1
00:00:00,000 --> 00:00:01,680
These days, cloud computing seems

2
00:00:01,680 --> 00:00:03,810
to be the big trend within our industry.

3
00:00:03,810 --> 00:00:05,790
With the promise of increased availability,

4
00:00:05,790 --> 00:00:08,520
higher resiliency, and unlimited elasticity,

5
00:00:08,520 --> 00:00:10,800
the cloud definitely can provide our organizations

6
00:00:10,800 --> 00:00:11,970
with a lot of advantages

7
00:00:11,970 --> 00:00:14,040
over traditional network architectures.

8
00:00:14,040 --> 00:00:16,590
But cloud computing can also bring numerous

9
00:00:16,590 --> 00:00:19,140
unique security challenges into our environments

10
00:00:19,140 --> 00:00:20,640
that we must be aware of.

11
00:00:20,640 --> 00:00:22,890
To better understand these, we first have to look at

12
00:00:22,890 --> 00:00:24,480
the different types of cloud solutions

13
00:00:24,480 --> 00:00:26,010
and architectures that are currently

14
00:00:26,010 --> 00:00:27,780
available in the environments.

15
00:00:27,780 --> 00:00:30,630
There are six types of cloud deployment models available,

16
00:00:30,630 --> 00:00:34,650
public, private, hybrid, community, multi-tenancy,

17
00:00:34,650 --> 00:00:36,150
and single tenancy.

18
00:00:36,150 --> 00:00:38,160
The most common type of cloud architecture

19
00:00:38,160 --> 00:00:39,540
is the public cloud.

20
00:00:39,540 --> 00:00:42,090
Under this model, a service provider makes resources

21
00:00:42,090 --> 00:00:44,430
available to end users over the internet.

22
00:00:44,430 --> 00:00:47,010
There are numerous public cloud solutions available today,

23
00:00:47,010 --> 00:00:50,190
including those from Google, Microsoft, and Amazon.

24
00:00:50,190 --> 00:00:53,160
For example, Google Drive is a public cloud service

25
00:00:53,160 --> 00:00:56,580
that's offered both free and on a pay per use model.

26
00:00:56,580 --> 00:00:59,070
Now, public clouds can often be an inexpensive way

27
00:00:59,070 --> 00:01:01,500
for an organization to gain a required service

28
00:01:01,500 --> 00:01:03,600
both quickly and efficiently.

29
00:01:03,600 --> 00:01:05,580
The second option is a private cloud.

30
00:01:05,580 --> 00:01:07,950
This service requires that a company creates its own cloud

31
00:01:07,950 --> 00:01:09,810
environment that only it can utilize

32
00:01:09,810 --> 00:01:12,000
as an internal enterprise resource.

33
00:01:12,000 --> 00:01:14,460
With a private cloud, the organization's responsible

34
00:01:14,460 --> 00:01:16,200
for the design, implementation,

35
00:01:16,200 --> 00:01:18,030
and operation of the cloud resources

36
00:01:18,030 --> 00:01:19,590
and servers that host them.

37
00:01:19,590 --> 00:01:22,290
For example, the United States government runs its own

38
00:01:22,290 --> 00:01:24,330
private cloud known as GovCloud,

39
00:01:24,330 --> 00:01:26,070
and this is used by different organizations

40
00:01:26,070 --> 00:01:29,400
within the government, but your company and my company

41
00:01:29,400 --> 00:01:31,560
can't get access to it and use it like we would

42
00:01:31,560 --> 00:01:34,560
with Google Drive or AWS or Azure.

43
00:01:34,560 --> 00:01:36,660
Generally, a private cloud is going to be chosen

44
00:01:36,660 --> 00:01:39,210
when security is more important to your organization

45
00:01:39,210 --> 00:01:41,160
than having a lower cost.

46
00:01:41,160 --> 00:01:43,410
A hybrid cloud solution can combine the benefits

47
00:01:43,410 --> 00:01:46,020
of both public and private cloud options.

48
00:01:46,020 --> 00:01:47,400
Under this architecture,

49
00:01:47,400 --> 00:01:49,140
some resources are going to be developed

50
00:01:49,140 --> 00:01:51,240
and operated by the organization itself,

51
00:01:51,240 --> 00:01:53,220
much like a private cloud would be,

52
00:01:53,220 --> 00:01:55,920
but the organization can also utilize some publicly

53
00:01:55,920 --> 00:01:58,350
available resources or outsource services

54
00:01:58,350 --> 00:02:01,380
to another service provider, like the public cloud does.

55
00:02:01,380 --> 00:02:03,150
Because of the mixture of public and private

56
00:02:03,150 --> 00:02:05,820
cloud resources, strict rules should be applied

57
00:02:05,820 --> 00:02:07,500
for whatever type of data is being hosted

58
00:02:07,500 --> 00:02:09,600
in each portion of the hybrid cloud.

59
00:02:09,600 --> 00:02:12,720
For example, any confidential information should be hosted

60
00:02:12,720 --> 00:02:15,180
in the organization's private cloud portion.

61
00:02:15,180 --> 00:02:17,610
The fourth option is a community cloud.

62
00:02:17,610 --> 00:02:20,160
Under this model, the resources and costs are shared

63
00:02:20,160 --> 00:02:22,050
among several different organizations

64
00:02:22,050 --> 00:02:24,060
who all have a common service need.

65
00:02:24,060 --> 00:02:26,370
This is similar to taking several private clouds

66
00:02:26,370 --> 00:02:29,070
and connecting them all together to lower the cost.

67
00:02:29,070 --> 00:02:31,410
The security challenges here is going to be that each

68
00:02:31,410 --> 00:02:34,170
organization may have their own security controls,

69
00:02:34,170 --> 00:02:35,490
and we have to mitigate that

70
00:02:35,490 --> 00:02:37,410
as we combine these things together.

71
00:02:37,410 --> 00:02:40,260
Remember, if you connect your network to another network,

72
00:02:40,260 --> 00:02:42,930
you're inheriting their security risks as well.

73
00:02:42,930 --> 00:02:44,700
This doesn't change just because we moved into

74
00:02:44,700 --> 00:02:46,080
the cloud environment.

75
00:02:46,080 --> 00:02:48,510
Now, in addition to the four cloud deployment models,

76
00:02:48,510 --> 00:02:50,520
we also have to look at the other two models

77
00:02:50,520 --> 00:02:51,780
that you need to be aware of.

78
00:02:51,780 --> 00:02:54,420
This is multi-tenancy and single tenancy.

79
00:02:54,420 --> 00:02:56,880
The first one here is multi-tenancy model.

80
00:02:56,880 --> 00:02:59,190
Under this model, the same resources are used

81
00:02:59,190 --> 00:03:00,870
by multiple organizations.

82
00:03:00,870 --> 00:03:03,060
This allows for a large gain in efficiency

83
00:03:03,060 --> 00:03:05,880
because most organizations don't use all the capacity

84
00:03:05,880 --> 00:03:08,040
of a single server or set of servers,

85
00:03:08,040 --> 00:03:10,590
but when two or more organizations are sharing the same

86
00:03:10,590 --> 00:03:12,300
physical resource, you're going to have

87
00:03:12,300 --> 00:03:13,980
some security concerns here.

88
00:03:13,980 --> 00:03:17,010
For example, if your website is hosted on shared server

89
00:03:17,010 --> 00:03:19,530
with 20 other customers, and one of those customers

90
00:03:19,530 --> 00:03:21,570
is the victim of a denial of service attack,

91
00:03:21,570 --> 00:03:24,570
that entire server will be undergoing that same attack,

92
00:03:24,570 --> 00:03:26,820
and this can also make your stuff go offline

93
00:03:26,820 --> 00:03:28,740
as collateral damage during the denial

94
00:03:28,740 --> 00:03:30,990
of service against that other server.

95
00:03:30,990 --> 00:03:32,520
Now, this is just one of the dangers

96
00:03:32,520 --> 00:03:35,280
and risks assumed under a multi-tenancy model.

97
00:03:35,280 --> 00:03:37,920
To combat the risk assumed under a multi-tenancy model,

98
00:03:37,920 --> 00:03:41,340
there's also a single user model known as single tenancy.

99
00:03:41,340 --> 00:03:44,340
Now, under this model, a single organization is assigned

100
00:03:44,340 --> 00:03:46,110
to a particular resource.

101
00:03:46,110 --> 00:03:48,150
Because of this, single tenancy solutions

102
00:03:48,150 --> 00:03:50,850
tend to be less efficient than multi-tenancy solutions,

103
00:03:50,850 --> 00:03:52,770
and they're also more expensive

104
00:03:52,770 --> 00:03:55,140
because it requires more hardware to run it properly.

105
00:03:55,140 --> 00:03:56,850
So which of these six models

106
00:03:56,850 --> 00:03:59,070
or combination of these models is going to be right

107
00:03:59,070 --> 00:04:00,480
for your organization?

108
00:04:00,480 --> 00:04:02,940
Well, that really depends upon your security needs

109
00:04:02,940 --> 00:04:05,670
and your cost restrictions and your risk tolerance.

110
00:04:05,670 --> 00:04:08,670
It is going to be cheapest for you to use a multi-tenancy model

111
00:04:08,670 --> 00:04:11,250
with the public cloud model being combined together,

112
00:04:11,250 --> 00:04:13,200
but this also increases the risk

113
00:04:13,200 --> 00:04:16,290
to your information's confidentiality and availability.

114
00:04:16,290 --> 00:04:18,839
As with many things we consider as security practitioners,

115
00:04:18,839 --> 00:04:20,820
there is no single right answer here.

116
00:04:20,820 --> 00:04:23,190
Instead, it's our job to weigh the benefits

117
00:04:23,190 --> 00:04:25,260
and the drawbacks of each of these models

118
00:04:25,260 --> 00:04:27,180
and then decide which is the right one

119
00:04:27,180 --> 00:04:30,153
based upon our organization's specific needs and concerns.