Hi, I'm Nataraj Nagaratnam and I'm from IBM Cloud. Traditionally, when you deploy an application you have the entire data center and the servers that you run, and you're responsible for all of it. In the cloud model, that's a shared responsibility between you and the cloud provider.

In a shared responsibility model you need to rethink security in terms of what your responsibility is and what the cloud provider's responsibility is. Let's take platform-as-a-service (PaaS) as an example. With PaaS, you're building applications, migrating data to the cloud, and running those applications on the cloud. So you're responsible for securing the applications, the workload and the data, while the cloud provider is responsible for managing the security of the platform: making sure it's compliant and secured from the network and the platform on down, managing the containers, the runtime and isolation, so that you have your own space within the platform.

Whereas if you are adopting and migrating workloads to the cloud using infrastructure-as-a-service (IaaS), then the cloud provider manages the hypervisor on down if you are using virtual servers; or, if you are using bare metal, you completely control everything from the operating system on up: the virtual servers that you run and the data you bring in.

So it's very important to understand the adoption model, whether you're consuming IaaS or PaaS, or SaaS, where the cloud provider manages all of the applications and the security offered and you worry about the data that you bring in, and to plan accordingly. That's very important because it's part of understanding your responsibility in ultimately managing the risk and compliance of the workloads and the data that you bring to the cloud.

Now let's talk about architecture. When you build applications, migrate applications and modernize your apps, let's start with data. With all the risk that you deal with, the kind of data matters. Is it confidential data, is it public data, or is it sensitive data that may deal with private information? Consider all those factors and make a secure design around what your data security architecture should be.

Make sure you have data-at-rest encryption so that the data is always encrypted, whether you use a database as a service, an object store as a service, or other ways to store data like block storage. Encryption is for amateurs; we think about key management for professionals. Having more control of your keys gives you the ability, in the context of the shared responsibility model, to own your data and have complete control of it. So as you think about key management, make sure you have an approach: if you are bringing confidential data you may want to bring your own keys; for sensitive data you may want to keep your own keys. So the more control you have over the keys, and over the hardware security module in which the key processing (the encryption and decryption operations) happens, the more responsibility you can take on.

So encrypt data at rest and data in motion, as it comes from services to data stores or applications, so that as you think about data going out, your requests and API requests are covered all the way as data in motion. And in the new world we need to start thinking about when the application is actually processing the data: that is going to be data in its memory. So you can start to protect data using hardware-based technologies where you can protect in-memory data as well, so that when it is in use and in memory by the applications you can protect it. So take a holistic approach to data protection at rest, in motion and in use, with full control of your keys. It can be bring your own keys, or even better, push the boundary with keep your own keys.

For the application that serves the data, it's not only about which application needs to have access; make sure the data access is on a need-only basis. Do not open up your data services to the whole world, be it network access or letting everybody access the data. Make sure you know exactly which applications need to access the data, or which users need to access it, to run your cloud applications.

From an application viewpoint, make sure there are no vulnerabilities in your application, so scan your applications. Have an AppSec (application security) approach so that you can do dynamic scanning or static scanning of your application before you deploy it into production. In a cloud-native environment you're deploying container images, so you can scan your images: scan them for vulnerabilities before you deploy, and set your policies so that you only ever have secured images in production. If there is any vulnerability, in the new world you don't need to patch these systems; you just spin up a new container and off you go. That's the beauty of a cloud-native approach: you have security built in at every step. So at the container level, and in the applications that serve the business logic, you can start to protect it.

Then when you look at the users coming in, you want to manage access in terms of who the user is and where they are coming from. So for identity, you need to establish who the user is, or which service it is, based on the identity of those services or users, so that you can manage access control to your application or data. Also, from the perspective of network access, you want to make sure only authorized users can get in, and if there are intruders out there you can set it up so that they are prevented from accessing your application and your data in the cloud, be it through web application firewalling, network access control, or denial-of-service and distributed denial-of-service protection, and have intelligence built into these network protections as well. So both identity and network.

In essence, you are protecting your data, and you need to manage access to your apps and the workloads and the data that you have deployed on the cloud. You need to have continuous security monitoring so that you know at any point whether you're compliant with your policies, and you can watch out for threats that you need to manage. Having an approach and a set of tools to manage security and compliance posture is very important. So: gaining insights about your posture, compliance and threats. From your deployment environment you can garner information, be it security events, audit logs, or flow logs from the network or system, that can be fed in so that you can figure out what your posture, compliance and threats are. That is not only important for you to gain insight; you need to have actionable intelligence so that you can start to remediate. You may figure out there's a vulnerability: a container image that you have deployed is vulnerable, so you can re-spin the container to remediate and spin up a new container. There may be a particular access that seems to be coming in from a suspicious network IP address, so you can block that. So the ability to gain visibility and insights, and to turn those insights into actionable intelligence and remediate, is very important.

So let's talk about DevOps. DevOps is about development and operations. Traditionally we think: okay, there's an application team that is doing the design and architecture and building code, and then you throw it over the wall for the enterprise security team to secure it and manage it. That should be rethought. Fundamentally it's not just about Dev and Ops; security needs to be a forethought, not an afterthought. So it should become a SecDevOps approach to the way you build, manage and run your applications. You need to embed security into the entire lifecycle, what we call shift left: not only do you manage security, but you shift left through the entire process. You need to have a secure design, so as you plan and as you design, ask what kind of data am I going to put in, what level of classification, what kind of applications am I building, is it container-based, is it a workload that I'm migrating? Take that into account, along with what integrations you need to do, so that you can plan it and architect it. Then as you build it, embed security as part of that process, so you have security-aware applications. For example, you may want to encrypt your sensitive data; you may want to encrypt the data from your applications before you even store it into a data store. So with a secure build you manage security as part of SecDevOps: you have secure design and architecture, you pass that on and build secure applications, and you deploy and manage security in a continuous fashion. Then you have a closed loop, so that whatever you find, you may need to remediate or re-architect your application, or implement certain things as the threat landscape evolves.
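The image-scanning policy ("only secured images in production") and the monitoring loop ("flow logs fed in, turned into actionable intelligence: re-spin the vulnerable container, block the suspicious IP") from the talk above, as an added example that is not part of the video or of IBM's tooling. The scan-report shape, the flow-log line format, the image names, the IP addresses and the policy thresholds are all constructed for the illustration.

```python
"""Admission gate plus posture findings over constructed scan reports and flow logs.

Added illustration, not IBM's code: every format and value below is made up for the example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed image scan reports, in a hypothetical scanner output shape.
SCAN_REPORTS = {
    "registry.example/orders:1.4.2": {"scanned": True, "findings": {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 4}},
    "registry.example/orders:1.4.1": {"scanned": True, "findings": {"CRITICAL": 2, "HIGH": 3, "MEDIUM": 1}},
    "registry.example/payments:0.9.0": {"scanned": False, "findings": {}},
}

# Constructed inventory: which image each running container was spun up from.
RUNNING = {
    "orders-7c9f": "registry.example/orders:1.4.1",
    "orders-a21b": "registry.example/orders:1.4.2",
}

# Constructed flow-log lines: "<timestamp> <src_ip> -> <dst_ip>:<port> <action>".
FLOW_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 -> 10.0.2.15:443 DENY
2024-05-01T10:00:02Z 203.0.113.7 -> 10.0.2.15:22 DENY
2024-05-01T10:00:03Z 198.51.100.4 -> 10.0.2.15:443 ACCEPT
2024-05-01T10:00:04Z 203.0.113.7 -> 10.0.2.16:3306 DENY
2024-05-01T10:00:05Z 203.0.113.7 -> 10.0.2.16:5432 DENY
2024-05-01T10:00:06Z 198.51.100.4 -> 10.0.2.15:443 ACCEPT
"""


@dataclass
class Policy:
    require_scan: bool = True
    # Maximum number of findings tolerated per severity; anything else is blocked.
    max_by_severity: dict = field(default_factory=lambda: {"CRITICAL": 0, "HIGH": 2})
    deny_threshold: int = 3  # denied flows from one source before it is flagged


def admission_decision(image: str, reports: dict, policy: Policy) -> tuple[bool, str]:
    """Decide whether an image may run in production under the policy."""
    report = reports.get(image)
    if report is None or (policy.require_scan and not report["scanned"]):
        return False, f"{image}: no scan result, deploy blocked"
    for sev, limit in policy.max_by_severity.items():
        count = report["findings"].get(sev, 0)
        if count > limit:
            return False, f"{image}: {count} {sev} findings exceed limit {limit}"
    return True, f"{image}: admitted"


FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ACCEPT|DENY)$")


def suspicious_sources(flow_log: str, policy: Policy) -> dict[str, int]:
    """Count DENY flows per source IP and return the sources at or above the threshold."""
    denies: Counter = Counter()
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole pipeline
        _ts, src, _dst, _port, action = m.groups()
        if action == "DENY":
            denies[src] += 1
    return {ip: n for ip, n in denies.items() if n >= policy.deny_threshold}


def posture_findings(running: dict, reports: dict, flow_log: str, policy: Policy) -> list[str]:
    """Turn inventory plus logs into the actionable items the talk describes."""
    actions = []
    for container, image in running.items():
        ok, why = admission_decision(image, reports, policy)
        if not ok:
            actions.append(f"respin {container}: {why}")
    for ip, n in suspicious_sources(flow_log, policy).items():
        actions.append(f"block {ip} at network ACL: {n} denied flows")
    return actions


if __name__ == "__main__":
    for action in posture_findings(RUNNING, SCAN_REPORTS, FLOW_LOG, Policy()):
        print(action)
```

The same `admission_decision` is meant to run twice: once as the gate before deployment, and again over the running inventory, because an image that was clean when admitted can become vulnerable when a new finding is published against it; that second pass is what produces the "respin" action rather than a patch.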
Hi and welcome. In this video I will discuss various concepts related to cloud computing, including its characteristics, its service models and deployment models, and various security issues related to cloud computing. Before moving further, please turn on subtitles for this video and do subscribe to my channel for similar videos.

In cloud computing, the storage and the processing are not performed locally on the system; rather, they are performed over the network. Therefore cloud computing is also known as internet-based computing or remote virtualization, because the actual hardware or infrastructure is virtualized from the user. Computing is performed in the cloud, so the complexity of this computing is isolated from the user.

In cloud computing, the cloud service provider (CSP) provides a shared pool of storage, networking and processing resources, and this is also known as resource pooling. There are two layers of this shared pool of resources: the first layer is the physical or hardware layer, i.e. the network devices, the physical servers or the physical storage devices; then upon this physical layer there is a layer of abstraction for manifestation of the cloud application to the user or to the cloud service provider. So there is minimum management overhead on the user; the cloud infrastructure is managed by the cloud service provider and the user has no direct interaction or involvement with the physical hardware, so this infrastructure remains transparent to the user.

Now, this cloud supports, and is compatible with, a broad range of heterogeneous devices, e.g. your desktops, your laptops and your mobile phones. The cloud service provider manages the data centers, which are distributed, and these data centers are available anywhere on the network or over the Internet. The functions provided by these data centers are distributed geographically using edge servers, and the edge server is also an important concept with regard to content distribution or content delivery networks (CDN), where the user is provided services from the server which is located geographically near its location.

Now, the cloud provides services to multiple tenants, that is, multiple customers. One characteristic of the cloud is the rapid provisioning of these services to the user as per the demand of the user, and this demand is scalable. The cloud also provides elasticity: it means that you can shut down hardware if it is no longer required and then turn it on when it is required. Cloud computing also supports self-service; it means that the customer can provide/allocate resources to itself without the interaction of the cloud service provider. The cloud also provides measured/metered services; it means that you pay as per your use of the cloud resources, and these measured/metered services are monitored and reported for transparency and optimization, and this report is available for the user and also for the cloud service provider.

There are certain issues with cloud computing. The first issue, which is the most important issue, is data privacy (the data of the user), and what the user can do is perform pre-encryption of its data before putting it on the cloud. Another aspect is compliance with the local policy or the local regulations, so before using the cloud service provider, any organization may investigate the cloud service provider for compliance with the organization's policies or with the local laws. Another concern is related to the geographical location of the actual cloud hardware, which is in the control of a third party; the user organization may perform stringent service level agreements (SLAs) and other contracts with the cloud service provider. Another concern is the network connectivity, which is a MUST for using the cloud service provider's services. Another aspect is the limited customization which is available for the user, so in contracts the user organization may define the responsibility matrix, dividing the responsibilities between the user organization and the cloud service provider. Another aspect of concern is virtual machine escape or VM escape: because this is actually an advanced form of virtualization, if any virtual machine gets compromised, this compromise may lead to the compromise of other machines. Another concern is that the cloud service provider may go out of business, and another concern is regarding the disaster recovery mechanisms employed by the cloud service provider.

Now coming over to the service models: there are basically three service models, and these are software as a service (SaaS), second is platform as a service (PaaS), and third is infrastructure as a service (IaaS). In software as a service (SaaS), the user has minimum control and therefore minimum operational overhead; then in platform as a service (PaaS), the user has more control over the cloud and therefore more overhead; and in infrastructure as a service (IaaS), the user has maximum control over the cloud infrastructure and therefore maximum overhead. An example of software as a service (SaaS) is that the user may use an application which is being provided by the cloud service provider, so the user is only the user of this application. A term related to software as a service (SaaS) is security as a service (SECaaS), where security is provided as software only, by the cloud service provider, e.g. vulnerability testing, penetration testing and antivirus services. Another related concept is the cloud access security broker (CASB), which is basically a policy enforcer between the cloud service provider and the user organization. Now the second model is platform as a service (PaaS); an example of platform as a service is that you are provided with a platform to deploy a specific application. Third is infrastructure as a service (IaaS), where you can deploy any operating system or any application.

There are four deployment models, i.e. private cloud, which is a dedicated cloud for a single organization; community cloud, which is the cloud for similar stakeholders; public cloud, which is open for all; and hybrid cloud, which is a combination of the three deployment models above.

Now first of all, I will go further into the details of these service models. Once we talk about software as a service (SaaS), the user has to just use the application which is provided by the cloud service provider, and the user has control only over the user-specific configuration of this application. E.g. this application can be accessible from a thin client interface, e.g. your web browser, and using this web browser you are accessing this application, e.g. an email application provided by Gmail, or any other program interface. So there is no licensing cost or other operational or hardware cost for the user, but there is a subscription cost for using this application; so there is more subscription cost and less operational and maintenance or upfront cost. In platform-as-a-service (PaaS), the operating systems and programming tools are provided by the cloud service provider and the user just has to use this software stack to deploy its own application, so the user can just deploy its application. Then third is infrastructure-as-a-service (IaaS). In infrastructure-as-a-service (IaaS), the virtualized infrastructure, in the shape of processing (virtual servers), memory and storage, is provided to the user, and also the network, but the actual hardware is never provided to the user, so the actual hardware still remains the responsibility of the cloud service provider.

Once we talk about the further details of the deployment models: a private cloud is deployed for a single organization, and it may be operated by this organization or it may be operated by a third party, and it may be located on the premises of the user organization or it may be located off the premises, on the premises of the cloud service provider. Once it is located on the premises of the organization, then the organization has more control but it has more operational and maintenance overhead and more upfront cost of hardware and licensing cost, but there is no subscription cost. Once it is located off the premises of the user organization but on the premises of the cloud service provider, then all the upfront cost and hardware cost and/or the licensing cost is borne by the cloud service provider and the user is only responsible for the subscription cost, that is, monthly. Now once we talk about community cloud, organizations with similar/shared concerns, or a shared policy or security concern, can deploy this community cloud, and it may be operated by any member of this community or it may be operated by a third party, and it may be located on the premises of any of the organizations in the community, or on the premises of a third party, or on the premises of the cloud service provider. The third deployment model is the public cloud, which is an open cloud for the use of everyone, maybe on the Internet; it may be owned by any business/academia/government and it is located only on the premises of the cloud service provider. The fourth deployment model is the hybrid model, which is a combination of all the above deployment models, i.e. private cloud, community cloud and public cloud. So in this hybrid cloud, the private cloud operates in a distinct manner, as a distinct entity, maybe from the public cloud, e.g. using the private cloud for certain critical services and using the public cloud for less critical services; or maybe you are using the private cloud and once the load is more on the cloud then you are shifted to the public cloud, and this is also called cloud bursting, where you shift the load of the cloud services to maybe the public cloud or another cloud deployment model.
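Both videos make the same point from different ends: the first says to push from "bring your own keys" to "keep your own keys", the second says the user's answer to the data-privacy concern is to pre-encrypt data before putting it on the cloud. The added example below (not from either video, and not any provider's SDK) shows the key hierarchy that makes this work: a customer-held key-encrypting key (KEK) that never leaves the customer's key service wraps a fresh per-object data-encrypting key (DEK), and the cloud store receives only ciphertext plus the wrapped DEK. The cipher is a stand-in chosen so the example runs on the Python standard library alone: an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag. The `CustomerKeyService` class, the object names and the sample record are assumptions made for the illustration; in real deployments the KEK sits in an HSM-backed key service and the payload cipher is an AEAD such as AES-GCM.

```python
"""Client-side (pre-)encryption with a customer-held KEK wrapping per-object DEKs.

Added example, not code from either video. The keystream/MAC construction is a
standard-library stand-in for a real AEAD; the key hierarchy is the point.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


class KeyUnavailable(Exception):
    """Raised when the customer's KEK has been destroyed (crypto-shredding)."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag; the tag binds aad, nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first (constant-time), then decrypt."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key, wrong object name, or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class StoredObject:
    """What actually lands in the cloud object store: ciphertext plus wrapped DEK."""
    name: str
    ciphertext: bytes
    wrapped_dek: bytes


class CustomerKeyService:
    """Stand-in for the customer-controlled KMS/HSM (bring/keep your own keys).

    The KEK is generated here and is never handed to the cloud store.
    """
    def __init__(self) -> None:
        self._kek = os.urandom(32)

    def wrap(self, dek: bytes, name: bytes) -> bytes:
        if self._kek is None:
            raise KeyUnavailable("KEK destroyed")
        return _seal(self._kek, dek, aad=name)  # aad ties the DEK to its object name

    def unwrap(self, wrapped: bytes, name: bytes) -> bytes:
        if self._kek is None:
            raise KeyUnavailable("KEK destroyed")
        return _open(self._kek, wrapped, aad=name)

    def destroy(self) -> None:
        self._kek = None  # every object wrapped under this KEK is now unreadable


def put_object(kms: CustomerKeyService, name: str, data: bytes) -> StoredObject:
    dek = os.urandom(32)  # fresh per-object data key, so one DEK exposure is one object
    return StoredObject(name, _seal(dek, data, aad=name.encode()), kms.wrap(dek, name.encode()))


def get_object(kms: CustomerKeyService, obj: StoredObject) -> bytes:
    dek = kms.unwrap(obj.wrapped_dek, obj.name.encode())
    return _open(dek, obj.ciphertext, aad=obj.name.encode())


def plaintext_visible_to_provider(obj: StoredObject, plaintext: bytes) -> bool:
    """The provider's view: does the plaintext appear anywhere in what it stores?"""
    return plaintext in obj.ciphertext or plaintext in obj.wrapped_dek


def tamper_detected(kms: CustomerKeyService, obj: StoredObject) -> bool:
    """Flip one stored byte and report whether the read fails closed."""
    flipped = bytearray(obj.ciphertext)
    flipped[NONCE_LEN] ^= 1
    try:
        get_object(kms, StoredObject(obj.name, bytes(flipped), obj.wrapped_dek))
        return False
    except ValueError:
        return True


def shred_and_check(kms: CustomerKeyService, obj: StoredObject) -> bool:
    """Destroy the KEK and report whether the object is still readable."""
    kms.destroy()
    try:
        get_object(kms, obj)
        return True
    except KeyUnavailable:
        return False
```

The name is passed as associated data when sealing and when wrapping, so a wrapped DEK copied onto a different object, or an object renamed in the store, fails verification rather than decrypting silently; and because the provider only ever holds the wrapped DEK, destroying the KEK on the customer side is enough to render every object unreadable, which is the practical meaning of keeping your own keys.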