CompTIA Security+ SY0-601 – 3.6 Apply cybersecurity solutions to the cloud

  1. Cloud solution controls

In this video, we’re going to be talking about some solutions for managing cloud platforms. When you use a cloud platform to host applications or data, one good thing to have is a CASB, a cloud access security broker; McAfee sells one, for example. A cloud access security broker is basically a piece of software that sits between your users and the cloud provider: think of your users, then the CASB, then AWS. So it is the middle software. Why would you want that? The CASB enforces company security policies, helps to prevent malware, and, if you need a certain type of authentication, enforces that too. So it is that middle ground. Another thing we’re going to talk about is application security.

Depending on the cloud services you’re using, different security protocols and different types of controls can be applied here. One other thing I want to mention is the next-generation secure web gateway, known as a SWG. A SWG is software that you set up in the cloud, and when your users go out on the Internet, they go through it. It’s like a firewall, but really more like a proxy server. It can restrict which websites users are accessing, which helps to bring down malware and restricts what web content comes into your network. When it comes to selecting a firewall to protect your cloud, you have to worry about the cost of these devices, as they can run from tens of thousands to hundreds of thousands of dollars.

There’s also a need to segment. Firewalls create segments, so you have to consider whether the firewall supports enough segments for your business. Most cloud firewalls operate at the application layer of the OSI model, and some at the transport layer. Also, when managing a cloud provider, you have what are known as cloud-native controls and third-party solutions. You saw me using AWS in other lessons; those are cloud-native controls, meaning I’m using the controls built into the cloud. There are a lot of third-party products that do much of what AWS does and may offer more options or be easier to use. So you have to determine whether you want to go with a third party or stay with the AWS controls. These are just some of the solutions and things to think about when using cloud compute.

  2. Cloud network and computing

In this video, I’m going to be talking about cloud computing and networking. Once again, I want to emphasize that this is not a full cloud security class or cloud setup class, but there are some terms you need to understand when it comes to the cloud. We’re going to take a look at cloud networking and how it’s set up, and then at computing. So let’s review the terms. On the network side, you have virtual networks; VPCs are virtual private clouds. I’m going to go back to my AWS console and into EC2, because this is where my virtual cloud is.

When you go in here, this is basically the little virtual network that you have set up. You have dedicated IP addresses for your hosts, both public and private, and you can see that. If I go to Elastic IPs, you’ll notice it says no Elastic IPs were found in this region, but I can allocate an Elastic IP address from Amazon’s pool of IPv4 addresses right here. This gives you globally routable IP addresses from the AWS cloud, so you do have that option. Now, if I go down to my images and my instances and click on an instance, these boxes are reachable both externally and internally. If I go into Networking, you’ll notice it has a public IPv4 address and it also has an internal IPv4 address.

This one is 172.30.119, which is basically my subnet on this virtual private network. So we do have virtual networks, with both public and private addressing. The good thing is that these are segmented: when you set up your AWS account, it’s fully segmented, so you can’t see my machines and I can’t see yours. This is called micro-segmentation within the cloud. The other thing we have is API inspection and integration. The cloud has many APIs, and many applications work in the cloud, so you want to make sure your APIs are integrated with the cloud systems for them to function correctly. This is something you’ll discuss with your cloud architect, the cloud designers, and the people doing the setup. Now, on to computing.

The EC2 service I have here is basically what we use for computing; this is where your processing resources are. It has a few things. First of all, you have security groups: if I go to Security, you’ll see security groups here. Security groups are basically firewalls, virtual firewalls that determine who or what can access a resource, in this case the virtual machine I have set up in the cloud. The other term mentioned here is dynamic resource allocation. The cloud allocates resources as needed. One of the big things about the cloud is that it is elastic, which means it can contract and expand as needed, and you have to be aware of which instances are being run.
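Security groups are described above as virtual firewalls on an instance. The added example below (not code from the course) audits the kind of output `aws ec2 describe-security-groups` returns and flags any ingress rule that opens an administrative port to the whole Internet; the group data and the list of admin ports are constructed for the example.

```python
import json
from ipaddress import ip_network

# Constructed sample in the shape of `aws ec2 describe-security-groups` output (not real groups).
SAMPLE_SECURITY_GROUPS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb", "GroupName": "rdp-admin", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0ccc", "GroupName": "db", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}
]}
""")

# Ports that should never be reachable from the whole Internet (assumption: the auditor's own list).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

def _is_world(cidr):
    # A /0 prefix in either address family matches every source address.
    return ip_network(cidr).prefixlen == 0

def _rule_covers(rule, port):
    if rule["IpProtocol"] == "-1":  # all protocols and all ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def find_world_open_admin_ports(describe_output):
    """Return [(group_id, port, cidr), ...] for ingress rules exposing an admin port to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world(cidr):
                    continue
                for port in ADMIN_PORTS:
                    if _rule_covers(rule, port):
                        findings.append((sg["GroupId"], port, cidr))
    return findings
```

Note that the IPv6 `::/0` range on the RDP group is caught even though its IPv4 side is locked to one /32, and the internal-only `10.0.0.0/8` all-traffic rule is correctly left alone.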

Now, VPC endpoints. VPC endpoints are basically little setups within the cloud that you use to connect to other cloud services and other accounts. For example, I have my AWS service running on my instance and you have yours on your instance. We want to connect some of these machines so they can talk; maybe you have a database that I need data from. You would set up an endpoint for that, and a VPC endpoint gives you that. And of course, you want to make sure your containers are secure; there’s a variety of different security protocols for that. These are just some high-level terms and topics you should understand for the cloud. You don’t need to go in depth into them, but you do need to understand the high-level concepts behind these terms.

  3. Cloud security terms

In this video I’m going to be talking about some cloud security concepts that you need to know for your exam. This course does not replace an AWS certification class, which I highly recommend, or cloud security classes, which I also highly recommend. I have 62 certifications; I’m always recommending some certification to someone. AWS is what we’re going to be using, and I’m going to go through some concepts with you. For your exam, you only need to understand these concepts at a high-level overview, just to understand what they are. I am going to be using my AWS account to demonstrate and show you where to find things and how they work. I’m not going to go into the configuration of it; you don’t need to know that for your exam, and this is not an AWS class. What I do recommend is that you go out and get an AWS account.

AWS is free to get: you can sign up, enable it, and practice a lot with it. In fact, all the instances and VMs you saw me set up were free; I haven’t paid anything for them. It allows you to do a lot for free, but once you really start using it, they’re going to make you pay. So go get an AWS account and set it up. Remember, we’re going to cover these things at a high level and not go in depth into anything; this cloud security section of the course could take up two or three different certifications. So let’s just go through the topics we need to know. I will be doing a few demonstrations throughout this section so you can get a better understanding of what they’re talking about. Let’s get started. Here I have my AWS account.

First, I want to mention high availability across zones. I’ve already explained cloud setups to you: platform, software, and infrastructure as a service. What we want to talk about now is zones and regions; what you need is high availability within the zones. Cloud services have different regions, and let me show you what I mean. If I log in, here’s my AWS account, and notice that the region I’m in right now is the Ohio region. You have North Virginia, North California, Oregon, Africa, and Canada; these are the different regions AWS is in. So right now I’m in the Ohio region, and within a region you have zones. Notice the zone status here: I have my zone status for everything, and I can even enable additional zones if I like, but pretty much I have them all here and it’s telling me the zones.

This gives you high availability within these zones, so that if there’s any kind of slippage or a service goes down, they have additional servers that can keep up the load. The other thing we want to mention is resource policies. A resource policy in the cloud basically defines what or who can access certain instances. Here I have a variety of instances running; these are virtual machines I’m hosting up here, or different types of web servers. Here is an instance, a Windows server I set up previously in the lab that I can connect to over Remote Desktop. Being able to set up an instance and then define who can access it is what resource policies help with.

The other service we have here is Amazon storage, S3. S3 is the storage system for storing data. I created a bucket here, and this is where I’m going to be storing data. In here I can go in and set the permissions and create resource policies for who and what can access it, and so on. The other thing we want to mention is secrets management. Secrets management is something you actually have to pay for in AWS. You have this thing called Secrets Manager, which allows you to store usernames and passwords or database credentials in AWS, so you can store credentials and don’t have to keep retyping them. But they do charge for this; it’s about $40. 40 per month per secret. So there is such a thing as a Secrets Manager. Just understand that.

Remember, for your exam: Secrets Manager in the cloud basically stores credentials in the cloud so you don’t have to keep retyping them. They will have integration, so there are different forms of integration in AWS: different kinds of APIs and ways to store this information so you can access it. And then of course there’s auditing, so you can see who was accessing certain files and folders. The other thing we want to mention is storage. On AWS storage containers, you can set permissions for who or what can access them, and you can encrypt them; I’ll show you that in a minute. There is replication and high availability available within the zones and regions, so that if particular servers go down, you’ll have that replication and availability there.

If I go into Services and back to S3 (actually, I have it here already), here’s my AWS bucket that I set up. If I go into it and down to Properties, you’ll notice it has default encryption, which is currently disabled. I can go in here and enable it, so you can set encryption on the storage that you have in the cloud. And if I go back, you can set the permissions I just mentioned in here. These are some of the things we have available when it comes to cloud systems. Again, you’re not going to go in depth into this; a lot of these things can be heavily expanded on, and if I were teaching you an AWS class and showing you how to set this up, it could take hours. So just know some of these terms, and know that these things actually exist within the cloud.
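The bucket permissions (resource policies) and the default-encryption property shown above are the two S3 settings the course points at. The added example below (not the course's own code) checks both from the data the console or `s3api` would give you: it finds bucket-policy statements that grant access to everyone without a narrowing condition, and it reads the ServerSideEncryptionConfiguration block to decide whether default encryption is on. The policy document, the account id and the `vpce-EXAMPLE` endpoint id are constructed placeholders.

```python
import json

# Constructed sample bucket policy in IAM policy-document syntax (not from the course's account).
SAMPLE_BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-server"},
   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": "*",
   "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
  {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
]}
""")

# Constructed: the ServerSideEncryptionConfiguration part of a get-bucket-encryption response.
SAMPLE_ENCRYPTION_ON = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Both "*" and {"AWS": "*"} mean anyone, including unauthenticated callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_allow_statements(policy):
    """Sids of Allow statements that grant access to everyone with no Condition narrowing them."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "Condition" in stmt:
            continue  # Deny statements and conditioned grants are not world-open
        if _is_anonymous(stmt.get("Principal")):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

def encryption_enabled(sse_config):
    """True when a default SSE rule (AES256 or aws:kms) exists; None or empty means 'disabled'."""
    if not sse_config:
        return False
    return any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") in ("AES256", "aws:kms")
               for r in sse_config.get("Rules", []))
```

Only `PublicRead` is reported: the `VpcOnlyList` grant is limited to one VPC endpoint by its condition, and the `Deny` statement only restricts access.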
