Understand how to secure interfaces that exist in the cloud.
- [Voiceover] Let's talk about user interface level cloud security, or user cloud security. We have to give logons to users, people who leverage the applications, and leverage the databases that we created and migrated to the cloud. So what we're doing is basically setting up best practices, where we're setting up groups, as well as users, and applying the meaningful protections to ensure that they're able to leverage this system, but do so in the context of very valid security. Permissions allow you to grant privileges within the system, so who can access what piece of information, what file, what object, what database, things like that.
And we can allow people to access any number of things, and disallow them to access any number of things. So the idea is, in essence, to manage permissions, with policies that we set up, where we're able to allow them access to things they need to do their jobs, and disallow them access to things they don't need to do their jobs. This is a lot of work for security administrators, however, it does protect the system, and if someone was able to access the system, and hack into the system, they don't have the necessary permissions, and they're not going to be able to effect any kind of damage.
The ability to manage policies, basically custom, and AWS policies, allows us to put in written things that allow and disallow access to certain resources that exist within the system. This means that instead of permissions that are really at the user level, at the user ID level, we're managing policies as a whole. So in other words accessing resources such as storage, compute system services, things like that, are going to go against a governance system, which is in essence, going to look up a policy, and make sure that people are allowed to access it, that the access is logged, they have the proper authentication, things like that.
Best practices, password, configure a strong password policy. We all know this by using the web, some systems will not allow us to have a-b-c-d-e-f-g, or our dog's name, or counting 1-2-3-4-5, because those are weak passwords. The ability to configure a strong password policy, meaning that the users are going to leverage passwords that are difficult to guess, is going to be a huge protection of the system. If you have random password generators, things like that, they can break into older, obscure systems pretty quickly, that do not enforce strong password policies in the existing stuff.
But this means that we're going to have an initial fence that disallows people from trying to guess their way into the system. So enable MFA for privileged users. So, make sure we're managing keys, multi-factor authentication within those systems so that if we're allowing people in there, that we have an extra layer of authentication that occurs as they try to access the information. Roles, use identity access management roles for EC2 instances.
Identity access management is absolutely an imperative for leveraging cloud-based systems, because it allows you to assign privileges and access policies to particular identities that exist within the system. It could be humans, it could be machines, it could be resources such as disk storage, things like that. And it allows us to do sharing, or using identity access management roles to share access. So we're able to assign roles, assign identities, assign access rights, and we're able to configure and reconfigure them, however we need to support our security policies or security structure.
Rotate security credentials regularly. Can't state this enough. So we have to change passwords, change keys, change multi-factor authentication approaches, things like that. We can't do the same thing all the time and expect to have security that is impenetrable. So, changing security credentials is absolutely imperative. Restrict privileged access further with conditions. So what are the conditions under which people can access the system? Root, reduce, remove use of root. The ability to get access to everything in the system is extremely dangerous for anybody to have.
Accidental deletions can occur, and you'll be in big trouble if someone does that. Audit logging, enable CloudTrail and Config within AWS, and make sure that we turn on audit logging, and we understand exactly what's going on within the system. We talked about that in a previous video, the ability to monitor and proactively look at what's occurring in the environment, at the application level, the data level, and the infrastructure level, is determined through logs. We're basically recording everything that we're doing, and we can see patterns of attack that are emerging in the audit logs, in the information that we're logging.
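As an added example (not from the video or the course), here is a small checker for the "enable MFA for privileged users" and "restrict privileged access further with conditions" points above: it flags Allow statements that grant privileged actions without an aws:MultiFactorAuthPresent condition. The two sample policies, the IP range and the list of which action prefixes count as privileged are constructed assumptions for illustration.

```python
import json

# Constructed sample policies (not from the video). The first grants full
# admin rights unconditionally; the second leaves read access open but gates
# privileged actions behind MFA and a placeholder corporate IP range.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["iam:*", "ec2:TerminateInstances"],
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},  # TEST-NET-3 placeholder
            },
        },
    ],
})

# Which actions count as privileged is an assumption for this example:
# any wildcard, anything under iam:, and a couple of destructive calls.
PRIVILEGED_PREFIXES = ("iam:", "ec2:TerminateInstances", "s3:Delete")


def _as_list(value):
    # IAM accepts either a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def _is_privileged(action):
    return action == "*" or action.startswith(PRIVILEGED_PREFIXES)


def find_unconditioned_privileges(policy_json):
    """Return privileged actions granted by Allow statements that carry no
    aws:MultiFactorAuthPresent condition. An empty list means all are MFA-gated."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        mfa_gated = str(mfa).lower() == "true"
        for action in _as_list(stmt.get("Action", [])):
            if _is_privileged(action) and not mfa_gated:
                findings.append(action)
    return findings
```

In a real audit the policy documents would come from the account (for example via boto3's iam get_policy_version) rather than from constructed strings.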