Define how security is dealt with using the native AWS cloud services.
- [Instructor] So let's talk about a cloud provider specifically, someone that's able to provide a certain type of security. In this case it's gonna be Amazon Web Services, the most popular cloud provider out there. So when we talk about all cloud providers and dealing with security, we have our own customer data that we maintain in the cloud. We have our own platforms we maintain in the cloud, for example, Linux instances or Windows NT instances. We maintain our own network connection with the cloud provider, and they in turn provide services, AWS services such as S3 and EC2, and there are thousands of other potential capabilities that exist as higher-level services in the AWS cloud.
As well as AWS infrastructure, the ability to leverage everything having to deal with storage, compute, networking systems are all part of it. Now what's important to remember here is that, while they're responsible for their cloud and maintaining the services and maintaining the infrastructure to keep things going, you're responsible for security as related to customer data, as related to the platform, as related to the network. So the best analogy that I can make is, the cloud providers are in essence storage locker providers.
In other words, they're going to give you the keys to something that's going to contain your stuff, in this case your data, but you're responsible for putting locks on it, you're responsible for the security of it. While they're responsible for the integrity of the storage system, you're responsible for ensuring that people don't break in and steal it. And so the security configuration that they provide you is just that. So in other words, it's just a way in which you can actually configure your security to make your data secure, and you're gonna be responsible for doing that.
Encryption services, identity access management, all those things are going to be localized to you, not necessarily localized to the cloud provider. So when you hear about breaches, you're gonna hear about single-tenant breaches, where people actually get in and deal with information, or steal information, from a single tenant that may exist on a cloud provider, such as Amazon Web Services. You're typically not gonna hear about multi-tenant attacks, or cross-tenant attacks, where people are able to get into Amazon Web Services and then move from one tenant to another because that's the cloud's responsibility to protect you from the other tenants.
But as far as your responsibility to protect your data from outside hackers onto your single tenant, that's up to you. And so people don't realize that when they move into the cloud, that data security is your responsibility. Maintaining the cloud services is the cloud provider's responsibility. So Amazon provides identity access management capabilities, and in short, this is the ability to deal with some sort of system, that's able to use a directory of identities that it's able to call upon to figure out who's authorized and not authorized to access particular resources.
And those resources could be a database storage system, a record, all these sorts of things are able to be protected at a very configurable and granular level. So in other words, when someone moves into a cloud, they log in, we know who he or she is, and we know through a directory of services, what services they have access to, or authorized to see, and perhaps even what granularity they're able to see those resources upon. Like databases, they may see certain records, but they're not able to see all the records that are in the particular database.
So this is important to know, because identity access management, such as the capabilities that AWS provides, gives you the ability to configure things to the exact security needs and specifications and business requirements that are there. And that allows you to, in essence, set something up where you can configure and reconfigure, authorize and deauthorize, based on the changing needs of the business. And since they're providing identity-based, fine-grained access to information and resources, you're able to adjust those levels down to very discrete things.
And so they're allowed to have access to some things, not others, where we're not denying access to the complete system. It's not binary, where we're hiding things behind the user ID and password, but once they get beyond the user ID and password, that allows access to everything. So obviously, if you're thinking about data breaches, this is a fairly strong offering, because ultimately if they're able to figure out an identity access, user ID and password for example, and they're able to get into the system it's typically not gonna give them the keys to the kingdom. It's not gonna give them access to everything that exists within the cloud.
So that's the beauty of identity access management.
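The instructor's point is that IAM access is not binary: a compromised credential only reaches what its policy allows. The following Python is an added example, not code from the course or from AWS. It models the documented IAM evaluation order for identity-based policies (everything denied by default, an explicit Allow grants access, an explicit Deny overrides any Allow) over a constructed sample policy; the bucket name, prefixes and policy SIDs are placeholders, and real IAM also evaluates conditions, resource policies, permission boundaries and organization SCPs, which this model omits.

```python
"""Simplified model of AWS IAM policy evaluation (added example, not AWS code).

Order modelled, following the documented IAM logic:
  1. default: deny
  2. an explicit Allow that matches action and resource grants access
  3. an explicit Deny that matches overrides any Allow
Conditions, resource policies, permission boundaries and SCPs are not modelled.
"""
import fnmatch
import json
from typing import Iterable

# Constructed sample policy for a "data analyst" identity. The bucket name
# example-corp-data and the prefixes are placeholders, not real resources.
ANALYST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReportsPrefix", "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-corp-data/reports/*"},
    {"Sid": "ListTheBucket", "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-corp-data"},
    {"Sid": "NeverTouchPii", "Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-corp-data/pii/*"}
  ]
}
""")

# A deliberately over-broad second policy, used to show that Deny still wins.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
}


def _as_list(value) -> list:
    """IAM lets Action/Resource/Statement be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, candidate: str, case_insensitive: bool) -> bool:
    """IAM wildcards: '*' matches any run, '?' one character.
    Action names are matched case-insensitively; ARNs are not."""
    if case_insensitive:
        pattern, candidate = pattern.lower(), candidate.lower()
    return fnmatch.fnmatchcase(candidate, pattern)


def is_allowed(policies: Iterable[dict], action: str, resource: str) -> bool:
    """True only if some statement allows (action, resource) and none denies it."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny overrides every allow
            allowed = True
    return allowed  # False here is the implicit default deny


def access_report(policies: Iterable[dict], requests: list) -> dict:
    """Evaluate a batch of (action, resource) pairs; useful for reviewing
    what a single identity could reach if its credentials were stolen."""
    pols = list(policies)
    return {f"{a} {r}": is_allowed(pols, a, r) for a, r in requests}


if __name__ == "__main__":
    # Constructed requests that a stolen analyst credential might attempt.
    attempts = [
        ("s3:GetObject", "arn:aws:s3:::example-corp-data/reports/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::example-corp-data/pii/customers.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-corp-data/reports/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/reports/q1.csv"),
        ("s3:ListBucket", "arn:aws:s3:::example-corp-data"),
    ]
    for req, ok in access_report([ANALYST_POLICY], attempts).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {req}")
```

Running the block prints one line per constructed request; only the reports prefix read and the bucket listing are allowed, and adding BROAD_POLICY to the evaluated set still leaves the pii prefix denied because the explicit Deny wins. That is the non-binary behaviour the lecture describes: a leaked credential reaches one prefix of one bucket, not the whole account.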