CompTIA CYSA+ CS0-002 – Cloud and Automation part 2

  1. Service Models (OBJ 1.6)

Service models. In this lesson, we’re going to dig into the different types of cloud service models. When I’m talking about cloud service models, I’m talking about classifying the provision of cloud services and the limit of the cloud service provider’s responsibility as either software, platform, infrastructure, or some other thing. Essentially, when we talk about something “as a service,” this is what we’re talking about. What type of cloud service model are you using? Usually when we talk about cloud services, we talk about them as software as a service, platform as a service, or infrastructure as a service. And so we need to understand what each of these are, what they do for us, and what kind of security risk they have. The first one we’re going to talk about is software as a service, also known as SaaS.

Now, SaaS is going to provide all the hardware, the operating systems, the software, the applications, everything you need for a complete application service to be delivered to your end user. For example, if you use something like Slack or Freshdesk or QuickBooks Online, these are all software as a service. With SaaS, the cloud service provider is responsible for the security of the platform and the infrastructure because they’re providing you everything from the application layer all the way down. What are you responsible for as a consumer? Well, as a consumer you’re responsible for application security, account provisioning and authorizations. So in my company, for instance, we use G Suite. When we use G Suite and I hire a new employee, I’m responsible for creating their account.

That also gives them authorizations to what they’re able to access within our portfolio, and we control the application security that way. Now, if you think about Office 365, this is another great example of a SaaS product. Who is responsible for what? Well, if someone’s able to perform a cross-site scripting attack or an SQL injection or something like that on the application, this would be Microsoft’s fault because they wrote the application, they host the application. They do everything with the code on down. They, as a SaaS provider, are responsible for securing the infrastructure and the platform and the code. Now if somebody in my organization lost their username and password and somebody else logged in to exfiltrate that data, whose fault is this? It’s not Microsoft’s, it’s not the service provider’s.

It’s ours, the consumer of the application, because it happened either on our client computer because they had malware or a key logger, or our employee was just negligent and wrote down their username and password. This is the idea when you’re dealing with SaaS: who’s responsible for what? The responsibility for the data and for the authorization is that of the consumer. Everything else from the software on down is the problem of the service provider. The next one we’re going to talk about is infrastructure as a service, or IaaS. Now, infrastructure as a service is going to provide all the hardware, the operating system and the back end software needed to develop software or services. Now notice the difference here. I talked about the back end software, and you’re using this to develop your own software or services.

So when you go to my website, for instance, that’s actually running on an infrastructure as a service product. The reason is that the service provider is giving me the load balancers, the servers, the storage area networks, the database servers, all of that stuff they give us, and they also give us the basic operating system. Now once they do that, we have to end up doing everything on top of that. We made the website, we made the exams, we made all that software that provides you access to what you see when you go to our website. Now this allows me, instead of having to buy all the hardware, to just call up my IaaS provider, somebody like Amazon Web Services, Microsoft Azure, Google Cloud or somebody like that. And I say, hey, I need a new website, go ahead and spin me up a new virtual machine.

And now I can build on top of that what I exactly want. They give me everything from the hardware down and they will give me the basic operating system. But then I take it over from there and I’m responsible from the operating system up. Now, infrastructure as a service is going to place the responsibility on the consumer, in this case me, for the security of the platform and the applications. When I talk about the platform, I’m talking about things like the operating system and up. Now when we talk about cloud service providers, their job here is to make sure they have confidentiality, integrity and availability of the hardware within the resource pool. What does that mean when we talk about the resource pool, let’s say I’m using Amazon Web Services.

That’s their servers. When I say I want to spin up a new virtual machine, they’re going to go ahead and figure out where in their pool of all of their servers they’re going to install my virtual machine on. Now for that hardware pool, they’re going to provide confidentiality, integrity and availability for my instance, my virtual machine. They’re not going to do anything inside of that. That’s on me as the service consumer. That’s where that line and differentiation is. Now when we talk about infrastructure as a service, one of the things you have to keep in mind is you have to have good organizational governance to control how those VMs and those containers are being provisioned and deprovisioned. If you don’t have good organizational governance on this, you can have problems like VM sprawl and huge cost overruns.

If anyone can spin up a VM and anyone can set it to whatever limit they want, they can use up tons of resources and you can get a huge bill. So keep that in mind when you’re using infrastructure as a service. The third one we’re going to talk about is Platform as a Service. Now Platform as a Service, or PaaS, provides your organization with the hardware and the software needed for a specific service to operate. Now this one often gets students confused because it sounds kind of like software as a service and kind of like infrastructure as a service. And the reason for that is it kind of sits right between the two of them. So the best way I know to explain Platform as a Service to you is by doing it graphically.
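The governance point above (VM sprawl and cost overruns when anyone can provision anything) is usually enforced with a recurring inventory audit. Here is an added example of such an audit, not code from the course or from any cloud provider. It runs over a constructed instance inventory and a hypothetical policy (required tags, a size that needs approval, and per-cost-center budgets); the tag names, limits and cost figures are assumptions for illustration, not any provider’s real API fields.

```python
from datetime import date

# Constructed sample inventory (not real provider data): the kind of record an
# IaaS provider's API returns for each instance in an account.
TODAY = date(2024, 6, 1)

SAMPLE_INVENTORY = [
    {"id": "vm-web-01", "vcpus": 2, "monthly_cost": 35.0,
     "tags": {"owner": "alice", "cost_center": "web", "expires": "2024-12-31"}},
    {"id": "vm-db-01", "vcpus": 8, "monthly_cost": 280.0,
     "tags": {"owner": "bob", "cost_center": "web", "expires": "2024-12-31"}},
    # No tags at all: nobody owns it, nobody knows when it should go away.
    {"id": "vm-test-77", "vcpus": 32, "monthly_cost": 1100.0, "tags": {}},
    # Tagged correctly but past its expiry date.
    {"id": "vm-lab-03", "vcpus": 4, "monthly_cost": 70.0,
     "tags": {"owner": "carol", "cost_center": "lab", "expires": "2024-03-31"}},
]

# Hypothetical governance policy; the numbers are illustrative.
POLICY = {
    "required_tags": ("owner", "cost_center", "expires"),
    "max_vcpus_without_approval": 16,
    "budget_per_cost_center": {"web": 500.0, "lab": 100.0},
    "untagged_budget": 0.0,   # untagged spend is never acceptable
}


def audit_inventory(inventory, policy, today=TODAY):
    """Return (findings, spend): policy violations plus monthly spend per cost center."""
    findings = []
    spend = {}
    for vm in inventory:
        tags = vm["tags"]
        missing = [t for t in policy["required_tags"] if t not in tags]
        if missing:
            findings.append((vm["id"], "missing_tags", ",".join(missing)))
        if vm["vcpus"] > policy["max_vcpus_without_approval"]:
            findings.append((vm["id"], "oversized", f"{vm['vcpus']} vCPUs"))
        if "expires" in tags and date.fromisoformat(tags["expires"]) < today:
            findings.append((vm["id"], "expired", tags["expires"]))
        center = tags.get("cost_center", "UNTAGGED")
        spend[center] = spend.get(center, 0.0) + vm["monthly_cost"]
    for center, total in spend.items():
        cap = policy["budget_per_cost_center"].get(center, policy["untagged_budget"])
        if total > cap:
            findings.append((center, "over_budget", f"{total:.2f} > {cap:.2f}"))
    return findings, spend


if __name__ == "__main__":
    found, totals = audit_inventory(SAMPLE_INVENTORY, POLICY)
    for item, kind, detail in found:
        print(f"{kind:13} {item:12} {detail}")
    print("monthly spend:", totals)
```

On the sample data the audit flags the untagged, oversized test box, the lab VM that outlived its expiry date, and the untagged spend that no cost center has agreed to pay for; in practice the findings feed a ticket or an automatic stop/deprovision step, which is the control that keeps sprawl from turning into a surprise bill.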

Let’s say I have infrastructure as a service. Now Infrastructure as a Service is the lowest of these three. When I look at infrastructure as a service, I’m going to get the networking from the vendor, I’m going to get the storage from the vendor, I’m going to get the server from the vendor, I’m going to get the virtualization from the vendor, and I’m even going to get the operating system installed by the vendor. But then I have to support it from there. Now any kind of middleware I need, any kind of runtime I need, any kind of data I need, any kind of applications I need, that’s all on me as the consumer. That’s where that dividing line is. It’s at the operating system, and you can see it there as it’s split between the vendor and the customer. Now if you go to PaaS, you’re going to go a little bit higher.

They’re going to provide you with the operating system and they’re going to patch it and maintain it and do the security of it. They’re going to provide the middleware and the runtime, but they’re not going to provide the data and they’re not going to provide the application. That’s for you to develop. Then when we go to Software as a Service, the vendor is going to give you everything all the way up from the application on down. So let’s take an example like QuickBooks, which is a piece of accounting software. There is QuickBooks Online, which is a SaaS product. When you use it, they provide you everything. They built the application. All you have to do is log in and do your own data entry.

You’re going to put in what you spent and what you took in and you’ll be able to run through that program that way. Now if I wanted to make my own QuickBooks, I wouldn’t do a SaaS solution. I might use a platform as a service solution instead. In this case I can go to somebody like Amazon and say, hey, I’m going to make a web application. I need you to give me a Linux server that’s updated and patched and running and everything’s perfect and it has these programming languages that are supported. Maybe I’m going to write it in Python or PHP or whatever it is. And I need these types of databases and all these things I need, and they can give me that platform. All I would do is actually code my application. That’s the application and data piece. Now on the other hand, if I go all the way down to IaaS, infrastructure as a service.

I would go to Amazon and say hey, I need a server that has this much memory and this much storage and I want you to install it with Windows or Linux. They would do that and hand it over to me, and then I would install whatever programming languages I need. I would install the databases, I would install an Apache server or an IIS server, and then I can code and develop my application. So that’s the difference here. When you go to SaaS, it’s a completely done product. When you go to IaaS, it’s pretty much just the vehicle and you have to do everything yourself. With PaaS it’s somewhere in between. Essentially you have an operating system that’s well maintained for you. They do the security patches and everything, but everything on top of the operating system and on top of the programming languages, that’s going to be on you to code your specific application.

So when you’re dealing with platform as a service, what kind of things do you need to consider from security? Well, you need to think about access control, you need to think about load balancing, you need to think about failover and privacy and protection of your data. All of these things are things you have to think about because you’re designing the application. And so if you’re going to have redundancy and failover, you’re going to program that into your application so it knows which servers to point to. That’s the idea with PaaS: there is some of that you’re responsible for; the hardware underneath it you’re not, but you do have to do the coding to make sure it knows which hardware to go to. Now another thing to think about when you’re dealing with PaaS is you should always encrypt your data.

A lot of PaaS solutions are third party. So for instance, if you’re going to make a website and you decide you’re going to run it on WordPress, you can go to a managed WordPress solution. That means you can go to a third-party PaaS provider and they’re going to give you a server with WordPress installed and configured, and they’ll make sure it’s always up to date. But then you can put your system on top of that WordPress by designing your own web apps. When you do that, always encrypt that data, because it’s being stored in this third-party PaaS solution, maybe in a database that they’re not encrypting, and you don’t have control of the underlying operating system.

Now the last thing I want to talk about is the fact that there are many other “as a services.” Now for the CySA+ exam you only need to know the three we just talked about. But I think it’s also important to talk about security as a service. This provides your organization with various types of security services without the need to maintain a cybersecurity staff. Now, why is it that I’m bringing up security as a service? Well, you’re getting certified to be a cybersecurity analyst. Where might you work one day? You might work for a security as a service provider. Now, security as a service can cover a lot of different things. It can do anything that really protects the network. It can include encryption services, incident response services, anti-spam services, anti-malware services, and many other things.

When we talk about security as a service, one of the first places it was used was really with anti-malware solutions. They were one of the first security as a service products. Now, as somebody who’s going to be in this field, it’s important for you to understand which providers do security as a service. Why? Because if you look around and find the different providers who are doing security as a service, those are good places to check if they have job openings and see if you can get a position there, because they’re always looking for cybersecurity analysts. A lot of places do incident response as a service. They do monitoring as a service, logging as a service. And all of this falls under security as a service. So if you work for one of these companies, you can use your newfound skills as a cybersecurity analyst.

  1. Cloud-based Infrastructure (OBJ 2.1)

Cloud-based infrastructure. Now most organizations see their future in the cloud, but it’s actually a riskier choice than traditional client-server applications running on a local network. In most cases, if you don’t configure the cloud properly you can have a lot of danger. Now you can configure your cloud to provide just as great security as your traditional client-server applications, but it does take some knowledge. This is what we talk about when we talk about cloud infrastructure. We need to make sure that we’re doing our infrastructure management properly and configuring it to the same level of security as a local solution. Now one of the biggest places that we have to think about when we do this is Virtual Private Clouds, or VPCs.

Just like you can use your virtual private networks to connect your home users back to your corporate network and give them those protections underneath that corporate umbrella, Virtual Private Clouds can be configured as a private network segment made available to single cloud consumers within a public cloud. This is a way that we give security. VPC is considered an infrastructure as a service product. So if you’re using something like AWS, they have a virtual private cloud service. If you’re using Azure, they have their virtual private cloud service. And virtual private cloud services let you provision virtual servers and appliances within a virtual network that’s hosted on a public cloud. So we can try to get some of that security of a private cloud without all that extra expense.

Now is this as secure as a private cloud? No, because we’re still using shared hardware and there could be issues like data remnants being left behind on a server from being provisioned or deprovisioned. But from a networking perspective and a privacy perspective, you can get equivalent levels of protection using VPC. Now as a consumer you’re responsible for configuring the IP address space and routing within that cloud. When you do Virtual Private Clouds you’re going to handle all the administration and all the security aspects of running the network just as if it was your own. You’re going to have to do all the software installation, all the patching, all the account management, all the load balancing, all the disaster recovery, all the security monitoring, all the backups, all of that has to be configured because when you’re doing a virtual private cloud it’s essentially like you own these servers.

The only difference is you don’t actually own the servers and you don’t have access to the physical hardware. Instead you’re going to be able to use these different servers and spin them up and spin them down whenever you need to, meaning provisioning them or deprovisioning them. Now when we talk about a virtual private cloud, it’s hosted on publicly available cloud services. This is things like Amazon Web Services, Microsoft Azure, Google Cloud. But you’re going to be isolated from other customers’ instances using technologies such as virtual LANs, or VLANs. And you can also use other things like this as you’re building out your virtual private cloud. Now like I said, a virtual private cloud doesn’t give you the exact same level of security as a private cloud, but it doesn’t come with the high cost either.

By using a virtual private cloud it’s going to be less expensive than using a private cloud and you’re not going to have to own and operate the entire cloud service or the hardware underneath it. So you’re getting some of those security benefits, but not all the security benefits when we talk about a virtual private cloud. A virtual private cloud is typically going to be used to provision internet accessible, customer facing applications or corporate applications that need to be accessed from geographically remote sites. If you’re thinking of something that might be a good place inside a DMZ, a virtual private cloud might be a good place to put it as well. Now the last thing we need to think about when we talk about cloud based infrastructure is cloud versus on premise.
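As the lesson says, the VPC consumer owns the IP address space and the routing inside the VPC. The two mistakes that bite most often are a VPC range that collides with the corporate network it will be linked to, and tiers that all share one default route to the internet. The following is an added example, not code from the course or any provider’s SDK, that uses Python’s standard `ipaddress` module to carve a VPC into per-tier, per-zone subnets, refuse overlaps with the on-premise ranges, and assign a default route per tier. The CIDRs, tier names, zone names and route labels are constructed for illustration.

```python
import ipaddress

# Constructed values, not from any real account: the corporate ranges that the
# VPC will be linked to over VPN, so the two address spaces must not collide.
CORPORATE_RANGES = ["10.0.0.0/16", "192.168.0.0/16"]

# Tier name -> exposure. "public" gets a default route to the internet gateway,
# "egress-only" reaches out through NAT but accepts nothing inbound, and
# "isolated" gets no default route at all.
TIERS = {"public": "public", "app": "egress-only", "db": "isolated"}
DEFAULT_ROUTE = {"public": "internet-gateway", "egress-only": "nat-gateway", "isolated": "none"}


def plan_vpc(vpc_cidr, corporate_ranges, tiers, azs, subnet_prefix=24):
    """Carve a VPC into one subnet per tier per availability zone.

    Raises ValueError if the VPC overlaps a corporate range (routing over the
    VPN would be ambiguous) or if the VPC is too small for the requested layout.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    for cidr in corporate_ranges:
        if vpc.overlaps(ipaddress.ip_network(cidr)):
            raise ValueError(f"VPC {vpc} overlaps corporate range {cidr}")
    subnets = list(vpc.subnets(new_prefix=subnet_prefix))
    needed = len(tiers) * len(azs)
    if len(subnets) < needed:
        raise ValueError(f"{vpc} yields {len(subnets)} /{subnet_prefix} subnets, need {needed}")
    plan = []
    pool = iter(subnets)
    for tier, exposure in tiers.items():
        for az in azs:
            plan.append({"tier": tier, "az": az, "cidr": str(next(pool)),
                         "default_route": DEFAULT_ROUTE[exposure]})
    return plan


def ingress_sources(plan, from_tier):
    """CIDRs of one tier, to be used as the only permitted sources for the tier behind it."""
    return [s["cidr"] for s in plan if s["tier"] == from_tier]


if __name__ == "__main__":
    layout = plan_vpc("10.50.0.0/16", CORPORATE_RANGES, TIERS, ["az-a", "az-b"])
    for s in layout:
        print(f"{s['tier']:7} {s['az']:5} {s['cidr']:16} default route -> {s['default_route']}")
    print("db tier accepts only from:", ingress_sources(layout, "app"))
```

The output of `plan_vpc` is the intent you would then express in the provider’s route tables and security groups: the database subnets get no default route and accept traffic only from the application subnets’ CIDRs, which is how the VPC gives you the segmentation you would otherwise have built with VLANs in your own data center.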

Now what is the difference? Well, when you deal with the cloud, you’re putting it in somebody else’s data center. You’re putting it someplace where you’re just seeing it as a virtual instance. Someplace on the internet. You don’t actually get to go touch that thing. You don’t know if it’s in Virginia or London or Washington or even really care a lot of times because you just care that you have access to it. That’s the benefit of having the cloud. It’s everywhere you want to be. Now when you deal with on premise, this means it’s something in your own data center. You can walk down the hall and you can touch those servers. A lot of the places I’ve worked over the years, we’ve run our own data centers. Now these days we’re starting to use more and more cloud resources.

But for the last 20 years I have spent a lot of time, and a lot of organizations have spent tons and tons of money, millions and millions and millions of dollars, building out data centers and running our own servers. Now there are some benefits to having cloud and there are some benefits to having on premise. When you deal with on premise solutions you’re going to maintain your servers locally within your network. That means you’re going to be able to touch them. It also means you’re responsible for when they break. That means when a server goes down, you’re going to be the one waking up at two in the morning to go replace that hard drive. When you’re dealing with an on premise solution, you own the entire thing from software all the way down to the nuts and bolts of the hardware.

That is a good thing in some cases because you can own the whole thing and configure it however you want. It’s also bad because it’s a major support headache and a huge capital expense for your organization. Now a lot of security products that you have out there can be used as either cloud based or on premise. And we’ve already talked about a lot of the benefits of the cloud, right? They’re infinitely expandable, there’s lots of storage out there, there’s ultimate bandwidth and you only pay for what you use. Well, with a lot of these security products you have a cloud based version or an on premise version and you have to decide which one you want to use. Now which one is right? Well, that depends on what you want to do.

Some of these have some real benefits by being cloud based: they might be more cost effective, they might be cheaper, you don’t have to have dedicated hardware, dedicated local processing, dedicated local storage, and all of those things add cost. And so you can offload all that to the cloud and just basically point your things to that cloud server and let it do all of the work for you. Now, why might you want to use on premise? Well, maybe you’re worried about the security of that data and you don’t want that data being outside your corporate network. That would be a reason for using on premise. Now one of the big reasons that a lot of these security software products are starting to move to cloud-based solutions is that you can make better use of AI and machine learning. Why? Because AI and machine learning take huge amounts of processing and huge banks of resources, and most people don’t have that as a part of their on-premise solution.

So instead, by moving this all to the cloud, it makes it easier to integrate with artificial intelligence and machine learning to do deeper data integration and automated analysis. Now, if you’re going to move to the cloud, what do you need to consider? Well, you need to consider any compliance and regulatory limitations. Sometimes you’re going to have limitations on storing data in a cloud-based security system. Depending on the rules, you may have to have an on premise solution. Now, in addition to this, there are other issues you have to consider as well. For example, if you move to a cloud-based solution instead of an on premise solution, you may be subject to vendor lock-in. I’ve seen this with some companies: they’ve moved to something where it’s priced on the amount of terabytes that you store inside their server, and it can start adding up to be really, really expensive really quickly. And so that can now get you locked into that vendor because they have all your data. And to get out, it’s going to cost you hundreds of thousands of dollars in bandwidth and usage fees to move it from this cloud to your on premise, or from this cloud to that cloud. And so you can get this vendor lock-in problem. That can happen and it’s very real. So when you’re designing your cloud-based infrastructure, always think: what’s going to be best for me today, and what’s going to happen down the road? Because a lot of services will give you a very low upfront cost, but then they’ll get you on the backside when you try to move to another provider.

  1. CASB (OBJ 2.1)

Cloud access security broker. What is a cloud access security broker, also known as a CASB? Well, this is enterprise management software designed to mediate access to cloud services by users across all types of devices. Essentially, it’s going to be a middleman that helps you with your authentication and ensures that people are using the services they’re supposed to use. Now, there are many different vendors who sell this type of product. They include people like Symantec, which uses the Blue Coat proxy, which I’ve personally used in a lot of my organizations. There’s Skyhigh Networks, which is made by McAfee. There’s Forcepoint. There’s Microsoft’s Cloud App Security, which is their version. And Cisco has their version called Cloudlock. All of these are different cloud access security brokers.

And the key term here is security. By being a broker, they’re going to make sure that your device is connecting to the right device using the right security. Now, what are some benefits of using these cloud access security brokers? Well, they can enable single sign on authentication and enforce access controls and authorizations across your entire enterprise network all the way from your enterprise network up to the cloud provider. They also can help you scan for malware and rogue devices and be able to find any of these devices that might be on your network. They also can help monitor and audit user and resource activity to know exactly what your users are doing on your network at any time. And finally, they can help you mitigate data exfiltration by performing functions like a data loss prevention system would.

Now, when you talk about a cloud access security broker, I want you to remember that they provide visibility into how your clients and other network nodes are using your cloud services. When you start moving everything out to the cloud, you have to think about how your users are using those things. How much time are they spending? Are they using it the right way? Are they taking data and putting it where it shouldn’t be? And to do that, we have three different options. We can set it up as either a forward proxy, a reverse proxy, or using API access. Now, when we talk about a forward proxy in terms of a cloud access security broker, we’re essentially going to set up a security appliance or host that’s positioned at the client network edge, and then it’s going to forward the user traffic to the cloud network if the contents of that traffic comply with policy.

For example, in my home network, I have my kids set up to use a forward proxy. Now this means that I went to their browser and I configured it so they had to go and connect to my proxy server before they went out to the Internet. This way I could see what they’re doing, how much time they were spending on sites, and if I needed to block certain things. Now, as my kids got older, my son got smart, and he realized what a proxy server was. And so he wanted to prevent the use of this forward proxy. So what did he do? Well, he evaded the proxy and connected directly to the sites he wanted to. And the way he did that was bypassing the proxy. And so this is something you have to be concerned with when you’re dealing with a forward proxy.

Now, if I wanted to prevent that, I might go to the second method, which is a reverse proxy. Now, a reverse proxy is an appliance positioned at the cloud network edge that directs the traffic to the cloud services if the contents of that traffic comply with the policy. So instead of having to go through the proxy to leave the network, you can leave the network, but you can’t get into the cloud network until you hit the proxy. That’s the idea of the reverse proxy. Now, the big problem with this is it only works if the cloud application you’re trying to connect to supports proxies. If they don’t have proxy support, you can’t do a reverse proxy.

And so this brings us to our third method, which is an application programming interface, or API. This is a method that uses the broker’s connections between the cloud service and the cloud consumer to make changes. Now, essentially, when we’re using the application programming interface, we’re sending data between the cloud service and the cloud consumer. And what we’re doing here is being able to send information about those users. So if I had a user account that’s now been disabled or whose authorization has been revoked from the local network because they were doing bad things, I can send that using the cloud broker over the API to the cloud service and say, hey, don’t let Jason in.

We just fired that guy and his account has been disabled. And so they can now know not to give him access. Now, the problem with this, the big warning here, is that it’s dependent on the API supporting the functions your policies demand. So as you start thinking about your policies and you start saying, well, I want people to be denied or allowed access to everything, that’s probably going to be supported. But if you start having very detailed requirements, those things may not be supported depending on the service that you’re using. And if they don’t support those policies, the API doesn’t have them and you’re not going to be able to use this method.
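To make the three CASB modes concrete, here is an added example, not code from the course or from any of the CASB vendors named above, that models the broker’s decisions in miniature. `broker_decision` is the proxy-mode policy check (sanctioned apps, revoked users, and a DLP pattern on uploads, the data loss prevention function mentioned earlier); `detect_proxy_bypass` is the defender’s answer to the forward-proxy evasion described above, flagging flows to a sanctioned app that did not come from the proxy; and `push_revocations` is the API mode, including the case the lesson warns about, where the cloud service’s API simply does not offer the operation your policy needs. The app names, addresses, flow records and the `CloudServiceApi` class are all constructed stand-ins, not a real SDK.

```python
import re
from dataclasses import dataclass

# Constructed policy data; a real CASB would pull this from its admin console
# and from the identity provider.
PROXY_IP = "10.0.0.5"                       # the forward proxy at the network edge
SANCTIONED_APPS = {"slack.example", "crm.example"}
REVOKED_USERS = {"jason"}                   # disabled locally; the cloud must learn this
# One constructed DLP classifier (US SSN shape); real products ship many.
DLP_PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}


@dataclass
class Request:
    user: str
    app: str
    action: str        # "read" or "upload"
    payload: str = ""  # request body for uploads


def broker_decision(req):
    """Forward/reverse proxy mode: decide (verdict, reason) for one request."""
    if req.user in REVOKED_USERS:
        return ("deny", "user_revoked")
    if req.app not in SANCTIONED_APPS:
        return ("deny", "unsanctioned_app")
    if req.action == "upload":
        for name, pattern in DLP_PATTERNS.items():
            if pattern.search(req.payload):
                return ("deny", f"dlp:{name}")
    return ("allow", "policy_ok")


# Constructed flow records from an edge firewall: source address, destination app.
FLOWS = [
    {"src": "10.0.0.5", "dst": "slack.example"},    # via the proxy, as intended
    {"src": "10.0.0.42", "dst": "slack.example"},   # a client talking to the app directly
    {"src": "10.0.0.42", "dst": "news.example"},    # not a sanctioned app, out of scope
]


def detect_proxy_bypass(flows, proxy_ip):
    """Flows to a sanctioned app whose source is not the proxy never passed the broker."""
    return [f for f in flows if f["dst"] in SANCTIONED_APPS and f["src"] != proxy_ip]


class CloudServiceApi:
    """Stand-in for a cloud service's admin API (constructed, not a real SDK)."""
    def __init__(self, supported_operations):
        self.supported = set(supported_operations)
        self.disabled_users = set()

    def disable_user(self, user):
        if "disable_user" not in self.supported:
            raise NotImplementedError("disable_user")
        self.disabled_users.add(user)


def push_revocations(api, users):
    """API mode: tell the cloud service which local accounts were disabled.

    Returns (pushed, unsupported) so the operator can see which policies the
    service's API could not honour.
    """
    pushed, unsupported = [], []
    for user in users:
        try:
            api.disable_user(user)
            pushed.append(user)
        except NotImplementedError as exc:
            unsupported.append((user, str(exc)))
    return pushed, unsupported


if __name__ == "__main__":
    print(broker_decision(Request("alice", "slack.example", "upload", "ssn 123-45-6789")))
    print(detect_proxy_bypass(FLOWS, PROXY_IP))
    print(push_revocations(CloudServiceApi(["disable_user"]), sorted(REVOKED_USERS)))
    print(push_revocations(CloudServiceApi([]), sorted(REVOKED_USERS)))
```

The last two calls show the API-mode caveat directly: against a service whose API exposes `disable_user` the revocation is pushed, and against one that does not, the same policy comes back as unsupported, which is your cue to fall back to a proxy mode for that application rather than assume the account is locked out.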
