From 92235588b8be6d4e23ba3996f79670aa65bfb578 Mon Sep 17 00:00:00 2001 From: Ryan Date: Sat, 28 Dec 2024 17:08:24 +0800 Subject: [PATCH] 1-5 took 1hr --- 1-5-security.md | 239 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 239 insertions(+) create mode 100644 1-5-security.md diff --git a/1-5-security.md b/1-5-security.md new file mode 100644 index 0000000..7f7faf8 --- /dev/null +++ b/1-5-security.md @@ -0,0 +1,239 @@ +# Security + +## Definitions (not important) + +### Computer security + +- CIA triangle + +### Cloud secirity + +- large scale, and complex + +### Other areas + +- OS + - Updates + - Unix access control (protect paths) +- VM + - insecure VM + - tampered VM +- Application layer + +## Security attacks + +### Types of attacks in cloud computing + +- Eavesdropping +- Direct access +- Cross site attack +- Denial of service +- Upgrader attack +- Intrusion + +### Common examples + +- Distributed Denial of Service attack: prevent legitimate cloud users from + accessing cloud services +- SQL Injection +- Cross site scripting +- Hijacking of account or services + +## Enforcing Security + +### Types of mitigations + +- Preventive: Before attack +- Detective: When attacked +- Corrective: After attacked + +### Mitigations + +#### Subscriber level + +- Access Control list: Deny unauthorized access +- Secure by design +- Firewalls: Web Application Firewall + +#### Service level + +- CSP (Cloud Service Handler) securely handle sensitive data and its Liabilities +- Rules on governing the ownership of data +- Geographical regions, where data will be stored + +## Implementing Cloud security and trust policies + +### Fancy words + +- Audit trails: monitor the users + - Trace changes, by using software like AIDE(File changes) and AWS + CloudTrail(User and API activity) + - Logs +- Physical security: HW, SW, db should not be physically accessible to + unauthorized persons +- Application security: Cloud service should be secure +- Identity management: use ACL and SSO to control identity +- Privacy, confidentiality and security: legal obligation +- Data integrity +- Data confidentiality + +### Servlet security + +#### Definition + +- Address the following(CIA) + - Confidentiality + - Integrity + - Authentication and authorization + +#### Realm + +- Definition: complete file and path, that stores authentication information in + servlet +- Usually stored in `conf`, named `tomcat-users.xml` +- Example: + ```xml + + + + + + + + + ``` + +#### Authentication + +- Using password protection in apache servlet: +- example `login-config`: + ```xml + + BASIC + + ``` +- possible values: + - BASIC: plaintext is used and sent, base64 encoded, least secure + - DIGEST: more secure, still not encrypted + - CLIENT-CERT: secure, use public key infrastructures(PKI), and encrypted + - FORM: customized authentication based on vendor, opt in encryption +- The first three use standard browser pop up for authentication +- FORM need to be implemented manually + +#### Confidentiality and Integrity + +- Using deployment descriptor, which protects data in transit: +- example `deployment descriptor`: + ```xml + + CONFIDENTIAL>/transport- + guarantee> + + ``` +- Possible values: + - NON: default, plain text, insecure + - INTEGRAL: Can't be changed + - CONFIDENTIAL: won't be seen by anyone on the net +- The last two use SSL(Secure Socket Layer) to implement it + +## AWS Security + +### Stupid fancy words: + +- AWS Day One Best Practice +- AWS security and compliance programs +- AWS Shared Responsibility Model +- AWS Identity and Access Management (IAM) +- AWS Trusted Advisor +- AWS CloudTrail +- AWS Config +- AWS Shield +- AWS WAF (Web Application Firewall) +- Constant patching, updates (browsers, antiviruses, etc) and monitoring + +### Responsibility + +- AWS: Security of the cloud +- Customers: Security in the cloud + +### IAM: Identity and Access Management + +- Definition: web service that helps you securely control access to AWS + resources +- Use it to control who can sign in(authentication) and is authorized to use + stuff +- AWS account root user: + - When user first sign in to AWS, they have full control over every service + - Best practice: + - Use it to create IAM user + - Lock away the root user credentials + - Use root only to perform few account and service management services + +### IAM MFA + +- Definition: Multi factor authentication +- Adds extra security +- Forms: + - SMS based: send a 6 digit code to user's phone, and user is required to + type the code + +#### Security and trust + +- Legal bindings + - SLA + - Data sharing, and location +- Hypervisor: created by 3rd party +- Middleware: Security features +- relation: + - Security is the key to mutual trust + +### Trust + +#### Conditions for trust + +- Risk: because there would be loss, which is important +- Interdependence: The client and provider rely on each other + +#### Phases + +- Build phase +- Stability phase +- Dissolution phase + +## Cryptography + +### Pub-key cryptography + +- use key pairs, a private key and a public key, asymmetric encryption +- private key is kept safely + +### Envelope encryption + +- Multi layer encryption +- encrypting plaintext data with data key, then encrypting data key under + another key +- Can have multiple layers of encryption +- AWS KMS (Key management service) uses this to encrypt user data + - Use KMS to encrypt the key for other encryption, and store the encrypted + key + +### AWS Security services + +#### Encrypting stuff + +- KMS: Key management, use HSM(Hardware Security Modules), and integrated to + CloudTrail to track key usage +- Cloud HSM: Cloud Hardware Security Module + - To generate, manage and use your own encryption keys. + - Standard compiant: Can be integrated to JCE, and CryptoNG libraries + +#### Managing SSL/TLS certificates + +- Certificate manager: deploy, manage and renew SSL/TLS certificates, for AWS + services or your own + - Simplify the process of managing the certificates, which is used for web + traffic + +#### DDoS attacks + +- AWS Shield to mitigate against it