EBU6502_cloud_computing_notes/1-5-security.md


2024-12-28 17:08:24 +08:00
# Security
## Definitions (not important)
### Computer security
- CIA triangle
### Cloud security
- large scale, and complex
### Other areas
- OS
  - Updates
  - Unix access control (protect paths)
- VM
  - insecure VM
  - tampered VM
- Application layer
## Security attacks
### Types of attacks in cloud computing
- Eavesdropping
- Direct access
- Cross site attack
- Denial of service
- Upgrader attack
- Intrusion
### Common examples
- Distributed Denial of Service attack: prevent legitimate cloud users from
accessing cloud services
- SQL Injection
- Cross site scripting
- Hijacking of account or services
## Enforcing Security
### Types of mitigations
- Preventive: Before attack
- Detective: When attacked
- Corrective: After attacked
### Mitigations
#### Subscriber level
- Access Control list: Deny unauthorized access
- Secure by design
- Firewalls: Web Application Firewall
#### Service level
- CSP (Cloud Service Handler) securely handles sensitive data and its liabilities
- Rules on governing the ownership of data
- Geographical regions, where data will be stored
## Implementing Cloud security and trust policies
### Fancy words
- Audit trails: monitor the users
  - Trace changes, by using software like AIDE (file changes) and AWS CloudTrail (user and API activity)
  - Logs
- Physical security: HW, SW, db should not be physically accessible to
unauthorized persons
- Application security: Cloud service should be secure
- Identity management: use ACL and SSO to control identity
- Privacy, confidentiality and security: legal obligation
- Data integrity
- Data confidentiality
### Servlet security
#### Definition
- Address the following (CIA):
  - Confidentiality
  - Integrity
  - Authentication and authorization
#### Realm
- Definition: complete file and path, that stores authentication information in
servlet
- Usually stored in `conf`, named `tomcat-users.xml`
- Example:
```xml
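<tomcat-users>
  <!-- Roles that users can be assigned to -->
  <role rolename="Admin" />
  <role rolename="Guest" />
  <role rolename="Manager" />
  <role rolename="Student" />
  <!-- roles is a comma-separated list; the password attribute is stored as written -->
  <user username="Lu" password="mylu" roles="Guest, Student" />
  <user username="Mathew" password="matt" roles="Admin, Manager" />
</tomcat-users>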
```
#### Authentication
- Using password protection in apache servlet:
- example `login-config`:
```xml
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
```
- Possible values:
  - BASIC: plaintext is used and sent, base64 encoded, least secure
  - DIGEST: more secure, still not encrypted
  - CLIENT-CERT: secure, uses public key infrastructure (PKI), and encrypted
  - FORM: customized authentication based on vendor, opt-in encryption
- The first three use the standard browser pop-up for authentication
- FORM needs to be implemented manually
#### Confidentiality and Integrity
- Using deployment descriptor, which protects data in transit:
- example `deployment descriptor`:
```xml
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
```
- Possible values:
  - NONE: default, plain text, insecure
  - INTEGRAL: Can't be changed
  - CONFIDENTIAL: won't be seen by anyone on the net
- The last two use SSL (Secure Socket Layer) to implement it
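
A check that combines the `login-config` and `transport-guarantee` settings above, as an added example (not part of the original notes): it parses a deployment descriptor and reports every authenticated area whose transport guarantee is NONE, noting when the login method sends the password in recoverable form. The sample `web.xml` and the name `audit_web_xml` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment for this example (not from the notes).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/grades/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Student</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Methods where the password itself crosses the wire in recoverable form.
CLEARTEXT_METHODS = {"BASIC", "FORM"}


def audit_web_xml(xml_text):
    """Return (url_pattern, issue) pairs for protected areas served without SSL."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any XML namespace prefix from tag names
        el.tag = el.tag.rsplit("}", 1)[-1]
    method = (root.findtext("login-config/auth-method") or "NONE").strip().upper()
    findings = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no login required for this area
        # A missing <user-data-constraint> means the default, NONE.
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee")
                     or "NONE").strip().upper()
        if guarantee != "NONE":
            continue  # per the notes, INTEGRAL and CONFIDENTIAL both use SSL
        for pat in sc.findall("web-resource-collection/url-pattern"):
            issue = f"transport-guarantee={guarantee}"
            if method in CLEARTEXT_METHODS:
                issue += f"; {method} credentials readable on the network"
            findings.append((pat.text.strip(), issue))
    return findings


if __name__ == "__main__":
    for pattern, issue in audit_web_xml(WEB_XML):
        print(pattern, "->", issue)
```
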
## AWS Security
### Stupid fancy words:
- AWS Day One Best Practice
- AWS security and compliance programs
- AWS Shared Responsibility Model
- AWS Identity and Access Management (IAM)
- AWS Trusted Advisor
- AWS CloudTrail
- AWS Config
- AWS Shield
- AWS WAF (Web Application Firewall)
- Constant patching, updates (browsers, antiviruses, etc) and monitoring
### Responsibility
- AWS: Security of the cloud
- Customers: Security in the cloud
### IAM: Identity and Access Management
- Definition: web service that helps you securely control access to AWS resources
- Use it to control who can sign in (authentication) and who is authorized to use resources (authorization)
- AWS account root user:
  - When a user first signs in to AWS, they have full control over every service
  - Best practice:
    - Use it to create an IAM user
    - Lock away the root user credentials
    - Use root only to perform a few account and service management tasks
### IAM MFA
- Definition: Multi factor authentication
- Adds extra security
- Forms:
  - SMS based: send a 6-digit code to the user's phone, and the user is required to type the code
#### Security and trust
- Legal bindings
- SLA
- Data sharing, and location
- Hypervisor: created by 3rd party
- Middleware: Security features
- relation:
- Security is the key to mutual trust
### Trust
#### Conditions for trust
- Risk: because there would be loss, which is important
- Interdependence: The client and provider rely on each other
#### Phases
- Build phase
- Stability phase
- Dissolution phase
## Cryptography
### Pub-key cryptography
- use key pairs, a private key and a public key, asymmetric encryption
- private key is kept safely
### Envelope encryption
- Multi layer encryption
- encrypting plaintext data with data key, then encrypting data key under
another key
- Can have multiple layers of encryption
- AWS KMS (Key management service) uses this to encrypt user data
- Use KMS to encrypt the key for other encryption, and store the encrypted
key
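
The layering described above, as an added example (not part of the original notes and not AWS KMS code): a local 32-byte master key stands in for the key KMS would hold, AES-256-GCM from the third-party `cryptography` package is assumed for both layers, and `rewrap` shows that rotating the master key re-encrypts only the wrapped data key. All function names are illustrative.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


def _seal(key: bytes, data: bytes) -> bytes:
    """AES-256-GCM encrypt; the random nonce is prepended to the output."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, data, None)


def _open(key: bytes, blob: bytes) -> bytes:
    """Reverse _seal; raises InvalidTag on a wrong key or modified data."""
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)


def envelope_encrypt(master_key: bytes, plaintext: bytes) -> dict:
    """Encrypt data under a fresh data key, then wrap that key under the master key."""
    data_key = AESGCM.generate_key(bit_length=256)
    return {
        "wrapped_key": _seal(master_key, data_key),  # stored next to the data
        "ciphertext": _seal(data_key, plaintext),
    }  # the plaintext data key is discarded, never stored


def envelope_decrypt(master_key: bytes, envelope: dict) -> bytes:
    """Unwrap the data key with the master key, then decrypt the data."""
    data_key = _open(master_key, envelope["wrapped_key"])
    return _open(data_key, envelope["ciphertext"])


def rewrap(old_master: bytes, new_master: bytes, envelope: dict) -> dict:
    """Master-key rotation: only the small wrapped key is re-encrypted."""
    data_key = _open(old_master, envelope["wrapped_key"])
    return {"wrapped_key": _seal(new_master, data_key),
            "ciphertext": envelope["ciphertext"]}


def can_decrypt(master_key: bytes, envelope: dict) -> bool:
    """True if this master key opens the envelope."""
    try:
        envelope_decrypt(master_key, envelope)
        return True
    except InvalidTag:
        return False
```
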
### AWS Security services
#### Encrypting stuff
- KMS: Key management, use HSM(Hardware Security Modules), and integrated to
CloudTrail to track key usage
- Cloud HSM: Cloud Hardware Security Module
- To generate, manage and use your own encryption keys.
- Standard compliant: Can be integrated to JCE, and CryptoNG libraries
#### Managing SSL/TLS certificates
- Certificate manager: deploy, manage and renew SSL/TLS certificates, for AWS
services or your own
- Simplify the process of managing the certificates, which is used for web
traffic
#### DDoS attacks
- AWS Shield to mitigate against it