WEBVTT

1
00:00:00.300 --> 00:00:01.740
<v Narrator>These days, cloud computing</v>

2
00:00:01.740 --> 00:00:04.110
seems to be the big trend within our industry.

3
00:00:04.110 --> 00:00:06.090
With the promise of increased availability,

4
00:00:06.090 --> 00:00:08.820
higher resiliency, and unlimited elasticity,

5
00:00:08.820 --> 00:00:11.070
the cloud definitely can provide our organizations

6
00:00:11.070 --> 00:00:12.240
with a lot of advantages

7
00:00:12.240 --> 00:00:14.340
over traditional network architectures.

8
00:00:14.340 --> 00:00:16.890
But cloud computing can also bring numerous

9
00:00:16.890 --> 00:00:18.390
unique security challenges

10
00:00:18.390 --> 00:00:20.910
into our environments that we must be aware of.

11
00:00:20.910 --> 00:00:22.200
To better understand these,

12
00:00:22.200 --> 00:00:23.790
we first have to look at the different types

13
00:00:23.790 --> 00:00:25.710
of cloud solutions and architectures

14
00:00:25.710 --> 00:00:28.050
that are currently available in the environments.

15
00:00:28.050 --> 00:00:30.900
There are six types of cloud deployment models available,

16
00:00:30.900 --> 00:00:31.733
public,

17
00:00:31.733 --> 00:00:32.566
private,

18
00:00:32.566 --> 00:00:33.399
hybrid,

19
00:00:33.399 --> 00:00:34.232
community,

20
00:00:34.232 --> 00:00:35.065
multitenancy,

21
00:00:35.065 --> 00:00:36.450
and single tenancy.

22
00:00:36.450 --> 00:00:38.460
The most common type of cloud architecture

23
00:00:38.460 --> 00:00:39.840
is the public cloud.

24
00:00:39.840 --> 00:00:40.860
Under this model,

25
00:00:40.860 --> 00:00:42.720
a service provider makes resources available

26
00:00:42.720 --> 00:00:44.730
to end users over the internet.

27
00:00:44.730 --> 00:00:47.310
There are numerous public cloud solutions available today

28
00:00:47.310 --> 00:00:50.460
including those from Google, Microsoft, and Amazon.

29
00:00:50.460 --> 00:00:53.430
For example, Google Drive is a public cloud service

30
00:00:53.430 --> 00:00:56.880
that's offered both free and on a pay-per-use model.

31
00:00:56.880 --> 00:00:59.340
Now public clouds can often be an inexpensive way

32
00:00:59.340 --> 00:01:01.770
for an organization to gain a required service

33
00:01:01.770 --> 00:01:03.870
both quickly and efficiently.

34
00:01:03.870 --> 00:01:05.880
The second option is a private cloud.

35
00:01:05.880 --> 00:01:06.840
This service requires

36
00:01:06.840 --> 00:01:08.850
that a company creates its own cloud environment

37
00:01:08.850 --> 00:01:12.300
that only it can utilize as an internal enterprise resource.

38
00:01:12.300 --> 00:01:13.380
With a private cloud,

39
00:01:13.380 --> 00:01:15.720
the organization's responsible for the design,

40
00:01:15.720 --> 00:01:18.330
implementation, and operation of the cloud resources

41
00:01:18.330 --> 00:01:19.890
and servers that host them.

42
00:01:19.890 --> 00:01:21.870
For example, the United States government

43
00:01:21.870 --> 00:01:24.600
runs its own private cloud known as GovCloud.

44
00:01:24.600 --> 00:01:26.340
And this is used by different organizations

45
00:01:26.340 --> 00:01:27.510
within the government.

46
00:01:27.510 --> 00:01:30.990
But your company and my company can't get access to it

47
00:01:30.990 --> 00:01:34.830
and use it like we would with Google Drive or AWS or Azure.

48
00:01:34.830 --> 00:01:36.960
Generally, a private cloud is going to be chosen

49
00:01:36.960 --> 00:01:39.510
when security is more important to your organization

50
00:01:39.510 --> 00:01:41.460
than having a lower cost.

51
00:01:41.460 --> 00:01:43.710
A hybrid cloud solution can combine the benefits

52
00:01:43.710 --> 00:01:46.290
of both public and private cloud options.

53
00:01:46.290 --> 00:01:47.670
Under this architecture,

54
00:01:47.670 --> 00:01:49.920
some resources are going to be developed and operated

55
00:01:49.920 --> 00:01:51.510
by the organization itself,

56
00:01:51.510 --> 00:01:53.490
much like a private cloud would be,

57
00:01:53.490 --> 00:01:55.650
but the organization can also utilize

58
00:01:55.650 --> 00:01:57.330
some publicly available resources

59
00:01:57.330 --> 00:01:59.970
or outsource services to another service provider,

60
00:01:59.970 --> 00:02:01.680
like the public cloud does.

61
00:02:01.680 --> 00:02:03.060
Because of the mixture of public

62
00:02:03.060 --> 00:02:04.500
and private cloud resources,

63
00:02:04.500 --> 00:02:06.090
strict rules should be applied

64
00:02:06.090 --> 00:02:07.800
for whatever type of data is being hosted

65
00:02:07.800 --> 00:02:09.900
in each portion of the hybrid cloud.

66
00:02:09.900 --> 00:02:13.020
For example, any confidential information should be hosted

67
00:02:13.020 --> 00:02:15.480
in the organization's private cloud portion.

68
00:02:15.480 --> 00:02:17.910
The fourth option is a community cloud.

69
00:02:17.910 --> 00:02:20.070
Under this model, the resources and costs

70
00:02:20.070 --> 00:02:22.320
are shared among several different organizations

71
00:02:22.320 --> 00:02:24.360
who all have a common service need.

72
00:02:24.360 --> 00:02:26.670
This is similar to taking several private clouds

73
00:02:26.670 --> 00:02:29.340
and connecting them all together to lower the cost.

74
00:02:29.340 --> 00:02:30.810
The security challenge here

75
00:02:30.810 --> 00:02:32.580
is going to be that each organization

76
00:02:32.580 --> 00:02:34.440
may have their own security controls

77
00:02:34.440 --> 00:02:35.790
and we have to mitigate that

78
00:02:35.790 --> 00:02:37.710
as we combine these things together.

79
00:02:37.710 --> 00:02:40.560
Remember, if you connect your network to another network,

80
00:02:40.560 --> 00:02:43.230
you're inheriting their security risks as well.

81
00:02:43.230 --> 00:02:44.850
This doesn't change just because we moved

82
00:02:44.850 --> 00:02:46.350
into the cloud environment.

83
00:02:46.350 --> 00:02:48.810
Now, in addition to the four cloud deployment models,

84
00:02:48.810 --> 00:02:50.820
we also have to look at the other two models

85
00:02:50.820 --> 00:02:52.080
that you need to be aware of.

86
00:02:52.080 --> 00:02:54.690
This is multitenancy and single tenancy.

87
00:02:54.690 --> 00:02:57.180
The first one here is multitenancy model.

88
00:02:57.180 --> 00:02:59.490
Under this model, the same resources are used

89
00:02:59.490 --> 00:03:01.170
by multiple organizations.

90
00:03:01.170 --> 00:03:03.330
This allows for a large gain in efficiency

91
00:03:03.330 --> 00:03:06.150
because most organizations don't use all the capacity

92
00:03:06.150 --> 00:03:08.340
of a single server or set of servers.

93
00:03:08.340 --> 00:03:10.140
But when two or more organizations

94
00:03:10.140 --> 00:03:12.030
are sharing the same physical resource,

95
00:03:12.030 --> 00:03:14.250
you're going to have some security concerns here.

96
00:03:14.250 --> 00:03:17.310
For example, if your website is hosted on a shared server

97
00:03:17.310 --> 00:03:18.750
with 20 other customers,

98
00:03:18.750 --> 00:03:20.310
and one of those customers is the victim

99
00:03:20.310 --> 00:03:21.870
of a denial of service attack,

100
00:03:21.870 --> 00:03:24.840
that entire server will be undergoing that same attack.

101
00:03:24.840 --> 00:03:27.120
And this can also make your stuff go offline

102
00:03:27.120 --> 00:03:28.350
as collateral damage

103
00:03:28.350 --> 00:03:31.260
during the denial of service against that other server.

104
00:03:31.260 --> 00:03:33.180
Now, this is just one of the dangers and risks

105
00:03:33.180 --> 00:03:35.580
assumed under a multitenancy model.

106
00:03:35.580 --> 00:03:38.190
To combat the risk assumed under a multitenancy model,

107
00:03:38.190 --> 00:03:41.640
there's also a single user model known as single tenancy.

108
00:03:41.640 --> 00:03:44.610
Now under this model, a single organization is assigned

109
00:03:44.610 --> 00:03:46.410
to a particular resource.

110
00:03:46.410 --> 00:03:47.243
Because of this,

111
00:03:47.243 --> 00:03:49.530
single tenancy solutions tend to be less efficient

112
00:03:49.530 --> 00:03:51.150
than multitenancy solutions.

113
00:03:51.150 --> 00:03:53.040
And they're also more expensive

114
00:03:53.040 --> 00:03:55.440
because it requires more hardware to run it properly.

115
00:03:55.440 --> 00:03:58.530
So which of these six models or combination of these models

116
00:03:58.530 --> 00:04:00.750
is going to be right for your organization?

117
00:04:00.750 --> 00:04:03.240
Well, that really depends upon your security needs

118
00:04:03.240 --> 00:04:05.940
and your cost restrictions and your risk tolerance.

119
00:04:05.940 --> 00:04:08.970
It is going to be cheapest for you to use a multitenancy model

120
00:04:08.970 --> 00:04:11.520
with the public cloud model being combined together.

121
00:04:11.520 --> 00:04:13.470
But this also increases the risk

122
00:04:13.470 --> 00:04:16.560
to your information's confidentiality and availability.

123
00:04:16.560 --> 00:04:19.140
As with many things we consider as security practitioners,

124
00:04:19.140 --> 00:04:21.090
there is no single right answer here,

125
00:04:21.090 --> 00:04:23.490
instead, it's our job to weigh the benefits

126
00:04:23.490 --> 00:04:25.530
and the drawbacks of each of these models

127
00:04:25.530 --> 00:04:27.450
and then decide which is the right one

128
00:04:27.450 --> 00:04:30.453
based upon our organization's specific needs and concerns.

