The document provides an overview of cloud computing, including its definition, use cases, and deployment models. It discusses the pros and cons of cloud computing, security challenges, and foundational strategies for data security. Additionally, it covers virtualization types, cloud service models, and the importance of data protection and compliance in cloud environments.

Uploaded by Junaid Akram
History

Mainframes
• Large
• Expensive
• Powerful

ARPANET
• First wide area network
• Communication, government, and academic institution

Personal computer
• Personal use
• Smaller and cheaper
• Client-server
History (cont.)

Web 1.0
• Static
• Basic information sharing

Web 2.0
• Dynamic
• Interactive

Cloud computing
• Salesforce.com
• Amazon Simple
• Google
• Microsoft
Cloud Computing Definition

• What is cloud computing?
• Following the U.S. government’s National Institute of Standards and Technology (NIST) cloud framework
• NIST definition of cloud computing
• Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Cloud Computing Definition (cont.)

• Definition from Wikipedia
• Cloud computing is internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid.
• Cloud computing is a style of computing in which dynamically scalable and often virtualised resources are provided as a service over the Internet.
Use Cases

• Netflix is one of the largest video streaming services world-wide. It uses Amazon Web Services (AWS) to run its media streaming services.
• Mercedes-Benz is one of the most famous automotive brands. It uses Azure to run its research and development.
• Home Depot is the largest home improvement retailer in the U.S. It uses Google Cloud to run its online stores.
Cloud Basics
Cloud Impacts

Pros
• Scalability
• Cost savings
• Accessibility
• Collaboration

Cons
• Security
• Internet necessity
• Limited customisation
• Data portability
Cloud Actors

• Cloud consumer: uses services offered by cloud providers
• Cloud provider: offers various services to cloud consumers
• Cloud auditor: conducts independent assessments of cloud services, operations, performance, and security
• Cloud broker: manages and negotiates relationships between cloud providers and cloud consumers
• Cloud carrier: provides connectivity and transport from cloud providers to cloud consumers
Deployment Models

• Public cloud: The infrastructure is owned and managed by the service provider and is located in the provider’s facilities. It provides services to the public.
• Private cloud: It is dedicated entirely to a single organisation. It resides in the organisation’s facilities or is hosted and managed by a third‐party provider.
• Community cloud: Multiple organisations share resources and services based on common requirements.
• Hybrid cloud: This is a combination of private, public, or community clouds.
Virtualisation

• Virtualisation allows multiple virtual machines (VMs) to run on a single physical machine by partitioning the resources of the physical machine into multiple virtual environments
• Components include:
• Hypervisor
• Guest OS
• Host OS
• Virtual network
• Virtual storage
Types of Virtualisation

Source: Cloud Computing: Concepts, Technology & Architecture


Type 1 vs. Type 2

Type 1 virtualisation
• Also known as “bare-metal” virtualisation
• Hypervisor is installed directly on the host machine’s hardware
• Offers better performance and security since it has direct access to hardware resources
• More complex to set up and manage but more efficient for large-scale virtualisation
• Examples include VMware ESXi, Microsoft Hyper-V, Citrix XenServer

Type 2 virtualisation
• Also known as “hosted” virtualisation
• Hypervisor runs on top of a host operating system
• Has more overhead since it runs on top of a host operating system
• Easier to set up and manage but less efficient for large-scale virtualisation
• Examples include Oracle VirtualBox, VMware Workstation, Parallels Desktop
Cloud Service Models
Cloud Security
Cloud Challenges

• Security and privacy
• Breach incidents
• Facebook: over 530 million users’ personal data were stolen and posted to a public database
• LinkedIn: affecting 700 million LinkedIn profiles, the information was primarily public
• Accenture: 6TB worth of data
• Hotmail: accounts were hacked due to technical flaws
• Amazon: customer data were stolen; services were unavailable for multiple days
Cloud Security Levels
Identity Security

• Ensures the integrity and confidentiality
• Strong authentication
• Multi-factor authentication (MFA)
• Long and complex passwords
• Granular authorisation
• Role-based access control
• Attribute-based access control
Information Security

• Confidentiality
• Multitenancy
• Data remanence
• Integrity
• Data integrity, software integrity, application programming interface (API)
• Availability
• Data, software, and hardware
• Accountability
• Nonrepudiation
Security Standards

• Payment Card Industry Data Security Standard (PCI DSS): robust payment card data security process
• Health Insurance Portability and Accountability Act (HIPAA): handles protected health information (PHI)
• NIST Cybersecurity Framework: developed by the National Institute of Standards and Technology (NIST), this framework provides a set of guidelines for managing and reducing cybersecurity risk
• International Organisation for Standardisation (ISO) 27001/27002: 27001 is the information security standard; 27002 gives guidance on how the information security controls can be implemented
Shared Responsibility
AWS Shared Responsibility Model
Azure Shared Responsibility Model
GCP Shared Responsibility Model
Command-Line Tools (CLI)

• Programs that allow users to interact with a system and execute commands
through a text-based interface rather than a graphical user interface (GUI)
• Advantages
• Efficiency
• Flexibility
• Portability
• Debugging
Security
Concepts Review
Introductory Security Concepts

• Shared responsibility model
• Data encryption
• Identity and access management (IAM)
• Security groups/access control lists (ACL)
• Compliance
• Disaster recovery planning (DRP)
• Audits
• Incident response
Symmetric vs. Asymmetric Encryption
Data Importance and Life Cycle

Why Protect Data
• Financial loss
• Personal harm
• Regulatory consequences
• Business disruption
• Loss of Intellectual Property (IP) data
Privacy vs. Cost

• On premises or in cloud?
• How safe are my data in the cloud?
• Multitenancy
• Hypervisor attack
• Data remanence
• Physical/administration access
Asset Classification

• Everything owned or controlled by the organisation can be considered an asset
• Data classification must be conducted
• Public
• Confidential
• Restricted
• The classification is dictated by:
• Sensitivity
• Value
• Regulations
Tagging Cloud Resources

• Labels that can be attached to cloud resources such as virtual machines, storage buckets, load balancers, and databases
• A tag is usually a combination of a name (or “key”) and a value
• For example, a key of PII-data and a value of yes
• They can be used for various purposes
• Cost management
• Access control
• Compliance
• Resource management
Data Life Cycle

Source: CCSP Official Guide


Data in the Cloud
Cloud Storage Architectures

File storage: hierarchical files and folders
Block storage: split into blocks
Object-based storage: data and metadata
Cloud Data Security Foundational Strategies: Encryption

• Protect data at rest, in transit, and in use
• Stage encryption: encryption at the cryptographic service provider (CSP) side
• End-to-end encryption: encryption at the client/tenant side
• Encryption key management (HSM and KMS)
• Data encryption vs. key encryption
• Key recovery
• Key revocation
• Key escrow
Trusted Decrypter

Source: Security, Privacy, and Digital Forensics in the Cloud


Cloud Data Security Foundational Strategies: Data Obfuscation

• Randomisation: data replacement
• Hashing: one way
• Shuffling: shuffles same dataset
• Masking: hides data with useless characters
Case Studies for Data Obfuscation
• Test environment
• Least privilege
• Secure remote access
Cloud Data Security Foundational Strategies: Obscure Data and Tokenisation

Source: CCSP Official Guide


Security Information and Event Management (SIEM)
• Centralise collection of log data
• Enhanced analysis capabilities
• Dashboarding
• Automated response
Data Loss Prevention (DLP)

• Techniques, tools, and processes that are designed to identify, monitor, and protect sensitive data from unauthorised access, use, disclosure, or theft
• Why is it needed?
• Security
• Policy enforcement
• Regulatory compliance
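The “identify” step of DLP from the slide above, as an added Node.js example that is not part of the slides: scan constructed log and chat text for payment card numbers (the PCI DSS data named earlier), using the Luhn checksum to separate card numbers from other long digit runs such as order ids. The sample documents and function names are constructed for this example.

```javascript
// Luhn check: the checksum every payment card number satisfies. It filters out
// most 13-19 digit runs that are not card numbers (order ids, timestamps).
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally grouped by single spaces or dashes.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

// One finding per Luhn-valid candidate; only the last four digits are kept in
// the finding so the DLP report itself does not become a new copy of the PAN.
function scanForPans(text, source) {
  const findings = [];
  for (const m of text.matchAll(PAN_PATTERN)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) {
      findings.push({ source, offset: m.index, length: digits.length, last4: digits.slice(-4) });
    }
  }
  return findings;
}

// Constructed sample documents, as a DLP scanner might see them in a log store
// and a chat export. Both card numbers are publicly known test numbers.
const sampleDocs = {
  'app.log': '2024-05-02T10:11:12Z INFO order 1234567890123 paid with card 4111 1111 1111 1111',
  'chat.txt': 'my card is 5500-0000-0000-0004, order ref 9999999999999',
};

function scanAll(docs) {
  return Object.entries(docs).flatMap(([name, text]) => scanForPans(text, name));
}
```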
Azure and AWS Examples
Azure Encryption at Rest
Azure Encryption at Rest VM

• Azure disk encryption
• BitLocker for Windows
• dm-crypt for Linux
• Supported Windows operating systems (OSs)
• Windows client: Windows 8 and later
• Windows server: Windows Server 2008 R2 and later
• Windows 10 Enterprise multi-session and later
• Double level encryption
• Soft encryption
• Purge enabled
Azure Example
Azure Example (cont.)
Amazon Key Management
Amazon S3 Storage

• Buckets and objects used for storage in S3
• Server-side encryption (SSE) enabled
• Key type
• Amazon S3 key (SSE-S3)
• AWS Key Management Service key (SSE-KMS)
AWS Encryption
AWS Bucket