0:29
Hi, everyone. Welcome back to C Sharp Corner Live Show. I'm your host, Stephen Simon, and I am back with another episode of Ask Me Anything Show. And this episode, I'm really excited. We have a really exciting guest coming up today. We're going to talk about a lot of cloud and security. Before we go ahead and do that, if you are someone who is joining us for the very first time, I say we stream at C Sharp Corner like eight days in a week. We do multi streams in a day and almost like all days
0:58
days. So quick, quick, quick reminder that this is the episode number 31 of Ask Me Anything
1:03
We have been doing many other shows. For instance, on Monday, we have Azure AI show
1:08
where we talk about the entire ecosystem of the, and services that Azure has to provide in the AI
1:14
and machine learning. Then on Tuesdays, I forgot to add the panel for Tuesdays, but on Tuesdays
1:21
we have Product Showcase and Coffee with Pros, where we do kind of video podcast, chit chat with
1:26
tech geeks, talk about their life journey, and it's more like informal chit-chat that
1:31
they do. Then on Wednesday, we have C Sharp Corner MVP show where we feature one of the community
1:36
leaders and talk about their journey in the field of community and followed by technical session
1:41
The other day, we had, actually this morning itself, we had Shweta from Seattle
1:46
She did talk about notification in Microsoft Graph. That video is available on C Sharp Corner
1:51
You can definitely go and watch this. Then on Thursdays, as it is today, okay, so this time is going to change, right
1:58
7.30 p.m. I don't know. You know, the daylight timings, as an Asian forum, it's very challenging to keep up with
2:04
the daylight change timing. They would just change sometimes. So, but the fixed time is 10 in an instant
2:09
On every Thursday, we do Ask Me Anything show where we invite a guest to ask them literally
2:15
anything followed by a technical session too. So, one of my favorite shows
2:19
Then on Fridays, we have Vote Mindset, where that show is hosted by the founder Maheshan
2:26
who talks about that you just don't have to keep on coding your entire life. You want to go ahead and involve in some managerial decisions, be a leader
2:34
That's what that show is about. And another show on Saturday that we do is by David McCarter, who is a 14-time Microsoft MVP
2:43
He invites people from the entire ecosystem of .NET. He has interviewed Mads Torgersen, director Scott Hunter, Kendra Havens and many more amazing
2:54
folks in his show. Apart from that, we also have conferences that we do, and if you want to go
3:00
ahead and stay updated with anything that's happening on C Sharp Corner Live, just visit
3:05
csharp.live at their seven destination, and you will find us streaming almost every day. Having
3:11
said that, in today's episode of Ask Me Anything we have Vijayta, who is a, I'm gonna, I'm
3:18
gonna read her bio, right. I usually mess up with the bios, so I'm just gonna read her bio. She's
3:23
a program manager and a technical evangelist, which means she would always go ahead and speak in
3:27
many different events and conferences. She has experience in implementing strategies and training
3:33
globally to provide a competitive edge to organizations in diverse, evolving customer
3:37
environments. Currently she is working on her passion to demystify cloud technologies
3:43
using web comics, animated videos, by harnessing the power of storytelling and analogies. A
3:50
storyteller and a technical enthusiast by heart, she wants to use her experience to grow, give back
3:55
to the profession and community, and make technology accessible, fast, scalable and reliable. I'm really
4:01
excited to go ahead and host her. So without any further ado, let me invite our guest, Vijayta
4:07
Hi Vijayta, how are you? I'm good. How are you, Stephen? I'm doing great. So Vijayta, thank you so much for accepting the invitation
4:14
We really appreciate your time for all that you do for the community, right
4:18
We really love that. So thank you so much once again for accepting the invitation
4:23
I did read your bio though, it looks really amazing. But would you like to just go ahead and do, as a format of the show, a quick introduction of you
4:30
so that people watching this can kind of get who you are, what you do? Perfect, yeah. So I'm Vijayta, like you just mentioned
4:36
I'm currently following my passion to demystify cloud computing and even emerging technologies for that matter, using the power of storytelling and analogies
4:45
So I'm the creator and writer of clouddemystified.com. And there actually I'm using storytelling and simple analogies, doodles to demystify cloud fundamentals, best practices and, just like I said, anything around cloud technologies
5:05
Apart from that, I'm also giving a lot of talk shows and presentations, academic presentations
5:12
as well, just to follow my passion. So right now, and like, I mean, people who have visited my website
5:19
know already, I have a toddler, I have a two-year-old at home, so creativity really provides
5:24
me with the fuel to look after her. It's exhausting. So this is like, yeah, so that is where I am at
5:31
right now. And before this, I have worked as a program manager at Akamai Technologies
5:35
and that is where I got introduced to on-premise infrastructure, and because I was just at the
5:41
center stage, I could realize how difficult it is to maintain that infrastructure, all the things
5:46
associated with it, and that's where I started exploring cloud computing. And here I am right now
5:51
So that is my brief bio. Do you need anything else? Yeah, I mean, I will go ahead and quickly chat, but
5:57
you know, you did tell that, also the title of the session says that you are more into this cloud
6:02
right, and when I go ahead and check your blogs and your profile, it seems that you are more
6:07
inclined towards Google Cloud, right? So can you kind of, so, you know, we usually see AWS and
6:15
Azure coming up, usually people talk a lot about these. So what made you go ahead and
6:21
move your career into Google Cloud? What was something that you liked? Was it that a project
6:26
was coming up, so that's why you moved, or you kind of liked it? So what's the background with that
6:30
Yeah, so very simple background with that is I wanted to learn more about cloud computing. I went to Coursera and the first course that came up when I searched for cloud computing was Google. So just long story short. And other than that, I started exploring it. So I explored AWS, I explored GCP, I explored Azure. I'm not saying one is better than the other, but somewhere GCP stood out more to me. So it spoke well to me. And also, I mean, since it was so new and innovative, it's still a niche market out there
6:58
So because of that, I realized that it has a lot of potential to grow
7:03
I mean, it's not perfect and it's not as widely adopted as AWS, to be frank
7:07
But at the same time, yeah, I think it really spoke well to me and all the AI capabilities it had, the flexible pricing model, just some things
7:17
Yeah. But just long story short, I think it was just sheer luck that I found GCP as a first course for cloud computing when I went to study
7:24
That sounds interesting that you went ahead to go learn something and you found GCP and you fell in love with it. I have to be honest, I have not interviewed many people who come from
7:35
the GCP background, so when you go ahead and get started it will be pretty interesting to see, you know
7:40
what GCP has to offer and all that, because I think it's definitely backed by Google, so
7:45
and Google is an amazing company, so definitely they have an amazing product coming up. So
7:51
With me, Vijayta, today we're going to talk about Cloud Security Demystified
7:54
So all the people who will be joining us for next 20, 25 minutes and all that, what people
7:59
should actually be expecting that we are going to cover in the next 25 minutes
8:04
Yeah, so I'm going to just, I'm just going to scratch the surface of security
8:08
I'm not going to do a lot of deep dive into it. So this is more of an introductory to an intermediate session
8:13
So I'm going to talk about what cloud security means, and I'm going to use a very creative
8:18
approach to explain cloud security. And you'll see that once I start the presentation
8:22
And after that, I'm just going to talk about security threat models, security shared responsibilities, and then open the ground for question and answer
8:30
So like I said, it's going to be very basic. I'm going to scratch the surface, but I'm going to do a little bit of deep dive in between as well
8:36
So this is what we can expect. I'm really excited, Vijayta. I mean, you can see I'm really excited
8:42
More on the technical part. I just visited your clouddemystify.com and I see some really amazing content that you have added over this
8:49
I'm really excited for it. You can go ahead and pull your screen, share your screen
8:54
and then I'm going to pull back on the live stream, and then you can go ahead and get started. Perfect
8:58
Thank you so much, Simon. I will do that. So just wanting to know if my screen is visible
9:08
Yeah, yes, it is there, and I've added it to the stream. Perfect
9:12
So let me start. Yeah. So I'm just going to start with a small presentation now
9:17
and going to start with the process to demystify cloud security. So since organizations host their infrastructure
9:26
applications, and data on the cloud, it is very important to secure them. Now, what is cloud security
9:32
Cloud security consists of technologies, processes, policies, and controls to secure applications on the cloud
9:43
No matter which service is provided by any of the public, private or hybrid cloud providers, it is important to understand the security threats and design
9:51
a model to mitigate them. There can be security attacks from inside or outside the
9:57
organization, and it is helpful to have clear policies and processes in place to ensure safety
10:03
I'll talk a little bit about these threats and best practices to mitigate them as we go on
10:07
but before that, I want to tell you a story. I'm going to talk about the story of the three little
10:12
pigs who are in the forest to start their own adventure. You may be wondering why I'm going to
10:18
tell you a story, but you'll understand that once I start. So the three little pigs decided to move
10:25
out of their house into the big bad forest filled with animals and predators. The first thing they
10:30
needed to do was build their own houses. The first pig decided to build a house of straw
10:38
The second pig decided to build a house of clay and the third pig decided to build a house of bricks
10:45
Now, it is important to remember this, since the stability of these houses reflects the strength of the security measures
10:53
The straw house being the weakest and the brick house being the strongest. The pigs went about building their houses. They were having a nice time
11:01
So while the pigs were enjoying their freedom, a big bad wolf was spotted lurking around
11:10
The wolf was hungry, obviously, and just wanted to do some mischief. And this helped them
11:15
So the pigs were actively monitoring their surroundings and found the intruder
11:19
They realized that the big bad wolf could attack them at any time. This helped them get inside the houses on time and lock their doors
11:26
Remember, monitoring is extremely important when it comes to cloud security because it helps organizations prevent any unwanted attacks by strengthening the security measures
11:37
The big bad wolf approached the first pig and asked him to let him in
11:42
The wolf was an outsider and didn't have access to the house. So now see this process of giving proper access to organizations or groups is very important
11:52
because it helps us decide who can access what data and prevents any unnecessary breaches
11:57
or changes. This concept is called identity access management. This I'm going to explain in some time
12:05
So since the wolf didn't get access to the house, he decided to try something else
12:09
He decided to blow it down. The wolf huffed and he puffed and he blew the entire house down
12:15
Now, unfortunately, the first pig left all of his goodies out in the open
12:20
He didn't secure them because of which the wolf got access to all the goodies and he could walk outside with that
12:27
Now, what I told you right now is one important practice that the pig missed
12:32
It's the practice of encryption. The wolf stole all the goodies because the pig did not follow an important security best practice, the practice of encryption
12:40
What is encryption? Encryption simply means protecting the data in a secret code just to hide its true meaning from outsiders
12:49
The wolf was able to get in and steal all of that. Next, the wolf was still hungry
12:55
He decided to go to the next house and he went to the clay house, which was built by the second pig
13:03
The wolf asked the pig to let him in. And as usual, the second pig had also secured the house
13:10
and the wolf did not get access to that. He huffed and he puffed and he blew the house down
13:16
Now, the only thing different here is the second pig thankfully had secured
13:20
all of the belongings in a vault. Even though the wolf could get inside
13:24
he was not able to access the goodies and the belongings. He was dejected, and he went out
13:30
What the second pig did, different from the first pig, was to follow an important practice of encryption
13:37
He encrypted all the goodies or all the data into a vault and secured it. So even if the wolf was able to breach and get inside the system
13:45
he was not able to access the goodies. The wolf was still hungry. He went to the third pig. He
13:51
asked the third pig to let him in. The third pig had also secured the house with a lock and did not
13:56
let the wolf come inside. Again, all the three pigs, if you remember, followed the important
14:01
practice of identity access management. They identified that the wolf was an outsider and
14:05
they did not let the wolf come in. The wolf decided to use the same trick as he did with the first two
14:11
pigs. He huffed and he puffed and he tried to blow the house down. He tried a couple of times but if
14:17
you remember the third pig had built a house made out of bricks and it's not simple to blow a house
14:22
of bricks down. The wolf was dejected. He didn't know what to do. He started just roaming around and
14:29
planning on some other alternative and he realized that the chimney of the house was open
14:34
He went and he jumped inside the house through the chimney. What the wolf here did was he found a vulnerability in a very strong system
14:43
So the entire house was really strong. It was made of bricks, but then it had one vulnerability
14:47
It had an open chimney. The wolf went and he jumped inside the chimney to get access
14:53
This way the wolf was able to get access. The third pig had to think on his feet and had to mitigate the security attack. The third pig went and he lit the fireplace on fire. Because he lit the fireplace on fire, there was smoke coming up the chimney, and the wolf realized it was impossible for him to get in
15:11
He ran away, dejected. And with this story, all the three pigs and the wolf learned an important lesson
15:17
So why did I tell you this story about the three little pigs
15:21
I did this just to explain the entire concept of cloud security
15:26
All the three pigs had three houses. Think of these three houses as three different applications that you want to host on the cloud
15:34
All these applications need to have a really strong foundation and all the security best practices that need to be followed
15:41
The wolf was able to get inside the first house because the structure was weak
15:45
However, he was unable to get access to the goodies. He managed to get inside the second house for the exact same reason, but because the goodies were secure, he was unable to access them
15:55
The third house had a really strong foundation. He was not able to get inside the house, but he found a vulnerability and tried to enter
16:04
The third pig just thought on his feet and he mitigated that attack by lighting the fireplace on fire
16:10
So this is how the story goes. And now, why did I tell you this story
16:16
because I wanted to use a popular story to remove cloud security out of the realm of abstraction
16:21
and situate it in our day-to-day lives. So did you learn anything with this story or did I just waste your time
16:29
You learned a lot. Let's see what you have learned. So the three little houses, the three houses were all in the public space
16:38
which is rendered open and vulnerable to the big bad wolf and all attacks from predators
16:43
So, even though all the houses had a good system, somewhere in their own ways they were vulnerable
16:52
Since the first pig was actively monitoring the surroundings and had a good lock on the
17:00
straw house door, he was able to keep the wolf out. However, this house had very strong active monitoring and firewalls
17:09
The belongings inside were left open and not secure, and the pig didn't even try to test the strength of the house before
17:16
Just going by this, the first house had really strong monitoring and alerting system because the pig was monitoring outside and saw that the wolf was lurking by
17:26
The first house also had really strong firewalls, as in the wolf could not get inside or see inside, although the pig was able to see outside
17:35
So basically it was a one-way communication which was completely secure. However, what the first house lacked was a really strong security model
17:44
The house was made of sticks so it was easy to blow it down. Very weak encryption
17:49
The goodies were left out in the open and vulnerable. And there was no vulnerability testing
17:54
The pig did not try to test the house before establishing it just to make sure it was safe from any attacks from the wolf
18:01
Because of this reason, the wolf was able to get inside and steal all the goodies
18:06
Let's talk about the second house. The second house also had really strong monitoring and alerting because you saw that the second pig was monitoring and you saw the wolf lurking around
18:16
It had really strong encryption because the second pig had stored all the goodies inside a vault
18:21
So even though the wolf could get in, he was unable to access the goodies. And it had, I mean, really strong firewalls
18:29
The wolf, the pig was able to recognize that the wolf is an outsider and not let him in
18:34
However, just like the first house, it didn't have a vulnerability testing
18:38
The second pig did not test to make sure the house was stable. And it also had a very weak structure
18:43
It is easy to blow down clay houses. The third house was different than these two in that it had a really strong security model
18:52
The foundation was strong. It was made of bricks. So unless there was a cyclone or there was some natural calamity
18:57
it was not possible to blow it down with a mere huff and a puff by a wolf
19:02
It also had strong monitoring and alerting, encryption, as well as it had really strong
19:06
firewalls. However, the wolf was able to get in just because of one vulnerability
19:12
the chimney. So the third pig should have done vulnerability testing to make sure that
19:17
the structure was really rock solid and no one could get inside. So because of this vulnerability
19:24
the wolf was able to get inside. But as we say, the security mitigation is also very important
19:31
lesson when it comes to cloud security. The pig was able to mitigate the attack and there was no
19:36
harm done to him or his friends or the goodies. So I'll just give you a moment to breathe this in
19:41
and then we'll move on. Yeah. So organizations have to host their infrastructure on a shared
19:53
space in the cloud, which is very similar to the houses you saw in the forest. This leaves
19:58
it vulnerable to attacks, attacks by people inside as well as outside the organization
20:02
It is the shared responsibility of the cloud providers and the users of the organization to
20:07
ensure security best practices and compliance with strong regulatory standards. Just because
20:14
your house has a lock doesn't mean that it is safe from the big bad wolf. The wolf can also
20:19
find other ways. He can blow the house down. He can get in through the chimney. Similarly
20:24
attackers can use active as well as passive means to get inside your system and your data can get
20:30
compromised. So let me talk about the kind of attacks now because it's important to understand
20:36
and just think from the mindset of the attacker to understand what are the types of attacks that can
20:40
happen, what is the threat model we have, and what we should do to make sure that doesn't happen
20:45
So, moving on. Broadly classified, there are two types of attacks which we can expect for the data on cloud
20:53
The first attack is called active attack. This is active or direct attack on the data after breaching or making use of any vulnerabilities
21:01
The very foundation of this attack is the method. So, the intruder can get inside
21:07
Weak firewall rules, inconsistent IAM rules (IAM means identity access management rules), or other gaps in the structure can provide access
21:16
to the intruders to get to your data. The next type of attack is passive attack
21:25
Using this method, the attacker manipulates the system and gets inside using passive aggressive
21:30
means. So they lurk around, keep a watch, and just watch out for any slippages to get inside the
21:38
data. This kind of attack is extremely dangerous since organizations can miss noticing the intruder
21:44
which may, for example, lead to big data breaches. I'll just give you an example. Someone can
21:51
impersonate you when you're working for a company, pretend to be the employee of a company and get
21:56
access to the data. So this can create havoc because people might not even notice that someone
22:00
else is there accessing the data. So just to address any of these attacks, we need to have
22:06
a really strong foundation. What do I mean by foundation? By this, I mean really strong policies
22:13
processes, and designation of roles and responsibilities. Just think of this as the foundation of the house
22:23
If the foundation is strong, heavy rain, wind or any other thing won't damage it that much. So having a strong foundation is extremely important. So the second one we have is monitoring
22:35
We need to actively monitor any suspicious activities that is happening from outside
22:41
So this can prevent any attackers from manipulating the system. Think of this as a CCTV, which monitors suspicious people or activities on your property
22:51
just so you can take necessary action before any damage happens. I'll keep mentioning the word shared responsibility again and again and I'm going to mention it once
22:59
more. Security is the responsibility of both the cloud providers and the organizations. Having a
23:06
very strong security system is really important because users need to be vigilant and monitor any
23:12
suspicious activities which might compromise their data. Now let's talk about a security model
23:20
which was created by Microsoft, but it is used extensively in the industry right now to understand
23:26
the types of attacks you can expect on cloud applications. This model is called the STRIDE
23:31
model, where STRIDE is an acronym that stands for spoofing, tampering, repudiation, information
23:38
disclosure, denial of service, and elevation of privilege. The reason why I'm mentioning this
23:44
threat model is because we need to think from the mind of an attacker. What kind of attacks can
23:50
happen because once we do that, we'll be able to mitigate or even prevent those attacks from
23:54
happening in the first place. Now, let's start with the first letter. What is spoofing? Spoofing
24:01
just means using someone's identity or a false identity to gain access into the system
24:07
This attack is a violation of confidentiality since the attacker is using the identity of
24:13
someone else to gain access to the data. For example, an attacker can use the identity of
24:19
company's employee and gain the credentials to gain access to some confidential data
24:25
That is why it is very important to have your username system or even your addresses identity
24:33
secure since anyone can misuse them by pretending to be you. Having a really strong password
24:38
password rotation, key management services, all of this is very important to prevent this kind
24:43
of attack from happening. Now the second letter is T and T stands for tampering. Just as the word
24:51
says, this means making unauthorized changes to the data, whether it is
24:57
in transit or in storage. Simply put, it tampers with the data active or stored and it is a violation
25:03
of integrity as well as availability. Using this, the attackers can make some important data unavailable
25:09
to the users, causing system failures or even causing the entire system to crash. Having really
25:16
strong policies and clearly defined roles can help prevent this kind of attack from happening
25:21
Organizations should provide authority to only a select few to make changes to the data
25:27
Otherwise, anyone can get inside, make changes to the data, and make them unavailable on a very
25:33
important occasion for the users. For example, they can get inside a popular shopping website
25:40
and make it unavailable during Thanksgiving. Now you can imagine the kind of losses that would
25:46
incur. Now, the next letter we have is R, where R stands for repudiation. This means the ability
25:53
of the attacker to deny any activity or action to be performed. The attacker can gain unauthorized
25:59
access and prevent an important action from taking place. This is a violation of confidentiality
26:05
For example, the attackers can stop users from going to the next page of a website or the next
26:11
level of a popular game. What would this do? This would make the users lose trust in the website or
26:16
the organization and also cause a lot of financial loss. This would cause a lot of inconvenience and
26:23
also sometimes loss of revenue. Again, having clearly defined policies and processes can help
26:28
mitigate this kind of attack. I'm going to move on to the next letter, which is I, where I
26:33
stands for information disclosure. This simply means disclosing unauthorized information by the attacker. The attackers can gain access to confidential or private information and distribute
26:45
them to others. This is a violation of confidentiality. For example, the attackers can gain access to a
26:51
confidential document on the website and misuse it to compromise the security of the users
26:56
This attack stems from a weak access process and the confidential information should have multiple layers of security to make sure it is secure
27:05
It is not just going, logging in and using, I mean, and accessing the data, but there needs to be either dual or multiple layers of security to make sure any confidential data or any confidential document is kept secure on the cloud
27:18
Every employee, internal or external, needs to go through a very solid authentication process, whether it is duo or multiple, in order to access confidential data
27:29
Now, the next letter we have is D. This is a very common attack, which all of you might have heard at some point or the other, and it is called denial of service or DOS
27:38
So, basically this simply means overloading a website or application with a lot of traffic
27:45
so it's not able to handle the load and which causes it to go down
27:48
This is a violation of availability. Hackers use bots or online robots to send a huge amount of connection requests or traffic
27:57
bringing down the entire system. Now, having a strong foundation, ability to monitor and prevent accesses to bots can help
28:04
this attack from happening. So the CAPTCHA numbers or image selection you see while you're trying to access websites
28:10
are just to make sure you're not a robot and you're actually a real person
28:14
This is a very common kind of attack. And like I said, having strong policies and processes is extremely important
28:21
The last letter which I'm going to talk about is E, where E stands for elevation of privilege
28:27
Just as the word means. It means that the attacker can give themselves more access than what was granted to them
28:33
For example, the manager might have given someone a viewer access, but they can change
28:38
that access to editor just to make some unwanted changes. This is a violation of confidentiality, integrity, as well as availability
28:46
Having strong processes around access control and authentication is necessary to prevent
28:51
this attack from happening. This is one of the most dangerous attacks since the attacker or the hacker has unlimited
28:56
access to do any kind of damage they want because it can elevate their privilege to anything
29:02
they want, an owner as well. So this kind of attack is really dangerous. Now, since I've talked about all of
29:10
these threats and attacks, it is very important to understand whose responsibility is it to ensure
29:16
security. Is it the responsibility of the cloud provider? Is it the responsibility of the
29:20
organization? In short, it's the responsibility of both of them. There's a shared security model
29:26
which we need to follow in order to secure the applications on the cloud. I'll just move on
29:32
So talking about shared responsibility, what I'm going to do right now is break this down into services
29:38
The first service is IaaS or infrastructure as a service. The second is platform as a service, and the third is software as a service
29:46
This falls under Cloud fundamentals. I'm not going to go too much into detail
29:50
but it basically means getting infrastructure services through the Cloud. The second one would be getting a platform to hold
29:59
your applications where you are responsible for your applications and the data
30:04
And software as a service just means getting a software where the people can go and write their own code
30:09
So all these three models are, these are the three basic models that cloud providers give
30:15
And I'm going to break this down into responsibility of people. By people, I mean people inside and outside the organization
30:22
Data, that is the data that is there in your applications on the cloud
30:27
Third is applications. So these can be applications that you're running on the cloud
30:32
So and the last one is the operating system. So operating system of the applications
30:37
Talking about the shared security responsibility. Each of these offerings have people, data and application and operating systems, like I mentioned, which needs to be kept safe from attackers
30:48
The cloud providers and the users are equally responsible for ensuring the safety depending upon the services which they have chosen
30:54
Let's start with the security model for infrastructure as a service or IaaS offerings
30:59
Since IaaS is highly customizable in nature, the users are responsible for the software
31:06
and the operating system configuration. The users of the organizations are responsible for ensuring the safety of people, data, applications
31:18
as well as the operating system. So basically, whenever you take infrastructure as a service, since I'm well-acquainted with the Google Cloud platform, it can be Compute Engine
31:29
So as soon as you have that in place, you need to make sure that you have kept the people, data applications, and operating systems secure, and it is your responsibility
31:38
Just because it is so highly customizable in nature and not as managed as software as a service or platform as a service, it provides the organizations with flexibility as well as responsibility
31:50
So with responsibility, security is a very important concern. Now, let's move on to platform as a service or PaaS
31:58
This provides organizations with the hardware and the operating system, like I mentioned.
32:02
So the operating system falls under the responsibility of the cloud providers, where they have to manage system
32:08
patches, security policies, and important security updates. And the organization is responsible for people, data,
32:16
and applications. And like I mentioned, the operating system security falls under the cloud provider.
32:23
This doesn't mean that you can just wash your hands of security measures. You have to stay on top of what is happening.
32:28
It's just that the cloud provider is responsible for the security patches and maintenance of the operating system.
32:35
The third model we have is SaaS, or software as a service.
32:40
This provides organizations with the software and hardware services, and the users just need to go inside and write their code or document.
32:50
Because this is such a hands-off offering, cloud providers are responsible for ensuring the security of their applications
32:56
as well as the operating system, and the organization is still in charge of people and data.
33:02
So, talking about this, for software as a service, the organization is responsible for ensuring the safety of people and
33:09
of the data on the cloud. That is, they need to make sure it is encrypted and it is safe,
33:13
even if a predator gets inside. So the organization is responsible for that.
33:19
But as far as the application and operating system go, the cloud provider is responsible for those.
33:24
Now, it is important that under no circumstances can organizations wash their hands of security.
33:30
They're responsible for ensuring the security of their applications and operating system, and overall, they have to oversee
33:38
whatever is happening on the cloud. So that's why I'm mentioning the words shared responsibility
33:43
as well as active monitoring. The organizations cannot just take it for granted
33:47
that the cloud provider is making sure the application and the operating system are safe
33:51
and not watch out for monitoring services. They have to monitor whatever is happening.
33:56
So remember, security is a shared responsibility of both the cloud providers and the organizations,
34:02
which follows a mix of a strong foundation and active monitoring, like I mentioned before.
34:07
Just because you have a house, or a brick house with a strong structure, doesn't mean that it is safe from big bad wolves.
34:14
You need to be careful and vigilant about your belongings. And it is important not to trust anyone,
34:19
inside or outside the organization, and to keep policies and processes equal for everyone.
34:24
You cannot have a different set of policies for people inside the organization and a different set of policies for people outside.
34:30
Now, take a moment to digest this, and then I'll move on to security best practices
34:35
using which you can ensure safety for your data on the cloud.
34:39
So take a moment to digest this. Security best practices.
34:53
We have almost moved to the end of the presentation. So the first one is identity and access management, or IAM, which I had mentioned before.
35:01
Every internal and external user should only get access to the data they need access to on the cloud.
35:08
You're already following this while sharing documents on Google Documents or Office 365,
35:15
for example. You give editor access only to people who need to edit the document, right?
35:20
This is called the principle of least privilege. You only give access to people or groups who do need to edit the data in your applications. This can ensure that no one tampers with the code. Going back to the three little pigs example, the three little pigs had policies which allowed their friends to come inside the house
35:39
with a knock, just because they had given them insider privilege. But the minute they saw the big bad wolf,
35:46
they did not allow the wolf to come inside, because they knew the wolf was an intruder.
35:51
So having clear policies around identity and access is important to secure your applications on the cloud.
35:57
Next, we have active monitoring, or keeping an eye out for any unwanted users
36:03
or malicious activities. I have mentioned this a lot of times during the presentation.
36:07
The good news here is that all cloud providers have free monitoring services,
36:11
using which you can prepare dashboards and see if anything seems out of place. So why not make the best use of that, right?
36:17
This can ensure proactive responses by making sure the hackers don't do any damage.
36:22
Think of this like a CCTV outside your house. You're monitoring to make sure
36:26
there's no malicious activity happening and no one is trying to get inside your house.
36:31
Next, we have data encryption. With this, the data is converted into a secret code
36:36
that hides its true meaning. Have you ever encountered your password getting converted
36:40
into some weird symbols after you type it in a box? That is because it gets encrypted.
36:45
This way, attackers or hackers won't be able to understand a word of the data,
36:49
even if they somehow manage to get access to it. This is important because encryption needs to be for people inside as well as outside the organization.
36:58
You cannot compromise your users' data, or people who trust you with their data, by leaving it out in the open.
37:04
Going back to the three little pigs example, this is like the goodies of the second pig and the third pig.
37:09
They had secured them inside a wall. So even if the wolf got inside, he was unable to access them.
37:14
Now, next we have testing. This simply means attacking the code or the application from
37:21
within to test its durability. A team of testers within an organization looks for loopholes
37:27
in the code or the user interface before attackers can gain access to them. This way the organization
37:32
can fix any vulnerabilities before an outsider can access them. This is what the three little
37:37
pigs were missing. They did not test their own structure. They just took it for granted
37:41
that it was safe, because that is as far as their knowledge went. If they had someone to
37:46
test the structure, the first pig would have realized that the straw house was so easy
37:50
to blow down. Similarly, the second pig and the third pig would have noticed that
37:54
the chimney gave easy access to intruders. So testing is very, very important. You should
38:00
not underestimate the value of testers and testing. Next, we have establishing and managing firewalls.
38:06
So a firewall, like I mentioned, is nothing but a barrier attached to the system, preventing
38:10
any intruders from getting inside. This blocks any unauthorized access inside the system while
38:15
allowing for outward communication. For example,
38:21
Amazon can publish updates to their shopping website and lets you shop, but you cannot get
38:26
inside their system and make changes. So it is one-way communication, just to make sure that
38:31
there's data going outward, but no one can get inside the system. So having really strong firewall
38:37
rules is very important to secure applications. Now, remember, all of the security best practices
38:44
are to ensure your data is secure on the cloud. Having a zero-trust model, or simply not trusting
38:51
anyone inside or outside the organization, is very important, and it is necessary for ensuring a high
38:57
level of security of your data. Anyone can impersonate an employee or gain access to
39:02
the system, right? That is why it is important to do that. Have your policies and authentication
39:07
the same for everyone. Define policies well. Keep testing your code from within the organization,
39:12
and keep your data in an encrypted format. Now I'll move on to the final slide and,
39:18
yeah, I'll give you a little brief about what we talked about. In conclusion,
39:25
cloud providers are either public, private, or hybrid in nature. They provide infrastructure,
39:29
platform, or software as services. And security is the shared responsibility of the cloud provider
39:35
and the organizations. Understanding the type of cloud provider you have chosen, as well as the
39:41
type of service you have chosen, is very important to understand your shared security responsibility
39:46
model. So organizations as well as the cloud providers are responsible for ensuring safety,
39:53
and it is necessary to establish a really robust security model before moving your data to the cloud.
40:00
Security is also a very important part of moving your data to the cloud,
40:05
or cloud migration, and it is an ongoing responsibility, because we have new policies and new processes that come up.
40:11
So staying in touch with all the regulatory and compliance requirements, as well as the new best practices that crop up:
40:17
this is not an exhaustive list. It can keep changing, and new things can keep getting added to it.
40:21
So that is the responsibility of everyone. So I'll do one thing.
40:26
I'll just give you a moment to breathe and process all of this. And then I'll open the floor for questions.
40:32
So, Stephen, if you want, we'll just open the ground for questions now.
40:38
Yeah, that was an amazing session, Avijata. I really enjoyed sitting back and listening to everything.
40:46
You covered the entire ecosystem, talking about what cloud security is. You covered everything, encryption and all that.
40:51
I really loved it. I think it was a very detailed session. Quickly, I wanted to ask:
40:57
when you went ahead and showed a slide that had cloud service providers and IaaS, PaaS, and applications, what I could actually feel is that in IaaS there is more responsibility on
41:13
the individual and the organization, and as it moved towards PaaS, we are leaving some of
41:18
the responsibilities to the cloud service provider. Okay, so a quick question here is, if someone wants
41:23
to go ahead and think of cloud security, which model should they opt for? Should they go
41:30
for IaaS, PaaS, SaaS? What do you think should work best in any generic environment or situation?
41:39
I think it completely depends upon the kind of services the people need. So cloud providers,
41:44
like I said, have all of these. So if they, for example, have a developer who just wants to go
41:48
in and write code, this SaaS application is best for them. They can just get inside and
41:53
they can concentrate on their code without having to worry about the underlying infrastructure
41:57
or even maintenance of that, because security, maintenance, and all the other infrastructure needs are taken care of
42:03
by the cloud provider. With that, of course, a large part of the security is also covered by the
42:09
cloud provider. However, if they want a more customizable model, like if they want to host their own
42:16
website and they want to host their own operating system. I'll give a very simple example.
42:20
If you want to go and create a PC game on Google Cloud Platform, you will take the IaaS offering,
42:26
because in that you can choose your own operating system and kernel, and it is highly customizable.
42:31
But with high customizability, you also have the added responsibility of managing your services on your own.
42:39
So, long story short, it would depend upon the kind of use case people have.
42:44
But with each of these models, the security responsibility also changes. So, yeah.
42:49
Yeah, you did mention a couple of times about shared responsibility. It's both the responsibility of the organization and the cloud service provider to go ahead and take care of your data.
42:59
And in the beginning, and also during the session, you did mention encryption,
43:04
and how important it is. And I loved that comment that you made.
43:08
So what specific data transmissions should be included? I know APIs need to be done,
43:16
then HTTP requests should be done. What other kinds of data should be encrypted?
43:22
Any suggestions on that? Sure. So just in short, any data that is either in transit or at rest should be encrypted.
43:30
So even if you have data that you're storing, you should not take it for granted. Even if it is something like a storage bucket that you're not going to access in the next 10 years, you still need to have the data secure.
43:40
There are policies around that. So even that data, any data you're storing or any data that is moving through your application, needs to be encrypted in the best way possible.
43:48
Yeah, that makes sense. I mean, usually people would just, if they have a hot
43:55
storage and a cold storage, they would really worry about data that's in hot storage. They
43:59
would take care of it, but I think even the data that is not in use, that's not volatile,
44:04
they should also take care of it. So there's so much to go ahead and take care of, and this is
44:10
perfect. I kind of messed with the background. So there's so much to consider about
44:18
cloud security, right? And it may be very challenging, while the application
44:22
is in development or it's in production, to have a look at it. So
44:27
is there any tool or something that the cloud service providers provide to go ahead and monitor
44:33
how well your application is working on a security basis, or are there any metrics they
44:38
provide, anything like that? Yeah. So each cloud provider has something different.
44:42
Because I'm very acquainted with GCP, they have a monitoring system.
44:46
You can have monitoring dashboards in which you can see if there is anything suspicious or anything that seems out of place.
44:51
So that helps you assess the overall health of not only your applications
44:56
but also the security breaches that might happen or that are about to happen.
45:01
So every cloud provider has a different one. So definitely they have a lot of tools and services for making use of monitoring and alerting dashboards.
45:12
Sometimes you might not be vigilant 24/7, but then you have an alert that's popping up, which makes you realize that something is out of place.
45:19
So that is extremely important. Yeah, monitoring is something that I think organizations are using a lot.
45:25
And it has grown. It has grown very mature. And, yeah, I think monitoring is something people should look at.
45:31
So, quick, one last question. This is out of my curiosity, right?
45:35
So everyone's talking about, hey, blockchain is going to help make your system better, it's going to
45:42
look at your transactions and make it more secure. So do you think blockchain will, in any way, in the
45:48
near future or maybe in 10 to 15 years, help cloud security in any way, to have the transactions
45:54
or something? Do you think that will happen? That's a very loaded question.
45:59
So, yeah, I think it completely depends upon how well it evolves. Because, yeah, both of these
46:08
spaces are extremely vulnerable, like I mentioned. So even the cloud provider, it's a public cloud
46:13
provider, so I will always give this simple example. I think of it like a house, and you are occupying
46:19
that house. When you move out, someone else occupies that house. Or it can be even a more shared space,
46:24
where, with public cloud providers, it's like two people staying inside a PG or a hostel, for example.
46:29
So it is an open space. You have your own space which you need to secure. And similarly, when we talk about blockchain, it has its own security concerns, but at the same time, yeah, like I said, we just need to see how it evolves.
46:43
It's a very loaded question for me to answer with a yes or no right now. So, yeah. I'm just really
46:49
curious because a lot of people these days do a lot of forums and councils where they talk about
46:54
how blockchain is going to help in cloud security, your transactions and everything,
46:59
and also we see Bitcoin going over, which is not blockchain, I know, just an example of
47:05
blockchain. But that was a pretty great session. Thank you so much.
47:10
We really enjoyed it. We're going to put it in the archive so that people can come back and watch
47:15
it. Any last thing you want to go ahead and say before we just wrap it up? I'm going to put your
47:21
clouddemystify.com so that everyone can go ahead and see that. Any last word you want to say before
47:26
we close it? So I want to know if there are any questions
47:29
that people want answered. Maybe I'll just give them a moment or two to absorb the entire presentation
47:34
and ask if they have any questions. And yeah, I've given the conclusion and the comments.
47:39
So like I said, it is very important to understand the overall structure and the overall foundation of the cloud
47:45
before even going into cloud security. Like if you don't know what a cloud provider is,
47:49
when it comes to public, private, or hybrid cloud providers, or even what the services are all about,
47:54
so infrastructure, or even blockchain as a service, which you talked about right now,
47:58
which is also coming into the cloud. Once we understand the entire model behind that,
48:02
we have a strong foundation. It is only then that we can secure our data on the cloud.
48:07
Just one note here. I've seen many people being apprehensive of the cloud.
48:10
They keep telling me it's just shared space. So that means, is it vulnerable to attacks?
48:14
Is our data safe and secure? I just want to reiterate out there
48:18
that nothing is secure in this. I mean, if you just look at the broader scheme of things,
48:23
whether it is cloud or on-premises. I've seen the kind of trouble
48:27
that comes with on-premises infrastructure as well. So sometimes even something as simple as,
48:30
hey, the cable got stolen from the data center. I've heard that also happens.
48:35
It is crazy out there. But at the same time, when it comes to the cloud,
48:40
you have the backing of the cloud provider, their experience and everything that they have dealt with.
48:45
But it's also shared responsibility. You cannot wash your hands of it, irrespective of the security model you choose.
48:50
So just one note: don't be afraid of moving to the cloud just because of security concerns.
48:55
They have a lot more policies and processes than we can think about. They have compliance measures, like FedRAMP compliance,
49:01
PCI compliance, just depending on the type of data you have on the cloud. So, yes, that's just what I want to put out there.
49:08
Yeah, that's great because, you know, we recently moved from Rackspace to Azure.
49:13
Like we moved the entire C Sharp Corner to Rackspace. I'm going to say it live,
49:17
okay, so we got attacked. We got attacked, and I think maybe Rackspace wouldn't just help us.
49:25
So we had a tough time going ahead and moving to Azure, but yeah, we moved everything to
49:32
Azure. Earlier we were multi-cloud; we were somewhere on AWS, Google Cloud, and Rackspace. Now we moved
49:37
everything onto Azure, and it's all good, it's all smooth, everything runs well. They take care of a
49:42
lot of it now. They have very secure data centers; no one can just step in. So the
49:47
cloud is a good space. Quick last question: if someone wants to go ahead and learn more about
49:53
cloud security, what are the resources you would suggest to people to refer to? I have a lot
50:01
of resources out there. So I have mentioned them on my website as well. So if you go to
50:07
clouddemystify.com and you click on cloud security, I have some resources. I can just copy-paste it.
50:13
Actually, I don't have the resources here right now, I'm so sorry. But yeah, definitely going
50:18
through any of the courses, like I said, Coursera is a great place to do that. Or, also,
50:25
all these cloud providers have great documentation as well. So if you go on their website, you
50:30
have documentation around security best practices and all the security tools and services available,
50:35
just depending upon the cloud provider, because everyone has a different security protocol.
50:40
So it's better to just deep dive and then get an overview
50:44
of what cloud security is all about. So definitely that would be really helpful.
50:49
And if the users are interested, I can always write an article with all the resources
50:53
that they would find helpful on cloud security on C Sharp. So they can leverage that as well.
50:58
Yeah, that sounds interesting. So thank you so much, Vijayathan. That was an amazing session.
51:04
Thank you so much for your time. I, Stephen Simon, on behalf of the entire C Sharp Corner,
51:08
would like to thank you for all that you do for the community. And we would love to have you back when you're available.
51:13
Maybe when you move back to India, that would be exciting. We do these offline conferences in Delhi.
51:18
So that means you can move there too. So we would love to host you in those offline conferences too.
51:23
So thank you so much, Vijayata. And thank you, everyone, who has joined. And we will see you in the next episode of Ask Me Anything.
51:29
All right, everyone. Thank you. Thank you. Thank you so much, Jephan. And thanks, everyone. Bye-bye.