WEBVTT

1
00:00:00.270 --> 00:00:01.950
In this section of the course,

2
00:00:01.950 --> 00:00:04.920
we are going to discuss cloud security.

3
00:00:04.920 --> 00:00:06.330
The cloud security section

4
00:00:06.330 --> 00:00:10.530
of the course focuses on Domain 2: Security Architecture,

5
00:00:10.530 --> 00:00:13.950
specifically objective 2.5, which states

6
00:00:13.950 --> 00:00:16.590
that given a scenario, you must be able

7
00:00:16.590 --> 00:00:19.170
to securely implement cloud capabilities

8
00:00:19.170 --> 00:00:21.120
in an enterprise environment.

9
00:00:21.120 --> 00:00:24.270
Securing cloud environments requires a comprehensive

10
00:00:24.270 --> 00:00:28.110
approach that addresses the challenges of implementation,

11
00:00:28.110 --> 00:00:30.900
ongoing management, and seamless integration

12
00:00:30.900 --> 00:00:33.150
between various cloud services

13
00:00:33.150 --> 00:00:37.140
to protect sensitive data and maintain system integrity.

14
00:00:37.140 --> 00:00:40.320
Additionally, security must be prioritized throughout

15
00:00:40.320 --> 00:00:42.450
the development and deployment process

16
00:00:42.450 --> 00:00:45.660
with careful attention to emerging technologies

17
00:00:45.660 --> 00:00:47.160
and best practices.

18
00:00:47.160 --> 00:00:50.610
By embedding strong security measures at every stage,

19
00:00:50.610 --> 00:00:53.910
organizations can build a resilient cloud infrastructure

20
00:00:53.910 --> 00:00:56.220
that effectively supports their needs.

21
00:00:56.220 --> 00:00:57.990
As we go through this section,

22
00:00:57.990 --> 00:01:01.320
we will cover many topics related to cloud security,

23
00:01:01.320 --> 00:01:05.370
including cloud implementation, cloud management,

24
00:01:05.370 --> 00:01:09.630
connectivity and integration, cloud security considerations,

25
00:01:09.630 --> 00:01:12.600
application programming interface security,

26
00:01:12.600 --> 00:01:14.730
Cloud Access Security Broker,

27
00:01:14.730 --> 00:01:17.820
development and deployment, continuous integration,

28
00:01:17.820 --> 00:01:21.270
continuous deployment pipeline, container management,

29
00:01:21.270 --> 00:01:23.370
and serverless computing.

30
00:01:23.370 --> 00:01:26.610
First, we will look at cloud implementation.

31
00:01:26.610 --> 00:01:29.760
Cloud implementation is the process of deploying

32
00:01:29.760 --> 00:01:32.040
and configuring cloud services

33
00:01:32.040 --> 00:01:35.130
with security measures in place to protect data

34
00:01:35.130 --> 00:01:36.720
and ensure compliance.

35
00:01:36.720 --> 00:01:40.469
Cloud implementation concepts include cloud service adoption

36
00:01:40.469 --> 00:01:43.380
and the use of preventive, detective,

37
00:01:43.380 --> 00:01:46.080
and proactive cloud control strategies.

38
00:01:46.080 --> 00:01:49.980
Cloud service adoption involves integrating cloud platforms

39
00:01:49.980 --> 00:01:54.210
and services into an organization's existing infrastructure.

40
00:01:54.210 --> 00:01:58.590
Next, cloud control strategies include preventative controls,

41
00:01:58.590 --> 00:02:01.140
which are designed to stop security incidents

42
00:02:01.140 --> 00:02:02.790
before they occur;

43
00:02:02.790 --> 00:02:05.700
detective controls, which monitor systems

44
00:02:05.700 --> 00:02:07.590
to detect security breaches;

45
00:02:07.590 --> 00:02:09.210
and proactive controls,

46
00:02:09.210 --> 00:02:12.600
which anticipate potential security threats and address them

47
00:02:12.600 --> 00:02:14.250
before they appear.

48
00:02:14.250 --> 00:02:18.570
For example, an organization adopting a new cloud service

49
00:02:18.570 --> 00:02:22.110
might implement encryption as a preventative control,

50
00:02:22.110 --> 00:02:25.890
use real-time monitoring tools to detect unauthorized access

51
00:02:25.890 --> 00:02:27.630
as a detective control

52
00:02:27.630 --> 00:02:30.780
and conduct regular security assessments to identify

53
00:02:30.780 --> 00:02:34.830
and mitigate emerging threats as a proactive control.

54
00:02:34.830 --> 00:02:37.620
Next, we will explore cloud management.

55
00:02:37.620 --> 00:02:41.280
Cloud management is overseeing and securing cloud resources

56
00:02:41.280 --> 00:02:44.250
and services while ensuring that cloud provider

57
00:02:44.250 --> 00:02:47.310
and customer responsibilities are clearly defined

58
00:02:47.310 --> 00:02:49.320
and properly executed.

59
00:02:49.320 --> 00:02:53.040
Cloud management concepts include the shared responsibility

60
00:02:53.040 --> 00:02:56.040
model as well as the management of encryption keys

61
00:02:56.040 --> 00:02:58.680
and licenses, both in cloud

62
00:02:58.680 --> 00:03:01.170
and customer managed environments.

63
00:03:01.170 --> 00:03:04.230
The shared responsibility model outlines the division

64
00:03:04.230 --> 00:03:06.060
of security responsibilities

65
00:03:06.060 --> 00:03:09.450
between the cloud service provider and the customer.

66
00:03:09.450 --> 00:03:11.910
The cloud service provider typically handles

67
00:03:11.910 --> 00:03:15.450
the infrastructure and physical security of the cloud,

68
00:03:15.450 --> 00:03:18.750
and the customer handles the responsibility in the cloud.

69
00:03:18.750 --> 00:03:20.910
This means the customer takes actions

70
00:03:20.910 --> 00:03:24.810
to secure data, applications, and access controls.

71
00:03:24.810 --> 00:03:27.420
This distinction of responsibilities extends

72
00:03:27.420 --> 00:03:30.210
to cloud managed and customer managed actions,

73
00:03:30.210 --> 00:03:34.170
such as securing encryption keys and monitoring licenses.

74
00:03:34.170 --> 00:03:37.680
In some cases, the cloud provider manages these elements,

75
00:03:37.680 --> 00:03:39.990
while in others the customer does.

76
00:03:39.990 --> 00:03:43.530
Negotiating clear lines of responsibility is critical.

77
00:03:43.530 --> 00:03:46.560
For example, while a cloud provider may secure

78
00:03:46.560 --> 00:03:49.740
the underlying infrastructure, the customer may manage

79
00:03:49.740 --> 00:03:51.750
and safeguard their own encryption keys

80
00:03:51.750 --> 00:03:55.118
and licenses, ensuring that sensitive data remains protected

81
00:03:55.118 --> 00:03:58.020
in the shared cloud environment.

82
00:03:58.020 --> 00:04:01.620
After that, we will look at connectivity and integration.

83
00:04:01.620 --> 00:04:04.140
Connectivity and integration ensures secure

84
00:04:04.140 --> 00:04:07.260
and seamless connections between customer systems

85
00:04:07.260 --> 00:04:08.940
and cloud services.

86
00:04:08.940 --> 00:04:12.300
Connectivity and integration concepts include customer

87
00:04:12.300 --> 00:04:15.750
to cloud connectivity, cloud service integration,

88
00:04:15.750 --> 00:04:18.030
and shadow IT detection.

89
00:04:18.030 --> 00:04:20.580
Customer-to-cloud connectivity refers

90
00:04:20.580 --> 00:04:22.650
to the secure connection established

91
00:04:22.650 --> 00:04:25.890
between a customer's network and the cloud provider.

92
00:04:25.890 --> 00:04:29.340
This connection is crucial for protecting data in transit

93
00:04:29.340 --> 00:04:32.550
and maintaining a trusted communication channel.

94
00:04:32.550 --> 00:04:36.450
Next, cloud service integration involves securely linking

95
00:04:36.450 --> 00:04:39.840
different cloud services and platforms to work together.

96
00:04:39.840 --> 00:04:42.960
This integration ensures that data flows securely

97
00:04:42.960 --> 00:04:45.124
and efficiently across environments without

98
00:04:45.124 --> 00:04:47.250
introducing vulnerabilities.

99
00:04:47.250 --> 00:04:51.660
Finally, shadow IT detection is the process of identifying

100
00:04:51.660 --> 00:04:54.540
and managing unauthorized cloud services

101
00:04:54.540 --> 00:04:57.450
or applications that employees may install

102
00:04:57.450 --> 00:05:00.300
and use without the IT team's knowledge.

103
00:05:00.300 --> 00:05:03.420
Shadow IT can pose significant security risks

104
00:05:03.420 --> 00:05:06.180
if not properly identified and controlled.

105
00:05:06.180 --> 00:05:08.130
Bringing all of these concepts together,

106
00:05:08.130 --> 00:05:11.940
a company might establish a secure Virtual Private Network

107
00:05:11.940 --> 00:05:14.130
for customer-to-cloud connectivity,

108
00:05:14.130 --> 00:05:16.140
integrate multiple cloud services

109
00:05:16.140 --> 00:05:19.020
through secure Application Programming Interfaces,

110
00:05:19.020 --> 00:05:21.450
and use monitoring tools to detect

111
00:05:21.450 --> 00:05:24.240
and manage any unauthorized cloud services

112
00:05:24.240 --> 00:05:26.610
to identify shadow IT.

113
00:05:26.610 --> 00:05:30.630
Next, we will explore cloud security considerations.

114
00:05:30.630 --> 00:05:34.260
Cloud security considerations involve addressing potential

115
00:05:34.260 --> 00:05:36.930
risks and vulnerabilities to protect data

116
00:05:36.930 --> 00:05:39.870
and resources within cloud environments.

117
00:05:39.870 --> 00:05:43.680
Cloud security considerations include unsecured storage

118
00:05:43.680 --> 00:05:48.680
resources, data exposure, data leakage, and data remnants.

119
00:05:48.720 --> 00:05:51.647
Unsecured storage resources refer to cloud storage

120
00:05:51.647 --> 00:05:54.840
that lacks proper security configurations,

121
00:05:54.840 --> 00:05:57.930
such as encryption or access controls.

122
00:05:57.930 --> 00:06:01.470
Data exposure occurs when sensitive information is

123
00:06:01.470 --> 00:06:05.040
unintentionally made accessible to unauthorized users.

124
00:06:05.040 --> 00:06:07.410
It is often due to misconfigurations

125
00:06:07.410 --> 00:06:09.720
or inadequate security measures.

126
00:06:09.720 --> 00:06:12.720
Data leakage refers to the unauthorized transmission

127
00:06:12.720 --> 00:06:15.450
of data from within the cloud environment

128
00:06:15.450 --> 00:06:17.730
to external parties, which can happen

129
00:06:17.730 --> 00:06:21.090
through insecure channels or compromised accounts.

130
00:06:21.090 --> 00:06:23.400
Data remnants are the residual data

131
00:06:23.400 --> 00:06:26.580
that remains on storage devices after deletion,

132
00:06:26.580 --> 00:06:28.590
which can be maliciously recovered

133
00:06:28.590 --> 00:06:30.720
if not properly sanitized.

134
00:06:30.720 --> 00:06:33.870
Following that, we will look at Application Programming

135
00:06:33.870 --> 00:06:36.660
Interface or API security.

136
00:06:36.660 --> 00:06:39.270
Application Programming Interface Security

137
00:06:39.270 --> 00:06:42.270
protects Application Programming Interfaces

138
00:06:42.270 --> 00:06:46.050
from unauthorized access, misuse, and attacks

139
00:06:46.050 --> 00:06:48.030
to ensure secure interactions

140
00:06:48.030 --> 00:06:50.820
between applications and cloud services.

141
00:06:50.820 --> 00:06:53.910
Application Programming Interface Security concepts

142
00:06:53.910 --> 00:06:57.810
include authorization, rate limiting, and logging.

143
00:06:57.810 --> 00:07:01.530
Authorization ensures that only authenticated users

144
00:07:01.530 --> 00:07:04.200
and applications are granted access

145
00:07:04.200 --> 00:07:08.310
to specific application programming interface endpoints.

146
00:07:08.310 --> 00:07:12.840
Authorization prevents unauthorized actions or data access.

147
00:07:12.840 --> 00:07:16.740
Rate limiting controls the number of application programming

148
00:07:16.740 --> 00:07:19.650
interface requests a user or application

149
00:07:19.650 --> 00:07:21.960
can make within a given time.

150
00:07:21.960 --> 00:07:24.990
Rate limiting helps prevent denial of service attacks.

151
00:07:24.990 --> 00:07:28.170
Logging involves recording application programming

152
00:07:28.170 --> 00:07:32.400
interface interactions to monitor usage, detect anomalies

153
00:07:32.400 --> 00:07:33.840
and troubleshoot issues.

154
00:07:33.840 --> 00:07:38.040
Logging provides a clear audit trail for security analysis.

155
00:07:38.040 --> 00:07:41.910
Then, we will explore Cloud Access Security Brokers.

156
00:07:41.910 --> 00:07:45.210
A Cloud Access Security Broker or CASB

157
00:07:45.210 --> 00:07:48.240
is a security solution that acts as a control point

158
00:07:48.240 --> 00:07:51.540
between cloud service users and cloud applications.

159
00:07:51.540 --> 00:07:55.320
Cloud Access Security Brokers enforce security policies

160
00:07:55.320 --> 00:07:58.140
and protect data across cloud environments.

161
00:07:58.140 --> 00:08:01.760
Cloud Access Security Broker implementation concepts include

162
00:08:01.760 --> 00:08:04.461
Application Programming Interface based

163
00:08:04.461 --> 00:08:09.150
and proxy-based Cloud Access Security Broker solutions.

164
00:08:09.150 --> 00:08:12.330
An Application Programming Interface based Cloud Access

165
00:08:12.330 --> 00:08:16.320
Security Broker integrates directly with cloud services

166
00:08:16.320 --> 00:08:20.040
and uses Application Programming Interfaces to monitor

167
00:08:20.040 --> 00:08:23.610
and control data flow, enforce security policies,

168
00:08:23.610 --> 00:08:26.520
and provide visibility into cloud usage

169
00:08:26.520 --> 00:08:29.280
without affecting user experience.

170
00:08:29.280 --> 00:08:32.010
Proxy-based Cloud Access Security Brokers,

171
00:08:32.010 --> 00:08:34.440
on the other hand, route cloud traffic

172
00:08:34.440 --> 00:08:37.950
through a proxy server, allowing real-time inspection,

173
00:08:37.950 --> 00:08:41.520
threat prevention and enforcement of security policies

174
00:08:41.520 --> 00:08:44.940
by sitting between the user and the cloud service.

175
00:08:44.940 --> 00:08:47.880
In application, an organization might use

176
00:08:47.880 --> 00:08:50.430
an Application Programming Interface based

177
00:08:50.430 --> 00:08:53.370
Cloud Access Security Broker to monitor

178
00:08:53.370 --> 00:08:56.550
and control data access within its cloud applications,

179
00:08:56.550 --> 00:09:00.540
while employing a proxy-based Cloud Access Security Broker

180
00:09:00.540 --> 00:09:04.140
to actively inspect and secure all data traffic

181
00:09:04.140 --> 00:09:06.300
between its users and the cloud.

182
00:09:06.300 --> 00:09:10.020
Next, we will explore cloud development and deployment.

183
00:09:10.020 --> 00:09:13.860
Development and deployment involves creating, configuring,

184
00:09:13.860 --> 00:09:17.340
and releasing cloud-based applications and infrastructure.

185
00:09:17.340 --> 00:09:19.140
Development and deployment should ensure

186
00:09:19.140 --> 00:09:21.840
that security best practices are integrated

187
00:09:21.840 --> 00:09:23.940
throughout the entire process.

188
00:09:23.940 --> 00:09:27.785
Development and deployment includes tools such as Terraform

189
00:09:27.785 --> 00:09:32.100
and Ansible, as well as concepts such as package monitoring.

190
00:09:32.100 --> 00:09:36.870
Terraform is an Infrastructure as Code or IaC tool.

191
00:09:36.870 --> 00:09:39.870
Infrastructure as Code automates the provisioning

192
00:09:39.870 --> 00:09:41.430
of cloud infrastructure.

193
00:09:41.430 --> 00:09:44.640
Terraform enables consistent and repeatable

194
00:09:44.640 --> 00:09:46.950
Infrastructure as Code deployments,

195
00:09:46.950 --> 00:09:48.750
which help in maintaining security

196
00:09:48.750 --> 00:09:51.240
configurations across environments.

197
00:09:51.240 --> 00:09:53.760
Ansible is another automation tool

198
00:09:53.760 --> 00:09:56.580
that focuses on configuration management,

199
00:09:56.580 --> 00:09:59.760
application deployment, and task automation.

200
00:09:59.760 --> 00:10:01.710
Ansible ensures secure

201
00:10:01.710 --> 00:10:04.470
and consistent management of cloud environments.

202
00:10:04.470 --> 00:10:07.530
Finally, package monitoring involves tracking

203
00:10:07.530 --> 00:10:09.150
and analyzing the security

204
00:10:09.150 --> 00:10:11.190
and integrity of software packages

205
00:10:11.190 --> 00:10:13.620
and dependencies used in development

206
00:10:13.620 --> 00:10:15.810
to prevent vulnerabilities from being

207
00:10:15.810 --> 00:10:17.910
introduced during deployment.

208
00:10:17.910 --> 00:10:21.060
For example, an organization may use Terraform

209
00:10:21.060 --> 00:10:23.520
to provision a network infrastructure

210
00:10:23.520 --> 00:10:27.630
with predefined security settings, followed by using Ansible

211
00:10:27.630 --> 00:10:30.000
to configure applications securely,

212
00:10:30.000 --> 00:10:32.760
and then implementing package monitoring

213
00:10:32.760 --> 00:10:35.280
to ensure all deployed software is free

214
00:10:35.280 --> 00:10:37.020
from known vulnerabilities.

215
00:10:37.020 --> 00:10:39.780
Then we will look at the continuous integration,

216
00:10:39.780 --> 00:10:41.700
continuous deployment pipeline.

217
00:10:41.700 --> 00:10:42.990
The continuous integration,

218
00:10:42.990 --> 00:10:46.320
continuous deployment pipeline is the automated process

219
00:10:46.320 --> 00:10:48.510
of integrating, testing, and deploying

220
00:10:48.510 --> 00:10:52.050
code changes in a secure and efficient manner to ensure

221
00:10:52.050 --> 00:10:54.780
that security measures are consistently applied throughout

222
00:10:54.780 --> 00:10:56.760
the software development lifecycle.

223
00:10:56.760 --> 00:11:00.420
Continuous integration involves regularly merging code

224
00:11:00.420 --> 00:11:04.440
changes into a shared repository where automated tests

225
00:11:04.440 --> 00:11:06.900
and security scans are run to detect

226
00:11:06.900 --> 00:11:08.550
and address vulnerabilities

227
00:11:08.550 --> 00:11:10.650
early in the development process.

228
00:11:10.650 --> 00:11:14.460
Continuous deployment automatically deploys tested code

229
00:11:14.460 --> 00:11:16.200
to a production environment.

230
00:11:16.200 --> 00:11:18.570
In practice, continuous integration

231
00:11:18.570 --> 00:11:22.140
and continuous deployment pipelines might automatically scan

232
00:11:22.140 --> 00:11:24.240
code for vulnerabilities

233
00:11:24.240 --> 00:11:26.850
during the continuous integration phase

234
00:11:26.850 --> 00:11:30.750
and then securely deploy the application to the cloud

235
00:11:30.750 --> 00:11:34.050
with all necessary configurations in place

236
00:11:34.050 --> 00:11:36.480
during the continuous deployment phase.

237
00:11:36.480 --> 00:11:39.900
Following that, we will explore container management.

238
00:11:39.900 --> 00:11:43.380
Container management oversees the deployment, operation,

239
00:11:43.380 --> 00:11:45.539
and security of containers to ensure

240
00:11:45.539 --> 00:11:48.090
that applications run securely

241
00:11:48.090 --> 00:11:50.970
and efficiently across cloud environments.

242
00:11:50.970 --> 00:11:54.720
Container management concepts include container security

243
00:11:54.720 --> 00:11:56.550
and container orchestration.

244
00:11:56.550 --> 00:12:00.300
Container security focuses on protecting the containerized

245
00:12:00.300 --> 00:12:03.150
applications and their underlying infrastructure

246
00:12:03.150 --> 00:12:04.530
from vulnerabilities.

247
00:12:04.530 --> 00:12:08.310
Protecting containers involves securing container images,

248
00:12:08.310 --> 00:12:10.230
managing access controls,

249
00:12:10.230 --> 00:12:12.720
and monitoring containers for threats.

250
00:12:12.720 --> 00:12:16.560
Container orchestration automates the deployment, scaling,

251
00:12:16.560 --> 00:12:19.950
and management of containers across multiple hosts.

252
00:12:19.950 --> 00:12:21.780
Container orchestration ensures

253
00:12:21.780 --> 00:12:25.140
that security policies are consistently applied across

254
00:12:25.140 --> 00:12:27.870
the entire containerized environment.

255
00:12:27.870 --> 00:12:31.380
For example, an organization may use a container

256
00:12:31.380 --> 00:12:34.950
orchestration tool like Kubernetes to manage the deployment

257
00:12:34.950 --> 00:12:38.610
of containers with predefined security configurations,

258
00:12:38.610 --> 00:12:42.150
while utilizing container security practices to ensure

259
00:12:42.150 --> 00:12:45.750
that containers are protected from potential threats.

260
00:12:45.750 --> 00:12:48.900
Finally, we will explore serverless computing.

261
00:12:48.900 --> 00:12:52.320
Serverless computing is running application code without

262
00:12:52.320 --> 00:12:54.840
managing the underlying infrastructure.

263
00:12:54.840 --> 00:12:56.280
In serverless computing,

264
00:12:56.280 --> 00:12:59.040
the cloud provider, rather than the client,

265
00:12:59.040 --> 00:13:01.320
handles the execution environment.

266
00:13:01.320 --> 00:13:04.170
Serverless computing concepts include workloads,

267
00:13:04.170 --> 00:13:06.360
functions, and resources.

268
00:13:06.360 --> 00:13:08.460
Workloads in serverless computing

269
00:13:08.460 --> 00:13:10.320
refer to the specific tasks

270
00:13:10.320 --> 00:13:13.710
or operations that the serverless functions execute.

271
00:13:13.710 --> 00:13:16.410
Functions are the individual units of work

272
00:13:16.410 --> 00:13:18.210
in a serverless architecture,

273
00:13:18.210 --> 00:13:21.660
where each function performs a specific task.

274
00:13:21.660 --> 00:13:23.790
Resources in serverless computing

275
00:13:23.790 --> 00:13:26.400
include the underlying compute, storage,

276
00:13:26.400 --> 00:13:30.420
and networking components that the cloud provider manages.

277
00:13:30.420 --> 00:13:33.570
For example, when deploying a serverless function

278
00:13:33.570 --> 00:13:35.670
to handle user authentication,

279
00:13:35.670 --> 00:13:38.160
the function must be securely coded,

280
00:13:38.160 --> 00:13:40.740
assigned minimum necessary permissions,

281
00:13:40.740 --> 00:13:43.020
and run within a protected environment,

282
00:13:43.020 --> 00:13:46.290
where the cloud provider securely manages the resources,

283
00:13:46.290 --> 00:13:48.900
ensuring end-to-end security.

284
00:13:48.900 --> 00:13:51.870
To finish things off, we'll take a short quiz to see

285
00:13:51.870 --> 00:13:54.300
what you learned during this section of the course,

286
00:13:54.300 --> 00:13:56.910
and we will review each of those quiz questions

287
00:13:56.910 --> 00:13:59.880
to fully ensure you can explain why the right answers were

288
00:13:59.880 --> 00:14:02.280
right and the wrong answers were wrong.

289
00:14:02.280 --> 00:14:03.660
So let's get ready

290
00:14:03.660 --> 00:14:07.203
to dive into cloud security in this section of the course.

