1-5 took 1hr
parent 83b4fa9529
commit 92235588b8
239
1-5-security.md
Normal file
@ -0,0 +1,239 @@
# Security
## Definitions (not important)
### Computer security
- CIA triangle
### Cloud secirity
- large scale, and complex
### Other areas
- OS
- Updates
- Unix access control (protect paths)
- VM
- insecure VM
- tampered VM
- Application layer
## Security attacks
### Types of attacks in cloud computing
- Eavesdropping
- Direct access
- Cross site attack
- Denial of service
- Upgrader attack
- Intrusion
### Common examples
- Distributed Denial of Service attack: prevent legitimate cloud users from
accessing cloud services
- SQL Injection
- Cross site scripting
- Hijacking of account or services
## Enforcing Security
### Types of mitigations
- Preventive: Before attack
- Detective: When attacked
- Corrective: After attacked
### Mitigations
#### Subscriber level
- Access Control list: Deny unauthorized access
- Secure by design
- Firewalls: Web Application Firewall
#### Service level
- CSP (Cloud Service Handler) securely handle sensitive data and its Liabilities
- Rules on governing the ownership of data
- Geographical regions, where data will be stored
## Implementing Cloud security and trust policies
### Fancy words
- Audit trails: monitor the users
- Trace changes, by using software like AIDE(File changes) and AWS
CloudTrail(User and API activity)
- Logs
- Physical security: HW, SW, db should not be physically accessible to
unauthorized persons
- Application security: Cloud service should be secure
- Identity management: use ACL and SSO to control identity
- Privacy, confidentiality and security: legal obligation
- Data integrity
- Data confidentiality
### Servlet security
#### Definition
- Address the following(CIA)
- Confidentiality
- Integrity
- Authentication and authorization
#### Realm
- Definition: complete file and path, that stores authentication information in
servlet
- Usually stored in `conf`, named `tomcat-users.xml`
- Example:
```xml
<tomcat-users>
<role rolename=“Admin” />
<role rolename=“Guest” />
<role rolename=“Manager” />
<role rolename=“Student” />
<user username=“Lu” password=“mylu” roles=“Guest, Student” />
<user username=“Mathew” password=“matt” roles=“Admin, Manager” />
</tomcat-users>
```
#### Authentication
- Using password protection in apache servlet:
- example `login-config`:
```xml
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
```
- possible values:
- BASIC: plaintext is used and sent, base64 encoded, least secure
- DIGEST: more secure, still not encrypted
- CLIENT-CERT: secure, use public key infrastructures(PKI), and encrypted
- FORM: customized authentication based on vendor, opt in encryption
- The first three use standard browser pop up for authentication
- FORM need to be implemented manually
#### Confidentiality and Integrity
- Using deployment descriptor, which protects data in transit:
- example `deployment descriptor`:
```xml
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL>/transport-
guarantee>
</user-data-constraint>
```
- Possible values:
- NON: default, plain text, insecure
- INTEGRAL: Can't be changed
- CONFIDENTIAL: won't be seen by anyone on the net
- The last two use SSL(Secure Socket Layer) to implement it
## AWS Security
### Stupid fancy words:
- AWS Day One Best Practice
- AWS security and compliance programs
- AWS Shared Responsibility Model
- AWS Identity and Access Management (IAM)
- AWS Trusted Advisor
- AWS CloudTrail
- AWS Config
- AWS Shield
- AWS WAF (Web Application Firewall)
- Constant patching, updates (browsers, antiviruses, etc) and monitoring
### Responsibility
- AWS: Security of the cloud
- Customers: Security in the cloud
### IAM: Identity and Access Management
- Definition: web service that helps you securely control access to AWS
resources
- Use it to control who can sign in(authentication) and is authorized to use
stuff
- AWS account root user:
- When user first sign in to AWS, they have full control over every service
- Best practice:
- Use it to create IAM user
- Lock away the root user credentials
- Use root only to perform few account and service management services
### IAM MFA
- Definition: Multi factor authentication
- Adds extra security
- Forms:
- SMS based: send a 6 digit code to user's phone, and user is required to
type the code
#### Security and trust
- Legal bindings
- SLA
- Data sharing, and location
- Hypervisor: created by 3rd party
- Middleware: Security features
- relation:
- Security is the key to mutual trust
### Trust
#### Conditions for trust
- Risk: because there would be loss, which is important
- Interdependence: The client and provider rely on each other
#### Phases
- Build phase
- Stability phase
- Dissolution phase
## Cryptography
### Pub-key cryptography
- use key pairs, a private key and a public key, asymmetric encryption
- private key is kept safely
### Envelope encryption
- Multi layer encryption
- encrypting plaintext data with data key, then encrypting data key under
another key
- Can have multiple layers of encryption
- AWS KMS (Key management service) uses this to encrypt user data
- Use KMS to encrypt the key for other encryption, and store the encrypted
key
### AWS Security services
#### Encrypting stuff
- KMS: Key management, use HSM(Hardware Security Modules), and integrated to
CloudTrail to track key usage
- Cloud HSM: Cloud Hardware Security Module
- To generate, manage and use your own encryption keys.
- Standard compiant: Can be integrated to JCE, and CryptoNG libraries
#### Managing SSL/TLS certificates
- Certificate manager: deploy, manage and renew SSL/TLS certificates, for AWS
services or your own
- Simplify the process of managing the certificates, which is used for web
traffic
#### DDoS attacks
- AWS Shield to mitigate against it
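Review bot: The deployment descriptor example under "Confidentiality and Integrity" is not well-formed XML: `<transport-guarantee>CONFIDENTIAL>/transport-` followed by `guarantee>` has a stray `>` where `</` should be and is split mid-tag across two lines, so it should read `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` on one line. The value list right below it spells the default as NON; the descriptor value is NONE. The `tomcat-users.xml` example under "Realm" has a related paste problem: every attribute uses typographic quotes (`rolename=“Admin”`) instead of straight `"`, so the file will not parse if copied into `conf`, and the `password=` attributes are cleartext, which deserves a bullet next to the BASIC/DIGEST notes. Smaller fixes in the same file: "Cloud secirity" and "compiant" are typos, CSP is expanded as "Cloud Service Handler" where Cloud Service Provider is meant, and the Servlet security definition is labelled CIA but lists "Authentication and authorization" as its third item.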