CSA CCSK – Cloud Assets and Secure Configuration Management

  1. Challenges in Cloud Asset Discovery

Hello friends. So welcome to this lecture on challenges in cloud asset discovery. In the last section we discussed the cloud service agreement, the service level agreement and then the acceptable use policy. That was all about assessing the cloud service provider, comparing the different service providers and looking at what the different expectations are. Now, once we have moved the data into the cloud and provisioned the servers, the next challenge in the case of cloud is having complete visibility of your cloud infrastructure: the different services, servers, instances and databases which are there in the cloud.

It is pretty easy in the case of a traditional environment, but when it comes to cloud there are a couple of challenges. If you do not have complete visibility of your assets, how will you perform the vulnerability scan? How will you know which instances need patches, which instances need to be updated, and which instances need more security because they are holding confidential data? So it is a very crucial step when we talk about cloud security or compliance: to have complete visibility of your infrastructure within the cloud. The thumb rule, or best practice, for effective cyber security or effective security governance is that there is complete visibility of your IT environment. That is the foundation.

Because if you are not aware of what is there within your organization, how will you have a security policy, and how will you apply security to the servers or instances where there is more confidential data, or data which needs more protection and more security? That is why it is the foundation. In the traditional environment things were fairly simple, because the perimeter was well defined and IT environments were tightly encapsulated. We knew which were the different edge points and entry points from where the data was flowing, what the different branch offices and the head office were, and how the data flowed. But in the case of cloud, just think of the different Availability Zones and data centers the providers are having.

It is very difficult in a cloud to really understand where exactly the data is and in which location the server is. It requires proper planning, and one should have complete architecture details, in order to really understand which are the different locations where the data is lying and which locations are used to serve the sensitive data. So that is a challenge in the cloud currently, and an important aspect which cloud customers need to think of so that there is complete visibility of your environment. As for the challenges, like we discussed in cloud computing, we can think of different things or different sources.

This market is still maturing and new innovations are coming in terms of the Internet of Things, blockchain, artificial intelligence and machine learning, and they have totally changed the way business runs. So the perimeter, like we have mentioned, has totally disappeared. It is no longer about protecting your boundaries; it is about protecting the data. In cloud we do not have any kind of boundaries, and if you do not have boundaries it is pretty difficult to have complete visibility of your assets. If you know the different assets and what classification of data they are holding, you can have better visibility and proper governance of your cloud assets. So those are the challenges which are there in cloud asset discovery. So this is it, friends, in this lecture. Will meet you in the next lecture.

  2. Complete Asset Discovery in Cloud

Hello friends. So welcome to this lecture on complete asset discovery in cloud. In the last lecture we have already gone through the different challenges in terms of cloud asset discovery, because there is no perimeter in cloud, and the different access issues and so on. In this lecture we'll try to understand what kind of tools are required and how we can have complete visibility of the cloud infrastructure. We have already discussed in the last lecture that cloud asset discovery, or complete visibility of your IT environment, is the first crucial step in order to have active governance policies, or to segregate the data according to what kind of security should be provided. So it is a kind of baseline which should be there.

The thumb rule is that you should have complete visibility of your devices, where those devices are, and all those details, so that you can have better governance. The question is about visibility. So when we talk about visibility, what does visibility actually mean from your organization's perspective? You need to think of what the devices in your enterprise are, what software they are running, what kind of software has been installed on them, whether the OS is completely updated, how many machines are running Linux, how many are running something else, and so on. How are they operated, patched and configured? What patches have they installed, and when was the last patch applied? Knowing this, you can better defend them and better harden those machines. That is what we mean when we talk about visibility of the environment: that we have the complete details, or you can say the state of your infrastructure.

This is the server, it is running Linux, or this is the application installed. So what is the configuration? What patches have been installed? When was the last patch applied? When you are able to answer all these questions, it means you have a good inventory and good visibility of your IT environment. So let's say there is a vulnerability in the wild, in the case of Windows, and you need to patch all the systems. Think of it in the case of cloud, where you are using five locations, or five different regions around the world. In that case it would be very difficult as a customer to understand which are the different Windows servers you have so that you can patch them. If there is a vulnerability in the wild, that is why you should have complete visibility in terms of operating system and in terms of location. When we talk about cloud regions and Availability Zones, all those details should be there.

And make sure that in cloud you deploy some kind of automated inventory solution which does automated scans. We'll see an example of how Qualys does that. You can use various methods: it supports authenticated scans, IP-based scans or agent-based scans. You can install an agent onto the machines, and generally what organizations are doing is that during the imaging process as well they have the agents configured onto the devices, so that they have complete visibility when an instance is terminated and when an instance starts, and so there is complete visibility of your cloud infrastructure.

Another thing is, due to the dynamic nature of the cloud, there are certain images or certain servers on which you don't have access, or on which you are not able to install agents. Then you need to have different types of scans: an IP-based scan or a CIDR-based scan as well as agent-based scans. Think of the marketplace: you can buy firewalls, like open access servers, there, and similarly you can have a Palo Alto next-generation firewall. You can buy all these images or services from the AWS Marketplace, or similarly from the Azure Marketplace, from where you can buy such products. The thing is, on such products you as a customer don't have the ability to install any kind of agent. So in such cases, to really know the structure, what kind of operating system it is, what security patches are installed, what the version is, and all those things, make sure that for such devices you have IP-based scan enabled.

So that is the thing in order to get complete asset discovery in cloud: what kind of tool can really help to have complete visibility. Another thing is that whatever systems you'll be using for performing automated scans and so on, like in cloud we can tag the assets depending on the environment and depending on the function, so the tool should support tagging of assets. You can have labels, for example, to identify all those assets which fall within the scope of PCI DSS or any other classification, or you may need to scan, or you may need a list of, the assets where the tag is dev, let's say the dev environment.

So all those tools which you are planning to use should have such capability. Make sure that the automated discovery solutions capture details like operating system and specific version, what the network adapters are, open ports, installed patches and drivers, plugins, server name, IP addresses, and in which geographical location the server or instance is. All these settings your automated system or scanner can provide to you so that you can have complete visibility. It should also have search functionality so that you can run queries. Let's say you want to write a script that fetches all the Windows servers which are in the different regions within the cloud.
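The following script is an added example for this lecture; it is not code from the lecture or from any vendor's product. It models the capabilities the lecture asks of a discovery tool (OS and version, open ports, installed patches, tags, region, agent status) over a constructed sample inventory and shows the kind of queries a customer wants to run: Windows servers grouped by region, assets tagged in PCI DSS scope, assets missing a given patch, assets with no environment tag, and appliances that can only be covered by an IP-based scan. All asset names, IP addresses, patch IDs and tags are hypothetical.

```python
"""Inventory query helper (added example, not the lecture's or a vendor's code).
The records below are constructed sample data, not real assets."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    name: str
    os_name: str
    os_version: str
    region: str
    ip: str
    open_ports: tuple
    installed_patches: tuple
    tags: dict = field(default_factory=dict)
    agent_installed: bool = True  # False for marketplace appliances with no agent access


# Constructed sample inventory (hypothetical names, IPs, patch IDs and tags).
INVENTORY = [
    Asset("web-01", "Windows Server", "2019", "us-east-1", "10.0.1.10",
          (80, 443, 3389), ("KB-SAMPLE-1",), {"env": "prod", "scope": "pci-dss"}),
    Asset("web-02", "Windows Server", "2019", "eu-west-1", "10.1.1.10",
          (80, 443), (), {"env": "prod", "scope": "pci-dss"}),
    Asset("db-01", "Ubuntu", "22.04", "us-east-1", "10.0.2.20",
          (5432,), ("sample-kernel-patch",), {"env": "prod", "scope": "pci-dss"}),
    Asset("build-01", "Windows Server", "2022", "ap-south-1", "10.2.1.30",
          (443,), ("KB-SAMPLE-1",), {"env": "dev"}),
    Asset("fw-01", "PAN-OS", "10.2", "us-east-1", "10.0.0.1",
          (443,), (), {"env": "prod"}, agent_installed=False),
    Asset("legacy-01", "Ubuntu", "18.04", "eu-west-1", "10.1.3.40",
          (22, 8080), (), {}),
]


def query(inventory, predicate):
    """Generic search: return every asset for which the predicate holds."""
    return [a for a in inventory if predicate(a)]


def windows_servers_by_region(inventory):
    """The lecture's example query: all Windows servers, grouped by cloud region."""
    out = {}
    for a in query(inventory, lambda a: a.os_name.startswith("Windows")):
        out.setdefault(a.region, []).append(a.name)
    return out


def assets_in_scope(inventory, scope):
    """Tag-based query, e.g. everything labelled as in PCI DSS scope."""
    return [a.name for a in query(inventory, lambda a: a.tags.get("scope") == scope)]


def missing_patch(inventory, patch_id, os_prefix):
    """Which machines of a given OS family still lack a specific patch."""
    return [a.name for a in query(
        inventory,
        lambda a: a.os_name.startswith(os_prefix) and patch_id not in a.installed_patches)]


def untagged_assets(inventory, required=("env",)):
    """Governance gap: assets missing a required tag cannot be classified."""
    return [a.name for a in inventory if any(k not in a.tags for k in required)]


def needs_ip_based_scan(inventory):
    """Appliances where no agent can be installed must be covered by network scans."""
    return [a.name for a in inventory if not a.agent_installed]


if __name__ == "__main__":
    print("Windows servers by region:", windows_servers_by_region(INVENTORY))
    print("PCI DSS scope:", assets_in_scope(INVENTORY, "pci-dss"))
    print("Windows hosts missing KB-SAMPLE-1:", missing_patch(INVENTORY, "KB-SAMPLE-1", "Windows"))
    print("Assets without an env tag:", untagged_assets(INVENTORY))
    print("Need IP-based scan:", needs_ip_based_scan(INVENTORY))
```

In a real deployment the `INVENTORY` list would be populated from the scanner's or CMDB's API rather than hard-coded; the query functions stay the same, which is the point of insisting that the discovery tool expose searchable, tagged data.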

The system should also have the capability to link up with your CMDB, the configuration management database, so that the customer always gets the updated and latest data. A very good example is the integration between ServiceNow, which is a service management tool like Remedy, and Qualys, which is a vulnerability scanner. A very good integration is there, and a lot of customers are using it within the cloud. Whenever changes are made on the device, the data is immediately transmitted to the Qualys cloud platform, or whatever centralized system they have, and then immediately it is updated in ServiceNow as well,

with whatever the state of that particular machine is. Qualys also has a number of features: you can do a scan on the basis of CIDR, and it has agent-based scans wherein, if there is a cloud server, you can install the Qualys agent and it will start giving you the details about that particular instance or server. So these are the kind of features you can look for whenever you evaluate such tools, to have complete visibility of your IT environment so that you can have better governance. So this is it, friends, in this lecture. Thank you for watching this lecture. Meet you in the next lecture.

  3. DevOps Concept

Hello friends. So welcome to this lecture on why DevOps is needed. DevOps is, you can say, a combined terminology between the development and the operations teams. Earlier they used to work in silos. DevOps is an emerging term which is being used in the market and in terms of cloud. There is one other term we call DevSecOps, wherein security is introduced between development and operations. In some organizations this is one team only. First of all, before digging into why DevOps is needed, we need to understand why DevOps actually matters.

Like we already discussed, technology changes, and you can see that software and the internet have already transformed the world and different industries, let's say from shopping to entertainment to gaming and banking. Software no longer merely supports a business; it is an integral part of each and every business, as organizations track their customers through the software delivered or through online services. Some organizations also use software for increasing operational efficiencies.

When they are using their software for value chain logistics, communication and operations, the customer is also looking for a faster response, because there is cutting-edge technology and competition. So the customer needs a faster response. That is why DevOps, you can say a phrase, or I will not say a technology, but a culture, if it is developed within the organization, really helps in faster deployment and error-free deployment. So let's see why DevOps is needed. Before DevOps, the development and operations teams worked in complete isolation. When we say development and testers, it is about the people who develop the software as per the software development lifecycle, and then the IT operations team who actually operate it. Right now DevOps is a kind of agile method wherein they work in collaboration with each other, and sometimes it is one team only; in most organizations that is the practice being followed.

Testing and development were isolated activities done after design and build, hence they consumed more time than the actual build, because first they would develop and test, and then IT operations would check whatever the different functionalities are. In DevOps, you can say a pretty agile approach is used wherein they work in parallel, and each and every module, when it is developed and tested, the operations team can use and check whether the functionalities are provided or not. Without DevOps, each developer or tester is spending their own time in testing, deploying and designing instead of building the project. DevOps really provides improved collaboration between the different people, and the people know their ownership and accountability.

They work in a collaborative environment, and the other benefit is speed, or rapid delivery, with the help of which the organization can deliver projects to the customer pretty fast, and all the bugs and whatever new features there are can be tested pretty easily. Manual code deployment also leads to human errors in production. That is why DevOps is very much helping the organization in terms of reliability, rapid delivery, speed and security, if we introduce DevSecOps, or you can say security, within this process so that you can have fine-grained controls or a configuration management technique. So this is the trend in this lecture, why DevOps is needed. Thank you for watching this lecture. Meet you in the next lecture.

  4. DevOps Concept

Hello friends. So welcome to this lecture on SecDevOps and secure configuration management. In the last lecture we just had an overview of what DevOps is, and we also discussed what SecDevOps is: integrating security into development and IT operations, or into the complete development method, or having a practice of security. Again, it is a very important concept in the case of cloud, because in cloud most of the stuff which is being deployed is through CI/CD pipelines, continuous integration and continuous deployment. In this case it is really code, or different scripts, which are used to deploy the different services within the cloud. It is very crucial to understand that whatever the developers are using, or the platform they are using, is secure and is being monitored: somebody is testing the code, somebody has scanned the code for any kind of security issues.

And the developer activities are logged. All those things are very much required for secure configuration. Suppose a developer has deployed something, let's say a simple instance, or built a server or an application on the cloud, with the help of a database. In that case, if there are some vulnerabilities in the code itself, or the code is not secure itself, then whatever has been deployed within the cloud could lead to exposure of sensitive data to some third party or some unauthorized person. That is why it is very important to have security in the development process, like we have the baselines in the case of our networks, our systems and our OS.

Similarly, a minimum baseline should be there for the process being used by the developers, so that we can have control over whatever deployments have been done, as per the compliance requirements. We need to ensure that whatever baselines have been set are integrated into the DevOps process and the pipelines, which we call continuous integration and deployment. We also need to ensure that the baseline is decided taking into account real-world threats, like generally we test the code, or do the application security testing, from the OWASP perspective.

Similarly, whatever code is being used by the developer, we need to make sure that some scan has happened on the basis of the OWASP Top Ten and the SANS Top 25: whatever vulnerabilities are there, in terms of misconfiguration, in terms of SQL injection, whatever is in the OWASP Top Ten, somebody has tested the code and tested the application from that perspective, so that whatever deployment has been done is secure. See, what we are studying is the different concepts or aspects of cloud security. Since the majority of deployments are done through DevOps, or through different types of code, our cloud is like infrastructure as code. So we need to make sure that whatever code is being written is secure enough and is free from vulnerabilities.

If the code is free from vulnerabilities or any kind of bugs, we will have a secure deployment automatically. Another thing is keeping the credentials safe. Scanning for credentials and other sensitive content in the source files is very much necessary during pre-commit, as there should not be any risk of propagating sensitive information into your CI/CD process. Instead of storing the keys, we should use tools like HSMs, hardware security modules, which can keep your secrets or your encryption keys, and monitor the activities. Make sure that whatever activities are done by the developer, committing code changes or whatever, when the commit was done, whether that commit was successful or failed, all such events and activities are monitored, and logs are stored somewhere in a centralized tool like Splunk, or maybe some other tool, with the help of which you can correlate tomorrow, let's say, if there is an incident, what has actually happened and where the loophole was.
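The pre-commit credential scan the lecture calls for, as an added example that is not part of the lecture or of any particular tool: it checks a set of staged files for well-known credential shapes (the AWS access key ID prefix, a PEM private-key header, and generic `password = "..."` style assignments), ignores obvious placeholder values so they do not block commits, and reports the file, line and pattern for each hit. The staged file contents, including the access key, are constructed samples; in a real git hook the file list would come from `git diff --cached --name-only`.

```python
"""Pre-commit secret scan (added example, not the lecture's or any tool's code).
The STAGED dictionary below is constructed sample data standing in for the files
a developer is about to commit."""

import re

# Credential shapes to look for. The "AKIA" access key ID prefix and the PEM
# private-key header are well-known formats; the assignment rule is a heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"),
}

# Values that are obviously placeholders should not block a commit.
PLACEHOLDERS = re.compile(r"(?i)(changeme|example|placeholder|<.*>|\$\{.*\}|xxxx)")


def scan_text(path, text):
    """Return (path, line number, pattern name) for every non-placeholder hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match and not PLACEHOLDERS.search(match.group(0)):
                findings.append((path, lineno, name))
    return findings


def scan_files(files):
    """files maps path -> file content; scan all of them."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def precommit_check(files):
    """Return (allowed, findings). The commit is allowed only if nothing was found."""
    findings = scan_files(files)
    return (len(findings) == 0, findings)


# Constructed staged files (hypothetical paths and values; the access key is
# a made-up string that merely has the right shape).
STAGED = {
    "config/settings.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "changeme"\n',
    "deploy/creds.env": "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n",
    "certs/dev.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEsampleBase64...\n",
    "app/secrets.py": 'api_key = "s3cr3t-value-1234"\n',
}


if __name__ == "__main__":
    allowed, findings = precommit_check(STAGED)
    for path, lineno, name in findings:
        print(f"{path}:{lineno}: possible {name}")
    print("commit allowed" if allowed else "commit blocked: move secrets to a vault/HSM")
```

The `DB_PASSWORD = "changeme"` line is deliberately not reported, showing why a placeholder allow-list matters: without it developers learn to bypass the hook. Real secrets that the hook does catch should go into a secrets manager or HSM, as the lecture says, and the hook's result should itself be logged to the central tool so that a blocked commit is visible later during incident correlation.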

You can see in the diagram that in the case of Microsoft Azure, there is Visual Studio and then a VSTS agent, through which CI/CD pipelines are used to deploy services within the Microsoft Azure cloud. You can see that the customer, or a user, can deploy SQL or a web app, and similarly different services can be deployed with the help of CI/CD pipelines using VSTS, Visual Studio Team Services. In that case, this VSTS agent is installed on some machine or some server.

So whatever changes are being performed by the developer, if the code is not secure enough, or the code is not free from vulnerabilities, similar loopholes or bugs would be there in the deployed infrastructure in the cloud. In order to have a secure infrastructure, we need to make sure that the code is free from vulnerabilities, that security is introduced into the development process, and that developer activities are monitored and sent to some centralized tool.

And whatever keys are being used, let's say to deploy the data or to build the database, make sure that the keys are not passed on along with the data. All these things we need to consider so that we have secure configuration management, a secure deployment process, and a good, secure cloud, so that there is no exposure of sensitive data. So this is it, friends, in this lecture. Thank you for watching this lecture. Meet you in the next lecture.
