CSA CCSK – Protecting data from Un-Authorized Access Part 2

6. Where to check AWS and MS Audit reports

Hello friends. So welcome to this lecture on how to check AWS and Microsoft audit reports. In the last lecture we have already discussed that it is very important to check the effectiveness of the audits. That okay, what kind of audits CSP is doing and is somebody performing the regular audits? What is the frequency? And are different industry specific audit reports being available? Less vendor doing the audit as per the different regulations because different type of customers will be using the clouds like banking would be there and Pharma would be there, ecommerce would be there. So accordingly vendor should be audited for those regulations so that customer can use that particular platform to hold the data or process the data. So in this it would be a kind of a live demo and we’ll see that okay.

How to check for the various audit reports in case of AWS and Ms, see Microsoft and AWS is regularly doing the audit and they are auditing and they submit the self-assessment reports to the third party auditors and assigned third parties. They generally perform the in depth audits of the implementation and what kind of controls they have implemented means in terms of infra, they are saying that okay, they are implemented the high availability, security and all those things.

So those all controls are checked by the third party and depending on the regulation or depending on the controls which are mentioned in that particular law, so they check basically all the security compliance and the privacy controls. So if you’ll talk about the Microsoft so we can use this link like service trust Microsoft. com to see the various kind of reports they have provided and for some of the reports you need to log in and for some of the reports you need to sign NDL. So it might be with the Microsoft that okay, you’ll not be reproducing or sharing the reports with others or modifying the reports without the Microsoft consent.

So let’s see if we can see these reports. Service Trust Microsoft. com just give me a second. So you can see this is the Microsoft link service Microsoft. com. And then if you’ll come down so you can see that ENS audit reports, Fed RAMP reports, there are different kind of reports as per any of the requirements. You can go ahead and choose that. Then the GRC reports are there for Office 365 High Trust report, right? Zero MTCS. So there are different kind of reports.

Then if we’ll talk about the ISO, so there are different reports related to ISO 27,000 and 127 thousand and 1820 7017, right? So you need to carefully understand that okay, what certificate it is, what is the scope of this? Then you can see this for the business continuity, right? So you can see 27,001 and 27,018 assessment report is there, then the certificate is there. For the certificate to view, you need to sign up with the Microsoft link or Microsoft account. So similar to AW so you can see the spec IDSS report is there. In this package you will get all the details about the controls they have implemented.

Then Sock report is there. SoC one, Sock two, right? All these reports are there. Sock One, type two report. Sock Two, type two report. And Sock Two type two report. And then there must be a Sock Three certificate as well. You can see these. Yours are many sock three reports. You can basically scroll these links and then find out the report as per your requirement. And similarly, in case of Microsoft, AWS also has the link through which you can download the report. So if you log into the AWS console, you can search for artifacts, right? So it is about AWS compliance reports and agreements. If you’ll click on that link for this, you need to have an AWS account.

So if you’ll see this is the different kind of reports. AWS is having cloud computing controls. If you’ll, if you’ll come down so you can see that ISO 27 one statement of Applicability. And if I’ll click on that, I’ll get various details about that. This is the agreement which one needs to sign and you can go ahead and check the reports. What is the statement of applicability? What all they have covered in such kind of reports? So there are different reports you can see for 2000 and 718 as well for the you know, for the Pi data we have. And then quality reports are there. So these are the links you can use really to check the different kind of audit and compliance reports. Yes. So this is it friends, in this particular lecture. So thank you for watching this lecture meeting in the next lecture.

7. Key Management in Cloud

Hello friends. So welcome to this lecture on the key management in cloud. Again friends, this is a very important lecture which we need to understand. The reason is that all such data which is sensitive and has a high value. So those needs to be protected with the help of encryption keys, or we generally encrypt those data with the encryption key keys. So if there is no management or there is no protection of the encryption keys, so in that case, someone could be able to access our data or someone could have unauthorized access to the data.

So just to prevent the unauthorized access to the data, we should learn that, okay, how we can manage that in the cloud, how should better manage the keys in cloud C? If it is pretty clear that if we are managing the keys on premise and the data is also on premise, then it is good. And the threat is not in such a great extent, but our data is with the cloud vendor. And then if our keys also with the cloud vendor, then there might be a possibility that people who are working at the cloud CSP and they can have access to their data. So what is the concern that in Kms service is a key management service, we have so in different CSPs, they have different names just to help you out.

So in Azure it is called as your keyword and in AWS it is AWS Kms, which basically protect the encryption keys and secrets like certificates and password. So these Kms services you can use to create the encryption keys and then they can integrate with a different service to protect that or encrypt the data. So all such data which is there in the keywords for which we are using the encryption, this data is case sensitive, like all password, certificates, encryption keys and business critical because we have encrypted the sensitive data. Therefore, the need is always to have a defense in depth mechanism, means we need to have a role based access defined. That okay, which person should be able to access which keys? So this is just a reference for the physical keys. We have a vault. So similarly in Cloud we have the keyword, we have HSM services as well as your keyword, AWS Kms.

So rulebased access needs to be defined for having defense in depth. And then we need to have proper firewall stations so that there should be a defense in depth mechanism to protect such a critical data. Now, the thumb rule is that based on the segregation of duties or at least privileged principle, the key management should be separated from the cloud provider hosting the data. See for example, that already hosted the data in the cloud. And if you’ll hand over the keys as well, that okay, you go ahead and manage my encryption keys or the keys are with the cloud provider, then there might be a possibility that the engineer or analyst who is working at the CSP.

And if he’s having bad intention, he can use the keys and he can expose the organization sensitive data. So as a best principle or on the basis of least privilege or segregation of duties, the key management, it is always recommended that okay, should be separated from the cloud provider who is hosting your data. So there are two ways wherein customer can control the Kms. So one is remote key management and the second is client side key management. So we’ll study both one and in the upcoming lecture. So this is it in this lecture high level overview about key management in cloud. So let’s see how we can use the below two methods to have a better segregation of duties and how we can protect the keys. So this is it, friends in this lecture. Thank you for watching this lecture. Meet you in the next lecture.

8. Remote Key management Service

Hello friends. Also welcome to the selection on remote key management service in cloud. See, we already discussed in the last lecture that ideally the customer should maintain the control of encryption keys as a security best practice. And we discussed that, okay, there are two methods with the help of which we can achieve this. One is remote key management service and one is the client side encryption keys. So in this lecture will cover the remote key management service and how to achieve this. See, one thing we need to understand that customer himself has to choose the approach that, okay, what would be the best approach to match as per their risk tolerance or compliance and what does their regulatory say? What does their regulatory requirements say? In order for the organization to comply and to be successful in the audit, so there must be some mandated requirements which they need to follow.

So on the basis of that only, it would be good for the organizations that they can take the decision because some of these requirements are mandated wherein they want that the customer should have the control of the encryption keys. So in that case, the concern is that just to give you a little background before going into this, that there may be a legal problems wherein cryptography key management is a concern. And when an organization think that, okay, all the encryption keys should be stored within the cloud service provider.

So there may be some issues wherein they may have some Ramifications, wherein using cryptographic keys has a serious legal concerns because those encryption keys which we are used are used for signing the documents and users are required to keep those keys under their soul control. Now, if this encryption keys are with the cloud service provider, it is very difficult for the users to prove that, okay, soul control in a cloud hosted key management solution. So some of the regulations say that, okay, all the keys should be owned with the customer only or within the sole control of the owner. So in that case, it is requirement of certain regulations as well, as well as the kind of business those organizations does. The customer needs to understand that, okay, how they are going to manage the keys.

If it is okay, there is no regulation, you can go ahead and use the cloud provider key management service and they also provide HSM and dedicated HSM. So these services are there in the cloud, but as a thumb rule, we need to understand that, okay, or on a segregation of duties, encryption keys should always be separated from the data. So let’s see what is remote key management service. So remote key management service is basically this is the CSP and on the right hand side and this is on premise. So this is your Kms server which is used to store the encryption key secrets or password. And this is the cloud service provider where your actual application is. So because we have already understood that in the cloud we use the encryption keys to prevent the unauthorized data we want that okay, data should be encrypted at the rest and while it is there in the storage and data when it moves from application, that is data and transit should be encrypted.

Now, for to encrypt data we use keys. So to manage those keys. The first method is remote key management service wherein though to have a remote key management service, there is a hybrid connectivity required between the CSP and the on premise data centers. So here in what happens, enterprises own maintenance support their Kms, they are storing the keys. So the ownership and the control of the keys is with the customer. So if you can see on the left hand side, while the hosting and the processing are outsourced to the cloud service provider so you can see the compute and the storage. I’ll tell you in a bit that when we say that hosting and processing are outsourced to the Cloud provider so think of that, okay? This compute when we say there is an application or there is a virtual machine which has this compute capacity and they are running some application so application which will be there at the Cloud provider end. So with the help of hybrid connectivity, that application can calls to the key management service or HSM, that hardware security module which is there in the client’s control or in the customer control.

The cloud provider can then upload the encrypted content to the cloud storage and later pull that encrypted content for the computation which require access to the on premise keys so that the keys can be retrieved really to encrypt and decrypt the data. So whatever the processing is being done is processing is done at the cloud service provider end. So while such solutions can involve the cloud provider for the encryption and decryption services.

So here what is happening. The customer is having the complete control in the management of the keys while the encryption and decryption happen at the cloud service provider end. So this is about the key management service. So just to give you another concept here also we have one threat because the encryptions encryption is happening at the cloud service provider end. So let’s say all the keys which are being used while they are taken from this on premise solution only on premise HSM or a key management server, but the keys are used to encrypt and decrypt the data. So those keys are there in the virtual instance memory, right? So somebody if has a memory dump or can have some memory level attack, it is that those keys can be compromised. So there is a security concern. Just to give you a higher overview here also, so this is trends in this remote key management service. So, thank you for watching this lecture meeting. In the next lecture.

9. Client-Side Key Management

Hello friends, so welcome to this lecture on client side key management. In the last lecture we have gone through the remote key management service so let’s study what is there in the client side key management. See, client side key management again is a kind of a decentralized approach wherein customer or an organization gets the complete control of the encryption and decryption keys. So again in this case also we need a hybrid connectivity that is between the on premise and the cloud service provider. So if you’ll see in the figure three, like in the last lecture, we have seen that okay, this compute part was at the Cloud Service Provider.

And so if you’ll see in this diagram, almost all the processing is control is done at the customer side or at the organization. And the Cloud Provider does not hold the keys and has very less knowledge about the users and cannot decrypt or encrypt the customer data. What is the difference? Over here is from the last remote key management service in the last lecture. That here that compute is done or the processing is done at the on premise or at the customer end.

But the storage or you can say the storage of the means the storage of data is at the service. Provider end but your Kms or the key management or let’s say it is HTML as well that is provided and run by the Cloud Provider only but it is provided by the Service Provider but resides on the customer side.

So that is the difference. So this equipment, whatever it is done by the key management server that is provided by the cloud service provider but all the processing and everything is done at the customer end and keys are generated and held by the customer only. So here in customer or an organization is having more control generally this type of solutions are used basically for the cloud storage and the service providers wherein they need to encrypt the data. So like we discussed, the customer is in the complete control of the encryption and decryption keys, all processing and control is done on the customer side because there is nothing virtual machines like we discussed, there is an application and that calls the key management service to get the keys.

So here in everything is at the customer end, the cloud provider does not hold the keys, has a minimal knowledge of users and cannot decrypt the data. So what is the difference? I said the Kms is provided and run by the cloud provider but Kms resides on the customer premise and keys are generated and held by the customer. So here in client side key management like the name we as a customer or an organization having the complete control of our encryption keys even through this is given by the CSP. So that is the difference in this client side key management. So this is friends in this lecture, thank you for watching this lecture meeting the next lecture.

10. Multi Tenancy issues and Solution

Hello friends. So welcome to this lecture on multitenancy issues in cloud and their solution. So before digging into the issues, we will try to understand what the multitenancy is. And this lecture is again wherein we are trying to prevent unauthorized access to the data which is there in cloud. So what is multitenancy? Let’s try to understand with the help of an example. So this is a single tenant example. If you will see there is a host hardware or a host machine having hypervisor onto it. It could be a six I s, that is a hypervisor whatever it would be, right? So in that case, if you’ll see there are different VMs installed into VM one, VM two, VM three and VM four. So this is like a single tenant where a single customer is having all the machines installed onto the same hardware. Now, if you’ll see the color combination as well, this green color is for the customer one, means one organization or one customer is having all the machines on a dedicated hardware or hypervisor or a host machine which is there. But if we’ll come to the left, what is multitenant is when the same platform is being used by the number of customers.

So if you’ll see again till hypervisor level everything is same, then VM one is being used by customer one, VM two and VM four or customer two and VM three is for the customer three. So it means the same hypervisor or the same platform when it is shared by the multiple customers. So we usually call it as multitenant. So in cloud this is the model, how it operates because the hypervisor which is there or as a hypervisor in case of AWS, in that case, whenever a customer provisions a VM, he might not be sure that okay, the second VM which is provisioning is on the same hardware or not. So let’s say if there is a VM provision by organization A and the second VM which is present on that particular hypervisor could be the VM of some other organization. So multi tenancy issues if there is no proper security or isolation done. So customer one or a VM one can penetrate and see the data of VM two. So there are a number of attacks like guest hopping, VM escape attack and attacks at the hypervisor level as well. So it is very crucial in case of cloud that we should solve the multitenancy issues.

We should make sure that in case of multitenant environment, the data of one customer should not be visible to the other customer. So in a multitenancy environment, what kind of questions the customers or the organization can ask? That how the customers can be sure that they have virtualization and multi tenancy mechanism which is provided by the cloud vendor who guaranteed the adequate, logical and network separation between the multiple tenants, right? So that malicious customers can use the same hypervisor or can use the same physical computer and they can access the data.

How can customers be sure that some malicious user should not be able to access my data? What kind of segregation is being done? So there are some segregations done at the network level. Isolation is being done by the cloud service providers. But as a customer it is our responsibility to make sure that we have also the appropriate controls present in the environment. Because ultimately security is a kind of a shared responsibility between the cloud service provider and the cloud customer. So how we can resolve the multitenancy issues by having encryption isolation and all those things. So what are the different ways to resolve the multitenancy issue? So remember that defense in depth approach is always the thumb rule that we should have.

Defense in depth means that security should be used at the different level, at the network level, at the application level, and then proper segregation of duties should be there. hacksaw should be provided on the basis of least per village. So the first we’ll try to understand that, okay, we need to make sure that the data is encrypted both at rest and in transit. Like data is present in case of volumes or in case of object storage which is there in the cloud, data which is there in mobile, right? And then file encryption, database encryption which is the examples of the data trust, means the data which is lying there or in the storage. We need to protect that data. Then similarly the data, let’s say which flows between the application or between the database. Like this is the example we have taken it from AWS, this is Memcache database. So the data from the instances when it communicates with the database. So data which is traveling that is in transit.

So we need to make sure that there is SSL encryption being used so that data which is traveling across the network in case of cloud, that is also encrypted. Because our ultimate goal is we are using the multitenant environment. These virtual servers which are provisioned these might be using a shared hardware. So in that case, the other malicious user of some other organization should not be able to see the data. So the idea behind is that, okay, we need to encrypt the data. Then network level isolation should be there. Like for example, we have network security groups in Azure and security groups in case of AWS. So this is nothing but kind of a security rules or a firewall at the instance level or a server level which does this isolation. So this is the example I have taken it from AWS. If you’ll see how AWS provides the isolation, enter the network level.

So you can see this is a physical interface and then this is like hypervisor and virtual environment. Different customers are provisioning the VMs so that now the customer one should not be able to see the data of customer two and so on with the other customers. So they have this logical firewall, if you’ll see at the physical interface level, and that is obtained through the security groups which we created. Similarly in case of NSG in Azure. So if you’ll see this isolation is done at the firewall level so that no one should be able to see data, whatever data is flowing for customer one or customer two. So you’ll create security groups and have appropriate rules or firewall rules created within the security groups. You can see that this customer one is having security group one means this is a firewall which is present at the server level or instance level in case of AWS.

And if security group will be replaced, the name would be NS in case of Azure. So customer two is having the security group two and this isolation is there at the network level, which the CSP has done, the cloud provider has done. So we need to make sure that, okay, appropriate rules are created within the security groups to avoid the data visible to the other user or a malicious user. And the method of least privilege is always good that the one who need access to perform this kind of duties should only be given rather than giving full access. And then the defense in depth is always the good approach to have the security implemented at the different level. So this is it, friends. We have gone through that at what is multitenancy and then what are the different issues and how to resolve the multitenancy issues in case of cloud. So this is it, friends, in this lecture. Thank you for watching this lecture. Meet you in the next lecture.