
Module 2 CyberOps

Uploaded by

jamie.lorenz009

Cisco CyberOps Short Course

Module 2: Introduction to Cloud Computing and Security
Cloud Computing & Cloud Service Models
Cloud Service Models

• Deployment of cloud solutions for application hosting is on the rise.

Source: https://www.hostingadvice.com/how-to/cloud-hosting-statistics/

• Primarily because organizations are looking to transition from capital
expenditure (CapEx) to operational expenditure (OpEx).

• Most organizations transition to a multi-cloud environment.

• Cloud Security is obviously more important than ever.


Advantages of Cloud Services

• The advantages of cloud-based services are numerous:

• Distributed storage.
• Scalability (vertically & horizontally).
• Resource pooling.
• Accessibility.
• Measured service.
• Automated management.
NIST on Cloud

• NIST Special Publication (SP) 800-145 provides a standardised set of
definitions for all aspects of cloud computing.

• Compares cloud services & deployment models.

• https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf
Cloud Essentials

• NIST state that cloud computing should have the following essential
characteristics:

Source: https://cic.gsa.gov/basics/cloud-basics
Cloud Deployment Models

• Public Cloud: Provisioned for open use by any consumer (e.g., business,
academic, government). The cloud infrastructure may be owned, managed, and
operated by the consumer, a third party, or a combination of them. It exists
on the premises of the cloud provider.

• Private Cloud: Provisioned for exclusive use by a single consumer. The cloud
infrastructure may be owned, managed, and operated by the consumer, a third
party, or some combination of them, and it may exist on or off premises.

• Community Cloud: Provisioned for exclusive use by a specific community of
consumers from organizations that have shared concerns (e.g., mission,
security requirements, policy, and compliance considerations). The cloud
infrastructure may be owned, managed, and operated by one or more of the
organizations in the community, a third party, or some combination of them,
and it may exist on or off premises.

• Hybrid Cloud: A composition of two or more distinct cloud deployment models
(i.e., private, community, public) that remain unique entities, but are bound
together by standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load balancing between
clouds).

Source: https://cic.gsa.gov/basics/cloud-basics
Basic Cloud Service Models

Source: https://cic.gsa.gov/basics/cloud-basics
SaaS

Software as a Service (SaaS)

• The capability provided to the consumer is to use the provider’s
applications running on a cloud infrastructure.
• The applications are accessible from various client devices through either
a thin client interface, such as a web browser (e.g., web-based email), or a
program interface.
• The consumer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems, storage, or
even individual application capabilities, with the possible exception of
limited user specific application configuration settings.
PaaS

Platform as a Service (PaaS)

• The capability provided to the consumer is to deploy onto the cloud
infrastructure consumer-created or acquired applications created using
programming languages, libraries, services, and tools supported by the
provider.
• The consumer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems, or storage,
but has control over the deployed applications and possibly configuration
settings for the application-hosting environment.
IaaS

Infrastructure as a Service (IaaS)

• The capability provided to the consumer is to provision processing,
storage, networks, and other fundamental computing resources where the
consumer is able to deploy and run arbitrary software, which can include
operating systems and applications.
• The consumer does not manage or control the underlying cloud
infrastructure but has control over operating systems, storage, and
deployed applications; and possibly limited control of select networking
components (e.g., host firewalls).
Cloud Responsibility Models
Responsibility Models

• Cloud Service Providers (CSPs) must take security and compliance very
seriously.

• The responsibility model depends on the service model used.

• SaaS: most responsibility is on the CSP.
• PaaS: hardware/OS is the CSP's responsibility; application/data is the
customer's.
• IaaS: hardware is the CSP's responsibility; everything else is the
customer's.

• Regardless of the model used, cloud security is a shared responsibility.


SaaS

Source: Cisco CyberOps Associate Official Certification Guide
PaaS

Source: Cisco CyberOps Associate Official Certification Guide
IaaS

Source: Cisco CyberOps Associate Official Certification Guide
Patch Management in the Cloud

• This is a shared responsibility in the IaaS and PaaS environments only.

• In the SaaS model, the CSP has both software and hardware patching
responsibility.

• In the IaaS model, the CSP must patch only hypervisors and other supporting
hardware.

• In the PaaS the CSP is responsible for OS and supporting hardware.


Cloud Security Assessment

• When performing penetration testing in the cloud, you must first
understand what you can do and what you cannot do.

• Most CSPs have detailed guidelines on how to perform security
assessments and penetration testing in the cloud.

• Regardless, there are many potential threats when organizations move to
a cloud model.
• For example, although your data is in the cloud, it must reside in a
physical location somewhere.

• Your cloud provider should agree in writing to provide the level of security
required for your customers.
DevOps, CI, CD, DevSecOps
DevOps & Others

• DevOps is composed of many technical, project management, and
management movements.

• Prior to DevOps other models were used, the most popular being:

• Waterfall:
• a software and hardware development and project management
methodology that has at least five to seven phases that follow in strict
linear order.
• Each phase cannot start until the previous phase has been
completed.
DevOps & Others

• Agile:
• is a software development and project management process where a
project is managed by breaking it up into several stages and involving
constant collaboration with stakeholders and continuous improvement
and iteration at every stage.
Back to DevOps

• DevOps is the outcome of many trusted principles, from software
development, manufacturing, and leadership to the information technology
value stream.

• DevOps relies on bodies of knowledge from Lean, Theory of Constraints,
resilience engineering, learning organizations, safety culture, human
factors, and many others.
DevOps

• Today’s technology DevOps value stream includes the following areas:

• Product management.
• Software (or hardware) development.
• Quality assurance (QA).
• IT operations.
• Infosec and cybersecurity practices.
DevOps Methods

There are three general ways (or methods) to DevOps:

1. The first way includes systems and flow. In this way (or method), you make work
visible by reducing the work “batch” sizes, reducing intervals of work, and
preventing defects from being introduced by building in quality and control.

2. The second way includes a feedback loop to prevent problems from happening
again (enabling faster detection and recovery by seeing problems as they occur and
maximizing opportunities to learn and improve).

3. The third way is continuous experimentation and learning. In a true DevOps
environment, you conduct dynamic, disciplined experimentation and take risks. You
also define the time to fix issues and make systems better. The creation of shared
code repositories helps tremendously in achieving this continuous experimentation
and learning process.
Continuous Development (CD)/Continuous Integration (CI) Pipelines
• CI is a software development practice where programmers merge code
changes in a central repository several times a day.

• CI supports CD, which provides a way to automate the total software
release process.

• With CI/CD methodologies, each change in code should trigger an
automated build-and-test sequence, which provides feedback to the
programmer.
Stages of CI/CD

Source: Cisco CyberOps Associate Official Certification Guide


Understanding Cloud Security Threats
Cloud Threats

• Organizations face many potential threats when moving to a cloud model.

• For example, although your data is in the cloud, it must reside in a physical
location somewhere.

• Your cloud provider should agree in writing to provide the level of security
required for your customers.
Questions to ask your CSP

The following are questions to ask a cloud provider before signing a contract
for its services:
Who has access?

• Access control is a key concern because insider attacks are a huge risk.
Anyone who has been approved to access the cloud has the potential of
mishandling or exposing data to unauthorized users, so you want to know
who has access and how they were screened.
• Another reason to monitor who has access to which cloud service: an
employee who was the only “administrator” leaves your organization, and you
then find out that you don’t have the password to the cloud service, or the
cloud service gets canceled because the bill didn’t get paid.
• This example seems like an immature way of handling a production
service, but this still happens in today’s environment.
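
The sole-administrator scenario above can be caught by cross-checking cloud admin assignments against the HR roster. This is an added example, not part of the original slides; the roster, service names and role labels are constructed sample data, and `review_admin_access` is a hypothetical helper.

```python
from collections import defaultdict

# Constructed sample data (not taken from any real provider export).
# HR roster: user -> employment status.
ROSTER = {"alice": "active", "bob": "terminated",
          "carol": "active", "dave": "active"}

# Cloud role assignments: (service, user, role).
ASSIGNMENTS = [
    ("billing-portal", "bob", "admin"),
    ("crm-saas", "alice", "admin"),
    ("crm-saas", "carol", "admin"),
    ("crm-saas", "bob", "user"),
    ("ci-platform", "dave", "admin"),
    ("ci-platform", "erin", "admin"),  # erin is unknown to HR
    ("ci-platform", "alice", "user"),
]

def review_admin_access(roster, assignments, min_admins=2):
    """Flag stale admins and services with too few active admins."""
    admins = defaultdict(set)
    services = set()
    for service, user, role in assignments:
        services.add(service)
        if role == "admin":
            admins[service].add(user)
    findings = {}
    for service in sorted(services):
        users = admins[service]
        # Stale: HR does not list the account as active
        # (terminated, or not on the roster at all).
        stale = sorted(u for u in users if roster.get(u) != "active")
        active = sorted(u for u in users if roster.get(u) == "active")
        issues = []
        if stale:
            issues.append(("stale_admin", stale))
        if not active:
            issues.append(("no_active_admin", []))
        elif len(active) < min_admins:
            issues.append(("single_admin", active))
        if issues:
            findings[service] = issues
    return findings

if __name__ == "__main__":
    for service, issues in review_admin_access(ROSTER, ASSIGNMENTS).items():
        for kind, users in issues:
            print(f"{service}: {kind} {', '.join(users)}")
```

Run on a schedule against real IAM and HR exports, a check like this surfaces the departed-administrator problem before the password or the billing contact is lost.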
Questions to ask your CSP

What are your regulatory requirements?

• Organizations operating in the United States, Canada, or the European
Union have many regulatory requirements that they must abide by (for
example, ISO/IEC 27002, EU-U.S. Privacy Shield Framework, ITIL,
FedRAMP, and COBIT).
• You must ensure that your cloud provider can meet these requirements
and is willing to undergo certification, accreditation, and review.
Questions to ask your CSP

Do you have the right to audit?

• This particular item is no small matter in that the cloud provider should
agree in writing to the terms of the audit.
• With cloud computing, maintaining compliance could become more difficult
to achieve and even harder to demonstrate to auditors and assessors.
• Of the many regulations touching on information technology, few were
written with cloud computing in mind.
• Auditors and assessors might not be familiar with cloud computing
generally or with a given cloud service in particular.
Questions to ask your CSP

What type of training does the provider offer its employees?


• This is a rather important item to consider because people will always be
the weakest link in security.

What type of data classification system does the provider use?


• Questions you should be concerned with here include what data
classification standard is being used and whether the provider even uses data
classification.

How is your data separated from other users’ data?


• Is the data on a shared server or a dedicated system? A dedicated server
means that your information is the only thing on the server. With a shared
server, the amount of disk space, processing power, bandwidth, and so on
is limited because others are sharing this device. If the server is shared,
the data could potentially become commingled in some way.
Questions to ask your CSP

Is encryption being used?


• Encryption should be discussed. Is it being used while the data is at rest
and in transit? You will also want to know what type of encryption is being
used.

What are the service-level agreement (SLA) terms?


• The SLA serves as a contracted level of guaranteed service between the
cloud provider and the customer that specifies what level of services will be
provided.

What is the long-term viability of the provider?


• How long has the cloud provider been in business, and what is its track
record? If it goes out of business, what happens to your data? Will your
data be returned and, if so, in what format?
Questions to ask your CSP

Will the provider assume liability in the case of a breach?


• If a security incident occurs, what support will you receive from the cloud
provider? While many providers promote their services as being
“unhackable,” cloud-based services are an attractive target to hackers.

What is the disaster recovery/business continuity plan (DR/BCP)?


• Although you might not know the physical location of your services, it is
physically located somewhere. All physical locations face threats such as
fire, storms, natural disasters, and loss of power. In case of any of these
events, how will the cloud provider respond, and what guarantee of
continued services does it promise?
Cloud Computing Attacks

• Because cloud-based services are accessible via the Internet, they are
open to any number of attacks.

• As more companies move to cloud computing, look for hackers to follow.

• Some of the potential attack vectors that criminals might attempt include
the following:
• DoS/DDoS, Session Hijacking, DNS Attacks, XSS, Hypervisor attacks,
Virtual Machine attacks, CSRF, SQL Injection, MiTM, Side-channel
attacks, Authentication attacks, API attacks, Other known vulnerabilities.

• In short, there are many possible attack vectors!


Learning Tasks
Things to do this week…

• Review the resources on the Course site.


• Complete the Module 2 Quizlet.
Questions?
