Category: Avoiding common pitfalls

Star Hand Avoiding common pitfalls, AWS Certification Exam, Compliance concepts, Division of responsibility, Exams of Microsoft, Landing zone concepts

The core components of a landing zone– Cloud Security Fundamentals

The primary goal of a landing zone is to ensure consistent deployment and governance across various environments, such as production (Prod), quality assurance (QA), user acceptance testing (UAT), and development (Dev). Let us understand the core concepts associated with landing zones:

  • Network segmentation: Network segmentation is a critical aspect of a landing zone architecture, and it involves dividing the cloud environment into distinct network segments to ensure isolation and security between different environments and workloads. Each environment (Prod, QA, UAT, and Dev) has a dedicated network segment. These segments are logically separated to prevent unauthorized access between environments. Network segmentation ensures that activities in one environment do not impact others and that sensitive data is adequately protected.
  • Isolation of environments: The network segments for each environment are isolated from each other to minimize the risk of data breaches or unauthorized access. This can be achieved through various means, such as Virtual Private Clouds (VPCs) in AWS, Virtual Networks (VNets) in Azure, or VPCs in GCP.
  • Connectivity between environments: While isolation is crucial, there are specific scenarios where controlled connectivity is required between environments, such as data migration or application integration. This connectivity should be strictly controlled and monitored to avoid security risks.
  • Identity and access management (IAM): IAM policies and roles are implemented to regulate access to cloud resources within each environment. This ensures that only authorized users have access to specific resources based on their roles and responsibilities.
  • Security measures: Each landing zone environment should have security measures, including firewall rules, security groups, network access control lists (NACLs), and other security-related settings. This helps safeguard resources and data from potential threats.
  • Centralized governance: A landing zone architecture also implements centralized governance and monitoring to maintain consistency, compliance, and visibility across all environments. This involves using a central management account or a shared services account for common services.
  • Resource isolation: Within each environment, further resource isolation can be achieved by using resource groups (Azure), projects (GCP), or organizational units (AWS) to logically group resources and manage access control more effectively.
  • Monitoring and auditing: To maintain the health and security of the landing zone, comprehensive monitoring and auditing practices should be implemented. This includes monitoring for suspicious activities, resource utilization, and compliance adherence.

Overall, a landing zone architecture provides a solid foundation for an organization’s cloud deployment by enforcing security, governance, and network segmentation across different environments. This architecture is cloud provider-agnostic and can be adapted to various cloud platforms such as Azure, AWS, and GCP while following their respective best practices and services. To read more about it, you can search for Cloud Adoption Framework, followed by the cloud provider’s name, via your favorite search engine – you will get plenty of resources.

Summary

Cloud security is an interesting topic and fun to learn. I hope you enjoyed it as much as I enjoyed writing some of these fundamental concepts. In this chapter, we introduced you to some important security and compliance concepts. This included shared responsibility in cloud security, encryption and its relevance in a cloud environment, compliance concepts, the Zero Trust model and its foundational pillars, and some of the most important topics related to cryptography. Finally, you were introduced to CAF and landing zones. All the terms and concepts discussed in this chapter will be referred to throughout this book. I encourage you to deep dive into these topics as much as you can.

In the next chapter, we will learn about cloud security posture management (CSPM) and the important concepts around it. Happy learning!

Further reading

To learn more about the topics that were covered in this chapter, look at the following resources:

Star Hand Avoiding common pitfalls, AWS Certification Exam, Compliance concepts

Cryptography – Cloud Security Fundamentals

In today’s digital world, even with the utmost efforts to safeguard data, there remains a risk of losing control, especially when data is transmitted over the internet. To mitigate this risk, one effective method is encryption. By encrypting data, it becomes incomprehensible and unusable to unauthorized parties who lack the means to decrypt it.

Note

Cryptography is a comprehensive and well-covered subject in numerous cybersecurity books. To maintain a focus on the topics of cloud security, this book will only address its crucial and pertinent aspects in the context of cloud environments.

Cryptography is the science and practice of securing information by converting it into a secret code, making it unreadable and unusable to unauthorized parties. It plays a crucial role in ensuring data confidentiality, integrity, authentication, and non-repudiation, making it a fundamental tool for protecting sensitive information and communication in various digital systems, including computer networks, cloud computing, and online transactions.

Encryption

Encryption is a specific process within the field of cryptography. It is the technique of converting plaintext data into ciphertext using cryptographic algorithms and keys. The purpose of encryption is to protect data during transmission or storage by making it unreadable and unintelligible to unauthorized individuals or entities.

Encryption is pure mathematics. There is a defined complex method/formula to encrypt messages and decrypt those messages; you should have the same method or formula to decrypt them. Over time, encryption has achieved complexity due to attackers continuing to find ways to decrypt messages.

There are two different types of encryption: symmetric and asymmetric.

In symmetric encryption, the same secret key is used for both encrypting and decrypting data. This means that both the sender and the receiver need to possess the same secret key to securely communicate and exchange information:

Figure 1.9 – Symmetric encryption (https://binarycoders.files.wordpress.com/2020/07/01_symetric_encryption.png?w=1024)

Asymmetric encryption, also known as public-key encryption, is a cryptographic technique that uses a pair of keys (public key and private key) for secure communication and data exchange. The public key is used for encryption, while the private key is used for decryption:

Figure 1.10 – Asymmetric encryption (http://www.giuseppeurso.eu/wp-content/uploads/2014/11/giuseppe-urso-asymmetric-key-encryption-in-java-03.png)

Let’s look at how asymmetric encryption works:

  • Key generation: A user generates a key pair consisting of a public key and a corresponding private key. The public key is made openly available, while the private key is kept secret.
  • Encryption: If someone wants to send a confidential message to the key pair owner, they use the recipient’s public key to encrypt the message.
  • Decryption: Only the recipient who possesses the corresponding private key can decrypt the encrypted message that was sent to them using their public key.

The security of asymmetric encryption relies on the mathematical properties that make it computationally infeasible to derive the private key from the public key. As a result, the public key can be freely shared with others for encryption purposes, while the private key remains securely held by its owner for decryption. This makes asymmetric encryption a fundamental component of secure communication, digital signatures, and authentication in various applications, such as secure web browsing (HTTPS), email encryption, and digital certificates. Now that you understand the different types of encryption, let us understand another important concept: encrypting data in different stages.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Division of responsibility

Compliance concepts – Cloud Security Fundamentals

We are in the age of data analytics and data science, where data has become more precious than ever. Organizations, institutions, and businesses now rely on data to function on a day-to-day basis. It has become even more crucial to take extra care when dealing with data when organizations are moving their data to the cloud. To protect personally identifiable information (PII), health-related data, and financial data, government agencies, regulatory authorities, and industry groups have issued regulations to help protect and govern the use of data.

Security and compliance are not the same concepts, even though they are very well interconnected and the line between them is blurred. Security refers to the set of policies, processes, and controls that a company implements to protect its assets, while compliance refers to the meeting that some regulatory body or third party has set as a best practice or legal requirement.

Some of the compliance concepts in cybersecurity include the following:

  • Regulatory compliance: This refers to adherence to legal requirements, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Regulatory compliance involves implementing security measures and protocols to protect sensitive data and ensure that organizations are following established legal requirements.
  • Industry-specific compliance: This refers to adherence to specific security requirements established by particular industries, such as the Payment Card Industry Data Security Standard (PCI DSS) for organizations that handle credit card information. Industry-specific compliance involves implementing security measures and protocols that are specific to the requirements of a particular industry. Another significant example would be the Health Insurance Portability and Accountability Act (HIPAA) as it ensures the protection and confidentiality of individuals’ sensitive health information, providing them with greater control over their medical data and promoting trust in the healthcare system. Its regulations establish standards for securely handling the protected health information of healthcare providers, insurers, and other entities in the United States.
  • Standards compliance: This refers to adherence to established security standards, such as the ISO/IEC 27001 and the National Institute of Standards and Technology (NIST) standards for information security management systems. Standards compliance involves implementing security measures and protocols that meet or exceed established industry standards.
  • Best practices compliance: This refers to adherence to established best practices for cybersecurity, such as the Center for Internet Security (CIS). Best practices compliance involves implementing security measures and protocols that are widely accepted as effective in the cybersecurity community. You can find the latest CIS benchmarks for cloud providers such as Alibaba, AWS, and Azure, as well as various other technologies, at https://www.cisecurity.org/cis-benchmarks.

Here are some important topics associated with data compliance:

  • Data residency: This refers to the physical or geographical location of the data. It sounds normal in the case of on-premises but it’s challenging to achieve when data is stored in the cloud. Some countries have regulations that their data must be stored on a server physically located within the country.
  • Data sovereignty: This refers to the laws and governance structures that data is subject to, due to the geographical location of where it is processed.
  • Data privacy: This refers to providing notice and being transparent about collecting, using, and sharing personal data. These are fundamental principles of laws and regulations.

Compliance in cybersecurity is important because it helps organizations establish a baseline of security measures and protocols that can protect sensitive data and ensure the security of computer systems and networks. Compliance can also be used to demonstrate to stakeholders that an organization is taking the necessary steps to protect data and mitigate cybersecurity risks.

Now, let’s understand another interesting and important topic: cryptography.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Compliance concepts, Exams of Microsoft

How do organizations ensure confidentiality, integrity, and availability? – Cloud Security Fundamentals

Finding and maintaining the right balance of the CIA triad is challenging due to the diverse threat landscape, competing priorities, the complexity of IT systems, human factors, budget constraints, regulatory compliance, rapid technological advancements, and data sharing complexities. Organizations must proactively assess risks, prioritize assets, implement multi-layered (DiD) security strategies, and adapt to emerging threats. Collaboration among stakeholders is crucial for achieving a robust and effective security posture. It also requires a holistic approach to security and continual efforts to stay ahead of evolving security challenges. Organizations employ a combination of technical, administrative, and physical security measures to strike the right balance. Here are some common practices:

  • Confidentiality:
    • Access controls: Implementing RBAC to ensure that only authorized individuals have access to sensitive data and information.
    • Encryption: Encrypting data during transmission (for example, using SSL/TLS for web traffic) and at rest (for example, encrypting data in databases or on storage devices) to protect against unauthorized access
    • Secure Authentication: Using strong authentication methods such as passwords, MFA, or biometrics to verify the identity of users.
  • Integrity:
    • Data validation: Implementing validation checks to ensure that data is accurate, complete, and free from errors when it is entered into systems.
    • Audit trails: Creating logs and audit trails to track changes made to data and detect any unauthorized modifications.
    • Version control: Using version control mechanisms for critical documents to track changes and prevent unauthorized alterations.
  • Availability:
    • Redundancy: Implementing redundant systems and infrastructure to ensure high availability and fault tolerance. This includes redundant servers, network links, and power sources.
    • Load balancing: Using load balancing techniques to distribute traffic across multiple servers, preventing overload and ensuring continuous service availability.
    • Disaster recovery and business continuity planning: Developing comprehensive plans and procedures to recover from system failures, natural disasters, or other emergencies, thus minimizing downtime and maintaining service availability.

Additionally, organizations can achieve the CIA triad through various administrative practices and security policies:

  • Security awareness training: Conducting regular security awareness training for employees to educate them about security best practices, risks, and the importance of maintaining confidentiality, integrity, and availability
  • Risk assessment and management: Identifying potential security risks and vulnerabilities through risk assessments and implementing measures to mitigate those risks effectively
  • Incident response: Establishing incident response teams and procedures to quickly respond to and mitigate security incidents, ensuring the continuity of operations
  • Regular security audits: Conducting periodic security audits and assessments to evaluate the effectiveness of existing security measures and identify areas for improvement

Achieving the CIA triad is an ongoing process that requires continuous monitoring, updates to security measures, and adaptations to address emerging threats. Organizations must strike a balance between security requirements and business needs and implement appropriate security controls to safeguard their information, systems, and operations effectively.

Now, let us understand another important topic of cybersecurity – the three pillars.

Star Hand Avoiding common pitfalls, AWS Certification Exam

The importance of a landing zone– Cloud Security Fundamentals

Implementing a landing zone is a recommended approach when adopting the cloud and migrating workloads. Here are some of the advantages of implementing a landing zone:

  • Isolation and security: With a landing zone, you can segregate different environments (development, test, staging, production, and so on) into separate accounts or sub-accounts. This isolation helps in containing any security breaches or issues, minimizing the impact on other environments.
  • Scalability and flexibility: A landing zone architecture is designed to be scalable and flexible. It allows you to easily onboard new teams and applications, providing a consistent and well-defined environment for them to work in.
  • Centralized control and monitoring: By using a landing zone, you can establish centralized governance and control over all cloud resources. This ensures that security policies, compliance requirements, and best practices are uniformly enforced across the organization.
  • Resource management: A landing zone often includes resource templates, predefined policies, and automation scripts that simplify resource provisioning, management, and deployment. This streamlines the process of creating and managing cloud resources.
  • Cost management: A well-designed landing zone can include cost management features, helping you track and optimize cloud spending across different accounts and environments.
  • Compliance and auditing: By adopting a landing zone, you can better address compliance requirements and facilitate auditing processes since all resources are organized and managed while following a standardized approach.
  • Risk reduction: Isolating environments and implementing security best practices in a landing zone helps reduce the risk of data breaches, unauthorized access, and other security-related issues.

Overall, a landing zone provides a solid foundation for an organization’s cloud environment, enabling them to deploy workloads in a secure, efficient, and cost-effective manner while ensuring consistency and compliance with organizational policies and standards.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Exams of Microsoft

The six foundational pillars – Cloud Security Fundamentals

The following are the six pillars of the Zero Trust model. They work together to provide overall robust security for your infrastructure:

  • Identities: Identities can refer to users, devices, or applications/services. It is important to verify and secure each identity with strong authentication across your entire digital estate. When an identity (user/device/service) attempts to access a resource, it must be verified with strong authentication and follow the least privilege principle.
  • Endpoints: These are the carriers through which data flows on-premises and in the cloud; hence, they are the reason for creating large attack surfaces in many cases. It is important to have the visibility of devices accessing the network and notice their activities. A device’s security posture and health, from a compliance perspective, is an important aspect of security.
  • Applications: Discovering the shadow IT and in-app permissions is critical because applications are the way organizations’ data is consumed. Not all applications’ access management is managed centrally, so it is important to put a stringent process for access reviews and privileged identity management (PIM) in place.
  • Data: Cloud computing services and offerings have completely changed the way data was managed traditionally, which resulted in perimeter-based whitelisting not being effective anymore in current hybrid/multi-cloud/SaaS-based systems. Many organizations do not have complete visibility of what kind of data they are dealing with, the most critical data, and where it resides in the organization. That is why it is important to discover, classify, label, and encrypt data intelligently based on its attributes. The whole effort is to protect the organization’s critical data and ensure that data is safe from both internal and external threats. This is critical especially when data leaves devices, applications, infrastructure, and the network controlled by the organization.
  • Infrastructure: Threats and attack vectors are very much a reality, whether they are on-premises or in the cloud. You can use intelligence-based telemetries such as JIT access, location, devices, and version to detect anomalies and attacks for ensuring security. This helps allow/block or automatically take action for any risky behavior almost at runtime, such as continuous failed login attempts.
  • Networks: To make this pillar stronger, it is important to ensure that the devices are not trusted by default, even if they are in a trusted network. Implementing end-to-end encryption, reducing the attack surface by policy, network segmentation, in-network micro-segmentation, and real-time threat detection are some of the critical practices to keep in place.

Implementing all six pillars strongly is extremely hard to achieve. It becomes even more challenging when organizations have an enormously complex and hybrid infrastructure where they do not include security as a priority at an early stage. Now, let’s understand the difference between security and compliance.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Compliance concepts, Division of responsibility

The three pillars of cybersecurity – people, process, and technology – Cloud Security Fundamentals

People, process, and technology are the three most important pillars of cybersecurity that are essential for creating a comprehensive and effective cybersecurity strategy. If any of the people, process, or technology pillars are missing or inadequate in a cybersecurity strategy, it can significantly weaken the overall security posture of an organization and increase the risk of cyber threats. It will be as effective as a two-legged stool, unable to bear the full weight of an organization’s security requirements. The following figure explains how each pillar is crucial for cybersecurity and, if missing, what impact it can bring to defect cybersecurity:

Figure 1.7 – Three pillars of cybersecurity

Let us look at these areas in detail:

  • People: The people pillar refers to the human element of cybersecurity, including employees, contractors, and other stakeholders. People are an important part of any cybersecurity strategy because they can be both the weakest link and the strongest asset. Properly trained and aware employees can help prevent security breaches and quickly respond to incidents, while employees who lack awareness and training can inadvertently create security risks. To ensure the people pillar is strong, organizations should provide cybersecurity training to all employees, implement policies and procedures for cybersecurity best practices, and establish a culture of security awareness.

If the people pillar is missing or inadequate, it can lead to security risks such as human error, insider threats, and social engineering attacks. Employees who lack cybersecurity awareness and training may inadvertently click on phishing emails or download malware, putting sensitive data at risk. Insider threats, where employees intentionally steal or leak data, can also be a significant risk if proper access controls and monitoring are not in place.

  • Process: The process pillar refers to the policies, procedures, and standards that govern an organization’s cybersecurity strategy. Effective processes are important for ensuring that security controls are consistently applied, security incidents are identified and responded to promptly, and risks are managed effectively. To ensure the process pillar is strong, organizations should implement a cybersecurity framework such as NIST or ISO, conduct regular risk assessments, establish incident response plans, and regularly review and update policies and procedures.

If the process pillar is missing or inadequate, it can lead to inconsistent or ineffective security controls and responses to incidents. Without established policies and procedures, organizations may not know how to respond to security incidents, which could result in delays and increased damage. Risk assessments, vulnerability management, and incident response plans are all essential components of a strong process pillar.

  • Technology: The technology pillar refers to the hardware, software, and other technological solutions that are used to protect an organization’s systems and data. Technology is an important part of any cybersecurity strategy because it can help automate security controls and provide real-time threat intelligence. However, technology alone is not enough to ensure security. To ensure the technology pillar is strong, organizations should implement a layered DiD approach, including firewalls, intrusion detection and prevention systems, endpoint protection, encryption, and other security controls.

If the technology pillar is missing or inadequate, it can leave systems and data vulnerable to a wide range of cyber threats. Without proper security controls, such as firewalls, intrusion detection systems, and encryption, cybercriminals may be able to breach systems and steal or damage sensitive data. Additionally, outdated software and systems can leave vulnerabilities open for exploitation.

Overall, by focusing on the three pillars of cybersecurity – people, process, and technology – organizations can create a comprehensive and effective cybersecurity strategy that is designed to protect against a wide range of cyber threats. Weakness in any of these pillars can have significant implications for an organization’s cybersecurity. However, it is easier said than done when it comes to building a well-balanced program between these three pillars. Too often, organizations lack a solid foundation in all three pillars, which makes them vulnerable. In many cases, organizations look for managed service providers (MSPs) to get a more stable cybersecurity platform to protect their critical assets.

Now that you understand the three important pillars of cybersecurity, let us understand another important concept called the Zero Trust model.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Compliance concepts, Landing zone concepts

Why is it important to maintain confidentiality, integrity, and availability? – Cloud Security Fundamentals

Cybersecurity professionals and cybercriminals work on the same strategy; the former works to develop the strategy to protect the confidentiality, integrity, and availability of a system, while the latter put all their effort to disrupt it. Maintaining the CIA triad is crucial because it serves as a comprehensive framework for addressing and balancing critical aspects of information security. Here is why it is essential to maintain the CIA triad:

  • Comprehensive security: The CIA triad covers three fundamental dimensions of information security. By considering all three aspects, organizations can ensure a holistic approach to protecting their data and systems from a wide range of threats.
  • Risk management: The triad helps organizations identify and prioritize potential risks. By understanding the vulnerabilities associated with confidentiality, integrity, and availability, they can implement appropriate security measures to mitigate these risks effectively.
  • Compliance and regulations: Many laws and industry regulations mandate the protection of sensitive data and information. Adhering to the CIA triad assists organizations in complying with these legal requirements and demonstrating due diligence in safeguarding information.
  • Trust and reputation: Maintaining the CIA triad instills confidence and trust among stakeholders, customers, and partners. Organizations that prioritize security and protect information gain a reputation for being reliable and trustworthy.
  • Business continuity: Ensuring availability through the CIA triad helps organizations maintain operations even in the face of disruptions or attacks, thus safeguarding business continuity and reducing the impact of potential downtime.
  • Intellectual property protection: The triad’s integrity aspect is particularly vital for safeguarding intellectual property, trade secrets, and proprietary information. Maintaining data integrity prevents unauthorized changes or theft of valuable assets.
  • Incident response and recovery: The CIA triad aids in developing effective incident response and recovery plans. Understanding how confidentiality, integrity, and availability may be compromised allows organizations to respond swiftly and appropriately to security incidents.
  • Defense against evolving threats: As cybersecurity threats continue to evolve, the CIA triad remains a fundamental principle for guiding security strategies. By continually assessing and adapting security measures, organizations can stay ahead of emerging threats.
  • Competitive advantage: Demonstrating a strong commitment to the CIA triad can become a competitive advantage. Organizations that effectively protect their data and systems may gain a competitive edge by inspiring trust and attracting security-conscious customers and partners.
  • Proactive security culture: The CIA triad encourages organizations to cultivate a security-focused culture. By embedding security principles into their practices, employees become more aware of their role in protecting information and are better prepared to respond to security challenges.

In short, maintaining the CIA triad is vital for establishing a robust and resilient information security foundation. It helps organizations protect sensitive data, maintain business continuity, comply with regulations, and build trust among stakeholders, ultimately contributing to their overall success and longevity. Now, let us understand how organizations can maintain the CIA triad.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Compliance concepts, Division of responsibility, Landing zone concepts

Security products and strategies at different layers – Cloud Security Fundamentals

Let us take a closer look at what security products and strategies are appropriate and applied at different layers:

  • Physical security: Physical security controls are an important part of DiD as they help protect an organization’s physical assets, such as its buildings, servers, and other infrastructure. Here are some examples of physical security controls that are applied in the same way:
    • Perimeter security: Perimeter security controls are used to control access to the organization’s property. Examples include fences, walls, gates, and barriers.
    • Access control: Access control measures are used to control who has access to the organization’s physical assets. Examples include ID badges, security guards, and biometric authentication systems.
    • Surveillance: Surveillance measures are used to monitor the organization’s physical assets for potential security threats. Examples include CCTV cameras, motion detectors, and security patrols.
    • Environmental controls: Environmental controls are used to protect the organization’s physical assets from damage caused by environmental factors such as fire, water, and temperature. Examples include fire suppression systems, water leak detection systems, and temperature control systems.
    • Redundancy: Redundancy measures are used to ensure that the organization’s physical assets remain operational even in the event of failure. Examples include backup generators, redundant HVAC systems, and redundant network connections.
  • Identity and access: This implements security controls such as MFA, condition-based access, attribute-based access control (ABAC), and role-based access control (RBAC) to protect infrastructure and change control.
  • Perimeter: A protection mechanism that is used across your corporate network to filter large-scale attacks such as DDoS so that the resources are not exhausted, causing a denial of service.
  • Network: Security techniques such as network segmentation and network access control are used to segregate different resources together and to limit communication between resources to prevent lateral movement.
  • Compute: This involves limiting access to VM from limited/whitelisted IPs only and also restricting certain ports and opening only the required ones.
  • Applications: Four primary techniques can be used to secure applications, each with its strengths and weaknesses. Let us take a look:
    • Runtime Application Self-Protection (RASP): RASP is an application security technology that is designed to detect and prevent attacks at runtime. RASP integrates with the application runtime environment and monitors the behavior of the application to identify potential threats. RASP can detect attacks such as SQL injection, cross-site scripting (XSS), and buffer overflow attacks, and can take action to block the attack or alert security personnel.
    • Interactive Application Security Testing (IAST): IAST is an application security testing technique that combines aspects of both SAST and DAST. IAST is a real-time security testing technology that provides feedback on vulnerabilities during the testing process. IAST can detect vulnerabilities such as SQL injection and XSS attacks by monitoring the application during testing.
    • Static Application Security Testing (SAST): SAST is an application security testing technique that analyzes the application’s source code for security vulnerabilities. SAST can identify vulnerabilities such as buffer overflows, SQL injection, and XSS attacks. SAST is typically run during the development process and can help developers identify and fix vulnerabilities before the application is deployed.
    • Dynamic Application Security Testing (DAST): DAST is an application security testing technique that analyzes the application while it is running. DAST can identify vulnerabilities such as SQL injection, XSS attacks, broken authentication, and session management. DAST is typically run after the application is deployed to identify vulnerabilities that may have been missed during the development process.

Overall, these techniques can be used in combination to provide a comprehensive approach to securing applications. Each technique has its strengths and weaknesses, and the choice of which technique to use depends on the specific needs of the organization and the application being secured.

  • Data: RBAC and ABAC are both access control models that are used to enforce data security:
    • In an RBAC model, access to resources is granted based on the user’s role or job function within an organization. This means that users are assigned specific roles, and those roles are granted permission to access specific resources. For example, an administrator role might be granted full access to a system, while a regular user role might only be granted access to certain parts of the system.
    • In an ABAC model, access to resources is granted based on a combination of attributes, such as the user’s job function, location, and time of day. This means that access control policies can be more flexible and granular than in an RBAC model. For example, a policy might be created to grant access to a resource only if the user is accessing it from a specific location and during specific hours.

Both RBAC and ABAC can be used to enforce data security by ensuring that only authorized users are granted access to sensitive data. Which model to use depends on the specific needs of the organization and the level of granularity and flexibility required for access control policies.

At this point, you should have a clear and baseline understanding of DiD. Now, let’s try understanding a benchmark model in information security famously known as the confidentiality, integrity, availability (CIA) triad.

Star Hand Avoiding common pitfalls, AWS Certification Exam, Landing zone concepts

Security concerns with the public cloud – Cloud Security Fundamentals

There are several overriding concerns associated with cloud computing that organizations should be aware of:

  • Unauthorized access: Public cloud services can be vulnerable to unauthorized access, which can lead to data breaches and the exposure of sensitive information.
  • Insider threats: Cloud providers have access to users’ data, which means that insider threats can pose a risk to security.
  • Data loss: Public cloud services can suffer from data loss, which can occur due to hardware failures or other technical issues:

Figure 1.2 – Cloud security concerns

  • Compliance issues: Public cloud services may not always meet regulatory and compliance requirements for data storage and security.
  • Multi-tenancy risks: Public cloud services are often multi-tenant, which means that multiple users share the same physical infrastructure. This can increase the risk of data leakage or unauthorized access if they’re not managed properly.
  • Vulnerabilities in third-party tools: Public cloud services often rely on third-party tools and vendors, which can create vulnerabilities if these vendors are not properly vetted or have weak security measures in place.
  • Lack of control: Public cloud services are managed by the cloud provider, which means that users have limited control over the security measures that are implemented.
  • DDoS attacks: Public cloud services can be vulnerable to distributed denial of service (DDoS) attacks, which can disrupt service availability.
  • Data breaches through APIs: Public cloud services often use APIs to enable integration with other systems, which can create vulnerabilities if these APIs are not secured properly.
  • Data exposure through misconfigured services: Public cloud services can be vulnerable to data exposure if services are misconfigured, or access controls have not been set up properly.

It is important to understand these risks and take appropriate measures to mitigate them, such as implementing strong authentication and access controls, regularly monitoring and auditing activity, and using encryption to protect sensitive data. It is also important to work with reputable cloud providers who have a strong track record for security and compliance, be aware of the overriding concerns, and take steps to mitigate these risks through careful planning, risk assessment, and ongoing monitoring and management.

Now that you understand cloud computing and the security concerns around it, let us learn about the shared responsibility model.