloud Architecture [Video description ends]

Let's see what the cloud architecture looks like. So we have to start with the dashboard service. Now, that is the first component in the architecture, and it is browser based. So in every cloud deployment model that you look at, if there is a dashboard that you have access to, it is going to be accessed only through the web browser. So you have to access it by logging onto your account, and then you get to see your dashboard, if you have access to it. So now, if you need to connect to the dashboard service, you need to open the web browser and connect to the browser-based graphical interface to manage the cloud services. Now, the second component is the orchestration service. It is a template-based orchestration engine that automatically creates the resources. Moving on, then we have a set of base services.

To start with, we have the networking service, which is a service that connects the interfaces to the cloud. And then moving on, we have the block storage service, which manages the persistent block storage for the virtual machines. Then going ahead, we have a very critical service, which we call the compute service, and it manages and provisions the virtual machines that are going to run on the hypervisor. Next is the image storage service, which is a registry service that stores resources such as virtual machine images and volume snapshots. Moving on, then we have the object storage service, which is used to retrieve and store files and data in the cloud environment. Finally, then, we have the telemetry service, which we can use to measure resource utilization. So this is the service that the cloud service provider will use to see how much resource utilization you have done in a particular given month or week. So now, with the help of this telemetry service, the cloud service provider will be able to generate the bills based on the usage that is done by the cloud consumers.

So this is how this service will go and sit in your account and monitor your account. It will see how much storage you have utilized, how much compute you have utilized, how much overall traffic has been generated, or how much read-write has happened to the hard drives that you have configured within your cloud environment. So all that is calculated, and according to that calculation, the bill is generated by the telemetry service of the cloud provider. So basically, here we have looked at the entire architecture of the cloud. So this is what we will call the basic architecture. And of course, you know, each individual cloud service provider may add some more services or may remove some services. But in totality, this is the basic architecture that cloud computing works with. So just to recap, here we have discussed the basic architecture of the cloud environment, and we also looked at some of the key components of the cloud computing environment, which are the host servers, the virtualization software, and the cloud software.


Introduction to Compliance

Let's now go through different types of compliance in Azure, Google Cloud, and AWS. When you talk about on-premise infrastructure, it is pretty easy to be compliant, because you control the entire data center, you control the infrastructure, you control how the traffic flows from one endpoint to the other. Now, when you're talking about the cloud, you have to remember that most of the infrastructure that is running in the background, which is the storage servers, the compute servers, and anything else,
basically the physical infrastructure, is in the control of the cloud service provider. Now, it is not going to be easy to be compliant when you are referring to cloud-based data centers, which are totally controlled by the cloud service provider. Now, you have multiple options, which means depending on the type of compliance you're looking for, these cloud service providers will offer you a method that can be used to be compliant with any of these regulations or standards. For instance, you might be required to be compliant with PCI DSS. So when you need to be compliant, before you move your infrastructure to the cloud,

you can check with the cloud service providers whether they give you a mechanism or a method to be compliant with PCI DSS. If you talk about the big names like Google Cloud, Azure, or AWS, all of them give you a mechanism or templatized infrastructure to be compliant with PCI DSS or any other kind of regulatory requirement. Now, when you talk about a regulation, it could be an international one, it could be a national-level one, or it could even be a state-level regulation. National or state laws or regulations are applicable only within a specific country. For instance, if you talk about, let's say, the FISMA model, it would be applicable only within the United States of America. But now, if you talk about PCI DSS, that is an international regulation. Any organization in any country can be compliant with PCI DSS if they are catering to any kind of credit card services on the Internet.

[Video description begins] A Microsoft Azure website appears on the screen. The following links display at the top right, namely: Contact Sales, Search, My account. The header contains the following tabs, including: Overview, Solutions, Products, Pricing, Blog. Currently, the "Overview" tab is selected. The window pane contains the text about "Azure compliance." The Start free button displays underneath the text. [Video description ends]

So now, let's first look at the compliance offerings from Azure. So they have a lot of different types of compliance offerings.

[Video description begins] He scrolls down the page. The windows pane displays Azure compliance offerings. [Video description ends]

So you have global, you have US government, you have regions, and country-specific compliance offerings. And you also have industry-specific compliance offerings from Azure.

So you can choose depending on what kind of compliance you are looking at. You can choose any of these depending on your requirement. And accordingly, your infrastructure can be configured. For instance, Azure offers you a lot of ISO-based certifications. Now, we have looked at compliance offerings from Azure. We can now switch over to Google Cloud.

[Video description begins] When he selects a next tab in the browser, a page titled: Google Cloud displays. The header contains the following links, namely: Why Google, Solutions, Products, Pricing. The "Contact Sales" and "Get started for free" buttons display on the top right. The windows pane displays some text underneath the heading: ISO/IEC 27017. [Video description ends]

Here you have different regulations like ISO 27017, 2015 edition, which is about information technology and security techniques, a code of practice. Now, this particular one focuses on the security controls for cloud services. If we go back to Azure now, we will see that this is also offered by Azure. Let's now switch over to AWS and see what kind of offerings they have.

[Video description begins] When he selects a next tab in the browser, a page titled: Overview displays. The top header contains the following tabs, namely: Products, Solutions, Pricing, Documentation, Learn. The following tabs display in a horizontal bar beneath the top header, including: Security, Compliance Programs, Resources, Latest News. The windows pane displays some text. [Video description ends]

Now in AWS, you will notice that there are different SOC compliances, which are the SOC reports, SOC 2 and SOC 3.

[Video description begins] He scrolls down the page. The windows pane displays a table underneath the heading: What information do the AWS SOC Reports provide? [Video description ends]

Now, these are different types of SOC reports. You can go through the details of each one of them and understand who the primary audience is, what each SOC report is supposed to mean, and what its outcome is. So now let's switch over to the AWS Management Console.

[Video description begins] When he selects a next tab in the browser, a page titled: AWS Management Console displays. The screen displays the windows pane area which contains some text. [Video description ends]

Now once we are in AWS, we can go to the Security, Identity, and Compliance section. Under that section on AWS, we have something called GuardDuty, which is a threat detection and continuous monitoring tool. It can analyze events across several data sources on Amazon. So we click on GuardDuty, and once we do that, we will go to the GuardDuty page.

[Video description begins] A page titled: GuardDuty displays. The left navigation pane contains various links, including: Findings, Settings, Lists, Accounts. Currently, the "Findings" link is selected. The windows pane displays its details underneath the heading "Findings." The details are listed in a tabular form with the four column-headers, which are labelled as: Finding type, Resource, Last and Count. The table contains four rows. [Video description ends]

And now here you have something called findings. For compliance purposes, you can go through certain findings and understand what they mean. So when we open a certain finding, we can understand more about an issue that we have faced. And this information can definitely be used in auditing.

So now, just to recap, we went through different kinds of compliance offerings by AWS, Google Cloud, and Azure. So again, just to reiterate, different cloud service providers may offer different kinds of compliance options. It is our duty as a cloud consumer to do the due diligence and understand what we need. And accordingly we can opt for the services of a particular cloud service provider.


Solution Design Basics

Previously, we looked at the different stack layers in the cloud computing environment. We will look at these stack layers again, and we'll also look at the types of security controls that are required to secure each one of these layers in the cloud computing environment. So it all starts with the hypervisor. Now the hypervisor is the base layer. So you have to ensure that you provide appropriate security not only to the hypervisor, but also at each and every layer in the stack. So when you talk about the hypervisor, you have to ensure that you have done appropriate configuration, because any misconfiguration can actually lead to a major security attack on the entire cloud infrastructure. So it is critical that the hypervisor is thoroughly and properly secured. And to be able to do that, you have to ensure that your hypervisor has appropriate security configurations.

You have to apply appropriate access control and you have to also ensure user privilege management, because you do not want somebody to log into a virtual machine in the cloud computing environment and actually drill down into the hypervisor because you have not configured the user privileges properly. Now the next layer is the network layer. Of course networks are prone to different types of attacks. Distributed denial of service, which is DDoS, is one of the major attacks that can happen on networks. So you have to apply appropriate access controls and you have to put a firewall in place. But not only the firewall, you also have to ensure that appropriate firewall rules have been put in place. And of course you have to configure proper routing, otherwise it just does not work. For instance, if you do not do proper routing, users will not be able to connect to the virtual machines that you have configured for them. Now, the next layer is the data layer. Of course, when you talk about the data layer, it is one of the most critical layers because it is going to be storing your data. And one of the critical aspects of storing the data is encryption. If you leave data out in the open without encryption, it can be stolen. Not only can it be stolen, but of course its confidentiality and integrity can also be breached.

We have to ensure that not only are you applying encryption, but you are also taking appropriate backups, and you have to also ensure that there are no insider attacks. For that you can use something like data loss prevention, known as DLP. Then we move on to the next layer, which is the operating system layer. You have to ensure proper configuration of the operating system. Of course, you do not want unnecessary services running or unnecessary ports open on the operating system. You have to ensure you have done vulnerability scanning, you have taken backups, and you have done appropriate user privilege management. You do not want users to have administrative privileges if they do not require them. So you have to ensure that you have appropriately assigned privileges to each and every individual user who is going to be accessing your network, or the services, or the data on the network. Finally, we get to the topmost layer, which is the application logic and the presentation layer. Now, how do you secure this particular layer? Of course, you have applications running. So how do you ensure that there is appropriate security for these applications?

Now for the operating system and the network, you have the firewalls. But when you talk about applications, you want certain types of attacks on the applications to be prevented. For that, you can put in something called a WAF, or Web Application Firewall. And then on this layer, we can also implement identity and access management, which you can use to keep tight control over the identities that are going to be accessing your network. You can also have appropriate scanning, and you can also do penetration testing within your environment to ensure that there are no security loopholes that go undetected. Then you can try to break through those security loopholes that you discover.

Basically the idea is to understand how a hacker could break through the vulnerabilities that exist within your network. So just to recap, we looked at the different stack layers in cloud computing, and we also looked at the different types of security controls that can be configured at each one of these layers.


Compliance Strategy

When data moves from the on-premise data center to the cloud, it has to be handled differently. The reason is that when you're talking about the on-premise data center, you know the location. Accordingly, you can make your infrastructure and data compliant with a specific regulation. Now, when we are talking about data on the cloud, it has to be compliant with a specific regulation, if required. And that regulation might be region dependent.

So, for instance, if your data is lying in a data center which is in the US region, you may have to ensure that your data is complying with those particular regulations, if required. So when you're talking about data in the cloud, the first thing you need to know is where your data is located. Wherever it is located, it then has to be compliant in one way or the other for that particular region. Let's now go to the AWS Management Console.

[Video description begins] An "AWS Management Console" window displays. The tabs: Services and Resource Groups display towards the left in the header. The: Notifications, Profile, Region and Support tabs display towards the right in the header. The windows pane displays a section labelled as: AWS services which contains a search bar labelled as: Find Services. The remaining windows pane displays the list of various services. [Video description ends]

Now if we look at it, we are in the Ohio region. So from here, if we click the drop down, we see there are multiple regions. There are many regions in Asia Pacific, then you have a lot of regions in Europe. There is one data center in Ireland, and then there is one each in Frankfurt, London, Paris, and Stockholm, and in the Middle East you have Bahrain.

So there are a lot of data centers that you might have to put up in a particular region because of certain compliance issues. So now, depending on where your data is located, you have to be compliant with that particular country's guidelines or regulations. Or it could be an international regulation like PCI DSS; it depends on what kind of regulation you are opting for.

[Video description begins] He scrolls down in the windows pane. [Video description ends]

So now first, in the Security, Identity, and Compliance section, we will click on IAM, which is Identity and Access Management.

[Video description begins] A page titled "IAM Management Console" displays. The windows pane contains two sections, namely: IAM Resources, Security Status. The first section is divided into the following sub sections, namely: Users, Groups, Roles, Identity Providers. The second section displays the security status information. The navigation pane contains "Dashboard", which is divided into two sections: Access management and Access reports. The "Access management" section contains the following options, namely: Groups, Users, Roles. The "Access reports" section contains the following options, namely: Access analyzer, Credential report. [Video description ends]

Now, if you notice, when we come to the IAM Resources section, there are roles, policies, and of course, you have the option of activating MFA on your account.

[Video description begins] He explains the fields present inside the "Security Status". [Video description ends]

You can create individual IAM users. And now if we go back to AWS, there are a lot of other modules that are available for compliance.

[Video description begins] He scrolls down in the windows pane. [Video description ends]

Which means you can use several different modules within the AWS environment to ensure compliance.

So you also have something called Resource Access Manager. Then you have something called Secrets Manager. Now let's click on this particular option which is Secrets Manager.

[Video description begins] When he selects the option: Secrets Manager. A page titled: AWS Secrets Manager displays. The windows pane displays some text underneath the two headings, namely: How it Works and Benefits and Features. The following three cards displays towards the right in the windows pane, namely: Get Started, Pricing, Additional Information. [Video description ends]

Now Secrets Manager is nothing but a password repository. So what it does is let you keep your passwords in this particular vault. Let's go back to the console, and we can find various other options. For instance, we also have Firewall Manager here. We have the Certificate Manager. So we click on this particular option. In the Certificate Manager, you can keep your certificates, which could be either public, private, or internal.

[Video description begins] When he selects the option: Certificate Manager. A page titled: AWS Certificate Manager displays. The windows pane displays some text underneath the two headings, namely: Provision certificates and Private certificate authority. [Video description ends]

So now let's go back to the AWS Console. Now, when we are back at the AWS Console, you will again see there

[Video description begins] He scrolls down in the windows pane. [Video description ends]

are different options like Directory Services, you have Application Firewall, you have various other options that you can use for compliance purposes. Again, just to recap, we looked at different tools that are available within the AWS environment that can help you meet your compliance strategy.


Cloud Security and Services

Now in this video we will learn about some of the basic concepts of cloud security, wherein we will discuss the boundaries inside a cloud to see how they are secured, and what the basic aspects are. So one of the basic aspects of AWS as a cloud is the VPC, or virtual private cloud.
So when we say VPC, it is just a boundary that provides you basic security, in which you can create or assign certain objects such as subnets, routing tables, egress and ingress gateways, NAT gateways, and security groups.

[Video description begins] A page titled: VPC Management Console displays. The navigation pane contains a section: Virtual Private Cloud. This section contains the following links, namely: Your VPCs, Subnets, Route Tables, Internet Gateways. The windows pane displays two buttons at the top, which are labelled as: Launch VPC Wizard, Launch EC2 Instances. The section: Resource by Region displays underneath the buttons which contains multiple tabs. The following sections display towards the right in the windows pane, namely: Service Health, Account Attributes, Additional Information. [Video description ends]

So let's start with the VPC by clicking on the Launch VPC Wizard button. When we click on this button, we get to a page that is called Select a VPC Configuration. Now notice that there are four different options available. The first option is VPC with a single public subnet. So you have the Amazon VPC cloud, and within that you have a public subnet which is connecting to different services like S3 storage, DynamoDB, SNS, SQS, and the Internet. This is one typical deployment model for VPC which is widely used.

Now the second one is VPC with public and private subnets. The third one is VPC with public and private subnets and connecting to your corporate data center. And the fourth one is a VPC with a private subnet only and a connection to your corporate data center using a VPN connection. Now let's go back.

[Video description begins] He clicks the back button in the browser window and goes back to the: AWS Management Console page. He selects the link: VPC in the windows pane. [Video description ends]

When we click on VPC, we come to the resources by region page. Now here we have something called network ACLs. We click on that, and we move on to a page which shows us the network ACLs that have already been defined.

[Video description begins] A page titled: Network ACLs displays. The navigation pane contains a search bar to Select a VPC. A section titled: Virtual Private Cloud displays underneath the search bar. The following two buttons display at the top in the windows pane, namely: Create network ACL and Actions. The windows pane is further divided into two sections. The first section contains a table with the following six column headers that are labelled as: Name, Network ACL ID, Associated with, Default, VPC, Owner. The second section titled: Network ACL, which contains the following tabs, that are labelled as: Details, Inbound Rules, Outbound Rules, Subnet associations, Tags. [Video description ends]

So there are inbound rules. So when we click on this Inbound Rules tab,

[Video description begins] When he selects the: Inbound Rules tab, a button titled: Edit Inbound rules displays. A drop down, that is labelled as: View displays underneath the button. A table with the following six column headers displays underneath the drop down, namely: Rule #, Type, Protocol, Port Range, Source, Allow / Deny. [Video description ends]

we will see there are some inbound rules that are already defined. We click on Outbound Rules tab and Subnet associations.

[Video description begins] When he selects the: Outbound Rules tab, a button titled: Edit outbound rules displays. A drop down, that is labelled as: View displays underneath the button. A table with the following six column headers displays underneath the drop down, namely: Rule #, Type, Protocol, Port Range, Destination, Allow / Deny. [Video description ends]

[Video description begins] When he selects the: Subnet associations tab, a button titled: Edit subnet associations displays. A search bar to: filter by tags and attributes or by keyword displays underneath the button. A table with the following three column headers displays underneath the search bar, namely: Subnet ID, IPv4 CIDR, IPv6 CIDR. [Video description ends]

So there are different configurations that are already defined. So we can go through and review each one of these. Now let's go back to the AWS main homepage. So once we go there, we need to now click on VPC. We are back on the resources region page. So here now we need to define a security group. So we will just click on the security groups link.

[Video description begins] The: Security Groups link is present in the section: Resource by Region. When he clicks the: Security Groups link, a page titled: Security Groups displays. The windows pane displays two buttons at the top, titled: Create security group and Actions. A search bar to filter by tags, attributes and keywords displays underneath the two buttons. A table with the following seven column headers is present underneath the search bar, that are labelled as: Name, Group ID, Group Name, VPC ID, Type, Description, Owner. The table contains six rows. The left navigation pane displays the following links, namely: Subnets, Internet Gateways, Route Tables. [Video description ends]

Once we come to this particular point, we have several security groups that are already defined. So we can select one of these security groups and see the Inbound Rules.

[Video description begins] When he selects a row from the table. The following four tabs appears underneath the table, namely: Description, Inbound Rules, Outbound Rules, Tags. Currently, the: Description tab is selected, which displays information adjacent to the following fields, namely: Group ID, VPC ID, Group Name, Description. [Video description ends]

[Video description begins] When he selects the tab: Inbound Rules, a button titled: Edit rules displays. A table with the following column headers displays underneath the button, namely: Type, Protocol, Port Range, Source, Description. [Video description ends]

To be able to do that, we can scroll down and see there are various inbound rules that are defined. And then, scrolling up, we can again click on Outbound Rules and

[Video description begins] When he selects the tab: Outbound Rules, a button titled: Edit rules displays. A table with the following column headers displays underneath the button, namely: Type, Protocol, Port Range, Destination, Description. [Video description ends]

we will see that there is one particular outbound rule defined. Again, back on the Inbound Rules tab, there are certain inbound rules that are already defined. Let's go back to the AWS homepage by clicking on AWS.

[Video description begins] He clicks the AWS logo present in the top left corner of the screen. [Video description ends]
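Before moving on, as an added example that is not part of the course, here is a small Python model of how the network ACL and security group tabs we just reviewed decide on a request and its reply. The rule tables, addresses and helper names are constructed for this illustration.

```python
"""Added example (not from the course): how a network ACL and a security
group decide on the same traffic. Network ACL: stateless, entries checked in
ascending Rule # order, first match wins (Allow or Deny), the trailing '*'
entry denies the rest, and a reply needs its own entry the other way.
Security group: stateful and allow-only, any matching rule allows, no match
means deny, and the reply to allowed traffic is allowed automatically.
All rule tables and addresses below are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str          # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int         # Port Range column (ignored for icmp and all)
    port_to: int
    cidr: str              # Source (inbound) or Destination (outbound) column
    action: str = "allow"  # NACL entries may also be "deny"; SG rules are always allow
    number: int = 0        # Rule # column, meaningful only for NACL entries


def _matches(rule, pkt, direction):
    """Does this rule cover the packet when evaluated in the given direction?"""
    addr = pkt.src if direction == "inbound" else pkt.dst
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.port_from <= pkt.dst_port <= rule.port_to:
        return False
    return ip_address(addr) in ip_network(rule.cidr)


def nacl_decision(entries, pkt, direction):
    """Stateless: the lowest-numbered matching entry decides, else the '*' deny."""
    for entry in sorted(entries, key=lambda e: e.number):
        if _matches(entry, pkt, direction):
            return entry.action
    return "deny"


def sg_decision(rules, pkt, direction):
    """Allow-only: any matching rule allows; nothing matching means deny."""
    return "allow" if any(_matches(r, pkt, direction) for r in rules) else "deny"


def trace_request(request, acl_in, acl_out, sg_in):
    """Follow a request into an instance and its reply back out; 'completed' is
    True only when the request and the reply pass every filter on their path."""
    reply = Packet(src=request.dst, dst=request.src, protocol=request.protocol,
                   src_port=request.dst_port, dst_port=request.src_port)
    result = {
        "nacl_in": nacl_decision(acl_in, request, "inbound"),
        "sg_in": sg_decision(sg_in, request, "inbound"),
        # The NACL must explicitly allow the reply to the client's ephemeral port.
        "nacl_out": nacl_decision(acl_out, reply, "outbound"),
    }
    # The security group tracks connection state: a reply to traffic it allowed
    # in is allowed out regardless of its outbound rules.
    result["sg_out"] = result["sg_in"]
    result["completed"] = all(v == "allow" for v in result.values())
    return result


# Constructed sample tables for a web subnet inside VPC CIDR 10.0.0.0/16.
ACL_IN = [
    Rule("tcp", 22, 22, "198.51.100.0/24", "deny", 90),   # block SSH from one range first
    Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100),
    Rule("tcp", 22, 22, "0.0.0.0/0", "allow", 110),
]
ACL_OUT = [Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 100)]  # ephemeral ports for replies
SG_IN = [
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "10.0.0.0/16"),                   # SSH only from inside the VPC
]

if __name__ == "__main__":
    web = "10.0.1.10"
    cases = {
        "https from internet": Packet("203.0.113.5", web, "tcp", 51000, 443),
        "ssh from denied range": Packet("198.51.100.7", web, "tcp", 51001, 22),
        "ssh from internet": Packet("203.0.113.5", web, "tcp", 51002, 22),
        "ssh from inside vpc": Packet("10.0.2.3", web, "tcp", 40000, 22),
    }
    for name, pkt in cases.items():
        print(name, trace_request(pkt, ACL_IN, ACL_OUT, SG_IN))
    # With an empty outbound table the stateless NACL drops the reply.
    print("https, empty outbound NACL", trace_request(cases["https from internet"], ACL_IN, [], SG_IN))
```

The last case is the one that bites in practice: a security group would have let the reply out on its own, but the stateless network ACL needs the ephemeral-port outbound entry or the connection never completes.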

Now here we can scroll down and click on identity and access management, which is IAM link. After clicking this link we will be navigated to Welcome to Identity and Access Management page.

[Video description begins] The left navigation pane displays the following links, namely: Groups, Users, Roles, Policies, Access analyzer. The windows pane displays two sections, titled: IAM Resources and Security Status. [Video description ends]

Now in the left panel we click on the Users link, and

[Video description begins] The windows pane displays two buttons at the top, that are labelled as: Add user, Delete user. A search bar to: Find users by username or access key displays beneath the buttons. A table with the following six column-headers display beneath the search bar that are labelled as: User name, Groups, Access key age, Password age, Last activity, MFA. [Video description ends]

then we click on the Add Users option in the right pane. So once we do that, we will get a page to create a new user account. So let's click on the Add User button.

[Video description begins] A page titled: Add user displays. It displays the step one to add user. The windows pane is divided into two sections, namely: Set user details, Select AWS access type. The first section contains a text box that is labelled as: User name. The second section contains a field titled: Access type which contains two check boxes which are labelled as: Programmatic access and AWS Management Console access. [Video description ends]

So once we click on the Add user button, we get the option to create the user account. So first, we define the user name as hardy, and then we will need to assign access to hardy. Either we can assign access using an access key ID and secret key through the AWS API, command line, or software development kit, which is the SDK, or we can give access using the AWS Management Console.

[Video description begins] When he selects the: AWS Management Console access checkbox, two new fields titled: Console password and Require password reset appears. The first field contains two radio buttons that are labelled as: Autogenerated password, Custom password. A blank text box displays beneath the: Custom password radio button. The second field contains a check box that is labelled as: User must create a new password at next sign-in, that is currently selected. [Video description ends]

So for this video, we will go ahead with the AWS Management Console to assign the access. We can then have an autogenerated password or we can create a custom password. For the time being, we'll just go ahead with the autogenerated password.

Now, once we move ahead, should we require the user to change the password on the next logon? Yes, we should do that and therefore we will need to keep this option selected.

[Video description begins] The second step to Add user displays. It contains two sections titled: Set permissions, Set permissions boundary. The first section contains the following three tabs, namely: Add user to group, Copy permissions from existing user, Attach existing policies directly. Currently, Add user to group tab is selected, which contains a button: Create group. [Video description ends]

Now we can add the user to a particular group. So we do this by clicking on the Create group button.

[Video description begins] A dialog box titled: Create group displays. It contains a text box, which is labelled as: Group name. Two buttons display beneath the text box, that are labelled as: Create policy and Refresh. A search bar to Filter policies display beneath the buttons. The table with the following column headers display beneath the search bar, which are labelled as: Policy name, Type, Used as, Description. The "Cancel" and "Create group" buttons display at the bottom right of the dialog box. [Video description ends]

So here we define a name for the group that we are creating. The group name is Employee_RO, and then we filter the policies by read only. So we will scroll down through the various policies and see if there is any relevant policy that we want to assign. There are a lot of policies that are filtered based on the read only keyword. Now we can select any of these policies for the time being, or we can simply go ahead and create the group without assigning a policy. Policies can always be assigned later on. So if we don't find any policy as we scroll down, we simply go ahead and create the group. Now the Employee_RO group has been created.

[Video description begins] The page with the heading "Add user" displays. The section: Add user to group now displays two buttons, namely: Create group and Refresh. A table displays beneath the buttons which contains two column headers that are labelled as: Group and Attached policies. The table displays a row with the "Group" value: Employee_RO. [Video description ends]

So we can also change the permission type.

[Video description begins] He selects the tab: Copy permissions from existing user. A wizard titled: Change permission type displays. The "Cancel" and "Change type" buttons display at the bottom right of the wizard. [Video description ends]

But for the time being, we'll just continue without changing the permission type.

Now we can attach any existing policies after the group has been created.

[Video description begins] He selects the tab: Attach existing policies directly. A button titled: Create policy displays beneath the tabs. A search bar to Filter policies display beneath the button. A table with the following three column headers display beneath the search bar, namely: Policy name, Type, Used as. [Video description ends]

So here we search for read only, and the filtering has been applied. We get the policies that match the keyword, which is ReadOnly. So now we scroll down and select various policies. Here we are selecting EC2 read only access, and then we select more policies depending on our requirement. So we'll just go in and select one more policy and finalize the user.

[Video description begins] He selects a row from the table. [Video description ends]

So we also have the option to add tags.

[Video description begins] The third step to: Add user displays. It contains a section titled: Add tags. A table with the following three column headers displays, namely: Key, Value, Remove. The "Key" and "Value" can be entered through a text box. [Video description ends]

So we are going to add a tag here. The key is name and the value we can define as ReadOnly. And then we proceed to the review of the configuration that we are assigning to this particular user.

[Video description begins] The fourth step to: Add user displays. It displays a section titled: Review. The windows pane displays the details under various sections. [Video description ends]

So here, we have assigned three policies in total to the particular user, and now the user is created.

[Video description begins] The fifth step to: Add user displays. The screen displays a success message. A button titled: Download.csv displays beneath the message. The table with the following three column headers display beneath the button, namely: User, Password, Email login instructions. A newly created User: hardy displays in the table. [Video description ends]

We click on Show, and we can see the password for that particular user. Now this particular URL can be used to connect to the AWS Management Console.

[Video description begins] He moves back to the: IAM Management Console page. The "Users" tab is selected in the navigation pane. The windows pane displays the recently created new user with: User name: hardy. [Video description ends]

Now, clicking on user hardy, we can see there are certain configurations that have been assigned for this particular user.

[Video description begins] The windows pane displays a section titled: Summary. It contains three fields that are labelled as: User ARN, Path, Creation time. The following tabs display beneath the fields, namely: Permissions, Groups, Tags, Security credentials and Access Advisor. Currently, the "Permissions" tab is selected. The "Permissions" tab contains a section labelled as: Permissions policies. The "Add permissions" button displays beneath the heading. The table with the following two column headers displays beneath the button, namely: Policy name, Policy type. [Video description ends]

We can also assign multi-factor authentication for this particular user.

[Video description begins] He selects the "Security credentials" tab. It displays two sections which are titled as: Sign-in credentials and Access keys. The first section contains the following fields, namely: Summary, Console password, Assigned MFA device, Signing certificates. The second section displays a button: Create access key. [Video description ends]

To do that, we click on the Manage link and Virtual MFA device is already

[Video description begins] The "Manage" link is present against the field: Assigned MFA device. When he clicks the "Manage" link, a wizard titled: Manage MFA device appears. It contains three radio buttons, which are labelled as: Virtual MFA device, U2F security key, Other hardware MFA device. The "Cancel" and "Continue" buttons display at the bottom of the wizard. [Video description ends]

selected by default so I'll just click on the Continue button here.

[Video description begins] A wizard titled: Set up virtual MFA device displays. It contains a three step process. Number one is to: Install a compatible app on your device or computer. Number two is: Use your virtual MFA app and your device's camera to scan the QR code. Number three is: Type two consecutive MFA codes below in a text box, that is labelled as: MFA code 1. The "Cancel", "Previous" and "Assign MFA" buttons display at the bottom right of the wizard. He clicks the "Assign MFA" button. [Video description ends]

We can show the QR code, which we can scan with Google Authenticator. For the time being, we will just cancel that out. Now we have just seen the process of creating a user and creating certain identity and access management permissions. We can also assign certain rules and policies to this particular user account named hardy. So now, just to recap, we learned about creating a user, and we learned about assigning a user to a particular group. We also learned about assigning identity and access management permissions and rules.
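As an added example that is not part of this course, here is a simplified Python model of how IAM would decide requests from the user hardy we just created, through the Employee_RO group's read-only policy plus a directly attached policy that pairs with the MFA step. The policy documents are constructed, cut-down samples rather than AWS's managed policies, and only Action/NotAction wildcards, Resource "*" and a Bool condition on aws:MultiFactorAuthPresent are modelled.

```python
"""Added example (not from the course): a simplified IAM decision model for
the user created in the walkthrough.

IAM logic modelled here: every request starts as an implicit deny, an Allow in
any attached policy grants the action, and an explicit Deny anywhere overrides
every Allow. Policy documents are constructed, cut-down samples.
"""
from fnmatch import fnmatchcase

# Constructed stand-in for the read-only policy attached to the Employee_RO group.
EC2_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics"],
        "Resource": "*",
    }],
}

# Constructed policy that goes with the MFA step: the user may only look at or
# set up their MFA device until the session has been authenticated with MFA.
REQUIRE_MFA = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:ListMFADevices", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "NotAction": ["iam:ListMFADevices", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """Action lists support IAM's '*' wildcard; NotAction inverts the list."""
    if "Action" in statement:
        return any(fnmatchcase(action, pat) for pat in _as_list(statement["Action"]))
    return not any(fnmatchcase(action, pat) for pat in _as_list(statement["NotAction"]))


def _condition_holds(statement, context):
    """Only the Bool operator is modelled; a missing context key counts as false."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, context=None):
    """Return 'allow' or 'deny' for one action across all attached policies."""
    context = context or {}
    decision = "deny"                      # implicit deny until an Allow matches
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_action_matches(stmt, action) and _condition_holds(stmt, context)):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"              # explicit deny overrides every allow
            decision = "allow"
    return decision


# Group and user as created in the console walkthrough (constructed records).
GROUPS = {"Employee_RO": [EC2_READ_ONLY]}
USERS = {
    "hardy": {"groups": ["Employee_RO"], "policies": [REQUIRE_MFA], "tags": {"Name": "ReadOnly"}},
}


def effective_policies(user_name):
    """Policies inherited through group membership plus those attached directly."""
    user = USERS[user_name]
    return [p for g in user["groups"] for p in GROUPS[g]] + user["policies"]


def user_can(user_name, action, mfa=True):
    """True if the user may perform the action in a session with or without MFA."""
    context = {"aws:MultiFactorAuthPresent": "true" if mfa else "false"}
    return evaluate(effective_policies(user_name), action, context) == "allow"


if __name__ == "__main__":
    for action, mfa in [("ec2:DescribeInstances", True), ("ec2:TerminateInstances", True),
                        ("ec2:DescribeInstances", False), ("iam:ListMFADevices", False)]:
        print(f"hardy {action} mfa={mfa}: {'allow' if user_can('hardy', action, mfa) else 'deny'}")
```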


Building Blocks of Cloud Security

Let's now learn about the building blocks of cloud security. There are different building blocks in cloud security. The first one is the data center building block. Now the industry is moving to a software-defined everything model where networking, storage, and in fact the entire data center move to the cloud. Which means that on-premise data centers are reducing, and the cloud-based data centers could be in the form of software as a service, or platform as a service, or infrastructure as a service.
Now, everybody's basically moving to one of these platforms. Then we have the hardware building block. Remember that in the on-premise infrastructure, we had complicated hardware and complicated setups, and there were a lot of hardware devices. Now, when we are talking about cloud computing, all this complicated infrastructure is moving to the cloud, which means it is taking the shape of software and being delivered as software-based services. Then we have the software building block, in which everything is being delivered as software.

So now we have healthcare as a service. We have security as a service. We have mobile as a service. Everything is being delivered as a service. So, of course, to deliver everything as a service, you need to have that kind of software infrastructure put in place. There are complicated applications that have been installed on your own, or depending on the cloud deployment model that you're using. So, basically, there are three building blocks of cloud security. Now that you have these three building blocks, you have to put in a security process, or a software or a module, that can secure these building blocks. Remember, if any of these building blocks is not secured, you can have serious data breaches, which could start from your hypervisor and go on to the applications. So if anybody gets into any of these building blocks, you will have a lot of data loss.

You will have data breaches. And of course, there could be a lot more complications, which could lead to lawsuits and non-compliance with certain regulations like PCI DSS, or HIPAA, or maybe ISO. So you ought to make sure that all these three building blocks are properly secured. And there could be different types of security controls that you will have to put into place to secure each one of these building blocks. So for instance, if you talk about the data center building block, it involves physical security. So you would have to put in physical security controls like cameras. You could also have motion sensors. You could also have security guards outside the building and within the building.

So there are different types of security controls you can implement. Similarly, for the software building block you could deploy a web application firewall (WAF). It depends which building block you are dealing with and how you want to secure it; you choose the security controls accordingly to reach the right level of security. Now, going ahead, let's look at each of these in detail. The first factor we are going to talk about is the data center. There are certain factors to consider when selecting a data center, and the location is very critical. Why? Because you want to ensure that the location is secure.

Secondly, you also want business and consumer proximity when selecting a location. If you have a large set of customers in a particular region, you do not want to put the data center some 2,000 miles away from them, because latency and speed would then be a concern for those consumers. If the data center sits in the same region as that large set of consumers, latency and speed will not be an issue. Whether the consumer is an individual customer or a business organization, speed and latency matter, and therefore you have to ensure business and consumer proximity. Take an example: for an organization in the business of real-time streaming, latency and speed are a critical concern, so you want to place the data center somewhere near its consumers.
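The proximity argument above has a physical floor: a signal cannot cross fibre faster than roughly two thirds of the speed of light, so distance alone sets a minimum round-trip time before any routing or queuing delay is added. The script below is an added example for this course section (not code from the original lecture); it ranks candidate sites by the user-weighted round-trip floor to the consumer regions and rejects any site that cannot meet a per-region budget. The sites, regions, user counts and the 200,000 km/s fibre figure are assumptions constructed for the example.

```python
"""Rank candidate data center sites by the propagation-latency floor to consumers.

Added example; not code from the course. All site, region and user figures are
constructed sample data, and the fibre propagation speed is an assumption.
"""
import math

FIBRE_KM_PER_MS = 200.0   # assumption: light in fibre ~ 200,000 km/s (about 2/3 of c)
EARTH_RADIUS_KM = 6371.0

# Constructed sample data: two candidate sites and two consumer regions.
SITES = [
    {"name": "Ashburn", "lat": 39.0438, "lon": -77.4874},
    {"name": "Phoenix", "lat": 33.4484, "lon": -112.0740},
]
REGIONS = [
    {"name": "New York",   "lat": 40.7128, "lon": -74.0060, "users": 3_000_000},
    {"name": "Washington", "lat": 38.9072, "lon": -77.0369, "users": 1_000_000},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def rtt_floor_ms(distance_km):
    """Lower bound on round-trip time: straight fibre path there and back, no detours, no queuing."""
    return 2 * distance_km / FIBRE_KM_PER_MS


def site_region_rtt_ms(site, region):
    return rtt_floor_ms(haversine_km(site["lat"], site["lon"], region["lat"], region["lon"]))


def weighted_rtt_ms(site, regions):
    """User-weighted mean RTT floor from one site to every consumer region."""
    total_users = sum(r["users"] for r in regions)
    return sum(site_region_rtt_ms(site, r) * r["users"] for r in regions) / total_users


def worst_rtt_ms(site, regions):
    """The slowest region decides whether a real-time workload is viable from this site."""
    return max(site_region_rtt_ms(site, r) for r in regions)


def choose_site(sites, regions, rtt_budget_ms=None):
    """Return (site name, weighted RTT floor) for the best site that keeps every
    region within rtt_budget_ms, or (None, None) when no candidate can."""
    candidates = []
    for site in sites:
        if rtt_budget_ms is not None and worst_rtt_ms(site, regions) > rtt_budget_ms:
            continue  # too far from at least one region, regardless of the average
        candidates.append((weighted_rtt_ms(site, regions), site["name"]))
    if not candidates:
        return None, None
    rtt, name = min(candidates)
    return name, rtt


if __name__ == "__main__":
    for site in SITES:
        print(f"{site['name']:8s} weighted floor {weighted_rtt_ms(site, REGIONS):5.1f} ms, "
              f"worst region {worst_rtt_ms(site, REGIONS):5.1f} ms")
    print("chosen with 20 ms budget:", choose_site(SITES, REGIONS, rtt_budget_ms=20))
```

The number this produces is a floor, not a forecast: real paths add router hops, queuing and the provider's peering detours, so a site that already fails the budget on propagation alone is out before you look at anything else.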

Now, the next factor is the climate. This is one of the obvious major factors when locating a data center. You do not want to put your data center in a location where hurricanes or floods are frequent; otherwise your data center will be out of service for a large part of the year. So you have to be very particular about the climate where you set up your data center, and you also have to look at geographic stability and extreme weather events. It should not be the case that the chosen location is prone to hurricanes, with one hitting every other month, or that floods are a frequent event. At the same time, you also do not want to put the data center in a location with very hot and humid weather, because that plays a critical role in how much power and cooling the data center will require.

So you have to watch out for all of these requirements and evaluate everything before deciding on a location. Moving on, we have power, which is a major cost in a data center. The service provider's prices will be affected by how much power is available in a location and what that power costs. In some states, for instance, the cost of power is higher than in others, so you would rather put your data center in a state where power is cheaper. This is another factor you have to look into. Let's now move on to the hardware building block.

When we talk about a data center, the hardware building blocks are the most important factor, because without physical servers you cannot run a data center. Similarly, without physical servers you cannot run a cloud computing environment: you need something physical to build your infrastructure on. They therefore form the base of any cloud computing data center. The first one is the compute servers: physical servers running either Windows or a hypervisor such as VMware ESXi, depending on which service provider you have opted for and which hypervisor they use. The hypervisor runs on the physical servers and is required to run the virtual machines, which in turn can run different operating systems, whether Windows or any Linux distribution. Then you have the storage servers. The compute servers give you the power to run the operating systems, but you also need something to store the cloud consumers' data.

What would that be? The storage servers. Then you have the hyperconverged servers. These can run Windows Server or Linux and function as a complete box, because they have the compute power and the storage function built into a single server: they are configured with the hypervisor as well as the storage. Next we look at the physical network. Cloud computing cannot run in thin air; it needs a physical network, made up of the physical switches and the routers that route traffic from one location to another. We do have virtual machines and virtual routers that play a key role in cloud computing, but underneath them you still need the physical infrastructure in place for the cloud to run at all. This is why most cloud service providers have data centers that are huge in terms of the capacity they can run.

So the physical network is the backbone of the cloud computing environment. Then we have the software building block, which includes the application workloads that run inside the virtual machines and provide services to the end users. These application workloads need to be protected. Then there are virtual appliances, which are nothing but pre-configured virtual machines. They are portable, meaning you can take one from one hypervisor and run it on another. Many cloud service providers and organizations deliver open source virtual appliances, which means you can run them as you want, wherever you want, reconfigure them to your requirements and, because they are open source, obtain the code of the applications running inside them. As I said earlier, these appliances are pre-configured, and a pre-configured appliance can act as almost anything.

For instance, a virtual machine can act as a hardware appliance: as a firewall, as a storage system, or as a development environment, meaning that when a user installs the virtual appliance it already has the development tools for the developer to start coding. Then we have platform as a service (PaaS) infrastructure. Remember that with PaaS most of the infrastructure is controlled by the cloud service provider; as a cloud consumer you only have control over the application and its data. Some of the examples we discussed earlier were AWS Elastic Beanstalk, Windows Azure, force.com and OpenShift. Then we have the virtualization software, which runs on the physical infrastructure and is capable of running virtual machines, virtual storage and even virtual networks. To recap, we talked about the different building blocks of cloud security: the data center building block, the hardware building block and the software building block.
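Returning to the virtual appliances described above: because an appliance is a complete, pre-configured machine that you pull from somewhere else and run on your own hypervisor, the one check that belongs before every import is that the image you downloaded is the image the publisher released. The script below is an added example for this course section (not code from the lecture or from any appliance vendor); it verifies a downloaded appliance directory against a published SHA-256 manifest and refuses the import on a digest mismatch, a missing file, or a required file the manifest does not even list. The manifest format (sha256sum-style "digest  filename" lines), the file names and the sample appliance contents are assumptions constructed for the example.

```python
"""Verify a downloaded virtual appliance against its published SHA-256 manifest.

Added example; not code from the course. The manifest format, the file names
and the sample appliance contents are assumptions constructed for this example.
"""
import hashlib
import hmac
import os
import tempfile

REQUIRED_FILES = ("appliance.ovf", "appliance-disk1.vmdk")  # assumed appliance layout


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-gigabyte disk image is never read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines into {file name: expected hex digest}.
    Malformed lines are rejected, not skipped: a manifest you cannot parse is not one you can trust."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # sha256sum marks binary mode with '*'
        expected[os.path.basename(name)] = digest
    return expected


def verify_appliance(directory, manifest_text, required_files=REQUIRED_FILES):
    """Return (ok, problems). Every required file must be listed in the manifest and
    match its digest; an unlisted disk image is as fatal as a wrong hash, because an
    extra or substituted image is exactly what an attacker would want you to import."""
    expected = parse_manifest(manifest_text)
    problems = []
    for name in required_files:
        path = os.path.join(directory, name)
        if name not in expected:
            problems.append(f"{name}: not listed in manifest")
            continue
        if not os.path.isfile(path):
            problems.append(f"{name}: file missing")
            continue
        actual = sha256_file(path)
        # Constant-time comparison costs nothing here and is a good habit for any digest check.
        if not hmac.compare_digest(actual, expected[name]):
            problems.append(f"{name}: digest mismatch (expected {expected[name][:12]}..., got {actual[:12]}...)")
    return (not problems), problems


def build_sample_appliance(directory, tamper=False):
    """Write a constructed two-file appliance and return a matching manifest.
    With tamper=True the disk image is altered after the manifest was produced."""
    files = {
        "appliance.ovf": b"<Envelope><!-- constructed OVF descriptor --></Envelope>\n",
        "appliance-disk1.vmdk": bytes(range(256)) * 16,  # stand-in for a disk image
    }
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    manifest = "".join(f"{sha256_file(os.path.join(directory, n))}  {n}\n" for n in files)
    if tamper:
        with open(os.path.join(directory, "appliance-disk1.vmdk"), "ab") as f:
            f.write(b"\x00")  # one trailing byte is enough to change the digest
    return manifest


def run_sample_check(tamper=False, required_files=REQUIRED_FILES):
    """End-to-end: build the constructed appliance in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as d:
        manifest = build_sample_appliance(d, tamper=tamper)
        return verify_appliance(d, manifest, required_files)


if __name__ == "__main__":
    for tamper in (False, True):
        ok, problems = run_sample_check(tamper=tamper)
        print("tampered" if tamper else "clean", "->", "import allowed" if ok else problems)
```

A hash manifest only proves the files match what the publisher wrote down, so the manifest itself has to come over a channel you trust (the publisher's HTTPS page, or better, a detached signature); otherwise whoever replaced the image can replace the manifest alongside it.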