# Security

## Definitions (not important)

### Computer security

- CIA triangle

### Cloud secirity

- large scale, and complex

### Other areas

- OS
    - Updates
    - Unix access control (protect paths)
- VM
    - insecure VM
    - tampered VM
- Application layer

## Security attacks

### Types of attacks in cloud computing

- Eavesdropping
- Direct access
- Cross site attack
- Denial of service
- Upgrader attack
- Intrusion

### Common examples

- Distributed Denial of Service attack: prevent legitimate cloud users from
  accessing cloud services
- SQL Injection
- Cross site scripting
- Hijacking of account or services

## Enforcing Security

### Types of mitigations

- Preventive: Before attack
- Detective: When attacked
- Corrective: After attacked

### Mitigations

#### Subscriber level

- Access Control list: Deny unauthorized access
- Secure by design
- Firewalls: Web Application Firewall

#### Service level

- CSP (Cloud Service Handler) securely handle sensitive data and its Liabilities
- Rules on governing the ownership of data
- Geographical regions, where data will be stored

## Implementing Cloud security and trust policies

### Fancy words

- Audit trails: monitor the users
    - Trace changes, by using software like AIDE(File changes) and AWS
      CloudTrail(User and API activity)
    - Logs
- Physical security: HW, SW, db should not be physically accessible to
  unauthorized persons
- Application security: Cloud service should be secure
- Identity management: use ACL and SSO to control identity
- Privacy, confidentiality and security: legal obligation
- Data integrity
- Data confidentiality

### Servlet security

#### Definition

- Address the following(CIA)
    - Confidentiality
    - Integrity
    - Authentication and authorization

#### Realm

- Definition: complete file and path, that stores authentication information in
  servlet
- Usually stored in `conf`, named `tomcat-users.xml`
- Example:
    ```xml
      <tomcat-users>
      <role rolename=“Admin” />
      <role rolename=“Guest” />
      <role rolename=“Manager” />
      <role rolename=“Student” />
      <user username=“Lu” password=“mylu” roles=“Guest, Student” />
      <user username=“Mathew” password=“matt” roles=“Admin, Manager” />
      </tomcat-users>
    ```

#### Authentication

- Using password protection in apache servlet:
- example `login-config`:
    ```xml
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    ```
- possible values:
    - BASIC: plaintext is used and sent, base64 encoded, least secure
    - DIGEST: more secure, still not encrypted
    - CLIENT-CERT: secure, use public key infrastructures(PKI), and encrypted
    - FORM: customized authentication based on vendor, opt in encryption
- The first three use standard browser pop up for authentication
- FORM need to be implemented manually

#### Confidentiality and Integrity

- Using deployment descriptor, which protects data in transit:
- example `deployment descriptor`:
    ```xml
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL>/transport-
        guarantee>
    </user-data-constraint>
    ```
- Possible values:
    - NON: default, plain text, insecure
    - INTEGRAL: Can't be changed
    - CONFIDENTIAL: won't be seen by anyone on the net
- The last two use SSL(Secure Socket Layer) to implement it

## AWS Security

### Stupid fancy words:

- AWS Day One Best Practice
- AWS security and compliance programs
- AWS Shared Responsibility Model
- AWS Identity and Access Management (IAM)
- AWS Trusted Advisor
- AWS CloudTrail
- AWS Config
- AWS Shield
- AWS WAF (Web Application Firewall)
- Constant patching, updates (browsers, antiviruses, etc) and monitoring

### Responsibility

- AWS: Security of the cloud
- Customers: Security in the cloud

### IAM: Identity and Access Management

- Definition: web service that helps you securely control access to AWS
  resources
- Use it to control who can sign in(authentication) and is authorized to use
  stuff
- AWS account root user:
    - When user first sign in to AWS, they have full control over every service
    - Best practice:
        - Use it to create IAM user
        - Lock away the root user credentials
        - Use root only to perform few account and service management services

### IAM MFA

- Definition: Multi factor authentication
- Adds extra security
- Forms:
    - SMS based: send a 6 digit code to user's phone, and user is required to
      type the code

#### Security and trust

- Legal bindings
    - SLA
    - Data sharing, and location
- Hypervisor: created by 3rd party
- Middleware: Security features
- relation:
    - Security is the key to mutual trust

### Trust

#### Conditions for trust

- Risk: because there would be loss, which is important
- Interdependence: The client and provider rely on each other

#### Phases

- Build phase
- Stability phase
- Dissolution phase

## Cryptography

### Pub-key cryptography

- use key pairs, a private key and a public key, asymmetric encryption
- private key is kept safely

### Envelope encryption

- Multi layer encryption
- encrypting plaintext data with data key, then encrypting data key under
  another key
- Can have multiple layers of encryption
- AWS KMS (Key management service) uses this to encrypt user data
    - Use KMS to encrypt the key for other encryption, and store the encrypted
      key

### AWS Security services

#### Encrypting stuff

- KMS: Key management, use HSM(Hardware Security Modules), and integrated to
  CloudTrail to track key usage
- Cloud HSM: Cloud Hardware Security Module
    - To generate, manage and use your own encryption keys.
    - Standard compiant: Can be integrated to JCE, and CryptoNG libraries

#### Managing SSL/TLS certificates

- Certificate manager: deploy, manage and renew SSL/TLS certificates, for AWS
  services or your own
    - Simplify the process of managing the certificates, which is used for web
      traffic

#### DDoS attacks

- AWS Shield to mitigate against it