CompTIA CYSA+ CS0-002 – Cloud and Automation part 1

1. Cloud Models (OBJ 1.6)

Cloud models. These days, cloud computing is such a buzzword and everybody wants to migrate into the cloud. If you’re working as a cybersecurity analyst though, you have to understand the vulnerabilities associated with moving into the cloud. And that’s what we’re going to be focused on here. Now, while there is great savings to be had by moving to the cloud, we have to make sure we understand those security risks. But before we can dive into all those security risks, we really have to to talk about the various cloud computing models that are used within the organizations these days. And as we do that, I will talk about the different risks associated with each one. These different models include things like public clouds, private clouds, community clouds, hybrid clouds, and multicloud setups.

Now, when I talk about a cloud deployment model, what do I really mean? Well, when we talk about a cloud deployment model, we’re talking about classifying the ownership and the management of the cloud as one of these categories. It’s either public, private, community, or hybrid. Now when I talk about the ownership and management, it’s who’s responsible for what, because there is a trade off here. When you move to the cloud, you don’t own everything. There’s certain things you’re going to be responsible for as the consumer and certain things your cloud provider is going to be responsible for. Now these cloud deployment models have various vulnerabilities and threats associated with them depending on which one you choose, as I mentioned before.

So let’s go ahead and look at each of these. First we have the public cloud. Now when we deal with the public cloud, we’re dealing with a service provider making resources available to the end users over the Internet. Now really when we talk about a public cloud, we are talking about things that are being deployed for shared use by multiple independent tenants. Now we talk about a tenant. Just think about that as a customer. It’s somebody who is going to have access to those resources. Now let me give you a great example of this AWS. AWS is a great example of a public cloud. Anybody can go and buy services from AWS. Now when I buy services and I put up a virtual site on a VM, inside one of these cloud centers, I’m sitting on AWS’s hardware.

And that hardware may not just have my servers, it may have your servers and your company servers, and your college’s servers and we’re all sitting on one server. Now there are logical separations there, but we’re all still sitting on the same server. That’s the idea when we start talking about public cloud because we don’t own the resources. They are public. Anybody who pays for it can have access to it. Now, AWS does a really good job with their public cloud by making it available in lots of places. Everywhere you see a blue dot, that’s one of the AWS regions. Everywhere you see an orange dot. That’s a future region that’s coming soon. Now, these data servers are all in these different regions so that way they can have higher redundancy and availability. So if I have my servers in the east coast of the United States over in Virginia, that’s one of those blue dots.

But I might have the same set of servers over in the West Coast over in Washington state and I might have another one over in England. And by having it in those three regions, I can have them all talk to each other. I can have them have data transfer back and forth and being replicated between them. That way if one of those three sites goes down, the other two can carry the load from my customers. This is one of the great things about public clouds because you can have yourself in lots of different places really, really quickly and that gives you great redundancy and great availability. Now when we talk about these clouds though, we have to think about who owns what when we talk about this, think about public clouds.

This way you’re going to have the infrastructure, the application code and the data that’s being hosted within these private instances, but you have no ability to control the physical server. I can’t go to Amazon and say, hey, I want to walk in and touch my server. They’re not going to let me do that. I don’t have physical access, but I do have logical access. And so I might have this private instance of my server inside this virtual thing sitting on their bigger servers, their physical servers. Now this brings up the question on who’s responsible for the security of a public cloud. Well, this is kind of a hard question to answer, right? Because we each have our own responsibilities. If I’m the cloud service provider like Amazon, I have the responsibility for integrity and availability of the platform.

Now, what do I mean by this integrity and availability of the platform? Well, Amazon is responsible for making sure the physical server stays up. It has the right power, it has the right cooling, it has the right bandwidth and it has the right reduction from a physical component. So if they’re going to store something there, they should have it on a rate array, for instance. So if one of the drives fails, the other one picks up. Or if we put on their storage area network, they have it mirrored and backed up to make sure that it’s always up and ready to go. That’s the availability piece. Now the integrity piece is to make sure nobody messes with my data, nobody changes it, modifies it when I write it there, it should stay there and it shouldn’t be modified by their underlying server.

Now, as the consumer though, I have the responsibility to manage the confidentiality of my systems as well as the authorization and the authentication. So if I’m using their service, I’m going to be able to have access to the data, but I’m responsible to make sure that data is properly stored and the right people have access to it by doing authorization and authentication. Now the next area we want to talk about is Private Clouds. Now Private Clouds is where a company creates its own cloud environment that only it can utilize as an internal enterprise resource. So what might this look like? Well, let’s say that I decided to go and buy my own servers. I put them in three different locations around the world. I now have multiple servers sitting in different locations around the world and I tie them all together.

That would be a private cloud. Now what’s great about doing that? Well, I have full control. I control the hardware, I control the software, I control the entire stack. It’s mine because it’s private. My company owns it. Now a private cloud can be hosted both internally or externally. This is really up to you. So I might take my physical server and put it in somebody else’s data farm, but again, I own it and I have access to walk in and touch it anytime I want that’s part of that agreement. Or I can do it internally. Maybe I have three corporate offices around the world and I can put these servers in those three offices in that way, it would be hosted internally. Either way is acceptable.

Let me give you a great example of an externally hosted private cloud. There is something in the United States known as the AWS gov cloud. And as you can guess, AWS means Amazon Web Services. So what this is, is the US government has given a contract to Amazon to stand up their cloud for the government. So these are servers that were bought and paid for under contract for the US government. Nobody else can use it but the US government. So if you work for the Bureau of Indian Affairs, which is one of our departments underneath the US government, they can have access to the gov cloud. If you work for the Department of Defense, you work for the US government, you can have access to the gov cloud. If you work for Social Security Administration, you can have access to the gov cloud.

But Dion training, we don’t work for the government, we cannot have access to the gov cloud. And so these are servers that were stood up specifically for the use by the government. So it is a private cloud. In this case, it’s a contracted private cloud and it’s hosted externally. Now a private cloud should be chosen when you have security as your main concern. If you want more security and you’re not worried about cost, you can move to a private cloud. That’s what the gov cloud is. They want to have more security than just having regular old AWS. So they have their own servers that are hosted by AWS and only used by the government. That way there can’t be commingling of data. This is what we consider a single tenant model. When you’re talking about private clouds, think about this.

It is a single tenant model, one company or one organization being able to use it. In the case of gov cloud, it is multiple smaller organizations, but all those organizations are owned by the US. Government. So it is still one organization, the US. Government. Now, as I said, one of the drawbacks to using a private cloud is private clouds are much more expensive. Why? Because you have to pay for all the hardware and you’re paying for the entire use of the server, whether or not you’re using the entire use of the server. Now, what do I mean by that? Well, let’s say I bought a bunch of servers for this gov cloud and I’m only using 50% of the capacity. Well guess what? I paid for 100% capacity because I bought the hardware, I bought the software, I bought the licenses and whether I’m using it or not, I’m paying for the whole thing.

So it’s more expensive. Now, if I was using a public cloud, I’d only pay for what I’m using because Amazon bought all the service, they bought all the hardware, they bought all the software and they pay for all the infrastructure.And so I’m only paying on a per usage basis under a public cloud model. And so when you use a private cloud, think it’s going to cost more? Again, security is more important than money here. That’s when we go to a private cloud. So as a private cloud administrator, what is your responsibility? Well, if you’re a private cloud administrator, you have to consider the data protection, the compliance and the patch management. Why? Because you own the servers, you own the infrastructure.

All you get is bare metal here and you have to do everything yourself because you’re running your own cloud. And so this is one of the reasons that it costs more as well because you have to pay people to do all of this work and it’s going to have a lot more oversight in terms of the things you have to do from a security standpoint. Now, another type of cloud we have is what’s known as the community cloud. Now, a community cloud uses resources and costs that are shared among several different organizations who have a common service need. Let’s say that I ran a credit union or a bank and you ran a credit union or bank. We both want to set up some kind of a cloud service to store our records to make sure they’re secure and we can have them for all of our regulatory requirements, say four or five or ten years.

Well, we need a cloud to do that. Do we want to put on AWS or Azure and put on the public cloud? Probably not. Do we want to set our own private cloud each because it’d be really expensive. Probably not. So we might get other banks to work with us and we get four or five or six or ten banks and we all form a community. We can share the cost of setting this thing up. Now a community cloud is deployed using what we call a shared use by cooperating tenants. What this means is there’s five or ten different organizations and we all come together, we share the cost, we share the responsibility, we share the security. So we’re a community, we all work together. Now there’s some good things about this and bad things about it.

When everybody in the community helps with designing cloud, we can have really good security or really bad security. It depends on who’s in it. Now when we take the security together and we all work as a community, say that I had really high security needs and you had looked low security needs, do you want to pay for my high security needs? Probably not. And so we’re going to have to have a discussion and we’re going to have to negotiate what those security needs are going to be. And maybe I had a security need of ten, you had a security need of two. And we meet in the middle at say, six. Well if we do that, we have now met the common denominator, which means I brought my level of security down, which is bad for me, and you brought yours up and now paid more for security you really didn’t care about.

And so these are some of the things in the design considerations that you have to think about when you’re working with a community cloud deployment.Now community clouds are secure when the organizations involved have strong interoperability agreements. Remember, we’re all connecting to the same cloud because it’s a community. And so, again, going back to my bank example, if my bank is known as being the most secure out there, and we’re a level ten and you’re a level two, and you connect your network to our new community cloud with your level two security, and I connect my level ten to this cloud. And now I’m connected what to you through that cloud, and so your level two people can break into your network and get into our cloud that way and then go from that cloud into my network.

And so these interoperations are important to think about. And when you have interoperability agreements, you need to make sure you have the right security in place. So everybody’s meeting a baseline level of security that you all can live with. Now the next thing we’re going to talk about is what’s known as a hybrid cloud. Now a hybrid cloud is going to combine different types of clouds like public, private and community clouds as well as on premise infrastructure to meet an organization’s needs. Sometimes just one of these clouds isn’t enough. I may not want to use all as a public cloud because I’m worried about security. But I might not want to use all as a private cloud because I’m worried about cost. I might not want to use all of my systems as a public cloud because I’m worried about security of certain systems.

I might not want to use a private cloud for everything because it costs too much. So I can combine those two together. I can say maybe that all my credit card and financial data will be kept in a private cloud, but all of my customer facing stuff that is supposed to be open to the public will be on the public cloud. And so I can mitigate my risk and mitigate my cost by doing this hybrid approach. Now, what are some of the things you have to consider when dealing with a hybrid cloud? Well, they have greater complexity. Hybrid clouds have to deal with the scripted infrastructure and orchestration tools to be able to spin instances up and tear instances down and make sure that all the connection between them are working. So if I’m going to have to operate both a private and a public cloud and I have to connect them together, that’s more complex than just doing one or the other.

Another thing you need to think about when you’re dealing with public and private clouds is do you have the right data redundancy? You want to make sure to have an absence of data redundancy. Now, what I mean by this is sometimes people have a hybrid environment and they go, well I’m already paying for public and I’m already paying for private, so I must have redundancy. But the public and private are doing two different functions so there really is no redundancy there. So you might have to have a private cloud with full redundancy and a public cloud with full redundancy in addition to the connection between the two. So keep that in mind as well. Another thing that makes it a little bit more difficult when you’re dealing with hybrids is to demonstrate your compliance.

If you’re at a highly litigious area and you have regulations and compliance requirements, moving to a hybrid model can make it harder for you to meet those because now you’re not just dealing with the public cloud, you’re not just dealing with the private cloud, but you’re dealing with both and the interconnection between the two. So again, having that greater complexity makes it harder for you to demonstrate compliance. And finally security management. Now again, you’re not just doing private, you’re not just doing public, you’re doing both. And so you have security management concerns. You need to make sure you have the right authentication and authorization and identity management to work in both the private and the public cloud. You also need to make sure there’s replication between the two of your security infrastructure.

You need to make sure you have communications between the two and those are secure and properly channeled. All of these are things you have to think about when you’re dealing with a hybrid model. The last thing we want to talk about here is what’s known as multicloud. Now, multicloud is just like it sounds. It’s a cloud deployment where the cloud consumer is going to use multiple public cloud services. So if I have an organization and I’m using lots of different things, for instance, I might be using Amazon Web Services to host my website. I’m using slack for communication. I’m using Zoom for live meetings. I’m using Google’s G suite for me be able to do my Docs and my Sheets and my Google Drive. And maybe some of my employees are also using Microsoft 365 for Word and Excel and PowerPoint.

All of these are cloud tools. They’re all public cloud tools. Now, if I’m using all of these, this puts me into what’s known as a multicloud environment, because we’re using lots of different tools in lots of different ways. Anytime you start adding more tools and you start adding more clouds, you are dealing with more complexity. And so using multiple cloud service providers does require additional due diligence and risk assessment effort because you have to think, what is the risk involved? For instance, when the global pandemic with COVID happened, lots of people moved on to using zoom. They didn’t think about the fact that Zoom at the time did not have end to end encryption.

So you could be having a conference and somebody could actually be listening into what you’re saying, or they could actually jump into your Zoom call because they weren’t password protected. These are all things you have to think about from a risk assessment effort. Now, as you’re going through and doing this because you have multiple tools, this is going to become more complicated and more time consuming. Now, that was a ton of information. So let me give you a quick exam tip for the exam. What do you need to know? You need to know the five different types of clouds that we talked about public, private, community, hybrid, and multicloud. You need to know what the benefits and the drawbacks are for each of them in terms of security and cost.

And you should understand when you should use each one. Or if I give you an example of one, you should be able to say based on that example, this sounds like a blank type of cloud. For instance, if I say that your company is using Amazon Web Services to be able to host your infrastructure, is that public or private? That would be public because anyone can sign up for AWS. If you’re using Microsoft Azure or Google Cloud. That again is public. If you decide to set up your own cloud, that would be private. These are the kind of things you have to be able to answer. And also when each one would be appropriate, more security, lean towards private, more openness, and lower cost more towards public. These are the kind of things you need to understand for the exam.