
Critical Knowledge ™

SUMMARY NOTES

UNIT 3:
NETWORK SECURITY
3.1 Security Components

Firewall Overview

• Definition: A filter process with built-in default protection
• Use: Controls access between less secure and more secure networks
• Access Control List (ACL): Set of rules to allow or deny traffic into/out of firewalls
• Implicit deny rule: built-in rule that automatically denies traffic from less
secure network to more secure network
• Explicit deny rule: custom rule that denies specific traffic from less secure
network to more secure network
• Security Risks: Firewalls will check whether traffic conforms to network standards,
but cannot check for viruses or malware
• Four basic firewall types:
1. Packet Filtering (first-generation firewall)
o Most common and least expensive
o Makes basic yes/no decisions to allow traffic based on information in
the message header
o Operates at Layer 3 of the OSI model
o Has built-in implicit deny rules; can be configured with explicit deny
rules

2. Stateful Packet Inspection (third-generation firewall)
o Includes all capabilities of packet-filtering firewall
o Adds ability to read state of TCP/IP communication
o Knows how TCP/IP communication is supposed to work
o Blocks traffic that does not conform to standards of network traffic
o Operates at Layers 3 and 4 of the OSI model
3. Circuit-Level Gateway (Secure Sockets or “Socks”) (second-generation
firewall)
o Operates at Layer 5 of the OSI model
o Makes decisions based on session circuits
o Efficient firewall, but not advanced at filtering packets
4. Application-Level Gateways (“Proxy”) (second-generation firewall)
o Copies packets from one network to another and changes source and
destination addresses to protect identity of secure network
o Operates at Layer 7 of the OSI model
o Defined for each individual application
o Must have an individual proxy for every application it manages
• Next-Generation Firewalls:
o Perform deep packet inspection, including all layers of the OSI model and
payload itself
o Includes an Intrusion Prevention System (IPS)
o Includes basic artificial intelligence (AI)
• Firewalls should be located at the boundary edge between the Internet and the network
• A second-tier firewall should be deployed at the DMZ or between an internal network and
a secure network
• Network Segmentation:
o Firewalls employed where fine-grained controls are required to control traffic
o One of the most effective preventative controls to protect the CIA of critical
assets
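The ACL behaviour described above (ordered rules, first match wins, implicit deny when nothing matches) and the difference between a first-generation packet filter and a stateful firewall are easier to see in code. The following is an added example written for these notes, not code from the course: it models a packet filter working on Layer 3/4 header fields only, then wraps it in a state table so that replies to outbound connections are admitted and stray TCP segments that belong to no known connection are dropped. The addresses, rules and packets are constructed for the demonstration (documentation ranges, a DMZ web server at 10.1.1.10).

```python
"""Added example (not from the notes): a toy packet-filtering firewall with an
ordered ACL, an implicit deny, and a stateful layer that only admits inbound
packets belonging to a connection the inside initiated.
All rules, addresses and packets below are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    sport: int = 40000
    syn: bool = False       # TCP SYN flag, i.e. a new connection attempt
    direction: str = "in"   # "in" = arriving from the less secure (Internet) side


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def packet_filter(acl: list[Rule], pkt: Packet) -> str:
    """First-generation behaviour: first matching rule wins (header fields only),
    and the implicit deny applies when no explicit rule matches."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit deny: no explicit permit means no traffic


class StatefulFirewall:
    """Third-generation behaviour: the same ACL for new flows, plus a state table
    so return traffic of an outbound connection is admitted without an explicit
    inbound allow rule, and TCP that ignores how connections start is dropped."""

    def __init__(self, acl: list[Rule]):
        self.acl = acl
        # (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.state: set[tuple] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            verdict = packet_filter(self.acl, pkt)
            if verdict == "allow":
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return verdict
        # Inbound: is this a reply to a tracked connection?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            return "allow"
        # Inbound TCP that is not a SYN and matches no state does not conform to
        # how TCP is supposed to work: drop it before the ACL is even consulted.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        return packet_filter(self.acl, pkt)


# Constructed ACL for a DMZ web server. The explicit deny sits before the broader
# allow on purpose: order matters because the first match wins.
ACL = [
    Rule("deny", src="203.0.113.0/24", dst="10.1.1.10/32", proto="tcp", dport=443),
    Rule("allow", dst="10.1.1.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.1.0.0/16", dst="0.0.0.0/0"),   # inside hosts may go out
]


def demo() -> dict:
    fw = StatefulFirewall(ACL)
    results = {
        "web_ok": fw.decide(Packet("198.51.100.7", "10.1.1.10", "tcp", 443, syn=True)),
        "web_blocked_net": fw.decide(Packet("203.0.113.9", "10.1.1.10", "tcp", 443, syn=True)),
        "ssh_implicit_deny": fw.decide(Packet("198.51.100.7", "10.1.1.10", "tcp", 22, syn=True)),
        "outbound_dns": fw.decide(Packet("10.1.5.20", "192.0.2.53", "udp", 53, sport=51000, direction="out")),
    }
    # Reply to the outbound DNS query: no inbound allow rule exists; the state table admits it.
    results["dns_reply"] = fw.decide(Packet("192.0.2.53", "10.1.5.20", "udp", 51000, sport=53))
    # Unsolicited non-SYN segment to the web server: rejected by state inspection.
    results["stray_ack"] = fw.decide(Packet("198.51.100.7", "10.1.1.10", "tcp", 443, syn=False))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Run the same stray non-SYN segment through `packet_filter(ACL, ...)` alone and it is allowed, because rule 2 matches on header fields; only the stateful layer knows there is no connection for it to belong to.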

Load Balancer Overview

• Definition: Device or service that sits between the client and the system being
accessed
• Use: Distributes incoming network traffic to a server farm
• Makes decisions based on pre-defined criteria and sends communication between
client and system to a server or a system in server farm or pool
o Used to distribute the load evenly on a system farm or pool
o Used to maintain back-up system in case primary system goes down
o Provides fault tolerance – if a server goes down, other services can handle the
traffic
• Load balancers increase the availability of an asset
• Sends incoming traffic to the chosen server farm or pool based on criteria for both
system traffic and the load balancer’s configuration for fault tolerance
• To choose the right solution, you must clearly define the parameters for your specific
needs

Types of Load Balancers

• Basic Network
o Routes traffic based on source and destination addresses
o Does not balance traffic; only routes traffic based upon addresses
o Operates at Layer 3: Network Layer
o Example: DNS Round-Robin
• Transport
o Operates at Layer 4: Transport Layer on TCP/UDP
o Manages and routes traffic to systems based upon traffic usage
• Application
o Operates at Layer 7: Application Layer
o Built to handle large volumes of traffic with multiple client connections on a
large scale
o HTTP load balancers are capable of handling millions of loads per second

IDS/IPS Overview

• Intrusion Detection System
o Detective control
• Intrusion Prevention System
o Preventative control

Two Types of IDS/IPS Systems

• Host-based
o HIDS
o HIPS
o An agent on each individual host reads that host’s local files and logs
• Network-based
o NIDS
o NIPS
o Resides on firewalls operating at different layers of the OSI model
• IDS/IPS Operation Methods
o Signature-based
▪ Compares traffic to a pre-defined signature set; anything not defined in the set is not detected
o Anomaly-based
▪ Learns what is normal in the system so it can detect anything
abnormal
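The two operation methods above fail in opposite ways: a signature engine cannot report what is not in its list, and an anomaly engine only sees what departs from its learned baseline. The following added example (written for these notes, not from the course) runs both over constructed web-server log lines: a single request carrying a well-known traversal pattern is caught only by the signature engine, while a client sending an abnormal volume of otherwise ordinary requests is caught only by the anomaly engine. Log lines, addresses, the signature list and the 3-sigma threshold are all invented for the demo.

```python
"""Added example (not from the notes): a signature-based and an anomaly-based
detector run side by side over constructed log lines of the form "<ip> <path>".
The signature engine fires only on patterns it already knows; the anomaly
engine learns a per-client request count from a clean baseline and flags
clients that later exceed it."""
import re
from collections import Counter
from statistics import mean, pstdev
from typing import Optional

# Constructed baseline: five clients, ten ordinary requests each.
BASELINE_LOG = [f"10.0.0.{i % 5 + 1} /index.html" for i in range(50)]
# Constructed live traffic: the same background, plus one known-bad request
# and one client with an abnormal request volume.
LIVE_LOG = (
    [f"10.0.0.{i % 5 + 1} /index.html" for i in range(50)]
    + ["10.0.0.3 /download?file=../../etc/passwd"]      # known pattern, single request
    + [f"10.0.0.9 /search?q={i}" for i in range(120)]     # unknown pattern, abnormal volume
)

# Signature set: (name, compiled pattern). Nothing outside this list can ever
# be reported by the signature engine.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli-union", re.compile(r"union\s+select", re.IGNORECASE)),
]


def signature_detect(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client, signature-name) for every line matching a known signature."""
    hits = []
    for line in lines:
        client, _, request = line.partition(" ")
        for name, pattern in SIGNATURES:
            if pattern.search(request):
                hits.append((client, name))
    return hits


class AnomalyDetector:
    """Learns requests-per-client from a clean baseline, then flags clients whose
    count is more than `k` standard deviations above the baseline mean."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.threshold: Optional[float] = None

    def train(self, baseline_lines: list[str]) -> float:
        counts = Counter(line.split(" ", 1)[0] for line in baseline_lines)
        values = list(counts.values())
        # pstdev of an all-equal baseline is 0, so keep a floor of 1 request:
        # otherwise a single extra request would count as an anomaly.
        self.threshold = mean(values) + self.k * max(pstdev(values), 1.0)
        return self.threshold

    def detect(self, lines: list[str]) -> dict[str, int]:
        if self.threshold is None:
            raise RuntimeError("train() must run before detect()")
        counts = Counter(line.split(" ", 1)[0] for line in lines)
        return {c: n for c, n in counts.items() if n > self.threshold}


def demo() -> dict:
    sig_hits = signature_detect(LIVE_LOG)
    det = AnomalyDetector(k=3.0)
    threshold = det.train(BASELINE_LOG)
    anomalies = det.detect(LIVE_LOG)
    return {"signature": sig_hits, "threshold": threshold, "anomaly": anomalies}


if __name__ == "__main__":
    print(demo())
```

Note the trade-off the baseline floor introduces: the anomaly engine is deliberately blind to small deviations, which is exactly the "low and slow" traffic a signature is needed for.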

Proxy Server Overview

• Client connects to proxy server before connecting to target
• Provides access control for clients
• Uses Network Address Translation to obscure client traffic’s origins
• Proxy servers can also create network segments

Network Address Translation (NAT)

• Proxy server changes the source address of the traffic before sending it to the target
• When the information returns from the target, the proxy changes the address back to
the original source (now destination) address
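The address rewriting just described is a translation table: an outbound packet gets the proxy's own address and a fresh port as its source, and the reply is matched on that port and rewritten back to the original client. The following added example (written for these notes, not from the course) implements such a table, including the case the notes' description implies but does not spell out, an inbound packet for which no entry exists, which has no client to go to and is dropped. Addresses and ports are constructed from the documentation ranges.

```python
"""Added example (not from the notes): a port-address-translation table of the
kind a proxy/NAT device keeps. Outbound packets have their source rewritten to
the device's public address and a fresh port; replies are matched on that port
and rewritten back to the original client. Addresses are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40009):
        self.public_ip = public_ip
        self.free_ports = list(range(first_port, last_port + 1))
        self.outbound: dict[tuple[str, int], int] = {}   # (client ip, port) -> public port
        self.inbound: dict[int, tuple[str, int]] = {}    # public port -> (client ip, port)

    def translate_out(self, pkt: Pkt) -> Pkt:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            if not self.free_ports:
                raise RuntimeError("translation table exhausted")
            port = self.free_ports.pop(0)
            self.outbound[key] = port
            self.inbound[port] = key
        # Destination is untouched; only the origin is obscured.
        return Pkt(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Pkt) -> Optional[Pkt]:
        """Reverse the mapping for a reply. Unsolicited inbound traffic to a port
        with no entry has nowhere to go and is dropped (returns None)."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.inbound:
            return None
        client_ip, client_port = self.inbound[pkt.dst_port]
        return Pkt(pkt.src_ip, pkt.src_port, client_ip, client_port)

    def expire(self, client_ip: str, client_port: int) -> None:
        """Remove a finished session so its public port can be reused."""
        port = self.outbound.pop((client_ip, client_port), None)
        if port is not None:
            del self.inbound[port]
            self.free_ports.append(port)


def demo() -> dict:
    nat = NatTable("203.0.113.1")
    out1 = nat.translate_out(Pkt("192.168.1.10", 51515, "198.51.100.80", 443))
    # A second client using the same source port still gets its own public port.
    out2 = nat.translate_out(Pkt("192.168.1.11", 51515, "198.51.100.80", 443))
    reply = nat.translate_in(Pkt("198.51.100.80", 443, "203.0.113.1", out2.src_port))
    stray = nat.translate_in(Pkt("198.51.100.80", 443, "203.0.113.1", 40009))
    return {"out1": out1, "out2": out2, "reply": reply, "stray": stray}


if __name__ == "__main__":
    print(demo())
```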

Proxy Server Types

• Anonymous
o Client→Proxy Server→Internet
o Purpose is to hide client identity
• Reverse
o Internet→Proxy Server→Service
o Purpose is to hide the service being accessed
• Transparent
o Does not hide internal address
o Purpose is to cache information and reduce bandwidth
• SSL
o Purpose is to protect data as it moves from point A to B
• FTP (File Transfer Protocol)
o Uses proxy server to transfer files between client and server
• HTTP (Web traffic proxy)
o Most common type of proxy
o HTTPS includes SSL and HTTP
• SOCKS (Secure Sockets)
o Works on TCP/UDP, multiple ports, and more than one layer of the OSI model
o Custom built for the application being protected

Proxy Server Concerns:

• More security/control needed means more money, time, and power used

UTM and SIEM Devices

• Unified Threat Management (UTM)
o Multiple protective mechanisms from one product family
o Centralized management interface: see alerts and configure mechanisms
o Includes firewall, IDS, IPS, antivirus, DLP, and web proxies
• Security Information and Event Management System (SIEM)
o Aggregates important log data from various locations
▪ Standardizes the presentation of data
▪ Analyzes the data
▪ Alerts on specific items
o Processes data from systems in real time, detects events, and raises alerts
o New-generation SIEMs deploy preventative measures; can prevent zero-day
exploits
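The aggregate, standardize, analyze and alert steps listed above are the core of what a SIEM does, and the value of the "standardize" step only shows once two sources in different formats feed one rule. The following added example (written for these notes, not from the course) parses a syslog-style SSH log and a JSON web-application log into one event schema, then runs a single correlation rule across both: failed logins per source address inside a sliding time window. Both log formats, the hosts, the addresses and the threshold of four failures in five minutes are invented for the demo.

```python
"""Added example (not from the notes): the aggregate / standardize / analyze /
alert pipeline of a SIEM reduced to its core. Two constructed feeds in
different formats are normalized into one schema, then one correlation rule
counts auth failures per source address across both feeds."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)")

# Constructed inputs: the same address fails against SSH and the web portal.
SSH_LOG = [
    "2024-05-01T10:00:01 bastion sshd[711]: Failed password for root from 203.0.113.5 port 40012 ssh2",
    "2024-05-01T10:00:09 bastion sshd[711]: Failed password for admin from 203.0.113.5 port 40013 ssh2",
    "2024-05-01T10:00:40 bastion sshd[712]: Accepted password for alice from 10.0.0.8 port 50021 ssh2",
]
WEB_LOG = [
    '{"time": "2024-05-01T10:00:20", "app": "portal", "event": "login", "ok": false, "user": "bob", "client": "203.0.113.5"}',
    '{"time": "2024-05-01T10:00:31", "app": "portal", "event": "login", "ok": false, "user": "carol", "client": "203.0.113.5"}',
    '{"time": "2024-05-01T10:00:35", "app": "portal", "event": "login", "ok": true, "user": "alice", "client": "10.0.0.8"}',
    '{"time": "2024-05-01T10:45:00", "app": "portal", "event": "login", "ok": false, "user": "dave", "client": "198.51.100.2"}',
]


def normalize_syslog(line: str) -> Optional[dict]:
    """Standardize one sshd line into the common event schema (None if unparseable)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": m["host"], "category": "auth",
            "outcome": "success" if m["result"] == "Accepted" else "failure",
            "user": m["user"], "src_ip": m["ip"]}


def normalize_web(line: str) -> Optional[dict]:
    """Standardize one JSON web-app record into the same schema."""
    rec = json.loads(line)
    if rec.get("event") != "login":
        return None
    return {"ts": datetime.fromisoformat(rec["time"]), "source": rec["app"], "category": "auth",
            "outcome": "success" if rec["ok"] else "failure",
            "user": rec["user"], "src_ip": rec["client"]}


def aggregate() -> list[dict]:
    """Collect both feeds into one time-ordered event stream."""
    events = [e for e in map(normalize_syslog, SSH_LOG) if e]
    events += [e for e in map(normalize_web, WEB_LOG) if e]
    return sorted(events, key=lambda e: e["ts"])


def failed_login_alerts(events: list[dict], threshold: int = 4,
                        window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Alert once per src_ip whose auth failures inside `window` reach `threshold`."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["category"] != "auth" or ev["outcome"] != "failure":
            continue
        bucket = failures[ev["src_ip"]]
        bucket.append(ev["ts"])
        while bucket and ev["ts"] - bucket[0] > window:   # slide the window
            bucket.pop(0)
        if len(bucket) == threshold:
            sources = sorted({e["source"] for e in events if e["src_ip"] == ev["src_ip"]})
            alerts.append({"rule": "brute-force-auth", "src_ip": ev["src_ip"],
                           "count": len(bucket), "at": ev["ts"], "sources": sources})
    return alerts


if __name__ == "__main__":
    for alert in failed_login_alerts(aggregate()):
        print(alert)
```

Neither feed alone reaches the threshold here (two failures each); the alert exists only because the normalized events were correlated together.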

URL/Website Filtering

• Used to allow or block access to websites by comparing address to pre-defined list
o Whitelisting: allow access to websites
o Blacklisting: deny access to websites

Protocol Analyzer

• Used to analyze signals and data traffic over communications channel
• Record network information
• Decrypt network traffic with network key
• Troubleshoot network traffic issues
• Intelligence gathering

3.2 Data Management and Zoning

IT Data Model Overview

• Data at rest
o Data that is in a static location
o Examples include records in a filing cabinet or a credit card number in a database
o Data present for use, but not in current use
• Data in use
o Data actively used by a person or system process
o Examples include updating an HR record and credit card transaction processing
• Data in transit
o Data being moved from the at-rest position to the at-use position
▪ Examples: HR record in filing cabinet moved to user desk or credit card
info being read from database and processed by e-commerce system
▪ Think of money in an armored vehicle being transferred to an ATM

Types of Assets

• Organizational assets are anything that brings value to the organization
o Hardware, software, systems, facilities, or intellectual property like cloud-based
systems
o People are the most valuable asset

Data Protection Methods

• Data contains the most valuable information, so most security engineering is focused on
protecting it
• Protecting data at rest
o Requires controlling access to data
o Need-to-know and least privilege concepts
o Data backups, encryption, fault tolerance, etc.
• Protecting data in use
o Focuses on all parts of CIA triad
o Includes encryption, access control, and hashing
• Protecting data in transit
o Includes encryption, physical protection, and hashing

Network Segmentation Overview

• Segmentation is splitting networks into subnetworks, which creates zones of
control/trust
• The goal of segmentation is to control interaction between the zones
• Four main methods of network segmentation
o Router
▪ Layer 3 (Logical Addressing)
▪ Makes logical decisions from access control list (ACL) to allow/deny
traffic
• Implicit rule: rule that is already built in
• Explicit rule: specific rule that was written
▪ More advanced router: takes more time, money, and power
o Proxy Server
▪ Two network cards, multi-homed device
▪ One card communicates to one zone (corporate/home network) and
another to a different zone (Internet)
▪ Can also work for internal networks (database to standard network)
o DMZ
▪ Adds a layer of security between the Internet and the internal network
▪ A medium zone of trust where you can make decisions on its traffic
▪ Done in two ways
1. Redirection
▪ Internet tries to access database, but firewall
directs it to DMZ and returns traffic through DMZ
to Internet
2. Screened Subnet
▪ Internet goes through firewall to DMZ, then to
another firewall, then to internal network
▪ Two physical devices allow for more decisions
between zones of trust
o Virtual Local Area Network (VLAN)
▪ Any device on the network can communicate with other devices
▪ Segmentation done on switches and routers
▪ Only the switch ports that are tagged to the VLAN are on that network
▪ Router sends traffic out and brings it back to subnetwork under VLAN
▪ Router is also used for different VLANs to communicate between ports
▪ Requires careful and appropriate programming
▪ Zones of trust can be different VLANs
• Additional considerations for segmentation
o Incurs administrative overhead: each network segmentation must be
designed, validated and tested
o Incurs additional business costs
o Very dangerous: any mistake can shut down entire network
o Availability: most important concern is the system being up

Secure Intranet

• Private internal network used to share information services among personnel
• A typical system might include:
o HR system
o Company calendar
o Internal websites
o Internal workflow
o Management system
• Internal only and not available on the Internet

Intranet Security

• NOT immune from attacks
• Attacks are made by gaining a foothold in the internal private company network and
then exploiting other systems from there
• Prime targets are poorly patched and non-hardened devices
• Because intranets often contain critical data, they need extra protection
• Network segmentation is a way to provide layered defense around assets

IPSec
IPSec Overview

• Used by VPNs, which allow communication with a corporate network in a safe, secure manner
• IETF standard that encrypts everything at Layer 3 of the OSI model and above
• Uses an untrusted network to pass trusted communication
• Layer 2 Tunneling Protocol (L2TP) uses IPSec as security mechanism
• If digital certificates are used, IPSec provides non-repudiation
o User sends private key
o Company decrypts with public key

Main Goals of IPSec

• Confidentiality – uses encryption to keep data secret
• Integrity – uses hashing to make sure data is not altered in transit
• Authentication – verifies an identity claim before access is approved
• Replay Attack Protection – stores packet sequence numbers to track packets in
traffic, preventing replay attacks (including MiTM)

IPSec Configuration

• Two-phase Communication
o Phase 1 – secures the tunnel with encryption
o Phase 2 – passes traffic back and forth
• Modes: Tunnel and Transport
o Transport Mode
▪ User IP is never the same
▪ Uses digital certificates for encryption
▪ Preferable for allowing remote users to access an organization’s
resources
o Tunnel Mode
▪ Corporation A to corporation B
▪ Uses symmetric encryption (shared secret)
▪ Preferable for allowing two entities to access each other’s resources
securely
• Three Parts of IPSec
o Security Association
o Authentication Header
o Encapsulating Security Payload (ESP)

IPSec Protocols

• Authentication Header (AH) provides authentication by authenticating IP packets
o Provides data integrity through hash functions and shared secret key
o Can provide packet sequence number, which allows IPSec to guard against
replay attacks
o Frequently used in Transport mode
• Encapsulating Security Payload (ESP)
o Provides authenticity through source authentication
o Provides data integrity through hash functions
o Provides confidentiality through encryption
• Security Association (SA) defines how the configuration of the communication tunnel is
established and how it functions
o SA is critical to ensuring IPSec goals are met
o ESP encryption algorithm needs to be specified
o Use the latest security standards to meet the goals above
o Transport or tunnel mode
▪ Tunnel mode settings must match exactly, including the shared secret key
▪ Transport mode settings must be supported by the roaming VPN client for the
connection to be established
o SA includes
▪ IKE exchange type
▪ Encryption algorithm
▪ Hash algorithm
▪ Security lifetime
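The replay protection mentioned under "Main Goals of IPSec" and the AH sequence number above are the same mechanism: the receiver keeps, per Security Association, a sliding window over the 32-bit sequence numbers it has accepted. The following added example (written for these notes, not from the course) implements that window as a bitmap in the style of RFC 4303 Appendix A: a newer packet slides the window forward, an out-of-order packet inside the window is accepted once, and anything already seen or older than the window is rejected. The window size of 64 and the sequence values are constructed for the demo; a real receiver would only feed packets here after their integrity check has passed.

```python
"""Added example (not from the notes): the per-SA sliding anti-replay window an
IPSec receiver keeps for AH/ESP sequence numbers. Window size and the sequence
values in demo() are constructed for the demonstration."""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("window must hold at least 32 sequence numbers")
        self.size = size
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence (highest - i) has been seen

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'replay' or 'too-old'. The window is updated only
        for accepted packets; a caller must verify integrity first, otherwise
        forged sequence numbers could advance the window."""
        if seq == 0:
            return "replay"         # sequence number 0 is never valid on the wire
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0     # everything seen so far is now left of the window
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1        # bit 0 now represents `seq` itself
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too-old"        # left of the window: indistinguishable from a replay
        if self.bitmap & (1 << offset):
            return "replay"         # inside the window and already seen
        self.bitmap |= 1 << offset  # inside the window, first time: accept and remember
        return "accept"


def demo() -> list[tuple[int, str]]:
    """Feed a constructed arrival order: in-order, a duplicate, a jump ahead,
    late arrivals inside and outside the window, and a second jump."""
    w = AntiReplayWindow(size=64)
    trace = []
    for seq in [1, 2, 3, 3, 70, 10, 4, 69, 69, 7, 200, 150, 136, 137]:
        trace.append((seq, w.check_and_update(seq)))
    return trace


if __name__ == "__main__":
    for seq, verdict in demo():
        print(f"seq {seq:4d}: {verdict}")
```

With `highest` at 70 and a 64-wide window, sequence 7 (offset 63) is still inside and accepted, while 4 (offset 66) is not; that boundary is why the window size, like the SA lifetime, is a tunable the two ends must agree on.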

Transport and Tunnel Modes

Transport mode

• Only the payload of the IP packet is encrypted
• Leaves IP Header information intact so packets can be routed
• Mainly used for remote-access VPNs
• Many IP addresses connect, but the organization’s IP address remains the same
• Requires asymmetric cryptography via digital certificates
• After authentication, a randomly-generated shared secret key is exchanged using
Diffie-Hellman key exchange
• Switches to symmetric encryption for faster data transfer speeds
• Transport mode limitations:
o Requires both certificates and use of VPN clients
o Can only configure one SA for remote-access VPN

Tunnel mode

• Encrypts all information in IP header so no routing can take place
• Routing information is held in the Security Association (SA), not the IP header
• IPSec is the correct standard to make VPN tunnels work
• Tunnel mode Security Association (SA) includes:
o Packet routing information
o All information which is encrypted and sent via SA’s parameters
o Parameters of the tunnel, the Destination IP, and the Shared secret to enable
symmetric encryption
• Works without digital certificates
• Includes information on network hosts and subnets on each side
• Each packet carries a source and destination within the subnets defined in the SA
• Only packets destined for the remote hosts or networks will be encrypted and
passed through the VPN tunnel
• Tunnel mode limitations:
o Both parties must agree on shared secret symmetric key
o Both parties must be stationary
• Tunnel mode advantages:
o Allows individual SA parameters to be defined per tunnel

IPSec in Operations

What companies would need from each other:

• Company B Requirement:
o VPN established between A and B starts out and remains secure
• Information required to set up VPN in tunnel mode
o IKE Phase 1 Section which contains SA information
▪ Company A & B firewall IP addresses
▪ Shared secret symmetric key
▪ IKE encryption algorithm
▪ IKE hashing algorithm
▪ Diffie-Hellman key exchange group
▪ IKE main/aggressive mode
▪ IKE lifetime
o IPSec Phase 2 which contains AH and ESP information
▪ Company A & B network or host address
▪ ESP encryption algorithm
▪ ESP hashing algorithm
▪ IPSec tunnel lifetime
▪ Perfect forward secrecy group (or none)

3.4 VLAN / VPN

Virtual Networks

• VPN stands for Virtual Private Network
o Allows secure communication over untrusted networks
• VLAN is a security tool that allows network segmentation
o Creates zones of trust so fine-grained controls can be implemented
o Takes local area network and virtually separates it into zones of trust
• Switches, firewalls, wireless access points, and modern network equipment have
VLAN capabilities
• Adding VLANS incurs more maintenance overhead and complexity
• Security engineers work with network engineers to design and deploy the networks
o Security engineers design network to secure standards
o Network engineers deploy the network and are tasked with changes, modeling, and
testing

VLAN Security

• More granular access control can be employed to protect assets and contain less
secure assets
• Must be deployed carefully
• Can be employed in two separate manners
o Without routing
▪ Only devices on VLAN can communicate with each other
o With routing
▪ Has access control list (ACL) to provide granular access control
• VLANs should be hardened to prevent attacks
o Move all network traffic off VLAN 1 and change defaults
o Disable unused ports or assign them to black hole VLAN
o Control which ports are allowed to be used as trunk ports
o Assign specific MAC addresses to specific ports
o Block any traffic without MAC filtering
▪ Helps mitigate MAC flooding attacks
o Follow device manufacturer recommendations to harden the system for both
standard and VLAN usage
o Put management traffic on separate VLAN with routing to control who and
what systems can manage the device
• Testing is mandatory to ensure the availability of critical assets in an organization

Network Security

• Basic network security starts with device management
o Change default password
o Device control management
o Turn off unneeded protocols
o Harden network equipment
▪ Turn off unused ports
▪ Create static, assigned ports
o Implement physical security
▪ Remove console cables shipped with the devices

Personal VPN

• Personal and organizational purposes
• Anonymous browsing
o The IP address is hidden by VPN proxy
• Access home country network from remote location
o Funnels network traffic through home country
• Encryption
o No eavesdropping
• Protect both personal and browsing information
• Essential for overseas travel
o Especially for invasive countries

Personal VPN Setup

• Provider will give configuration instructions to set up personal VPN for individual
devices
o Home router should connect via VPN so entire home network is encrypted
• Potential add-ons for each device
o Install specific software
o Provide digital certificate
o Provide credentials to access
• Must learn how to toggle VPN

3.5 Securing Protocols

Secure Connection Protocols

File Transfer Protocol (FTP)

• Operates on TCP port 21 (control) and port 20 (data transfer)
• Works in either active or passive mode
• Active mode
o Client tells server to open random port so client can initiate transfer from port
20 to random port
• Passive mode
o Client picks a random port number and tells the server to listen on port 20; then the
client moves information to the server
• Everything is in plain text and not encrypted; insecure

Telnet

• Used to access remote consoles (firewalls, switches, routers, other networking
equipment)
• Also highly insecure because everything is transferred in plain text

Secure Shell (SSH)

• Several commands and utilities are bundled into it
• Runs on TCP port 22
• Encryption options like digital certificates are available
• Includes different utilities
o Secure File Transfer Protocol (SFTP)
▪ Everything goes across port 22 and is encrypted from the beginning
o SSH
▪ Uses variety of encryption algorithms
▪ Allows console work to occur on the actual device
▪ Supports hashing

Secure Transport Protocols

HTTP

• Most common Internet transport protocol
• Runs on TCP port 80
• Clients use a random port to connect to the common port
• Client requests information and server gives it (client-server model)
• Unsecure plain text going back and forth
• Uniform Resource Locator (URL) - web address for resource
o DNS lookup converts text to IP address
o IP address is actual resource location

Simple Mail Transfer Protocol (SMTP)
• Second most common Internet transport protocol
• Pushes e-mail around from clients or server
• Works on TCP port 25
• Servers listen on port 25, and whoever initiates picks a random port to talk to port 25

X.509 Digital Certificates (Public/Private Key Infrastructure, PKI)

• Built to allow secure communications on Internet
• User has a key to encrypt/decrypt and gives others keys to encrypt/decrypt

SSL/TLS

• Uses digital certificates to encrypt HTTP and SMTP traffic
• Uses asymmetric encryption (certificates) and symmetric encryption (shared secrets)
• Uses unique handshakes to establish connection between client and server
o Provides authentication and confidentiality
o Client talks to server requesting cipher suites and SSL/TLS Versions
o Server responds with cipher suite, SSL/TLS version, and the server’s certificate
including its public key
o Client validates the server certificate (PKI), uses the public key to encrypt the
pre-master key, and sends it to the server
o Server receives pre-master key: decrypts message using private key
o Client and server both use pre-master key to generate new shared secret key
o Client uses shared secret to create a symmetric encrypted message and
sends to server for validation along with message encryption going forward
o Server validates shared secret. Responds confirming validation. Uses shared
secret to encrypt future communication
o Both client and server use shared secret for data encryption the rest of the
session
• Handshake establishes:
o What cipher suite and encryption algorithm is going to be used for
confidentiality
o What hashing algorithm to use for integrity
o What version of SSL or TLS
o What shared secret
▪ Asymmetric encryption does not require a pre-shared key
▪ Symmetric encryption with shared secret is faster
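Both the IPSec transport-mode description earlier (authenticate, then a Diffie-Hellman exchange, then switch to symmetric encryption) and the SSL/TLS handshake above share one shape: public values cross the wire, each side derives the same shared secret, each proves it holds that secret, and only then does the faster symmetric channel carry data. The following added example (written for these notes, not from the course) models that shape with a Diffie-Hellman exchange over the standard library. The certificate validation step is not modelled; the prime 2**255 - 19 with generator 2 and the HMAC-SHA256 counter keystream are stand-ins chosen so the example runs without third-party packages, where a real deployment would use a standardized MODP or elliptic-curve group and a cipher such as AES-GCM.

```python
"""Added example (not from the notes): the key-agreement core shared by the
IPSec transport-mode flow and the SSL/TLS handshake. Each side keeps a private
value, exchanges only public values, derives the same session keys bound to the
handshake transcript, proves possession with a 'finished' message, then
switches to symmetric encrypt-then-MAC for the session.
Stand-ins: prime 2**255-19 / generator 2 (not a standardized DH group) and an
HMAC-counter keystream in place of a real cipher."""
import hashlib
import hmac
import secrets

P = 2**255 - 19   # demo prime field, not a standardized DH group
G = 2


def hkdf_like(shared: int, transcript: bytes, label: bytes) -> bytes:
    """Extract-then-expand a 32-byte key from the DH secret, bound to the transcript."""
    prk = hmac.new(transcript, shared.to_bytes(32, "big"), hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()


class Party:
    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1        # never leaves this object
        self.pub = pow(G, self.priv, P)                 # sent in the clear
        self.enc_key = self.mac_key = None
        self.counter = 0                                # per-message nonce

    def derive(self, peer_pub: int, transcript: bytes) -> None:
        if not 1 < peer_pub < P - 1:
            raise ValueError("rejecting degenerate public value")
        shared = pow(peer_pub, self.priv, P)
        self.enc_key = hkdf_like(shared, transcript, b"enc")
        self.mac_key = hkdf_like(shared, transcript, b"mac")

    def finished(self) -> bytes:
        """Proof of possession of the derived key; the peer recomputes and compares."""
        return hmac.new(self.mac_key, b"finished:" + self.name.encode(), hashlib.sha256).digest()

    def verify_finished(self, peer_name: str, tag: bytes) -> bool:
        expected = hmac.new(self.mac_key, b"finished:" + peer_name.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def _keystream(self, nonce: int, length: int) -> bytes:
        out, block = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce.to_bytes(8, "big") + block.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            block += 1
        return out[:length]

    def seal(self, plaintext: bytes) -> tuple[int, bytes, bytes]:
        """Symmetric encrypt-then-MAC; the counter makes every nonce unique."""
        nonce, self.counter = self.counter, self.counter + 1
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce.to_bytes(8, "big") + ct, hashlib.sha256).digest()
        return nonce, ct, tag

    def open(self, nonce: int, ct: bytes, tag: bytes) -> bytes:
        expected = hmac.new(self.mac_key, nonce.to_bytes(8, "big") + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed: message altered in transit")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


def handshake_and_exchange(message: bytes) -> dict:
    client, server = Party("client"), Party("server")
    # 1-2. Hellos: public values travel in the clear; hashing both into the
    #      transcript binds the derived keys to exactly this exchange.
    transcript = hashlib.sha256(client.pub.to_bytes(32, "big") + server.pub.to_bytes(32, "big")).digest()
    client.derive(server.pub, transcript)
    server.derive(client.pub, transcript)
    # 3-4. Each side validates the other's finished message before any data moves.
    ok = (server.verify_finished("client", client.finished())
          and client.verify_finished("server", server.finished()))
    # 5. The rest of the session uses the shared symmetric keys.
    nonce, ct, tag = client.seal(message)
    recovered = server.open(nonce, ct, tag)
    return {"handshake_ok": ok, "same_keys": client.enc_key == server.enc_key,
            "ciphertext_differs": ct != message, "recovered": recovered}


if __name__ == "__main__":
    print(handshake_and_exchange(b"GET /account HTTP/1.1"))
```

The `open` check is the integrity leg of the "what hashing algorithm to use" bullet: a single flipped ciphertext byte fails the MAC before any decryption result is trusted.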

Secure NTP

Network Time Protocol

• Synchronizes clocks between computer systems
• Works over packet-switched, variable-latency networks
• Uses UDP port 123
• Synchronizes all computers on the network with UTC
• Uses intersection algorithm to select accurate time servers
• Mitigates effects of variable network latency
• Critical for communications and keeping systems in sync
• How it works:
o Master time servers reach out to Internet atomic time clocks to stay
updated
o Every other system has to sync with the time server(s)
• Foundational protocol of computing systems
• Security concerns:
o Lack of encryption
o Lack of data transfer process integrity
• Immediate solutions available:
o NTP hierarchy, where only a fraction connect to Internet clocks
• Precautions
o Do not allow Internet devices access to internal network for NTP info
o Do not accept time sync messages from a server that is more than 1000
seconds off
▪ If one is received, the system should reject the message, log it, then raise an alert
o If a Kiss of Death packet is received, ensure the message has a valid origin
timestamp
▪ If a client talks too much to the NTP server, the NTP server gives the
client a slower poll time
▪ Attackers can spoof the source IP address sent to the client and send it
to someone else or a non-existent IP address
o Only enable broadcast NTP on internal network
o Force Internet-facing servers to sync with Internet time servers
• NTP v4
o Supports encryption, but it is unreliable and advised against
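The precautions listed above are client-side checks on every reply, and they can be shown on real 48-byte NTPv4 packets. The following added example (written for these notes, not from the course) builds constructed server replies and applies the checks in the order the notes imply: a reply whose origin timestamp does not echo the request the client actually sent is dropped (a spoofed reply cannot know that value), a Kiss-of-Death is honoured only after that check passes, and a computed offset beyond 1000 seconds is rejected, logged and raised as an alert. Packet contents and times are invented; the 1000-second limit is the notes' own value.

```python
"""Added example (not from the notes): client-side validation of NTPv4 replies.
Packets are built with struct in the standard 48-byte layout; times, the server
details and the scenarios in demo() are constructed for the demonstration."""
import struct

# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference id,
# then reference / origin / receive / transmit timestamps (64-bit, 32.32 fixed point).
NTP_FMT = "!BBBbIIIQQQQ"
MAX_OFFSET_SECONDS = 1000.0      # policy limit taken from the notes


def to_ntp_ts(seconds: float) -> int:
    return int(seconds * 2**32)


def from_ntp_ts(ts: int) -> float:
    return ts / 2**32


def build_reply(origin: int, recv_s: float, xmit_s: float,
                stratum: int = 2, refid: bytes = b"GPS\0") -> bytes:
    """Constructed server reply: mode 4, echoing `origin` as the origin timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 (server)
    return struct.pack(NTP_FMT, li_vn_mode, stratum, 6, -20, 0, 0,
                       int.from_bytes(refid, "big"), to_ntp_ts(recv_s), origin,
                       to_ntp_ts(recv_s), to_ntp_ts(xmit_s))


def evaluate_reply(reply: bytes, sent_ts: int, recv_local_s: float) -> dict:
    """Decide what to do with a reply to the request whose transmit timestamp
    was `sent_ts`; also return the log lines and alerts a client should emit."""
    fields = struct.unpack(NTP_FMT, reply)
    stratum, refid = fields[1], fields[6].to_bytes(4, "big")
    origin, t2, t3 = fields[8], fields[9], fields[10]
    log, alerts = [], []

    # 1. Origin check: a reply must echo the timestamp we transmitted.
    if origin != sent_ts:
        log.append("reply dropped: origin timestamp does not match our request")
        return {"action": "drop", "log": log, "alerts": alerts}

    # 2. Kiss-of-Death (stratum 0) is acted on only because step 1 passed.
    if stratum == 0:
        code = refid.decode("ascii", "replace")
        if code == "RATE":
            log.append("KoD RATE accepted (origin verified): backing off poll interval")
            return {"action": "backoff", "log": log, "alerts": alerts}
        log.append(f"KoD {code!r} ignored")
        return {"action": "drop", "log": log, "alerts": alerts}

    # 3. Offset sanity: standard NTP offset from the four timestamps.
    t1, t4 = from_ntp_ts(sent_ts), recv_local_s
    offset = ((from_ntp_ts(t2) - t1) + (from_ntp_ts(t3) - t4)) / 2
    if abs(offset) > MAX_OFFSET_SECONDS:
        log.append(f"reply rejected: offset {offset:.1f}s exceeds {MAX_OFFSET_SECONDS:.0f}s")
        alerts.append("time source offset exceeds policy limit")
        return {"action": "reject", "offset": offset, "log": log, "alerts": alerts}
    return {"action": "apply", "offset": offset, "log": log, "alerts": alerts}


def demo() -> dict:
    t1 = 3_900_000_000.0                   # client transmit time in NTP seconds (constructed)
    sent = to_ntp_ts(t1)
    t4 = t1 + 0.05                          # reply arrives 50 ms later by the local clock
    return {
        "good": evaluate_reply(build_reply(sent, t1 + 0.02, t1 + 0.03), sent, t4)["action"],
        "spoofed": evaluate_reply(build_reply(to_ntp_ts(t1 - 1), t1 + 0.02, t1 + 0.03), sent, t4)["action"],
        "kod": evaluate_reply(build_reply(sent, t1 + 0.02, t1 + 0.03, stratum=0, refid=b"RATE"), sent, t4)["action"],
        "spoofed_kod": evaluate_reply(build_reply(to_ntp_ts(t1 - 1), 0, 0, stratum=0, refid=b"RATE"), sent, t4)["action"],
        "big_offset": evaluate_reply(build_reply(sent, t1 + 5000.02, t1 + 5000.03), sent, t4),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result if isinstance(result, str) else result["action"], sep=": ")
```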

Secure LDAP

LDAP Directory Service

• Hierarchical database of objects, such as users, systems, networks, services, and
applications
• Each object in the database has classes and attributes that can be queried and
updated
o Example: user ID and password assigned to user object

Lightweight Directory Access Protocol (LDAP)

• Open, vendor neutral, industry standard protocol for accessing and maintaining
distributed directory information services over an IP network
o Defines how to store and retrieve data from directory
o Shapes how data within directory service is presented to users
o Defines requirements for components used to create data entries within a
directory service
o Outlines how primitive elements are used to compose entries
o Communicates through a series of uniform resource locators (URLs)
• Operates on TCP port 389
• Derived from X.500 standards
• LDAP is not encrypted
• Can be secured in two ways:
o LDAPS:// forces SSL/TLS to occur on non-standard port 636
o TLS port 443 forces SSL/TLS encryption over port 389
• Critical to encrypt ALL LDAP communications on unsecure networks

3.6 Architecture and Deployment Models

Cloud Capabilities

• Clouds are a collection of hardware, software, and networking that delivers a service
over the Internet
o Provide scalability, lower administrative overhead, and platform
standardization
• Four cloud service models
o Private
▪ Owned, managed and supported by a private entity
▪ Limitation: Organization at 100% exposure for security, availability, and
maintenance
o Public
▪ Owned, managed, and supported by a government or other public
entity
▪ Limitation: Does not offer granular control and logging that meet
specific system requirements
o Hybrid
▪ Hybrid of private and public cloud
▪ Limitation: Very complex, all parts must work together correctly
o Community
▪ Collaborative effort between organizations that share resources
• All cloud models have limitations that will affect your security program
• Infrastructure as a service (IaaS) gives option to use local or cloud based resources
when building systems

Virtualization Technology

• Virtualization: creation of a virtual resource such as a server, desktop, operating
system, file, storage, or network
o VMs are backbone of cloud systems
• Breaks the hardware down into smaller “virtual” pieces of hardware

Cloud Services

As a service (aaS)

• Software, infrastructure, platforming, network, and data science can be purchased from
the cloud as a service
• Buy building blocks for system, then assemble

Software as a Service (SaaS)

• Rent software from provider and use it for contract duration
• Extremely common (ex. Adobe Acrobat, electronic health records)
• Easy access, easy licensing structure
• Reliant entirely on Internet connection
o Needs proper security

Infrastructure as a Service (IaaS)

• Organization buys baseline hardware for own software implementation
• Suited for older legacy systems that might require specific hardware
• Provides more granular control to configure towards unique requirements
• Entire responsibility of data is on provider (ex. Amazon Web Services, Microsoft
Azure)

Platform as a Service (PaaS)

• Similar to IaaS (ex. Google App Engine, OpenShift)
• Vendor provides base OS and handles OS maintenance
• Licensing cost issued monthly by provider
• Organizations can acquire hardware and software faster with this model
• Must have security needs met by vendor

Network as a Service (NaaS)

• Create networks for various system communications (such as private VPNs)
• Can provide cell phone service with mobile virtual network operators (MVNO)
• MVNO receiving new traffic from old mobile legacy clients
o Only pay for what they use
• Limitations: Security controls like firewalls and DMZs not always allowed (ex.
Perimeter81)

DSaaS (Data Science as a Service)

• Outsources the concentration of information (“Big Data”) for corporate clients
o Uses advanced analytic applications
• Costly in-house data scientists can be replaced by DSaaS
• Data at rest, transit, and in use should all be protected

Cloud Deployment Models

Private Cloud

• Organization controls everything
o Owns hardware, software, data center, network, employees/process
• Because an organization has total control, they can customize the security to their
specific needs

Public Cloud

• Vendor controls everything (such as Google and G-Suite)
• No management overhead except for ensuring the service is available
• Security settings and logging turned over to the vendor

Hybrid Cloud
• Combination of public and private clouds
o Example: Office 365 (public) connected to on-premises Active Directory
(private)
• Mixture of where the assets are kept and maintained
• Security requirements could be harder to meet

Community Cloud

• Collaborative effort between organizations within a specific community
o Example: Non-profit organizations, public and scientific research
• Benefit: costs are shared
• Drawback: everyone must agree on how to run the cloud
• Security is complicated due to each organization’s access and needs
• Security goals and requirements must be agreed on and implemented by all parties
• Security requirements, goals, and objectives must be included in the requirements of
the Systems Development Life Cycle (SDLC)

3.7 Cloud Security Layers

Cloud Security Layers

• Risk management process
o Identify risks
o Apply risk treatment options
o Mitigate risk

Categories of Security Control

• Physical
o Physically designed to protect assets
o Lighting, door locks, security guards, alarm systems, CCTV, server rooms, fire
suppression systems etc.
o Anything that would deter, deny, detect, or delay attackers
o When private clouds provide Internet services, the organization is responsible for
providing the defense-in-depth
• Administrative
o Focus on personnel and business practices
o Consist of written documentation that governs how organization functions
▪ Policies, procedures, standards, guidelines, baselines, hiring practices,
data labeling etc.
o Directive and Deterrence type of controls
• Technical/Logical
o Consist of hardware and/or software mechanisms/technology
o Used to manage access, provide protection of resources, systems, and assets
▪ Passwords, encryption, IDS/IPS, SIEM, Firewalls, endpoint protection,
network segmentation, access control lists etc.
o Can prevent, detect, correct, deter, recover, and compensate to provide
defense in depth against attackers

Security Controls For Cloud Models

• Infrastructure as a Service (IaaS)
o Organization is responsible for everything but the hardware
o Organization needs to treat infrastructure assets as its own, since it is responsible for
everything
▪ Access policies, background checks, backup policies, processes, and
technology
▪ The amount of physical control is determined on a vendor-by-vendor
basis and by whether hardware is physically accessible by personnel
• Platform as a Service (PaaS)
o Organization is responsible for everything that runs on top of the vendor-
supplied OS
▪ Access policies, backup policies/technologies, background checks etc.
o Physical controls are determined by a vendor by vendor basis and if hardware
is physically accessible by personnel
• Software as a Service (SaaS)
o Organization is just consuming the software, no control of hardware
▪ Gmail and Office 365 are examples
o Access policies, acceptable use policies, email retention policies,
spam/phishing/filter setting adjustments etc. should be considered
o Physical security controls are almost never considered since the organization
has no access to hardware
o Physical security of devices accessing the software should be considered

Cloud Security

• Issues must be confronted in early stages of SDLC
• Public cloud providers limit security controls to consumers
• Most offer different levels of their services
o Security controls can be enabled at more expensive tiers (ex. Office 365
logging)
• Physical controls are typically employed by the cloud providers
• Changes in how security is applied to cloud providers rely on a good vendor
management program
o Review compliance documentation
o Hold them to account for not meeting contractual obligations
• Security professionals must be involved from the earliest stages of discussions about
moving resources into the cloud or purchasing new services from the cloud to ensure
security requirement controls are addressed in the beginning

Cloud Security Controls

Real world scenario objective

• Decide the optimal cloud model
• Address security control categories
• Look at critical asset controls

Scenario

• Start-up company ready to sell widget to public using e-commerce system
• Company uses commerce as a service instead of building or hosting anything
• You as a Security Professional
o Early stage
▪ Identify company PCI-DSS Compliance, various state legal
requirements for credit card information
▪ Backups, login requirements, monitoring requirements, incident
notification time frame, service level agreements
▪ Define specific policies, procedures, standards, guidelines, baselines
o Technical Controls
▪ Load Balancer, Cloud-Based Encryption Backups, Role-Based Access
Control (RBAC), Least Privilege for User Accounts, Network
Segmentation of Database
o Physical Controls
▪ Implement controls on devices with direct access
▪ Other controls for the system are provided in the annual SOC 2 Type 2
report
• Audited and reviewed including clarification questions and
responses to and from the cloud vendor
o Optimal outcome
▪ Involved from the beginning
▪ Security controls embedded in the process
o Frequent (Subpar) Outcome
▪ Might have to work from behind
▪ Period of uncertainty before implementation
