Module 6: Securing Cloud Resources

CompTIA Cloud+ Guide to Cloud Computing Notes. Module 6: Securing Cloud Resources

Module Overview

Module Objectives

By the end of this module, you should be able to:

  • Describe common threats to and configurations for cloud security.

  • Secure cloud networks.

  • Secure cloud compute resources.

  • Secure cloud-hosted data.

  • Troubleshoot cloud security issues.

Certification Objectives (1 of 2)

By the end of this module, you should be able to:

  • 1.1 Compare and contrast the different types of cloud models.

  • 1.3 Explain the importance of high availability and scaling in cloud environments.

  • 1.4 Given a scenario, analyze the solution design in support of the business requirements.

  • 2.1 Given a scenario, configure identity and access management.

  • 2.2 Given a scenario, secure a network in a cloud environment.

  • 2.3 Given a scenario, apply the appropriate OS and application security controls.

Certification Objectives (2 of 2)

By the end of this module, you should be able to:

  • 2.4 Given a scenario, apply data security and compliance controls in cloud environments.

  • 2.5 Given a scenario, implement measures to meet security requirements.

  • 3.3 Given a scenario, deploy cloud networking solutions.

  • 5.2 Given a scenario, troubleshoot security issues.

  • 5.4 Given a scenario, troubleshoot connectivity issues.

Section 6-1: Cloud Security Configurations

  • Importance of Security: Security concerns are often the primary reason for hesitating to move to the cloud. This section explores common threats and popular tools used to mitigate risks in cloud environments.

Threats to Cloud Security

  • Common Internal and External Threats:

    • Data breaches: Unauthorized access to sensitive data.

    • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: Overloading services to disrupt availability.

    • Insecure interfaces: Weak APIs or user interfaces that can be exploited.

    • Advanced Persistent Threats (APTs): Long-term targeted attacks typically aimed at stealing data.

    • Account hijacking and poor account management: Compromised accounts can lead to unauthorized access.

    • User error: Mistakes made by users that can lead to security incidents.

    • Insider threats: Malicious actors within the organization.

    • Data loss without backups: Lost data that isn’t recoverable.

Scanning Tools (1 of 3)

  • Definition: Scanning tools are used to improve security by identifying weaknesses in a network.

  • Purpose: Point out insecure ports, software, and firmware that need patching, or identify permissions that require restriction.

  • Popular Scanning Tools:

    • Nmap: A network scanning tool.

    • Nessus: A vulnerability scanner.

    • Metasploit: A penetration testing framework.

Scanning Tools (2 of 3)

  • Example of Tool Usage:

    • Metasploit detected a SOHO router’s administrative username and password.

Scanning Tools (3 of 3)

  • Credentialed Scan: Deeper scans that require account credentials for systems on the network.

  • Network-based Scans: Applications that scan devices connected to a network to check configurations and identify security gaps.

  • Agent-based Scans: Involve agents installed on devices that collect data and send it to a central location.

  • Risk Register: A project management tool to document cybersecurity risks, mitigation strategies, and team member responsibilities.

Cloud-Based Approaches to Security

  • Shared Responsibility Model: This model dictates that the Cloud Service Provider (CSP) is partially responsible for security, while the customer is responsible for the rest.

  • Security Approaches:

    • DevSecOps: A philosophy that emphasizes that security is everyone's responsibility. DevSecOps involves input from the development, security, and operations teams throughout the application's life cycle.

    • Micro-segmentation: Provides granular security controls for traffic and workflows within the cloud, helps monitor and restrict communication within and between cloud resources, and applies security measures specifically to individual workloads, VMs, or network connections.

Supporting Shadow IT

  • Definition: Cloud-hosted applications are key components of shadow IT, which refers to IT systems used without organizational approval.

  • Management Strategies:

    • Establish clear company security policies to manage shadow IT and educate users.

    • Protect regulated data such as personally identifiable information (PII) by prohibiting its storage through shadow IT.

    • Create an approved application list for reliability.

Allow and Deny Rules (1 of 2)

  • Built-in Security: Cloud platforms provide built-in security at the platform level.

  • Allow and Deny Rules:

    • Check information like port, protocol, and IP address or CIDR range.

    • Allow List: Let selected traffic through.

    • Deny (block) List: Prevents specified traffic.

  • Security rules configured directly on cloud resources also provide high availability, in that you don't have to manage or back up firewall instances or devices yourself.

Allow and Deny Rules (2 of 2)

  • Firewall rules are checked in order of priority to determine whether a message is allowed to pass.

AWS VPCs and Subnets (1 of 3)

  • Network Access Control (NAC): Balances the need for network access with the demands of network security by employing a set of network policies that determine the level and type of access granted.

  • Network Access Control List (NACL): Can limit or allow traffic into and out of a VPC's subnets.

  • Characteristics:

    • NACL rules either allow or deny traffic.

    • NACL rules are numbered for priority and are evaluated starting with the lowest number.

    • NACL rules are stateless, evaluating inbound and outbound traffic separately.

AWS VPCs and Subnets (2 of 3)

  • Security Groups:

    • A security group serves as a virtual firewall at the host level and contains rules that control whether traffic can cross a network interface.

    • Unlike NACLs, security groups function on the instances within a subnet, not on the subnet itself.

    • You can associate five security groups per instance.

    • Security group rules only allow traffic; there are no deny rules.

    • Security group rules are stateful: return traffic for an allowed connection is allowed automatically.

    • Security group rules are evaluated when deciding whether to admit traffic to an instance's interface, and the rule most specific to the type of traffic is applied.
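The following simulator is an added example, not code from the course notes or from AWS, and it contrasts the two AWS rule types described above: NACL rules (numbered, allow or deny, stateless, lowest matching number wins) and security group rules (allow-only, stateful, any match admits the traffic). All rule numbers, CIDRs and addresses are constructed.

```python
# Added example (not from the course notes): simulate how AWS evaluates
# NACL rules (numbered, allow or deny, stateless, first match wins) and
# security group rules (allow-only, stateful). Rules and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    number: int      # priority: lower numbers are evaluated first
    proto: str       # "tcp", "udp" or "*"
    cidr: str        # remote CIDR (source for inbound, destination for outbound)
    ports: tuple     # inclusive port range, e.g. (443, 443)
    action: str      # "allow" or "deny"

def matches(rule, proto, addr, port):
    return (rule.proto in ("*", proto)
            and ip_address(addr) in ip_network(rule.cidr)
            and rule.ports[0] <= port <= rule.ports[1])

def nacl_decision(rules, proto, addr, port):
    """First matching rule in numeric order decides; the implicit final rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, addr, port):
            return rule.action
    return "deny"

def sg_decision(rules, proto, addr, port):
    """Security groups hold allow rules only: any match admits the traffic."""
    return "allow" if any(matches(r, proto, addr, port) for r in rules) else "deny"

# Constructed subnet NACL: rule 100 blocks one address before rule 110 opens 443 to all.
INBOUND_NACL = [
    Rule(110, "tcp", "0.0.0.0/0", (443, 443), "allow"),
    Rule(100, "tcp", "198.51.100.7/32", (443, 443), "deny"),
]
# The NACL is stateless, so replies to the client's ephemeral port need their own outbound rule.
OUTBOUND_NACL = [Rule(100, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]
WEB_SG = [Rule(0, "tcp", "0.0.0.0/0", (443, 443), "allow")]

def inbound_https_allowed(src):
    """A TCP/443 request from src must pass the subnet NACL and then the instance's SG."""
    if nacl_decision(INBOUND_NACL, "tcp", src, 443) == "deny":
        return False
    return sg_decision(WEB_SG, "tcp", src, 443) == "allow"

def reply_allowed(outbound_nacl, dst, ephemeral_port):
    """The stateful SG admits the reply automatically; only the outbound NACL can block it."""
    return nacl_decision(outbound_nacl, "tcp", dst, ephemeral_port) == "allow"
```

Passing an empty outbound NACL to `reply_allowed` shows why a stateless NACL that only has inbound rules silently breaks every connection.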

AWS VPCs and Subnets (3 of 3)

  • Flow Logs:

    • VPC flow logs monitor traffic that crosses an individual network interface.

    • Log data is directed to the CloudWatch Logs service or to an Amazon S3 storage bucket.

  • Traffic Mirroring:

    • Traffic mirroring in AWS is similar to the packet capture and analysis functions you can do with Wireshark, and provides deeper insight into captured traffic than what flow logs offer.

    • This information can be used to reverse-engineer a network attack and identify vulnerabilities.

    • You can also use this information to identify the root cause of a performance issue.
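As an added example (not from the course notes or from AWS), the parser below reads VPC flow log records in the default version-2 space-separated format and summarizes which destination ports a NACL or security group rejected per source address, the kind of review that flow logs delivered to CloudWatch Logs or S3 support. The log lines, account ID and interface ID are constructed placeholders.

```python
# Added example (not from the course notes): parse default-format VPC flow log
# records and summarize rejected traffic per source. Sample lines are constructed.
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}   # IANA protocol numbers

SAMPLE_LOG = """\
2 111122223333 eni-0123456789abcdef0 203.0.113.5 10.0.1.20 51000 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.20 40001 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.20 40002 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.20 40003 445 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 198.51.100.7 10.0.1.20 40004 8080 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0123456789abcdef0 10.0.1.20 203.0.113.5 443 51000 6 10 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per usable record; NODATA/SKIPDATA rows carry no addresses and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["protocol"] = PROTO.get(rec["protocol"], rec["protocol"])
        rec["dstport"] = int(rec["dstport"])
        yield rec

def rejected_ports_by_source(text):
    """Map each source address to the set of destination ports that were rejected."""
    rejected = defaultdict(set)
    for rec in parse_flow_log(text):
        if rec["action"] == "REJECT":
            rejected[rec["srcaddr"]].add(rec["dstport"])
    return dict(rejected)

def suspicious_sources(text, min_ports=3):
    """Sources whose rejected traffic touched at least min_ports distinct ports in the
    window: a trigger for review of the rules and the source, not proof of an attack."""
    return sorted(src for src, ports in rejected_ports_by_source(text).items()
                  if len(ports) >= min_ports)
```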

Azure Virtual Networks (1 of 5)

  • Perimeter Network: Recommended to restrict Internet traffic to protected resources.

  • Functions as a screened subnet or DMZ (Demilitarized Zone) between private resources and the Internet.

  • Azure offers several security devices you can configure to provide protection on and within your VNets.

Azure Virtual Networks (2 of 5)

  • Network Virtual Appliance (NVA): A VM within the perimeter network managing traffic.

    • Can provide features like a firewall, IDS/IPS, and antivirus.

  • Third-party NVAs can provide additional security features such as the following:

    • Firewalling

    • IDS/IPS – An IDS (intrusion detection system) identifies activity that appears suspicious and reports on that activity, while an IPS (intrusion prevention system) acts to mitigate it

    • Antivirus

  • An NVA can manage incoming traffic, outgoing traffic, or both, and can work at OSI layer 4 or OSI layer 7.

Azure Virtual Networks (3 of 5)

  • Network Security Group (NSG):

    • The Azure NSG provides firewall-style protection at the subnet level.

    • Azure creates six default rules for every NSG: three for inbound traffic and three for outbound traffic.

    • These rules cannot be removed or altered, but you can override them by creating higher-priority rules.

    • NSG rules are stateful, meaning that once a message is allowed to cross the NSG, later messages in that conversation continue to be allowed.

Azure Virtual Networks (4 of 5)

  • Return traffic on an existing connection is allowed by the NSG

Azure Virtual Networks (5 of 5)

  • Application Security Group (ASG)

    • An ASG is a subgroup of an NSG, allowing for micro-segmentation of your security policies according to application and workload type within the VNet.

    • You can associate one or more ASGs with each network interface.

  • Other Azure security tools include the following:

    • Azure Firewall for highly available threat protection

    • Azure Network Watcher for capturing and monitoring traffic logs

    • Microsoft Defender for Cloud to provide anti-malware for cloud instances

    • VNet TAP (Terminal Access Point) for network capture and analysis

GCP VPCs (1 of 2)

  • Virtual Firewall: GCP's firewall is set at the network level to manage IPv4 traffic into and out of the VPC.

  • Rules can be set to target specific protocols, ports, sources, or destinations.

  • Firewall rules are applied first according to priority and then by how specifically the rule matches the traffic.

  • VPC Flow Logs: Tracks TCP and UDP traffic at the subnet level.

Securing Hybrid and Multi-Cloud

  • Auto-scaling Security: Cloud security techniques must adapt to resources that scale up and down, whereas on-premises security tools are designed around connectivity within a fixed network perimeter.

  • CASB (Cloud Access Security Broker): Bridges gaps between on-premises and cloud security.

Section 6-3: Compute Security

  • Goal: Security measures must be applied to typical cloud compute resources such as instances and applications.

Device Hardening

  • Hardened Baseline: A document of the configuration changes necessary to secure the OS and system.

  • Key Techniques:

    • Plan subnet placement

    • Disable unnecessary ports and services

    • Enforce account management policies

    • Install antivirus/anti-malware software and keep it updated

    • Install host-based/software firewalls and IDS/IPS

    • Create single-function resources

Application Security

  • Web Application Firewall (WAF): Protects SaaS applications by filtering and monitoring traffic.

  • Application Delivery Controller (ADC): Load balancer with traffic filtering, encryption handling, and monitoring capabilities.

Section 6-4: Data Security

  • Data States:

    • At Rest: Data in storage (file, block, object).

    • In Use: Data being processed temporarily.

    • In Motion: Data being transported between locations.

  • DLP (Data Loss Prevention) Solutions: Aim to protect data in all three states.

Encrypting Data (1 of 3)

  • Definition: Encryption uses an algorithm to scramble data so that it is readable only after decryption.

  • Deployment Considerations: Work with CSP encryption capabilities, determine key storage, and consider costs.

Encrypting Data (2 of 3)

  • To protect data at rest, in use, and in motion, encryption methods are evaluated by three principles that form the standard security model called the CIA triad:

    • Confidentiality: Data can be viewed only by the intended recipient.

    • Integrity: Data not altered in transit.

    • Availability: Data accessibility when needed.

  • Encryption protocols use a mathematical code, called a cipher, to scramble data into a format that can be read only by reversing the cipher.

Encrypting Data (3 of 3)

  • The most secure forms of encryption encode the original data bits using a long and complex key to scramble the data and, from it, generate a unique data block called ciphertext.

  • Key encryption can be divided into two categories:

    • Private Key Encryption: Uses a single key for encryption and decryption.

    • Public Key Encryption: Involves a private key for encryption and a public key for decryption.

Securing Protocols (1 of 4)

  • SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are two encryption protocols commonly used to encrypt communications across the Internet.

  • Each time a client and server establish an SSL/TLS connection, they generate a unique session.

    • A session is created by a handshake protocol, which allows the client and server to introduce themselves to each other and establish the terms for how they will securely exchange data.

  • You can use the CLI utility OpenSSL to troubleshoot issues with SSL/TLS encryption and related certificates.

    • The s_client command offers options for testing secure connections, gathering information on security configuration, and managing certificates.

Securing Protocols (2 of 4)

  • TLS is acknowledged as a more secure encryption protocol compared to SSL.

Securing Protocols (3 of 4)

  • DNS Security:

    • Authentication: DNSSEC lets resolvers verify that DNS records are authentic by using public key cryptography.

    • Encryption Protocols: DNS over TLS (DoT) and DNS over HTTPS (DoH).

Securing Protocols (4 of 4)

  • NTP Security: NTP is used for network time synchronization but lacks authentication; however, it can be secured with NTS (Network Time Security), which uses TLS.

Section 6-5: Troubleshooting Cloud Security

  • Importance: Proper configurations and maintenance are critical for security. Misconfigurations lead to security issues.

Security Misconfigurations (1 of 3)

  • Common Problems:

    • Misconfigured policies in firewalls.

    • Failed security appliances.

    • Incorrectly set micro-segmentation.

Security Misconfigurations (2 of 3)

  • Tools for Protection: AWS Trusted Advisor, for example, checks configurations against security best practices.

Security Misconfigurations (3 of 3)

  • Security Weak Spots:

    • Unencrypted data.

    • Weak security technologies.

    • Insufficient controls.

Key Management

  • Key Management Service: A key management service stores private keys in the cloud or on-premises. Address issues such as unavailable keys by checking the service's configuration.

Summary

  • Key Takeaways:

    • Understanding of common threats and configurations for cloud security.

    • Knowledge of securing networks, computing resources, and cloud-hosted data.

    • Ability to troubleshoot cloud security issues.