Cloud Security Tutorial | Cloud Security Fundamentals | What is Cloud Security | Edureka

Captions
Hey guys, this is Hemant from Edureka. Today in this session we'll be talking about cloud security. Without making any further ado, let's move on to today's agenda to understand what all will be covered in today's session. So we'll start off this session by discussing the why and what of cloud security. After that we'll be seeing how we can choose between a public, a private and a hybrid cloud. After that we'll see whether cloud security is really a concern among companies who are planning to make a move on the cloud. So once you have established that cloud security is really important, we'll see how secure you should make your application. After that we'll be looking into the process of troubleshooting a threat in the cloud. After that we'll be implementing that process in AWS. So guys, this is our agenda for today. Are we clear with it? Okay, I am getting confirmations, so Dinesh, Shivani, Jason, the bake has given me a confirmation.

Okay guys, since most of you are clear, let's move on to the first topic of today's session, that is, why cloud security is important. So let's take an example here and talk of three very popular companies: LinkedIn, Sony and iCloud. So LinkedIn in 2012 experienced a cyber attack wherein 6.5 million usernames and passwords were made public by the hackers. After that, Sony experienced the most aggressive cyber attack in history, wherein their highly confidential files, like their financials and their upcoming movie projects, were made public by the hackers, right? And this made a huge impact on the business front of Sony. iCloud, which is a service from Apple, also experienced a cyber attack wherein personal or private photos of users were made public by the hackers, right? So guys, now in all these three companies you can see there's a breach in security which needs to be addressed, right? So cloud security has to be addressed; it needs to be there in the cloud computing world.

So since now we've established that cloud security is really important, let's move on to understand what cloud security actually is. So what is cloud security? It is the use of latest technologies and techniques and programming to secure your application which is on the cloud, or the data which is hosted on the cloud, and the infrastructure which is associated with the cloud computing, right? And the other part of this is that whatever security techniques or whatever techniques or technology that you're using to secure your application should be updated as frequently as possible, because every day new threats are coming up, right? Every day there are new workarounds to problems, right? And you should be able to tackle these problems or these workarounds, and hence you should upgrade your security as frequently as possible, right?

Moving ahead, let's understand how we can choose between a public, a private and a hybrid cloud. So we have understood what cloud security actually is. Now let's talk in terms of security and understand how we can choose between a public, a private and a hybrid cloud. So if you were to choose between these three infrastructures, what should be our basis of judging which cloud we should choose, right?

So you would opt for a private cloud when you have highly confidential files that you want to store on the cloud platform, right? Now there are two stories, or there are two ways of thinking of a private infrastructure: you can either opt for private servers or private infrastructure on your own premises, or you can look up for servers, dedicated servers, by your cloud provider, right? So that all comes under the private infrastructure.

Then we have the public cloud infrastructure. In public cloud infrastructure you would basically use websites that are public facing. So say if you have a products page where you have an application which can be downloaded by the public, that can be hosted on the public cloud, because there is nothing that has to be secret over there, right? So things like websites, things like data that is not confidential and that you don't mind the public seeing, can be hosted on your public cloud.

The third infrastructure is the most important infrastructure, which is the hybrid infrastructure, and this is the setup that most companies go for, right? So what if there's a use case wherein you have private files or highly confidential files and a website as well, right? So if you have this kind of use case you might go for hybrid infrastructure, which is kind of the best of both worlds: you get the security or the comfort of the private infrastructure and the cost-effectiveness of the public cloud as well, right? So your hybrid cloud is basically, if you want your highly confidential files to be stored on your own premises and your website being hosted on your public cloud, this infrastructure would be hybrid cloud infrastructure.

So basically you will choose the private cloud if you have highly confidential files, you would choose a public cloud if you have files that are not that important or files that you don't mind people seeing, and you would choose a hybrid cloud infrastructure if you want the best of both worlds, right? So this addresses how we can choose between a public, private and hybrid cloud.

Moving on, let's understand whether cloud security is really a concern. So we have discussed why cloud security is important, we have discussed what is cloud security, right? Now let's talk about whether this really makes sense, right? So if we say that cloud security is really important and there is no one who is actually thinking about it, there is no point, right? So let's see if companies who are making a move to the cloud actually think about cloud security. So here is a Gartner research on companies who are making a plan to move to the cloud or who have not moved to the cloud yet, right? So what are their concerns, why are they not doing so? So the topmost reason listed by these companies was security and privacy concerns, right? So as you can see, these companies who want to make a move to the cloud are also worried about the security on the cloud infrastructure, and this makes it clear that cloud security is actually very important, right?

Now we've understood that cloud security is very important, we have understood that companies who are looking for cloud security are actually following the practices for cloud security, but now how secure should you make your application, right? What is the extent to which you should make an application secure? So let us start with this line. So it is said that cloud security is a mixture of art and science, right? Why? Let's see that. So it's a science because obviously you have to come up with new technologies and new techniques to protect your data, to protect your application, right? So it's a science because you have to be prepared with the technical part. But it is art as well. Why? Because you should create your techniques, or you should create your technologies, in such a way that your user experience is not hindered.

Let me give you guys an example. Suppose you make an application, right, and for making it secure you think, okay, after every three or four minutes I'll ask the user for a password, right? From a security point of view it seems okay, but from the user's point of view it is actually hindering his user experience, right? So you should have that artist in you, that you should understand when to stop or till where should we extend your security techniques, and also you should be creative as to what security techniques can be implemented so that the user experience is not hindered. For example, there is a two-step authentication; you get that when you're logging into your Gmail account, right? So if you know your password, that is not enough; you should have an OTP as well to log into your Gmail account, right? So this might be hindering the user experience to some extent, but it is making your application secure as well, right? So you should have a balance between your science and the art part that you are applying on cloud security.

Moving on, let's now discuss the process of troubleshooting a threat in the cloud. So let's take an example here. So like you're using Facebook, right, and you get a random message from some person saying there is some kind of story, like you usually get that really while you're using Facebook, right, that such and such thing happened and click here to know more, right? You get that similar kind of message here and by mistake you actually click on that link. You didn't know that it's spam and you click on that link. Now what happens is all the users that are there, or all your friends on the Facebook chat, get that message, right, and they get furious as to why this kind of spam message is there in their inbox, right? And you get scared, now you get angry as well, and you have to bring your frustration out on Facebook. So you contact Facebook and you get to know that they already know the problem and they're already working on it and they're near to their solution. Now how did they come to know that there is this kind of problem and it needs to be solved, right?

So basically cloud security is done in three stages, so the identification process, or the threat identification process, is done in three stages. The first stage is monitoring data. So you have algorithms which know what a normal system behavior is, and any deviation from this normal system behavior creates an alarm, and this alarm is then monitored by the cloud experts or the cloud security experts sitting over there, and there's a threat, they see there's a threat, they go to the next step, which is gaining visibility, right? So you should understand what caused that problem, right, or who caused that problem precisely. So your cloud security experts look for tools which give them the ability to look into the data and find or pinpoint that statement or pinpoint that event which caused the problem, right? So that is done using the gaining visibility stage. And once we have established, okay, so this is the problem, then comes stage 3, which is managing access. So what this basically will do is it will give you a list of users; in case we are tracking the who, it will give you a list of users who have access, and we will pinpoint the user who did that, right, and that user can be wiped out of the fit system using the managing access stage, right? So these are the stages which are involved in cloud security.

Now if you want to implement these stages in AWS, how would we do that? Let's see that. So the first stage was monitoring data, right? So if you have an application in AWS and you are experiencing this same kind of thing, what will you do for monitoring data? So you have a service in AWS called AWS CloudWatch. Now what is AWS CloudWatch? So basically it's a cloud monitoring tool, so you can monitor your EC2 and your other AWS resources on CloudWatch. How can you monitor them? You can monitor the network in and network out of your resource, and you can also monitor the traffic which is coming on to your instance, right? Now you can also create alarms on your CloudWatch, so if there's a deviation from normal system behavior, like I said, it will create an alarm for you, it will escalate the event and alert you about that thing so that you can go around and see what that problem actually is, right? So this is cloud the monitoring tool, right? So this was about AWS CloudWatch.

Let me give you a quick demo of how AWS CloudWatch actually looks like. Okay, so this is your AWS dashboard. So now for accessing CloudWatch you can go under the management tools; here is CloudWatch. You will click on CloudWatch. Now over here you can monitor anything, right? I will go to metrics, and you can see there are three metrics over there: you can monitor your EBS, you can monitor your EC2, you can monitor your S3, right? Now suppose I want to monitor my EC2. So as you can see, I have two instances running in my EC2; one is called for batch instance and the other is called WPS instance, right? Now these are all the metrics which are there, so I can check metrics for my WPS instance for network in, I can check the disk read ops. So let me select the network out metric and there will be a graph over here. So I can see this graph, and as you can see, between 6:00 o'clock and 6:30 I experienced a surge in my traffic, right? So basically this is how you monitor your instance in CloudWatch, and you have all these default metrics to check how your instance is doing and yard it applies, all right? So this is what CloudWatch is.

You can also set alarms here, right? So if you go to alarms, click on create alarm, I will go to EC2, and you can select your metric from over here. Now let's select the disk read bytes over here. Now once I do that, it will ask me if there is a time range for which I want to monitor that instance, right? Okay, let's not set any time range, let's click on next. So when you click next you will be prompted with this page. So you can set your alarm name, you can set your alarm description here, and then you can specify for what read/write number you should get this alarm for, right? So you will be setting that over here. After that it will go to actions. So once an alarm is triggered, where should that alarm go, who should that alarm go to, right? So you can set it over here. Now whenever the state is alarm, right, what should we do? So when the state is alarm you can send your notification to your SNS topic.

Now what is this SNS? So basically it's a notification service. We'll be discussing what SNS is in the next session, don't worry if you don't understand. Basically for now what you can understand is that SNS is a protocol wherein you set, if you get a notification, what to do with that notification and whom to send that notification to, right? So there is a topic called notify me in SNS. So in notify me I have configured an email address, that is my email address, so that whenever a notification comes to the SNS service, or the notify me topic to be precise, it sends an email to me, right, with that message. So I'll get a message with this alarm that such-and-such thing has happened in CloudWatch, now you do whatever is required.

The other thing that you can do over here is, in the same SNS topic you can also configure a Lambda function to be executed, right? Now what will that Lambda function do? So say suppose I configure the metric to be of CPU usage, right, and I say whenever the 40 percent metric is crossed, create an alarm, or like go to an alarm state, and it notifies the SNS notify me topic about this. In the notify me topic I can configure a Lambda function to clear all the background processes in that EC2 instance, right? So if I do that, the CPU usage will automatically come down, right? So this becomes a use case that you want to launch a Lambda function whenever your CPU usage goes beyond 40 percent, right, and hence this is the way you will do it. So this is about CloudWatch; there is nothing much to it. You create alarms and you monitor metrics, right?

Moving ahead, let's move on to the second process, which is gaining visibility. So for gaining visibility, basically you have to track whatever activity is happening in your AWS account. So there is a service in AWS called CloudTrail, right? So the CloudTrail service is basically a logging service wherein each and every log of each and every API call is made. Now how is it useful? Let us talk about the security perspective, right? So your hacker got access to your system, so you should know how he got access to your system. So if you have a time frame, say he got access to your system or you started to face a problem say around four o'clock, right, so you can set the time between two o'clock and whatever the time is right now and monitor what all has been going around, and hence you can identify the place where that hacker got access to your system, right? Now this is the part where you get to know who that person actually is, or you can isolate the problem which caused that. So if you take a cue from our Facebook example over here, you can actually pinpoint who is responsible for those spam messages, because you will have those logs, right? You see the origin of those messages. Now once you've done that, the next step is managing this guy out of the system, or wiping this guy out of the system.

But before that, let me show you guys how CloudTrail actually looks like. So let's go back to our AWS dashboard and go to our CloudTrail service. So again, under management tools you have the CloudTrail service. You click on the CloudTrail service and you will reach this dashboard, all right? So here you have the logs. So as you can see, you can set the time range here, but I'm not doing that, I'm just showing you the logs. So even for logging into my console, it is showing me that I've logged into my console at this time on this date, right? So every event is logged, guys; every event that is happening on your AWS console is being logged. So let's talk about the S3 bucket. So somebody deleted a bucket and that has again been logged, right? So it happened at 7:30 8:00 p.m. on 28th of March 2017, right? So any activity, any kind of activity which happens in AWS would be logged here. Okay guys, so this was about CloudTrail. Let's go back to our slide and move ahead and create session.

So like I said, now you've identified who is responsible for your problem, right? So now the next step is managing access, right? So now you should be able to throw that person or remove that person from the system. So most of the times what happens is, like if you take our Facebook use case, basically there was a user who triggered that problem, right? So the two things that you have to do are: first of all you have to remove that spam from the system, so you have got to know where it originated, so now you start wiping it; after that you have to debar that user from doing it again, right? So from the source you get to know who that user is. Now using managing access you will actually get access to do all that, all right?

So if you talk about AWS, this service is called AWS IAM. So what AWS IAM does is it basically authenticates that particular service. Now you are the root user, right, so you can do anything, but what if you have employees, and obviously all employees will not have all the rights, right? Now what if you want to give granular permissions to your employees? Now like in our example, what if one specific employee is capable to track down this problem, right, or track down what has to be done? So you can give that particular person that right. How? Using IAM, right? So IAM is used to provide granular permissions. It actually secures your access to these zero instances by giving you a private file, and also it is free to use, right?

So let's see how IAM is used. So let me go back to my AWS console. Okay, so this is my AWS dashboard. I'll go to the security, identity and compliance domain and then click on IAM, right? Now over here I'll click on roles. Now I can see all the roles which are there in my IAM, right? So since I would have identified which role is creating a problem, I'll go to that role. So for example, I have a problem in say the AWS Elastic Beanstalk EC2 role, right? I click on this. Now once I click, I will be getting this screen. So now I can see the permissions, trust relationships, access advisor and the revoke sessions, right? So I go to revoke sessions and I click on revoke active sessions, and hence I'll be able to wipe out that user from accessing my AWS resources, right? So this is how you use IAM, guys.

And now one more thing that you can do over here is, you go back to your dashboard, go to roles. Now like I told you guys, you can actually create a role for a person who'd be able to access restricted things on your AWS account, right? So let me quickly show you how you can do that. So you will click on create new role and you'll give your role some name, so let's give it hello over here, right? Click on next step, go to role for identity provider access, right, and now you can select how that user of yours will be accessing your AWS account, right? So allow users from Amazon Cognito, Amazon, Facebook, Google ID, all right? So let's select this. Now let us select Facebook and let's give it some random application ID, right? So anyway I'm not going to create this role, I'm just telling you guys how to do it, right? So basically you get your application ID by Facebook over there; since you are using Facebook to authenticate that guy to your AWS account, you'll get an application ID by going on to graph at facebook.com/, you can do all of that over there. Okay, so that is not the concern. You will enter the application ID and click on next step, right?

So you get the policy document. So whatever you configured in your text boxes has actually been created in a JSON file, right? So you don't have to edit anything over here. Click on next step. Now you have to attach a policy. Now what is the policy? So policy is basically what all permissions you want to grant that user, right? So if you want to grant them the execution role for Lambda you can do that, you can grant them the S3 execution role, right? So whatever policy that you create, you can actually create a policy in your IAM, right? I'm not going much into the details of this because all of this is covered in your IAM, but I'm showing you guys because, as I just told you guys how this can be done, so let me show you how it can be done, right? So you'll select whatever policy you want and click on next step and review it and create that role. This is it guys, right? So you can actually select a policy, whatever policy you want that role to have, and hence, so policy is basically a permission that you want that role to have. So if you give the permission to just review your instances, he'll be only able to review your instances.

Okay, one more thing I want to make clear is that you don't have to give your security credentials to that guy anymore, because now you will be specifying that user, okay, will be able to connect to Facebook. Okay, so also you have a part here wherein you can specify what specific user can access it, right? So I can type in my name here, and if I'm being logged in through Facebook, if my username is Hemant Sharma, only then I'll be able to connect to my AWS account, right? Now this is ID, right? I can also set the locale parameter, right? So ID I think is fine, wherein you will be adding the ID of the guy whom you want this AWS account to be accessed by, right? So you all have Facebook IDs, right? So you all have to just punch in your Facebook IDs over here, click on next step, and then you will be able to access this AWS account if I create this role right now, with the policies that I will be attaching to your role, right? So this is how you use IAM, guys.

Let us go back to our session. Okay, so these are the three services guys, so you have IAM, you have CloudTrail and you have CloudWatch, using which you can control, or you can actually see, what is going on in your AWS account, all right?

So guys, this brings us to the end of our session. Anything that you're not clear of, you can ask me right now. Okay, so after T is clear, so is Jason, Shivani is clear, spell the big, Matthew. Okay guys, so since most of you are giving me a go, let me wrap up today's session. So thank you for attending this session guys, I hope you learned something new today. I have attached the assignments in your LMS and I expect you guys to complete your assignments by the next session. Also the practicals that we have done today, I want you to try them on your own. I didn't execute them to the fullest, that was because of the shortage of time, but you do that, right? If you have any problems you can contact the support team, right? They're always at your disposal 24/7. All right guys, so see you in the next session. Thank you for attending today's session. Goodbye.

I hope you enjoyed listening to this video. Please be kind enough to like it, and you can comment any of your doubts and queries and we will reply to them at the earliest. Do look out for more videos in our playlist and subscribe to our Edureka channel to learn more. Happy learning.
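
The "gaining visibility" and "managing access" stages from the session, as an added example that is not part of the video or the presenter's demo: it filters CloudTrail-style records by a time window to find who deleted a bucket, then builds a deny policy keyed on `aws:TokenIssueTime`, the kind of policy that revoking a role's active sessions relies on. The records, role name, account ID and function names are constructed for the example.

```python
import json
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
ACCT = "111122223333"  # placeholder account ID

# Constructed identities (hypothetical names) in CloudTrail's userIdentity shape.
ADMIN = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/example-admin"}
APP_ROLE = {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCT}:assumed-role/ExampleAppRole/session-1",
            "sessionContext": {"sessionIssuer": {"userName": "ExampleAppRole"}}}

# Constructed sample records; field names follow the CloudTrail record format.
SAMPLE_EVENTS = [
    {"eventTime": "2017-03-28T13:05:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ADMIN},
    {"eventTime": "2017-03-28T16:02:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.25",
     "requestParameters": {"bucketName": "example-reports"},
     "userIdentity": APP_ROLE},
    {"eventTime": "2017-03-28T14:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.25",
     "userIdentity": APP_ROLE},
    {"eventTime": "2017-03-28T16:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ADMIN},
]

def parse_time(ts):
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)

def events_in_window(events, start, end, names):
    """Stage 2: records inside [start, end] whose eventName is of interest."""
    hits = [e for e in events
            if start <= parse_time(e["eventTime"]) <= end and e["eventName"] in names]
    return sorted(hits, key=lambda e: e["eventTime"])

def actor(event):
    """Return (identity type, caller ARN, role name or None) for an event."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return ident.get("type"), ident.get("arn"), issuer.get("userName")

def revoke_older_sessions_policy(cutoff):
    """Stage 3: deny everything to sessions whose token was issued before cutoff."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"DateLessThan": {
                               "aws:TokenIssueTime": cutoff.strftime(FMT)}}}]}

def session_denied(policy, token_issued_at):
    """Evaluate only the DateLessThan condition of the policy above."""
    cond = policy["Statement"][0]["Condition"]["DateLessThan"]
    return token_issued_at < parse_time(cond["aws:TokenIssueTime"])

def investigate(events, start, end, names, now):
    """Pinpoint callers of the named events and propose a revocation per role."""
    findings = []
    for e in events_in_window(events, start, end, names):
        _, arn, role = actor(e)
        findings.append({"time": e["eventTime"], "event": e["eventName"],
                         "caller": arn, "ip": e.get("sourceIPAddress"), "role": role,
                         "policy": revoke_older_sessions_policy(now) if role else None})
    return findings

if __name__ == "__main__":
    start, end = parse_time("2017-03-28T14:00:00Z"), parse_time("2017-03-28T18:00:00Z")
    print(json.dumps(investigate(SAMPLE_EVENTS, start, end, {"DeleteBucket"}, end), indent=2))
```

A session issued after the cutoff is not denied by this policy, so revoking sessions only buys time: the role's permissions or trust policy still have to be corrected.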
Info
Channel: edureka!
Views: 127,266
Keywords: yt:cc=on, cloud security, cloud security tutorial, cloud computing security, cloud security fundamentals, cloud security architecture, cloud security training, cloud security challenges, cloud security project, cloud based security, aws cloud security, aws security, aws tutorial, aws training, aws certification, aws edureka, edureka, what is cloud security, cloud security certification
Id: 0lw4KU5wHsk
Length: 26min 5sec (1565 seconds)
Published: Fri Apr 07 2017