Hi. Welcome back to the course. In the last video, we talked about some different cloud based attacks that we can do.
So if you haven't watched a video yet. Go ahead, Paul. Is this one? Because you will need to know that information for a certified ethical hacker examination.
So in this for you, we're gonna wrap up our cloud discussion. We're gonna talk about cloud security, and they're also going to talk a little bit about plowed penetration testing.
So we're gonna start off with our pre assessment again. It's just a couple of questions to test your knowledge on the subject.
So question number one here clad security is only the responsibility of the cloud providers. Who is that true or false?
All right, so we obviously know that's false. There's a thing called shared responsibility. So we as an organization or is an individual, we have a certain level of things that we need to accomplish. And then, of course, the cloud provider is responsible for some of the security and items as well.
So question number two. All of the following of these are examples of cloud security best practices, except which one.
So if you guessed. Answer. D You are correct. So that's just software as a service, which we talked about earlier is basically just a subscription time model.
So end encryption. So from the time I send the data to you, everything's encrypted. I'm also when it's just sitting there, you so the encryption at rest. So when it's just sitting there on the server waiting around, we want to keep that encrypted as well, and then roll based access control. We want to make sure that the Cloud Provider officers features
where we can stipulate what kind of access control we want to give people.
So class security. We've got different layers of class security and then different controls that could be applicable to the that particular layer. So, for example, with applications were getting of SCLC or secure S. T. L. C. So software development Life cycle we can have things like application scanners, Web location, firewalls
for the information layer. We can use controls like database monitoring, encryption. DLP is data loss prevention, and you'll hear that a lot if you start working. And if you're not ended in the industry yet, you'll hear a lot about Deal P depending on what particular vertical urine
management layer. So we basically that's the passion configuration management. So we're keeping things up to date identity and access management. Or I am Virtual Machine Administration
for the network Lair of Claude Security. We've got difficult trolls like firewalls or network intrusion descent detection systems. Deanna Security. We also have trusted computing s O. We are basically having harbor itself for roots of trust and also application programming interfaces,
computer and storage. We're using host based intrusion detection systems, block management files, an encryption and then, of course, physical. That's pretty self explanatory of video monitoring or, like security guards, that sort of stuff.
So share responsibility I touched on had just a little bit ago. So basically, this is from a d o A. W s. So Amazon Web service is their cloud. So they're kind of breaking it down of okay, the customer and in the cloud, you know? So the customer, what they're doing is out of the cloud. They're responsible for this stuff, and then we as 80 of us, you know where the kind of the
you know the of you know, So the infrastructure
for you we're gonna handle all this other stuff here.
So and that's with pretty much every cloud provider. They've got some kind of shared responsibility with the end user or with the end organization.
So some of the security considerations and a lot of this stuff This is not a, ah, full list. And a lot of this stuff is some common sense, right? So we kind of determined, like Is a data critical or not? Is a critical business fund function. And then, you know, if it is like if it's pretending to a critical business function, you know, we need to put some thirst, certain things in place, right? So
you know, the end and encryption. You know, our encryption at rest.
We need to do things to protect that data.
Can I move the data? So there's a club service provider. If I get tired of like Amazon, for example, can I move into Google, Google Cloud or can I move to Microsoft Azure? What can I do with the data? Because my own data, right? I want to keep control over how it moves
availability. What's the up time? Right, and then that's kind of the whole purpose behind the cloud, right, so we can keep a lot of time on the data. But what's the availability for this particular provider? Right is do the guarantee me 99.99999% accuracy and availability. Or is the room for error? They less than other competitors,
you know, because even though there's a cost difference, maybe it's more beneficial. If I need this data all the time,
like a hospital or something like that. Maybe I need to
put that extra money in and invest in the right company
business kind of any planning or disaster recovery planning. So basically, if the cloud service provider has some type of issues, so let's just say, you know, Amazon has different data centers, so let's just say that one of them completely goes off the map because of a hurricane.
So what's the plan there, right? And obviously with Amazon, you can, you know, you get it where they put it in different ones for you. But let's say that that that you just have it in one. So what would your plan be in that situation? Right? And what's the organization? The Cloud service providers plan as well.
Backups. Of course. You wanna consider backing up outside of that Cloud service providers? Let's figure out a way you could do it. Back up his will.
Encryption. We kind of touchdown that with the data loss prevention stuff and also is the data critical stuff. We want to make sure that we encrypt the data
ownership. Who actually owns the data? Right. We want to maintain ownership of our own data. We don't want to give it to this cloth service provider. So you have to read these contracts carefully to make sure you're not just giving away all your critical data.
And then, of course, the vendor. You know what you know. What vendor are they? Do they have a good track record? They have good reviews, that sort of stuff. You know, if there is a breach, you know, or some issue in the cloud do they fix it? You know, do they address it on their systems, or do they just leave it up to the customer to figure that stuff out?
So class security controls, eh? So we basically want to just make sure these match the particular business function, right? So my amendment. I've mentioned encryption a few times here cause is important. So let's just say that I'm, you know, I've got a business and I'm using, like, social media, you know, toe trying to drive more traffic and get better marketing.
So obviously, I I probably don't need to do ended and tend encryption on all my social media posts. It doesn't make any sense, right? But let's say, for example, that that we're talking about a critical business function. Well, yeah, of course. Now I wantto, you know, put encryption on it. Now I wanna monitor attract for changes. You know,
I wanna have you no stronger identity and axis management control. So I want to make sure there's,
you know, multi factor authentication in place. So you got to get that text to your phone and not someone else's, you know? And of course, that stuff could be bypassed a certain extent. But, you know, I want to take all these things into consideration
when I'm trying to figure out what kind of controls I need for these particular business functions that I'm putting up in the cloud.
So some security best practices. Of course. We've mentioned into an encryption, encryption at rest vulnerability and incident response. So we want to see what kind of vulnerability testing we can do with a cloth service provider on our particular systems and then also incident response. If there is some kind of a breach or issue, what's their response to help us like, What are they responsible for?
Data retention policy? So how long do we need? You know, how long do we want it kept? And how long does it cost Service provider? Keep our data, especially if we leave them. You know what's the time period of them to delete it?
Robots ask access control. We want to be able to, like, delineate essentially what each user should have
a virtual private cloud just think of, kind of like a VPN, a virtual private network here that we covered earlier in the course. You know, it's essentially the same thing for the cloud, so you're kind of given a safe tunnel to your data.
And then, of course, we want to make sure the cloth service provider has some type of club compliance certification on, and so that way we can just make sure they're doing everything the exactly they shoot. So a couple examples of like a, uh, some compliance hurts. They're gonna be like PC idea says standard. And so basically,
the organization's gonna undergo detailed audits to ensure
that sensitive data is stored, Transmitted processed all these things in an approved message method. So basically, ah, the PC idea says, is gonna include the requirements for things like security management, different policies and procedures, even the network architecture, and sell for design.
So there's a lot of different examples out there of some some, you know, checklist for you. Cli class security and compliance and that sort of stuff. And this one here is more so on the class security checklist aspect. But basically, you know, we want to make sure that we are doing everything we need to write. So we've got good governance, risk and compliance.
We do want to, you know, audit the different business processes so we can see, like, you know, what do we need And, you know, what do we need to secure
a managing of people rolls and identities? Of course, we want to use identity access management or some other you know, equivalent to be able to say like, Okay, you know, you're in this role. So you're gonna get this, you know? And then, you know, you work in this department, you're gonna get access to this. So it's very important for us to continue that.
And then, of course, you know, forcing hard are different prior privacy policies as well. I'm assessing the security provisions for cloud applications on that also, you know, ensuring that the cloud networks and connections are actually secure. So we don't want to be in the news for an insecure AWS bucket, right? So make sure that we're setting everything up properly.
And then, of course, you know, if we have to manage the security terms in the cloud service agreement, you know, But a lot of that stuff is made before we actually get it.
So class security tools and this not an all encompassing list. I described a couple of tools, so we've got things like net scope, McAfee high sky high. Excuse me. Cipher Cloud, IBM, Klaus, security enforcer, and then a vast club here.
So some considerations again for pen testing in the cloud. And the main consideration here is shared responsibility. So you want you don't want to just, you know, start cracking away at you know, the cloud environment there. Whatever. Because you may get reported for that since you know, they're on the azure cloud or something like that. So
just keep that in mind your shared responsibility, like, know what you're allowed to touch
and you because you go.
And then, of course, the cloud stack. Right? So things like the facility that's Russian testing at the network, you know, solution stack vmc, etcetera, etcetera.
So in this video, we wrapped up our section on the cloud.
Go ahead and download the post assessment to just kind of test your knowledge on the cloud environment again. You're gonna need to know some of the definitions we covered in these videos for the actual sort of unethical hacker examination.
In the next video, we're gonna move into our module on cryptography.