Security Considerations
Home » Courses » Networking in Public Cloud Deployments » Security Considerations
Security Considerations
Just because you moved your applications into a public cloud doesn't mean that you don't have to worry about security - it becomes even more critical to protect your applications with the plethora of tools made available by public cloud providers.
This module describes the security basics of public cloud deployments and focuses on network security mechanisms.
1:13:20 Cloud Security Basics |
||
|
The most important aspect of public cloud security is the split responsibility model: the cloud provider is responsible for infrastructure security, but you're still responsible for securing your deployment. This section describes the basics of public cloud security, how you could evaluate the security posture of your public cloud provider, and concludes with an overview of what you could do to secure your public cloud environment. |
||
| Cloud 101 | 18:39 | 2019-06-07 |
| Cloud Security 101 | 16:01 | 2019-06-07 |
| Cloud Provider Evaluation | 27:18 | 2019-06-07 |
| Protecting Your Cloud Environment | 7:56 | 2019-06-07 |
| Summary | 3:26 | 2019-06-07 |
| Slide Deck | 6.1M | 2019-04-08 |
More Information |
||
| Cloud Service Provider Security Mistakes | ||
1:20:02 Identity and Access Management |
||
|
In this section you'll learn how to set up your public cloud platform accounts and how to protect them. In addition, Cloud IAM solutions offer the possibility to use the platform accounts for your application stack as well - and we will explore security challenges and opportunities of this approach. |
||
| Section Introduction | 5:51 | 2020-02-22 |
| Definitions and Terms | 10:02 | 2020-02-22 |
| Identity and Access Management | 28:04 | 2020-02-22 |
| Deep Down the IAM Rabbit Holes | 19:26 | 2020-02-22 |
| Protecting API Keys | 7:57 | 2020-02-22 |
| IAM Engineering | 8:42 | 2020-02-22 |
| Slide Deck | 15M | 2019-12-18 |
1:01:46 Logging and Monitoring |
||
|
Cloud environments offer new logging mechanisms which differ from traditional technologies. We will explore how you could use cloud storage to save the logs, and analyze them using additional cloud services, or how you could send the cloud events to external services for further analysis. |
||
| Section Introduction | 3:30 | 2020-02-29 |
| Definitions and Terms | 5:21 | 2020-02-29 |
| Logging of Cloud Events | 13:34 | 2020-02-29 |
| Cloud-based Log Storage and Analysis | 15:46 | 2020-02-29 |
| Demos and Conclusions | 23:35 | 2020-02-29 |
| Slide Deck | 16M | 2020-01-15 |
1:20:22 Automation and Testing |
||
|
One of the biggest advantage of public cloud environments is their capability to modify any object via an API call or use infrastructure-as-code templates to deploy, modify or destroy whole application stacks, as well as monitor the compliance of actual deployment with desired state specified in the template. This section describes how you can leverage this capability to increase the security of your deployments, and how the modern IaC and CI/CD methodologies affects traditional security testing approaches. |
||
| Section Introduction | 2:39 | 2020-03-06 |
| Terms and Motivation | 15:53 | 2020-03-06 |
| Automation Security Benefits | 19:14 | 2020-03-06 |
| Tools and Lab | 28:13 | 2020-03-06 |
| Testing and Verification | 11:09 | 2020-03-06 |
| Conclusions | 3:14 | 2020-03-06 |
| Automation and Testing Demos | 7.3K | 2020-01-24 |
| Slide Deck | 29M | 2020-01-24 |
2:16:13 Public Cloud Security Considerations |
||
|
In this section Matthias Luft reviewed the public cloud security groundwork detailed in Cloud Security webinar, and then dived into details needed to develop cloud security, establish zero-trust model, and interact with a cloud-native security team. |
||
| Cloud Security Recapitulation | 26:10 | 2020-04-22 |
| Cloud Security Caveats | 12:24 | 2020-04-22 |
| Cloud-Native Security Teams | 20:09 | 2020-04-22 |
| Cloud Network Security Models | 23:04 | 2020-04-22 |
| Zero-Trust Model | 14:54 | 2020-04-22 |
| Network Security versus Virtual Appliances | 32:23 | 2020-04-22 |
| Conclusions | 7:09 | 2020-04-22 |
| Public Cloud Security Considerations Slide Deck | 79M | 2020-04-21 |
List of Crypto Resources Mentioned in the Videos |
||
| NIST recommendations for key management | ||
| Applied Crypto Hardening | ||
| Cryptographic Key Length Recommendation | ||
| SSL Configuration Generator | ||
Securing Your Public Cloud Deployment |
||
| You will probably want to focus your work on either AWS or Azure. Please watch the materials describing the public cloud provider you want to use during the course. | ||
58:42 AWS Intra-VPC Network Security Mechanisms |
||
|
AWS offeres several layers of network security within a VPC:
All these mechanisms (and the logging and mirroring functionality available with flow logs and VPC traffic mirroring) are described in this section. |
||
| Network Security | 11:19 | 2019-06-14 |
| Security Groups | 12:53 | 2019-06-14 |
| Managed Prefix Lists | 8:54 | 2021-10-11 |
| Network ACLs | 8:41 | 2019-06-14 |
| VPC Flow Logs | 2:45 | 2019-06-14 |
| VPC Traffic Mirroring | 9:49 | 2020-12-18 |
| Security Summary | 4:21 | 2019-06-14 |
Related AWS Documentation |
||
| Working with Security Groups | ||
| Use Prefix Lists to Simplify Configuration of Security Groups | ||
| Working with Network ACLs | ||
| Example: Controlling Access to Instances in a Subnet | ||
| Working with Flow Logs | ||
| VPC Traffic Mirroring | ||
More Information |
||
| The Security Design of the AWS Nitro System | ||
1:29:13 Securing External AWS Traffic |
||
|
When you want to secure traffic entering or leaving a VPC, you could use a number of AWS services, including:
|
||
| Web Application Firewall | 13:58 | 2020-12-18 |
| AWS Shield | 4:31 | 2020-12-18 |
1:10:44 AWS Network Firewall |
||
| AWS Network Firewall Overview | 22:04 | 2023-11-27 |
| Configuring Network Firewall | 12:49 | 2021-04-27 |
| Complex Intra-VPC Network Firewall Deployments | 21:18 | 2023-11-27 |
| Complex Network Firewall Deployments | 14:33 | 2021-04-27 |
Automation Examples |
||
| Web Application Firewall Example | ||
New AWS Features |
||
| AWS Network Firewall now supports IPv6-only subnets | ||
| Ingress TLS inspection on AWS Network Firewall | ||
| Tag-based resource groups on AWS Network Firewall | ||
| AWS WAF increases web ACL capacity units limits | ||
| AWS Network Firewall adds reject action for TCP traffic | ||
| AWS Network Firewall now supports VPC prefix lists | ||
| AWS Network Firewall now supports AWS Managed Rules | ||
| AWS Shield Advanced now supports Application Load Balancer for automatic application layer DDoS mitigation | ||
| AWS Shield Advanced introduces automatic application-layer DDoS mitigation | ||
1:04:08 Azure Network Security Mechanisms |
||
|
Azure offers numerous network security mechanisms. This section covers intra-VNet mechanisms including:
Azure Firewall is described in a separate section. |
||
| Azure Network Security Mechanisms | 7:47 | 2020-01-04 |
| Network Security Groups | 10:03 | 2020-01-04 |
| Network Security Group Examples | 9:13 | 2020-01-04 |
| Application Security Groups | 7:02 | 2020-01-04 |
| Network Security Monitoring and Troubleshooting | 7:18 | 2020-01-04 |
22:45 Hands-on Demos |
||
| Network Security Groups | 14:29 | 2019-08-24 |
| Application Security Groups | 8:16 | 2019-08-24 |
Hands-On Exercises |
||
Secure Your Public Cloud Deployment |
||
|
In this assignment you'll implement traffic filters, add web application firewall to protect your web server, log SSH traffic to your SSH bastion host and create multiple users with different privilege levels. |
||
| Hands-on assignment: Secure Your Public Cloud Deployment | 2.3K | 2020-04-22 |
| Submit your homework | ||
| Overview: Submitting Hands-On Exercise Solutions | ||
More Information |
||
Related Presentations |
||
| Continuous Cloud Security Monitoring | ||