27. Security Controls Module Introduction
We certainly understood before even enrolling in this course that there were many potential security attackers and many potential security attacks that we might encounter with any IT environment, never mind the cloud. Well, in this important module we’re gonna discuss some, just some, of the many powerful security controls we can use to keep the attackers out.
28. OS and App Security Policies
Now we have to remember, when it comes to security in our cloud infrastructures and with our cloud solutions, it really would serve us well to remember that there is that shared security model. That’s just not something that we like to talk about at parties, that is a very real thing. That is something that we need to be concerned about. Let’s just see what it would be like to secure a solution that is cloud-based. As you’re gonna see, it’s gonna be just a real mix of new and old technologies that we have to take advantage of. It’ll be easier for me to show you this than it is to talk about. Let’s take a look now.
So, to demonstrate this, let’s take a look at Microsoft Azure. And inside of Azure here, we’re gonna go to this client one resource that I have created. Yes, this is a virtual machine and this is an interesting story actually. This is the Windows 11 Pro, and I wanted to take a look at this. I wanted to research the Pro version of Windows 11. I’m running Home pretty much everywhere, and so I wanted to take a look and do some testing of some software with this Pro version. So what better way to do my experimentation than with the cloud? Keep in mind that one of the challenges with Windows 11 is Microsoft’s requirements when it comes to security capabilities of your underlying hardware. They want a very specific CPU, they want a very, very specific TPM chip to be in place and all this stuff. And so it can be a little tough to find the client software or the hardware that’s gonna run this properly. So, the cloud was a perfect way for me to access this resource, I thought. Now notice, in order to connect, we’re gonna be using the remote desktop protocol (RDP). So, the first bit of security we have to talk about here is the RDP. And RDP is a secure protocol, thank goodness.
So, what I need to do is I need to go find the download that is the RDP shortcut. I downloaded it yesterday when I pulled this up for the first time, and we need to sign in as anthonys, and the password that we set when we created this virtual machine, which I’m gonna go ahead and type in there. And look at this, we are now in that virtual machine. How wonderful. And this is a nice shiny new copy of none other than Windows 11 Pro. Look at that. We’ve got our icons there in the center of the task bar as you can see, the giveaway that we are dealing with Windows 11. Here’s our new Start button in Windows 11. And notice now, when it comes to securing this, we are now gonna be dealing with the security of the operating systems, and the applications within this VM, and nothing has changed now with that. So, for instance, one of the things I might do from an advanced security perspective is I might bring up my group policy editor. As some of you know, if you are very familiar with Windows technology, one of the sophisticated ways that we control the security posture of a virtual machine like this is to use group policy.
So, here is my group policy editor and sure enough, if we come over here and we see that there are these settings for the computer configuration, notice there are these administrative templates. Oh my gosh, if I go into the system, look at all that we can control with this group policy, controlling security for the operating system through policy or even applications that are running on the system through policy type of manipulations.
Notice for instance, there’s a file system category, and in there there’s NTFS. And here’s something that I have enabled and I turned this on because I want this on. I enabled the feature where we cannot compress any of these NTFS volumes. So, now there’s a feature of the operating system that we have just disabled through this group policy. These are the types of things that you are still going to be working with inside of your cloud-based systems.
Look at this, this is PIN complexity settings. So, we could go in and we could say that, all right, if they’re gonna be using a PIN code in order to access this machine, if we’re allowing PIN code access, then I can go in and say, all right, well, they’re gonna have to supply digits as part of the PIN. So, if we enable this policy setting, Windows requires the user to include at least one digit in their PIN code. So, I turned that on and now that is going to be a new requirement from the security settings of this Windows 11 Pro system that is running in the cloud. So, notice, sure, Azure has a ton of responsibilities. They themselves have these responsibilities when it comes to keeping our cloud environment secure, but we are still going to have our responsibilities when it comes to keeping this secure.
And speaking of keeping it secure, notice what I’m doing now. I’m gonna do a graceful shutdown of that system. And so, now if we come in here and we refresh our console view, we’re gonna see that this device, this virtual machine that we were just accessing, it is not in the running state any longer. And by the way, remember this bell notification up here is gonna give you status messages. So, that’s always great. Notice here was us starting that virtual machine at the beginning of this demonstration. Let me refresh the whole page and let’s see if we get any further notifications about this thing being stopped. And nope, we didn’t get a notification about it being stopped, and you know why? Because we stopped it in the VM itself. Isn’t that interesting? So there was no notification. But let’s refresh the status of this VM one more time because, yeah, look at this, we have the Start button active now, and that’s because, what is the current status? Well, as you can see right here, the current status is Stopped. So, this virtual machine is now in a stopped state just as I would want it.
All right, so let’s go ahead now. And I wanna talk to you about the security that we just did inside a virtual machine, for instance, as our portion of the shared security responsibility model. But understand that there are gonna be security settings, of course, that we are going to wanna explore for the cloud-based nature of this virtual machine. So, notice there are going to be tools inside your public cloud that are going to be able to give you recommendations on your security posture. And sometimes these are free, sometimes you’ll have to pay for these. But typically we can get at least minimum reports of any kind of security alerts that might exist in our system given tools like this. And I know one thing right off the bat that would be problematic for this virtual machine. Let me show you that.
It is the settings that I have on this virtual machine for access. Let’s look at this. If I look inside this configuration kind of glimpse of what we have set up here, let’s go to, the security type is set to Standard, that’s fine. But what we’re looking for is we’re looking for the firewall settings that I have on this device. What traffic is allowed in and out of this device? Well, let’s find that. We’re looking for the security settings that are on this device from a firewall perspective. And I just remembered where that is located. When you work with AWS, Google Cloud Platform and Azure as much as I do, one of the challenges is, when you’re switching platforms, you have to remember where did they tuck stuff? And the firewall settings for this virtual machine in Azure are gonna be located under the Network settings. Here you can see the inbound port rules. And do you see the problem? Yeah, notice the exclamation point that is on this RDP firewall entry right here. Why that exclamation point is there is, I am doing something that is very foolish. I have this resource open to anyone coming in with RDP. I should certainly lock that down to the subnet that I am located in so that that’s further great security on that RDP connection. Let me go ahead and make this security improvement.
Can we edit that existing rule? Let’s see. Yes, we can. By clicking on it, we can edit it. And we’re not gonna leave this as any source range. Instead, I am going to go ahead and drop in my… It’s gonna be any port. That’s fine. What we need is the source IP address. And we’re gonna lock this down to the source IP address that is my exact IP address. There we go. How do we save these changes? Let’s see. We’re gonna click the Save button right up at the top, and we don’t need “Any” here, I think we need an asterisk and that will allow us to save. There we go. So now, look what we’re saying. The source IP address must be my IP address, and now this is going to be much stronger security.
And let me refresh this page because I do think we’re gonna see that flag go away that was telling us, yeah, look at that, that our security is at risk. So, now the RDP into this box must be from my exact IP address. And, of course, you could modify that rule, and in fact, I think I will modify the rule right now because might I always be in that exact IP? No, I’ll be in one of these subnets. So notice, I can go in and I can doctor that up so that when I do get a slightly different IP from my service provider, it will still allow me to access this device. All right, well, with that change made, I’m sure you want to see this still work with these much stronger security policies in place, so let’s go ahead and make sure this still works. My existing RDP shortcut still should be fine. So, we’re gonna double click that. We’ve done nothing that would impact that. And we’re gonna log in with my anthonys account. And by the way, it might help to start the virtual machine. So, there we go. That would definitely help. It’s been scientifically proven, if your virtual machine is not running, you’re not gonna have any success connecting to it with RDP. And I might be being a little bit aggressive here on how quickly I’m trying to connect to it, but after all, Azure did tell me that my access would be real speedy to this great resource. Well, so much for that. Took a little bit of time obviously to get it started, but I bet you, this third time trying it is going to be the charm. And yes it is. There we go. Let me put in my password. And we are in.
Look at that. Now we are into our system, our Windows 11 Pro system, and we’re in in a much more secure manner. Yes, we are using the remote desktop protocol once again in order to access that shiny new desktop, but this time there’s additional security in place because the RDP session would’ve been rejected if it was not coming from an IP address in my subnet. Nice added security there. And remember, the security that you would do on the VM itself. Boy, we only scratched the surface of that. I told you about the local security policy we could manipulate, and we saw group policy manipulations, but we can’t forget there’s a whole dedicated area now to security. And sorry, I’m resizing the windows foolishly here. There we go. You can see that better. Let me actually show you this entire window sized properly. Doing demonstrations like this in virtual machines and only having so much real estate to do demos gets a little tricky, thank you for bearing with me on that. But there you can see the new Windows Security Center and it’s in Windows 11. It looks a lot like the version that’s in Windows 10, so don’t have big concerns about that. If you are moving from Windows 10 to 11, the Security Center looks pretty much the same, but these are great security features that notice, we can go in and we can enable, even though we are in a virtual machine environment. So we’re gonna be doing security as we always did inside of these virtual resources. Thank you so much for watching.
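The inbound rule check the portal did for us with that exclamation point, and the rule evaluation behind it, can be written down in a few lines. The following is an added example for this section, not the course’s own material: a small Python model of Azure NSG inbound rules that flags management ports (SSH, RDP) allowed from any source, and then evaluates whether a given client address would get through, so you can confirm the locked-down rule before you reconnect. The rule names, priorities and the two 203.0.113.0/24 and 198.51.100.0/24 subnets are constructed values, not the instructor’s real addresses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed approximation of the fields on an Azure NSG inbound security rule;
# the values further down are made up for this example, not taken from the course's VM.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}   # source prefixes that mean "the whole world"


@dataclass(frozen=True)
class InboundRule:
    name: str
    priority: int               # lower number is evaluated first (Azure: 100-4096)
    access: str                 # "Allow" or "Deny"
    protocol: str               # "Tcp", "Udp" or "*"
    source_prefixes: tuple      # e.g. ("*",) or ("203.0.113.0/24", "198.51.100.0/24")
    dest_ports: str             # "3389", "*" or a range such as "1000-2000"


def port_matches(dest_ports: str, port: int) -> bool:
    """destinationPortRange is '*', a single port, or 'low-high'."""
    if dest_ports == "*":
        return True
    if "-" in dest_ports:
        low, high = (int(p) for p in dest_ports.split("-", 1))
        return low <= port <= high
    return int(dest_ports) == port


def source_matches(prefixes, client_ip: str) -> bool:
    """True if the client address falls inside any listed prefix (or the prefix means 'any')."""
    addr = ipaddress.ip_address(client_ip)
    for prefix in prefixes:
        if prefix.lower() in ANY_SOURCE:
            return True
        if addr in ipaddress.ip_network(prefix, strict=False):
            return True
    return False


def find_exposed_management_ports(rules):
    """The 'exclamation point' check: Allow rules that open SSH or RDP to any source.

    This is a per-rule scan; it does not account for a lower-numbered Deny rule
    that might shadow the Allow, so treat its output as findings to review."""
    findings = []
    for rule in rules:
        if rule.access != "Allow" or rule.protocol not in ("Tcp", "*"):
            continue
        if not any(p.lower() in ANY_SOURCE for p in rule.source_prefixes):
            continue
        for port, label in MANAGEMENT_PORTS.items():
            if port_matches(rule.dest_ports, port):
                findings.append((rule.name, label))
    return findings


def is_permitted(rules, client_ip: str, port: int, protocol: str = "Tcp") -> bool:
    """Evaluate like the NSG does: the first matching rule in priority order wins,
    and anything unmatched falls through to the default DenyAllInbound rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not port_matches(rule.dest_ports, port):
            continue
        if not source_matches(rule.source_prefixes, client_ip):
            continue
        return rule.access == "Allow"
    return False


# The rule as it was flagged in the portal: RDP allowed from anywhere.
OPEN_TO_WORLD = [InboundRule("RDP", 300, "Allow", "Tcp", ("*",), "3389")]

# The corrected rule: the same port, but only from the two (constructed) subnets
# the ISP might hand out, so a slightly different client address still works.
LOCKED_DOWN = [InboundRule("RDP", 300, "Allow", "Tcp",
                           ("203.0.113.0/24", "198.51.100.0/24"), "3389")]

if __name__ == "__main__":
    print("exposed before:", find_exposed_management_ports(OPEN_TO_WORLD))
    print("exposed after: ", find_exposed_management_ports(LOCKED_DOWN))
    print("RDP from 203.0.113.10 after:", is_permitted(LOCKED_DOWN, "203.0.113.10", 3389))
    print("RDP from 192.0.2.5 after:   ", is_permitted(LOCKED_DOWN, "192.0.2.5", 3389))
```

Run it as a script and the first line shows the RDP rule reported before the change and nothing after it; the last two lines show a client inside one of the listed subnets getting through while an address outside them falls to the default deny. Feeding it a rule set exported from a real NSG is a matter of mapping the portal’s fields onto InboundRule.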
29. Encryption
Now, when it comes to security in the cloud, we just cannot omit discussing encryption, compliance, and some other key security controls that we are gonna be able to take advantage of, most likely in cloud environments.
So here we are in AWS and this will be a perfect place for me to talk to you about these types of security enhancements that we can make. So, notice we have our cloud_plus_test machine here and our cloud_plus_test virtual machine has some various security settings associated with it, of course. Notice there is no IAM role associated with this virtual machine. Now, what does that mean? It means that this virtual machine cannot call upon an object in AWS that we call a role to access other objects. So, this is something to keep in mind. We might need this cloud_plus_test machine, for example, to access files that we have in AWS S3. Well, if this virtual machine is gonna be able to reach into AWS’s S3 bucket service and grab some objects, it’s gonna need a role associated with it in order to do that.
So, sure enough, in AWS there is the identity and access management service, and we could go into the IAM service and we could create a role that would be appropriate for that virtual machine to use in accessing AWS S3. In fact, notice with the roles, you can type in S3 and I can see any of my roles that are designed to give EC2 access to S3.
Look at this, I created this one 256 days ago and this role is to allow EC2 to write to S3. So notice, in fact, it gives AWS S3 full access. So it’s more than just writing to S3, it would have full access of the S3 bucket. Now notice, these roles can then easily be attached to virtual machines to allow that type of access. So, this is great advanced security manipulations that we have right inside of AWS.
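A role that was created to let EC2 write to S3 but carries full S3 access is exactly the kind of thing a least-privilege review catches. The example below is added here and is not the course’s code or an AWS tool: a simplified IAM policy evaluator in Python that compares a full-access statement with a scoped PutObject statement, reports which needed permissions are missing and which sensitive operations are granted without being needed, and reads the trust policy to show that only EC2 can assume the role. The bucket name, object paths and the shape of the full-access document are constructed for the example; the service principal ec2.amazonaws.com and the sts:AssumeRole action are real.

```python
import fnmatch

# Constructed policy documents. The bucket name and paths are made up for this example.
BUCKET = "arn:aws:s3:::cloud-plus-bucket"

# Shape of a "full access" grant, like the role shown in the course (s3:* on every resource).
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# What "allow EC2 to write to S3" actually needs: PutObject into one prefix of one bucket.
WRITE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/backups/*"}]}

# Trust policy that lets only EC2 instances assume the role (real service principal name).
EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}


def _as_list(value):
    """IAM lets Action/Resource/Principal values be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM wildcard match ('*' and '?'); actions compare case-insensitively, ARNs do not."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, an Allow grants, otherwise implicit deny.
    Only Effect/Action/Resource are handled; Condition, NotAction and NotResource are rejected."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            raise ValueError("statement element not supported by this simplified evaluator")
        action_hit = any(_matches(p, action, False) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource, True) for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_grants(policy: dict, needed) -> list:
    """(action, resource) pairs the workload needs but the policy does not allow."""
    return [pair for pair in needed if not is_allowed(policy, *pair)]


def excess_grants(policy: dict, needed, probes) -> list:
    """Probe pairs the policy allows even though the workload never needs them.
    A wildcard policy grants an open-ended set, so a list of sensitive operations
    is tested rather than trying to enumerate everything."""
    return [pair for pair in probes if pair not in needed and is_allowed(policy, *pair)]


def trusted_services(trust_policy: dict) -> set:
    """Which AWS services may assume the role, i.e. what the role can be attached to."""
    services = set()
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            services.update(_as_list(stmt.get("Principal", {}).get("Service", [])))
    return services


# The one thing the instance must be able to do, and a few things it must not.
NEEDED = {("s3:PutObject", BUCKET + "/backups/app.log")}
PROBES = [("s3:DeleteBucket", BUCKET),
          ("s3:PutBucketPolicy", BUCKET),
          ("s3:GetObject", BUCKET + "/backups/app.log"),
          ("s3:GetObject", "arn:aws:s3:::other-team-bucket/secret.txt")]

if __name__ == "__main__":
    for label, policy in (("full access", FULL_ACCESS), ("write only", WRITE_ONLY)):
        print(label, "missing:", missing_grants(policy, NEEDED),
              "excess:", excess_grants(policy, NEEDED, PROBES))
    print("assumable by:", trusted_services(EC2_TRUST_POLICY))
```

Both policies cover the one needed action, but the full-access document also allows deleting the bucket, rewriting its policy, and reading objects in another team’s bucket. The evaluator deliberately refuses statements with Condition or NotAction elements rather than silently misjudging them; for real policies, run the same needed/probe pairs through the IAM policy simulator.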
But wait a minute here, let’s go back into our EC2 service because one of the things that we discussed was encryption. Yeah, let’s take a look at the settings on our cloud_plus_test system and let’s scrutinize the storage of data. So we remember that this is built on an eight gig volume, so it is an eight gig volume and notice that the disk is not encrypted. Ooh. So, the elastic block storage disk is not encrypted. Now notice the volume ID, it ends in three, two, one.
If we go to our disk volumes right here in the elastic block store, we should be able to find the volume that goes with that cloud_plus_test, and there it is, notice the six, three, two, one and it even has the name of cloud_plus_test, that is great. There is the volume that is attached to our Linux virtual machine. So notice, not encrypted. Well, can we go ahead and encrypt this volume after the fact? Well, let’s see. So here, modify volume. Hmm, this seems like it might help. Notice this is nice. I can bump it up to the general purpose SSD storage. Let me go ahead and make that modification, by the way. That’s cool, so we just told AWS, “Go ahead and move this from that low performance magnetic storage that you had been using and bump it up to an SSD.” So we just took care of that manipulation feature. But what about the encryption? Can we encrypt it? Hmm. It’s not looking good, let’s keep trying, let’s dig into the volume itself and let’s see if they’re going to allow us to add encryption at this point. How about if we detach the volume? All right, let’s detach the volume from the virtual machine. All right, now that it is detached, what can we do? Let’s go back to our look at the overall volumes. Let’s click on this one. Let’s go to our actions menu. Boy oh boy, I think we might be in some trouble here attempting to now encrypt this volume after the fact. So, it just goes to show you, this is definitely something we would wanna think about as we are creating the virtual machine, for sure. So, my goodness, is it possible? Well, the answer is, it is. But again, definitely something we would’ve wanted to really design right upfront, because this is a little bit challenging.
What we have to do is we have to create a snapshot of the volume. So, this is my ‘Snapshot of volume to encrypt.’ All right. So, notice what we are gonna do is we’re gonna create this snapshot of that volume. So, now I’m gonna go and I am going to make sure I’m looking at my snapshots. There we go, here’s now a snapshot view that we’re having, and notice that is pending to be created. What we’re gonna end up doing is we’re gonna copy this snapshot and we are going to encrypt the copy. And then you guessed it, we’re going to be attaching that encrypted copy of the snapshot to the volume, to the virtual machine that we are running. So, notice, yes, we can go and encrypt a volume that is unencrypted that is being used to host a VM, but notice I’m being forced to go through some steps here, including waiting for this initial snapshot to take place. All right. And by the way, that has completed, let me go ahead and say this is the cloud_plus_snap, right. Let’s give that a label while we’re there, so we know what that is, very important.
Okay, now let’s go ahead and let’s copy our snapshot. And we are going to encrypt this copy. So, we’re gonna go ahead and copy the snapshot. And notice we are using the default KMS key. Now, this key is the default key managed by AWS. Understand that you could go in and you could provide your own keying information. So yes, this is going to be encrypted now, this disk, which is gonna give us that great underlying security of the entire virtual machine volume, how cool is that? And we are opting for AWS to manage the encryption. See that? And keep in mind, that is another great advantage of the cloud, isn’t it? Because we are now having the flexibility of managing our own passwords, otherwise known as encryption keys, and we have that option of having AWS do it for us or have us do it.
All right, well, I just copied the snapshot and let me go ahead and give this a name. Notice, it’s still in pending state, but I’ll say ‘cloud_plus_new_encrypt_volume’, something like that, right. I’ll just say ‘vol’ before a name gets way too long. All right, so, now I know exactly what that component is, and let’s refresh because we want that, oh, and notice this copy is taking a little bit of time and that is because, of course, we are encrypting that entire eight gig volume. So, I’ll pause the video here as we wait for the encryption to complete. And then as you can guess, we have one more step, we better attach this new encrypted snapshot to the disk, to the virtual machine that is, so that it’s functioning again. Wow. Notice what steps we might have to go through to achieve compliance with security recommendations if we didn’t design it that way right upfront as we should have. So, yeah, I’ll pause the video as we wait for this encrypted disk to be created.
All right, that process has completed. Notice how I am not, when I do demonstrations as you know, one of the things that I really strive to do is make sure that you are not experiencing anything that’s amiss, right, like no steps left unturned, right. I can’t stand that when someone doesn’t show you all the steps of how to do something, it makes it really difficult for you to replicate that. All right, so here is, let’s slide this over, here is the new encrypted volume. I could probably give that a little better name. All right. Anyways, I get myself a little too crazy, I mean, my goodness, Anthony, relax, this is just a demonstration.
All right, now under my actions menu, can I attach that snapshot? No. Doesn’t look like I can attach it right from there. Hmm. Let me go back to my EC2 dashboard. Let me go to my instances. We should have in here a cloud_plus_test instance that is not attached to any volume. It does not have a volume attached to it. So, let’s go to instance settings and let’s see, how are we gonna get a volume attached to this device? This is all about the networking. How about images and templates? Look at that. We could create a nice template from this image, that is so cool, or we could create, burn a new image basically of this. Hmm. Where are we going to attach a volume? I know one thing, if we go to spin this thing up right now, it’s certainly not going to work. And that’s because of course, there is no volume attached to this device. Hmm. Well, guess what? I think we must be missing a step.
If we go back into snapshots and we look at this snapshot that we created, under the actions menu, notice there was “Create volume from snapshot”. Oh my goodness, we have to go through this step. And guess what? The resulting volume that can be attached to our device will be encrypted. Wow. So I’m gonna go ahead and create this volume from our snapshot. Now, if we go back into the volumes area, we should see that we are creating this new volume, and that new volume is based off of the encrypted snapshot that we just took. And now we wanna take this volume and we want to attach it.
There we go, attach. And we want to attach it to our cloud_plus_test. And right here, we need to use the device name. ‘Newer Linux kernels may rename your devices to xvdf through xvdp.’ And so let’s just make sure we give the correct name that it was looking for. So let me, I’m going to actually open this. Let me duplicate this tab, that’ll be great. This is an example of where, see, I wanna stay on this screen, but I need to check something else. So, the quick tip on that is you go in and you just go ahead and fire up a new tab with your AWS so you can go and explore the additional settings you need to explore. All right. So watch what I’m gonna do, I’m gonna go ahead and try and run this thing again. And the reason why I’m gonna run it again is I wanna see this name right here because that’s the device name that we need to use obviously, that’s what it’s looking for. So I’m gonna drop that device name in with a little copy and paste magic. I’m gonna attach the volume. And now I do think we are gonna finally meet with success here. We’ve done it, we should have an instance that now is backed by none other than an encrypted EBS volume. We’re pretending we’re having to meet some compliance, right?
I’m gonna go ahead and start that instance and look at that, it successfully starts, but I know you don’t trust me, we need to make sure we can access this resource. I don’t trust myself, I wanna make sure we can access this resource. So it is in the stop state. Oh, let’s, wait a minute here, it says it successfully started. So I think we’re dealing with some stale display here. Let me refresh. It’s pending state right now. Hmm. Come on now, let’s select it. And we still don’t have the ability to connect. So, this first boot with that new encrypted volume seems to be taking a little bit longer, but I suppose that is to be expected after all those changes we just made.
All right, now I can connect to it. So, I’m gonna choose Connect. I’m gonna get this connection string right here and we are gonna connect to that cloud resource using SSH.
All right, so I’m gonna bring up my dialogue here and I am going to change directories to the download directory because that’s where I have the key pair file, the private key that I need to make access. So, there’s my .pem file and it’s in the Downloads location. So, we are going to connect to this device and look at that. We are in. And by the way, we made some really nice improvements, oh, there’s nothing in my home folder, that’s sad. But if I go to the root and I do a listing, you can see all of the wonderful Linux directories that exist there. And boy oh boy, did we really do something on this device that was really beneficial? Ah, what’s the shutdown command I need to use here? Let’s see. shutdown -h. That might do it. Must be root. Okay, sudo shutdown -h. Yep, all right, so that’s how I can gracefully shut down that Linux machine and that way I know that machine will be shut down. But boy oh boy, what improvements we made to that system, right? We took this cloud_plus_test system and we not only moved it to SSD storage from the cold type of mechanical hard disk drive storage it was on, but we also encrypted the underlying disk. And now remember that in this case, AWS is in charge of those encryption keys. We could have put ourselves in charge of the encryption keys if we had wanted to. Well, thank you so much for watching, I hope you found this video interesting, illuminating. And we also learned there that we’ll wanna do these designs of these cloud resources properly upfront so we don’t have to worry about all of those disk manipulations you saw us have to make.
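The whole after-the-fact encryption procedure from this section (snapshot, encrypted copy of the snapshot, volume created from that copy, detach and attach under the original device name) is easier to get right as a script than as a sequence of console clicks, and scripting it also makes the step that was missed above, creating a volume from the snapshot, impossible to skip. The following is an added example, not the course’s code: a Python function written against the boto3 EC2 client’s method names (create_snapshot, copy_snapshot, create_volume, attach_volume and their waiters). In real use you would pass boto3.client("ec2", region_name=...) as the ec2 argument; here a constructed in-memory FakeEC2 stands in for it so the workflow runs offline. The volume, instance and snapshot IDs, the availability zone and the /dev/xvda device name are all made up for the example.

```python
"""Encrypt an EBS volume "after the fact", the way the course does it by hand:
snapshot -> encrypted copy of the snapshot -> new volume from that copy -> swap it in.

`ec2` is anything exposing the boto3 EC2 client's method names; pass
boto3.client("ec2", region_name=...) in real use. FakeEC2 below is a constructed
stand-in so the workflow runs offline. All IDs, the zone and the device are made up."""


def encrypt_volume_in_place(ec2, volume_id, instance_id, device, region,
                            kms_key_id=None, volume_type="gp3"):
    """Replace `volume_id` on `instance_id` with an encrypted copy; returns the new volume id."""
    # 1. Stop the instance so the snapshot is consistent and the root volume can be detached.
    ec2.stop_instances(InstanceIds=[instance_id])
    ec2.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])

    # 2. Snapshot the unencrypted volume and wait for it to complete.
    snap_id = ec2.create_snapshot(VolumeId=volume_id,
                                  Description="snapshot of volume to encrypt")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])

    # 3. Copy the snapshot with Encrypted=True. No KmsKeyId means the AWS-managed default
    #    EBS key; pass your own customer managed key id to keep control of the key material.
    copy_args = dict(SourceSnapshotId=snap_id, SourceRegion=region, Encrypted=True,
                     Description="encrypted copy")
    if kms_key_id:
        copy_args["KmsKeyId"] = kms_key_id
    enc_snap_id = ec2.copy_snapshot(**copy_args)["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc_snap_id])

    # 4. The step that is easy to miss: a snapshot cannot be attached to an instance,
    #    a volume has to be created from it, in the same AZ as the volume it replaces.
    az = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]["AvailabilityZone"]
    new_vol_id = ec2.create_volume(SnapshotId=enc_snap_id, AvailabilityZone=az,
                                   VolumeType=volume_type)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol_id])

    # 5. Swap: detach the old volume, attach the new one under the same device name.
    ec2.detach_volume(VolumeId=volume_id)
    ec2.get_waiter("volume_available").wait(VolumeIds=[volume_id])
    ec2.attach_volume(VolumeId=new_vol_id, InstanceId=instance_id, Device=device)
    ec2.start_instances(InstanceIds=[instance_id])
    return new_vol_id


def is_encrypted(ec2, volume_id) -> bool:
    """The check to run afterwards, and the one to run up front on every volume."""
    return ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]["Encrypted"]


class FakeEC2:
    """Minimal in-memory stand-in for the boto3 EC2 client methods used above."""

    def __init__(self, volumes):
        self.volumes = volumes      # volume id -> {"Encrypted", "AvailabilityZone", "Attachments"}
        self.snapshots = {}
        self.calls = []             # records waiter names and instance state changes
        self._seq = 0

    def _new_id(self, prefix):
        self._seq += 1
        return f"{prefix}-0fake{self._seq:012d}"

    def get_waiter(self, name):
        self.calls.append(("wait", name))
        return self

    def wait(self, **_kwargs):      # nothing to wait for in memory
        pass

    def stop_instances(self, InstanceIds):
        self.calls.append(("stop_instances", tuple(InstanceIds)))

    def start_instances(self, InstanceIds):
        self.calls.append(("start_instances", tuple(InstanceIds)))

    def create_snapshot(self, VolumeId, Description=""):
        sid, src = self._new_id("snap"), self.volumes[VolumeId]
        self.snapshots[sid] = {"Encrypted": src["Encrypted"], "AvailabilityZone": src["AvailabilityZone"]}
        return {"SnapshotId": sid}

    def copy_snapshot(self, SourceSnapshotId, SourceRegion, Encrypted=False, KmsKeyId=None, Description=""):
        sid, src = self._new_id("snap"), self.snapshots[SourceSnapshotId]
        self.snapshots[sid] = dict(src, Encrypted=Encrypted or src["Encrypted"])
        return {"SnapshotId": sid}

    def create_volume(self, SnapshotId, AvailabilityZone, VolumeType="gp2"):
        vid = self._new_id("vol")
        self.volumes[vid] = {"Encrypted": self.snapshots[SnapshotId]["Encrypted"],
                             "AvailabilityZone": AvailabilityZone, "Attachments": []}
        return {"VolumeId": vid}

    def describe_volumes(self, VolumeIds):
        return {"Volumes": [dict(self.volumes[v], VolumeId=v) for v in VolumeIds]}

    def detach_volume(self, VolumeId):
        self.volumes[VolumeId]["Attachments"] = []

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.volumes[VolumeId]["Attachments"] = [{"InstanceId": InstanceId, "Device": Device}]


def demo():
    """Run the workflow against the fake client; returns (old volume id, new volume id, client)."""
    ec2 = FakeEC2({"vol-0fakeunencrypted": {
        "Encrypted": False, "AvailabilityZone": "us-east-1a",
        "Attachments": [{"InstanceId": "i-0fakeinstance", "Device": "/dev/xvda"}]}})
    new_vol = encrypt_volume_in_place(ec2, "vol-0fakeunencrypted", "i-0fakeinstance",
                                      "/dev/xvda", "us-east-1")
    return "vol-0fakeunencrypted", new_vol, ec2


if __name__ == "__main__":
    old, new, client = demo()
    print(old, "encrypted:", is_encrypted(client, old))
    print(new, "encrypted:", is_encrypted(client, new), "attached:", client.volumes[new]["Attachments"])
```

The original unencrypted volume and both snapshots are left in place on purpose: delete them only after the instance has booted from the new volume, since the unencrypted copies are still readable data that a compliance review will want gone. The lesson the section draws still stands: set Encrypted on the volume at launch and none of this is necessary.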
30. Other Security Controls
At the risk of being overly dramatic, we really need to keep in mind that security is a huge concern when it comes to moving to the cloud. But the irony of this is that there are plenty of great reasons to move to the cloud from a security perspective. Let’s talk about that in this video.
So, what you will discover is that oftentimes your move to cloud technology is going to open up new security technologies you might not have been able to implement before. For instance, intrusion prevention systems (IPS) are certainly one of these. Now notice there are intrusion detection systems (IDS) and their very word, detect, means that they are only going to be able to alert you that there is some type of a security problem. But in contrast to this, an intrusion prevention system, it can indeed prevent access to systems by attackers. And it does this by yes, blocking traffic. So, we might be able to suddenly take advantage of IPS type devices when we move to the cloud environment, if we weren’t able to achieve such devices in our on-prem environment. Another big thing about the cloud is being able to take advantage of things like web application firewalls (WAF), firewalls that are gonna be designed to sit right outside of your web server and go ahead and protect that traffic that is being served up to your clients. Other things like advanced denial of service or distributed denial of service (DDoS) protections exist and you start taking advantage of those in a public cloud environment. In fact, AWS does this by default, and if you want advanced denial of service protection, well then, you can pay for that from them. And that even includes insurance against a denial of service attack. So, in other words, suppose you are subject to a distributed denial of service attack, and then you get a bill from Amazon for tens of thousands of dollars, because all of that resource consumption was done as part of that distributed denial of service attack. It would be a crying shame if you were the one that had to pay that bill. Well, of course, when you do the advanced distributed denial of service protection, you have automatic insurance against that situation and you never get hit with those charges.
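The difference between detecting and preventing is easiest to see when the same rules run in both modes. This is an added example, not part of the course: a small Python inline inspector that applies a signature rule (a path-traversal pattern of the kind a WAF looks for) and a per-source rate rule (the volumetric check behind DDoS protection) to a constructed request log, and returns what got delivered and what got alerted. In "detect" mode, like an IDS, every request still reaches the server and you only get alerts; in "prevent" mode, like an IPS or WAF, the flagged requests are dropped. The IP addresses, paths and timings are made up.

```python
from collections import defaultdict, deque

# Constructed request log: (seconds, source IP, request path). Not real traffic.
EVENTS = [(i / 10, "203.0.113.9", "/") for i in range(8)] + [
    (0.5, "198.51.100.4", "/static/../../config.ini"),   # matches the path-traversal signature
    (0.9, "192.0.2.8", "/index.html"),                    # ordinary request
]

# Signature rule: substring the inspector looks for in the request path.
SIGNATURES = {"path-traversal": "../"}


def inspect(events, mode, rate_limit=5, window_s=1.0):
    """Run the same rules as an IDS ("detect": alert only, deliver everything) or as
    an IPS ("prevent": alert and drop). Returns (delivered_events, alerts).
    The rate rule fires once a single source exceeds `rate_limit` requests in `window_s`."""
    if mode not in ("detect", "prevent"):
        raise ValueError("mode must be 'detect' or 'prevent'")
    recent = defaultdict(deque)             # per-source timestamps inside the sliding window
    delivered, alerts = [], []
    for t, src, path in events:
        reasons = [name for name, needle in SIGNATURES.items() if needle in path]
        window = recent[src]
        window.append(t)
        while window and t - window[0] > window_s:
            window.popleft()
        if len(window) > rate_limit:
            reasons.append("rate-limit")
        if reasons:
            alerts.append((t, src, reasons))
            if mode == "prevent":
                continue                    # the IPS difference: the request never reaches the server
        delivered.append((t, src, path))
    return delivered, alerts


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        delivered, alerts = inspect(EVENTS, mode)
        print(f"{mode}: {len(delivered)} delivered, {len(alerts)} alerts")
```

With the constructed log, both modes raise the same four alerts (three over-rate requests from one source plus the traversal attempt), but detect mode delivers all ten requests while prevent mode delivers six. That gap is the cost of an IDS-only deployment: the analyst learns about the problem after the traffic has already hit the server.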
So, there are many advanced security services for many organizations that become available thanks to their cloud move. Thus, the cloud in all actuality really does serve to improve their overall security posture. And boy, I don’t know about you but this is just a great thing about moving to the cloud.
By the way, let’s not forget the fact, before we wrap up, that all of these clouds now have marketplaces. And so that means that the sky is the limit. I mean, there are Palo Alto security devices that you can spin up. There are Fortinet security devices that you can spin up. There’s Barracuda, I mean, you name it. Any of these security vendors that are out there are making Azure, AWS, Google Cloud Platform versions of their hardware and software, virtualized appliances, and those are available for you in the cloud. In fact, that’s one of my favorite tips to give eager students in information technology, is that one of the reasons they want to become well versed in the cloud is so that they can spin up virtualized appliances from these different vendors and they can learn those technologies so that they can implement those technologies for organizations. What a great tip that is, right? The ability to spin up evaluation copies of, let’s say, Palo Alto software so you can become expert in it, and not be charged for the learning process. And of course, these vendors are well aware that you’re doing this and they love it. Palo Alto would love for you to learn their software for free via the cloud and then go teach people how to use it because it promotes, of course, their software. Well, thank you so much for watching. That’s all I’ve got to say about this topic, I promise.