Summary

This document is a chapter on securing the cloud, covering topics such as cloud service models, security responsibilities in different cloud environments, and various Cisco security solutions. It also includes a quiz to assess prior knowledge.

Full Transcript


# Chapter 9: Securing the Cloud

This chapter covers the following topics:

* What Is Cloud and What Are the Cloud Service Models?
* DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps
* Describing the Customer vs. Provider Security Responsibility for the Different Cloud Service Models
* Cisco Umbrella
* Cisco Secure Email Threat Defense
* Cisco Attack Surface Management (Formerly Cisco Secure Cloud Insights)
* Cisco Secure Cloud Analytics
* AppDynamics Cloud Monitoring
* Cisco Secure Workload
* Cisco XDR

## Domain 3.0 Securing the Cloud

* **3.1** Identify security solutions for cloud environments
  * 3.1.a Public, private, hybrid, and community clouds
  * 3.1.b Cloud service models: SaaS, PaaS, IaaS (NIST 800-145)
* **3.2** Compare the customer vs. provider security responsibility for the different cloud service models
  * 3.2.a Patch management in the cloud
  * 3.2.b Security assessment in the cloud
  * 3.2.c Cloud-delivered security solutions such as firewall, management, proxy, security intelligence, and CASB
* **3.3** Describe the concept of DevSecOps (CI/CD pipeline, container orchestration, and security)
* **3.4** Implement application and data security in cloud environments
* **3.5** Identify security capabilities, deployment models, and policy management to secure the cloud
* **3.6** Configure cloud logging and monitoring methodologies
* **3.7** Describe application and workload security concepts

## "Do I Know This Already?" Quiz

The "Do I Know This Already?" quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the "Exam Preparation Tasks" section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 9-1 lists the major headings in this chapter.

| Foundation Topics Section | Questions |
| ---- | ---- |
| What Is Cloud and What Are the Cloud Service Models? | 1 |
| DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps | 2-3 |
| Describing the Customer vs. Provider Security Responsibility for the Different Cloud Service Models | 4 |
| Cisco Umbrella | 5 |
| Cisco Secure Email Threat Defense | 6 |
| Cisco Attack Surface Management (Formerly Cisco Secure Cloud Insights) | 7 |
| Cisco Secure Cloud Analytics | 8 |
| AppDynamics Cloud Monitoring | 9 |
| Cisco Secure Workload | 10 |
| Cisco XDR | 11-12 |

**Which of the following is a cloud computing model that provides everything except applications? Services provided by this model include all phases of the system development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider's platform.**

* a. IaaS
* b. PaaS
* c. SaaS
* d. Hybrid clouds

## Foundation Topics

## What Is Cloud and What Are the Cloud Service Models?

In Chapter 1, "Cybersecurity Fundamentals," you learned that the National Institute of Standards and Technology (NIST) created Special Publication (SP) 800-145, "The NIST Definition of Cloud Computing," to provide a standard set of definitions for the different aspects of cloud computing. The SP 800-145 document also compares the different cloud services and deployment strategies. In short, the advantages of using a cloud-based service include the use of distributed storage, scalability, resource pooling, access to applications and resources from any location, and automated management.

According to NIST, the essential characteristics of cloud computing include the following:

* On-demand self-service
* Broad network access
* Resource pooling
* Rapid elasticity
* Measured service

Cloud deployment models include the following:

* **Public cloud:** Open for public use.
* **Private cloud:** Used just by the client organization, on-premises (on-prem) or in a dedicated area of a cloud provider.
* **Community cloud:** Shared between several organizations.
* **Hybrid cloud:** Composed of two or more clouds (including on-premises services).

Cloud computing can be broken into the following three basic models:

* **Infrastructure as a Service (IaaS):** IaaS describes a cloud solution where you are renting infrastructure. You purchase virtual power to execute your software as needed. This is much like running a virtual server on your own equipment, except you are now running a virtual server on a virtual disk. This model is similar to a utility company model, because you pay for what you use.
* **Platform as a Service (PaaS):** PaaS provides everything except applications. Services provided by this model include all phases of the system development life cycle (SDLC) and can use application programming interfaces (APIs), website portals, or gateway software. These solutions tend to be proprietary, which can cause problems if the customer moves away from the provider's platform.
* **Software as a Service (SaaS):** SaaS is designed to provide a complete packaged solution. The software is rented out to the user. The service is usually provided through some type of front end, or web portal. While the end user is free to use the service from anywhere, the company pays a per-use fee.

## DevOps, Continuous Integration (CI), Continuous Delivery (CD), and DevSecOps

DevOps (including its underlying technical, architectural, and cultural practices) characterizes a convergence of many technical, project management, and management movements.

### The Waterfall Development Methodology

The waterfall model is a software and hardware development and project management methodology that has at least five to seven phases that follow in strict linear order. Each phase cannot start until the previous phase has been completed.
**Figure 9-1** The Typical Phases of the Waterfall Development Methodology

- Requirements: All requirements are gathered at the beginning of the project, allowing every other phase to be planned without further customer involvement until the product is complete.
- Design: Typically divided up into logical design and physical design subphases.
- Implementation: The implementation phase is when software developers build on the previous phases and produce actual code.
- Verification: The "customer" reviews the product to make sure that it meets the requirements laid out at the beginning of the project.
- Maintenance: Bugs, inadequate features, and other errors that occurred during production are discovered.

### The Agile Methodology

Agile is a software development and project management process where a project is managed by breaking it up into several stages and involving constant collaboration with stakeholders and continuous improvement and iteration at every stage. The Agile methodology begins with end customers describing how the final product will be used and clearly articulating what problem it will solve.

**Figure 9-2** The Agile Methodology's Four Main Values

- Individuals and interactions over processes and tools
- Customer collaboration over contract negotiation
- Working software over comprehensive documentation
- Responding to change over following a plan

**Figure 9-3** The Agile Methodology's General Steps

- Plan
- Design
- Develop
- Test
- Deploy
- Review
- Launch

**Figure 9-4** The Scrum Framework and Sprints

- Sprint Retrospective Meeting
- Project Release Vision Planning
- Planning
- Sprint Planning
- Sprint
- Daily Scrum
- Deployment

## Cisco Secure Email Threat Defense

* **Geolocation-based filtering:** This feature swiftly controls email content based on the sender's location, providing protection against sophisticated spear phishing attempts.
* **Cisco Context Adaptive Scanning Engine (CASE):** With CASE, the system achieves a spam capture rate exceeding 99 percent and an exceptionally low false positive rate of less than one in one million.
* **Advanced Outbreak Filters:** These filters conduct thorough inspections of URLs, continuously analyzing them in real time. They promptly block websites that exhibit a shift from benign to malicious behavior.
* **Cisco Secure Email Malware Defense:** This feature ensures continuous protection against URL-based threats by subjecting potentially malicious links to real-time analysis.
* **Leveraging Talos Monitoring and Cisco Threat Grid Intelligence:** Malware Defense utilizes real-time monitoring and analytics from Talos and Threat Grid to identify previously unknown threats and sudden changes in file behavior.
* **Remediation and Visibility:** Malware Defense takes proactive steps to remediate issues by automatically triggering dynamic reputation analysis. It provides visibility into the origin of malware, the impacted systems, and the activities carried out by the malware.

## Cisco Attack Surface Management (Formerly Cisco Secure Cloud Insights)

Cisco Attack Surface Management (formerly Cisco Secure Cloud Insights) is a cloud-native security platform designed to bridge the gaps between disparate security tools. It offers seamless visibility into security risk across your entire cyber asset ecosystem. By connecting various data sources and deciphering complex relationships, this flexible platform provides comprehensive visibility into your environment, infrastructure, and operations.

## Cisco Secure Cloud Analytics

Cisco Secure Cloud Analytics is a SaaS (Software as a Service) offering that enables the identification of both internal and external threats across on-premises, public, and hybrid cloud environments. It boasts simplicity in terms of usage, procurement, and maintenance.
Minimal additional configuration or device categorization is required when data is received. The analysis process is fully automated, and the integration between the SecureX platform and Secure Cloud Analytics, along with eXtended Detection and Response (XDR) capabilities, is seamless.

## AppDynamics Cloud Monitoring

AppDynamics is another company acquired by Cisco. AppDynamics (AppD for short) provides end-to-end visibility of applications and can provide insights about application performance. AppD is able to automatically discover the flow of all traffic requests in your environment by creating a dynamic topology map of all your applications. AppD also provides cloud monitoring and supports the following platforms:

* AWS Monitoring
* Microsoft Azure
* Pivotal Cloud Foundry Monitoring
* Cloud Foundry Foundation
* Rackspace Monitoring
* Kubernetes Monitoring
* OpenShift Monitoring
* HP Cloud Monitoring
* Citrix Monitoring
* OpenStack Monitoring
* IBM Monitoring
* Docker Monitoring
* AWS Lambda Monitoring

## Cisco Secure Workload

Cisco Secure Workload (formerly known as Tetration) is a solution created by Cisco that utilizes rich traffic flow telemetry to address critical data center operational use cases. It uses both hardware and software agents as telemetry sources and performs advanced analytics on the collected data. To access the information, Cisco Secure Workload provides a scalable point-and-click web UI to search information using visual queries and visualizes statistics using a variety of charts and tables. In addition, all the administrative functions and cluster monitoring can be done through the same web UI. Cisco Secure Workload supports both on-premises and public cloud workloads.

## Cisco XDR

As the complexity and sophistication of threats escalate, traditional security approaches based on individual, self-sufficient solutions are proving to be inadequate.
Organizations have tried using Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) systems to integrate disconnected security environments and minimize alerts, but these efforts fall short of fully addressing the issue. Current security teams require a tool that efficiently processes information from a variety of sources into dependable alerts and insights, enabling swift, informed action. Over recent years, the rise of eXtended Detection and Response (XDR) as an up-and-coming technology has been promising, offering a broad and integrated method for the rapid and effective prevention, detection, and resolution of threats.

## Exploring the Cisco XDR Solution

Leveraging sophisticated analytics and correlation techniques, Cisco XDR possesses the ability to transform raw telemetry data into significant security events. This process entails ingesting vast amounts of unprocessed data from various sources, examining and relating this data using advanced detection logic, and subsequently generating valuable and pertinent security events. In doing so, it turns the typically scattered and disparate data into structured, analyzable information that can then be utilized to improve the organization's overall security posture. This capacity for processing and analysis greatly enhances threat detection capabilities, enabling organizations to respond more swiftly and effectively to threats.

## Cisco Secure Internet Gateway

When Cisco Umbrella servers receive a DNS request, they first identify which end customer the request came from and which policy to apply. Next, Cisco Umbrella determines whether the request is safe or whitelisted, malicious or blacklisted, or "risky". Safe requests are routed as usual, and malicious requests are routed to a block page. Risky requests can be routed to the cloud-based proxy for deeper inspection.
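The DNS request flow just described (identify the customer, select that customer's policy, classify the request as safe, malicious, or risky, and then resolve, block, or proxy it) can be modelled as a small policy engine. The following Python is an added illustration and is not Cisco or Umbrella code. The tenant networks, per-customer policies, block-page host, and domain reputation scores are constructed sample data; the choices that unknown domains count as risky and that requests from non-tenant source addresses receive no policy at all are assumptions of the example, not documented Umbrella behavior.

```python
"""DNS-layer policy decision modelled on the Umbrella request flow.

Added illustration, not Cisco/Umbrella code. All networks, policies,
domains and reputation scores below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    name: str
    allow: set = field(default_factory=set)   # customer allowlist ("whitelisted")
    block: set = field(default_factory=set)   # customer blocklist ("blacklisted")
    risk_threshold: int = 50                  # score at/above this -> "risky" (proxy)
    block_threshold: int = 90                 # score at/above this -> "malicious" (block page)


# Constructed global reputation feed: domain -> risk score (0 benign .. 100 malicious).
REPUTATION = {
    "example.com": 5,
    "updates.example.net": 10,
    "files.example.org": 60,    # middling score: the "risky" case
    "malicious.example": 99,    # hypothetical malicious domain
}

# Constructed tenants: the source network identifies the customer and its policy.
CUSTOMERS = {
    ip_network("192.0.2.0/24"): ("acme", Policy(
        name="acme-default",
        allow={"files.example.org"},      # acme explicitly trusts this domain
        block={"updates.example.net"},    # and explicitly blocks this one
    )),
    ip_network("198.51.100.0/24"): ("globex", Policy(name="globex-strict", risk_threshold=20)),
}

BLOCK_PAGE = "block.example"   # constructed block-page host


def identify_customer(source_ip):
    """Step 1: which end customer did the request come from, and which policy applies?"""
    addr = ip_address(source_ip)
    for net, (customer, policy) in CUSTOMERS.items():
        if addr in net:
            return customer, policy
    return None, None


def classify(domain, policy):
    """Step 2: return 'safe', 'malicious' or 'risky' for a domain under a policy.

    Customer lists win over the global feed; the blocklist is checked first so
    an entry on both lists fails closed.  Domains absent from the feed are
    treated as risky (an assumption of this example) so they get inspected.
    """
    d = domain.lower().rstrip(".")
    if d in policy.block:
        return "malicious"
    if d in policy.allow:
        return "safe"
    score = REPUTATION.get(d, policy.risk_threshold)
    if score >= policy.block_threshold:
        return "malicious"
    if score >= policy.risk_threshold:
        return "risky"
    return "safe"


def resolve(source_ip, domain):
    """Step 3: route the request. Returns (customer, verdict, action)."""
    customer, policy = identify_customer(source_ip)
    if customer is None:
        # Assumption of the example: a source we cannot map to a tenant gets no policy.
        return None, "unknown", "no-policy"
    verdict = classify(domain, policy)
    action = {
        "safe": "resolve",                       # answered as usual
        "malicious": f"block-page:{BLOCK_PAGE}", # answer points at the block page
        "risky": "proxy",                        # hand to the cloud proxy for inspection
    }[verdict]
    return customer, verdict, action


if __name__ == "__main__":
    # Constructed requests: (source IP, queried domain)
    requests = [
        ("192.0.2.10", "example.com"),
        ("192.0.2.10", "updates.example.net"),
        ("192.0.2.10", "files.example.org"),
        ("198.51.100.7", "files.example.org"),
        ("198.51.100.7", "never-seen.example"),
        ("198.51.100.7", "malicious.example"),
        ("203.0.113.5", "example.com"),
    ]
    for src, dom in requests:
        print(f"{src:<14} {dom:<22} -> {resolve(src, dom)}")
```

Running the file prints one decision per constructed request. The point worth noticing is the ordering: the customer is identified before any domain lookup, so the same domain (`files.example.org` here) is answered normally for the tenant that allowlisted it and sent to the proxy for the tenant whose stricter policy treats it as risky.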
## Review All Key Topics

| Key Topic Element | Description | Page Number |
| ---- | ---- | ---- |
| List | Identifying the essential characteristics of cloud computing | 582 |
| List | Understanding the different cloud deployment models | 582 |
| List | Identifying the different cloud service models | 582 |
| Paragraph | Understanding what DevOps is | 583 |
| Section | The Agile Methodology | 583 |
| Section | DevOps | 586 |
| Section | CI/CD Pipelines | 588 |
| Section | The Serverless Buzzword | 589 |
| Section | Container Orchestration | 592 |
| Section | A Quick Introduction to Containers and Docker | 592 |
| Section | Kubernetes | 597 |
| Section | Microservices and Micro-Segmentation | 602 |
| Section | DevSecOps | 603 |
| Section | Describing the Customer vs. Provider Security Responsibility for the Different Cloud Service Models | 605 |
| Section | Patch Management in the Cloud | 607 |
| Section | Security Assessment in the Cloud and Questions to Ask Your Cloud Service Provider | 607 |
| Section | Cisco Umbrella | 608 |
| Section | The Cisco Umbrella Architecture | 609 |
| Section | Secure Internet Gateway | 610 |
| Section | Cisco Umbrella Investigate | 612 |
| Section | Cisco Secure Email Threat Defense in the Cloud | 614 |
| Section | Forged Email Detection | 614 |
| Section | Sender Policy Framework | 615 |
| Section | Email Encryption | 615 |
| Section | Cisco Secure Email Threat Defense for Office 365 | 615 |
| Section | Cisco Attack Surface Management (Formerly Cisco Secure Cloud Insights) | 616 |
| Section | Cisco Secure Cloud Analytics | 618 |
| Section | AppDynamics Cloud Monitoring | 619 |
| Section | Cisco Secure Workload | 622 |
| Section | Cisco XDR | 627 |

## Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

* Continuous Integration (CI)
* Continuous Delivery (CD)
* DevOps
* DevSecOps
* Kubernetes (k8s)
* Nomad
* Apache Mesos
* Docker Swarm

## Review Questions

1. **What is Extreme Programming (EP)?**
   * a. A software development methodology designed to improve quality and for teams to adapt to the changing needs of the end customer
   * b. A DevSecOps concept to provide better SAST and DAST solutions in a DevOps environment
   * c. A software development methodology designed to provide cloud providers with the ability to scale and deploy more applications per workload
   * d. None of these answers are correct.
2. **Which of the following is a framework that helps organizations work together because it encourages teams to learn through experiences, self-organize while working on a solution, and reflect on their wins and losses to continuously improve?**
   * a. DevSecOps
   * b. Scrum
   * c. Waterfall
   * d. None of these answers are correct.
3. **Which of the following is the CI/CD pipeline stage that includes the compilation of programs written in languages such as Java, C/C++, and Go?**
   * a. Develop
   * b. Build
   * c. Deploy
   * d. Package and Compile
4. **Which of the following is a Kubernetes component that is a group of one or more containers with shared storage and networking, including a specification for how to run the containers?**
   * a. Pod
   * b. k8s node
   * c. kubectl
   * d. kubeadm
5. **Which of the following is a technique that can be used to find software errors (or bugs) and security vulnerabilities in applications, operating systems, infrastructure devices, IoT devices, and other computing devices? This technique involves sending random data to the unit being tested in order to find input validation issues, program failures, buffer overflows, and other flaws.**
   * a. Scanning
   * b. DAST
   * c. Fuzzing
   * d. SAST
6. **Which of the following is a Cisco Umbrella component that provides organizations access to global intelligence that can be used to enrich security data and events or help with incident response? It also provides the most complete view of an attacker's infrastructure and enables security teams to discover malicious domains, IP addresses, and file hashes and even predict emergent threats.**
   * a. Investigate
   * b. Internet Security Gateway
   * c. Cloudlock
   * d. CASB
7. **Cisco Cloud Email Security supports which of the following techniques to create the multiple layers of security needed to defend against threats?**
   * a. Geolocation-based filtering
   * b. The Cisco Content Adaptive Scanning Engine (CASE)
   * c. Cisco Secure Malware Defense
   * d. All of these answers are correct.
8. **Which of the following statements are true about the Cisco Secure Email Threat Defense solution?**
   * a. The Sender Policy Framework (SPF) is used for sender authentication.
   * b. DomainKeys Identified Mail (DKIM) is used for domain authentication.
   * c. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is used for domain authentication.
   * d. All of these answers are correct.
9. **What is the function of the Inventory tab under the Devices section in Cisco XDR?**
   * a. It limits the visibility of assets to a single device.
   * b. It provides a holistic asset inventory for attack surface reduction.
   * c. It merges data from a single source to create asset records.
   * d. It hides asset data during investigations.
10. **What is one of the main advantages of implementing an XDR solution?**
    * a. It allows organizations to rely solely on a single vendor for all security needs.
    * b. It reduces the need for any cybersecurity measures due to its standalone effectiveness.
    * c. It aggregates and analyzes data from multiple security tools into a centralized location.
    * d. It limits threat detection to specific, preselected sources.
11. **In the context of XDR, what does a risk-centric solution enable?**
    * a. It disregards the severity of threats and treats all incidents equally.
    * b. It focuses only on global threat intelligence, ignoring local context.
    * c. It quickly quantifies, verifies, and prioritizes threats based on the likelihood of substantial risk.
    * d. It slows down the response time to threats to ensure accuracy.
12. **How does XDR improve the work of security analysts?**
    * a. It focuses on generating as many alerts as possible.
    * b. It simplifies their tasks by focusing only on threat detection, ignoring response and prevention.
    * c. It allows analysts, regardless of their level, to focus on comprehensive threat detection, prioritized risk-based incident response, and productivity improvement.
    * d. It limits the sources from which data is collected, reducing the information security analysts have to deal with.
