CompTIA CASP+ CAS-004 – Chapter 05 – Implementing Security for Cloud and Virtualization Technologies Part 2
- Security Considerations
All right, so there are security considerations. We’ve already alluded to some of them. When you’re moving resources from an on-premises environment into a hosted environment, we’ve got some issues, because on prem these resources are deployed in our data center, on our network, while in a hosted environment they’re managed by a third party and deployed on their resources. So there are bound to be security implications of those two models, in addition to the single-tenant versus multitenant question. So let’s talk about those first.
Multitenancy can lead to potential issues. The cloud could allow one tenant, or an attacker, to see another tenant’s data. We could have residual data from old tenants exposed in storage because it was not wiped clean before being reallocated. The mechanisms for authentication and authorization may be improper: not effectively authenticating people, permissions not set up and working the correct way. Users could lose access due to inadequate redundancy and fault-tolerance measures. With any of these, there are always implications.
Okay, but we have come a long way with the cloud. I guess that’s why I’m pausing, because, yes, these are all potential issues and historically they’ve been potential issues. But I do think there’s a big difference between you using Microsoft and you using Bob’s cloud storage. And I don’t say that because I have anything against Bob, but you get what I’m saying. When we start going to the lower players, then we have to be a little bit more careful.
We need to make sure that these people know what they’re doing. We need to make sure that our resources are available. At this point with Google, IBM, AWS, Microsoft, we don’t really have to worry about that. I’ll just use Microsoft as an example because it’s the one I have the most familiarity with. Microsoft has data centers around the world. Microsoft has ten regions in the US alone, not even including the rest of the world. When you have machines you can set up, I mean, you have to pay for it, but if you’re paying for high availability, then you have replication outside of your regional data center automatically, with automatic failover. I mean, the likelihood that these resources would be unavailable at this point is extremely minimal with the big players because of all the availability that’s built into them. Okay, early on they maybe had some problems. I noticed many years ago Office 365 had some issues here and there, but they have really perfected this and those things have kind of gone by the wayside. So you may have individual services or some function that’s not available for a period of time, but if you use the big players, then you’re not going to lose access to your resources. But if you use the small ones to save a buck, then this is definitely something you need to look into.
Right? What do they have in the area of agreements to ensure that this won’t happen? How can they assure you that shared ownership of data with the customer is not going to be a problem? Does the agreement limit the legal liability of the provider? How are they going to assure you that they’re not going to use the data improperly, for example by data mining it? And then you also need to think about data jurisdiction. Where does the data actually reside? In what country? Are there certain laws that affect it based on its location, et cetera?
So in a lot of cases, the customer is depending on the provider to prevent these issues. And that’s why any agreement that an organization enters into with the provider should address each of these concerns very clearly. That’s not going to be an issue with the big players; in other words, they will have agreements that address all of these. You have to go looking for them, but they will be part of your subscription and readily available to you. And we really should be doing some environmental reconnaissance testing: we want to test for all these different improper access issues, and any issues that are identified you should immediately address with the vendor.
- Cloud Service Models
Earlier we were saying that there were a lot of different cloud options and then we just went on to describe basically public, private, hybrid and community. And really that wasn’t that many. Most of us will use the public or we have some form of hybrid cloud. So why is that confusing? Well, it’s actually the cloud service model that ultimately determines exactly what the provider is responsible for and what the customer controls. And this is where you can have a lot of variance.
Okay, so there is a tradeoff to consider as to what architecture you’re going to use. Right? A private solution gives us the most control over the safety of the data, but requires people who know what they’re doing to deploy, manage and secure the solution. The public solution puts your data safety in the hands of a third party, but they’re typically more capable, more knowledgeable about protecting the environment. In the public solution there are cloud service models; in a private solution this distinction doesn’t really exist, because we own the resources. But in the public cloud model we have these different delivery options or service models. There are more than this, but these are the primary three that have always existed. So the first one is Software as a Service, or SaaS. In this case, the vendor is providing the entire solution. The vendor is providing the operating system, they’re providing the software, they’re providing the applications, they might provide email, and they’re going to host and manage everything for your company. The key behind Software as a Service is you are subscribing to whatever collection of software is made available by the vendor.
And the other key part about that is that you don’t have any access to the underlying machines. Okay, and we’ll see this with Office 365. Office 365, probably one of the most, if not the most popular Software as a Service offerings out there today, is a collection of utilities, including Exchange email hosted in Exchange Online. Well, if you know anything about on-prem email, you know that there are mailboxes that are stored in databases. Those databases are hosted on servers. Those databases have log files and physical disk space that’s being consumed, and other things like virtual directories on the server and certificates, et cetera. Essentially, I’ll just say it like this: anything that has anything to do with the actual server, you don’t see as a SaaS customer. I don’t see the servers.
I don’t have to choose a database, I just create a mailbox. I just assign a license and it creates a mailbox for that person, and I give them an email address and a username and a password and we’re off and running. And I can set a bunch of other attributes because they’re a part of the software; they don’t have anything to do with the underlying infrastructure. So when you use Software as a Service, it completely frees the customer company from doing any sort of updates or any sort of maintenance on the applications, and it completely frees them from having to worry about disaster recovery and high availability; those elements are part of the software you are subscribing to. So the primary thing to remember about Software as a Service is it gives the customer as little control as there can possibly be.
They have no control over the infrastructure, the virtual machines, the operating systems or the applications; they’re simply subscribing to what’s there. But that’s actually nice, because having no control alleviates a lot of burden from the customer. The next one in the list, and I really should reorder these, so I’m going to go down to Platform as a Service, PaaS. With PaaS, the vendor is providing the hardware platform and the software running on that platform, and that software includes the operating systems and infrastructure software. So at this point the company is still involved in managing the system, but they’re really only responsible for the data and the application layer. Web applications and SQL database instances are your best examples of Platform as a Service. We will see examples of all of this in Azure.
But what you have is you essentially saying, okay, I need a SQL instance. I want to host it in the cloud. I don’t want to actually install the operating system, install SQL, create a database, et cetera. I just want to fire up a cloud-based instance of SQL. And Microsoft gives you that option, okay, and other providers will as well. And that is Platform as a Service. You’re picking a particular platform, you are creating it, you’re getting it provisioned for you, and then all you have to worry about is data. And so you just dump the data in. And a lot of very popular web applications would be the same way. They’d be offered as Platform as a Service.
So you have more control than with Software as a Service, because you actually control the application and the data you’re pushing to that platform, but you still don’t have complete control. Infrastructure as a Service, as a cloud service model, is going to give you the most control that there is. In this case, the vendor is just providing the hardware platform of the data center. That’s it. They’re providing the underlying resources. Remember we said in cloud technologies, if it’s a public cloud, they manage the compute, the network and the storage resources. And as a customer, I would never see those; I’m never going to have anything to do with those physical resources. With Infrastructure as a Service, that’s all that I can’t manage. That’s it. I will create my own virtual machines, I will install operating systems in those virtual machines.
If I need an application, I’ll install an application. If I need a network, I’ll install a network, a virtual network, that is. So the vendor is simply providing access to their data center and then maintaining that access. So if I wanted to move a particular web application to the cloud, I would probably use Platform as a service. If I want to host all my web servers with a third party that provides everything, I’m probably going to use infrastructure as a service. What if I want to offload my VPN servers? Well, I can host VPN servers in the cloud and have a VPN gateway that connects back to the local network for the purposes of maybe remote desktopping into their machine or something like that.
All right, so it depends on what you’re doing. And so I guess a rule of thumb is if you’re actually creating virtual machines, then you have Infrastructure as a Service. If you’re just worried about data in a particular program, then it’s Platform as a Service. And if you’re just latching into software that already exists and you have very little control, then it’s going to be Software as a Service. So, as I said, those variances can be a little bit confusing. And there are others that aren’t on this list: Storage as a Service, and we’ll talk about another one, Security as a Service, and Identity as a Service. We’ll deal with a number of these. The cloud is ever expanding. But these are your main three cloud service models that exist in the public cloud offerings.
- Demo – Examining Cloud Service Models
In this demonstration, we’re going to just look at the different cloud service models that we’ve talked about. I’m going to use Microsoft Azure and then Office 365 just because I have subscriptions to those. So the thing about cloud services, of course, is that you do have to have subscriptions. You do have to pay. Yes, you can get trial subscriptions, but really, to see anything of worth here for demonstration purposes, we have to have some sort of a subscription. So I’m actually logged into a legit subscription in Azure. We can go to the dashboard that I have and it will refresh and show me basically the different items that we’ve paid for. Okay, so if I go here and select See more on All resources, then I’m going to get a page of resources. This is actually a customer that is using Infrastructure as a Service and Platform as a Service.
Okay. Now what it’s going to do is show me just a big list of resources. I can also go based on Resource Group, but I think they’re all in the same place. So let’s sort by type here, because within this type I’ve got one Virtual Machine, which is a web server. Okay. I’ve got a SQL Database, which is technically, I’m sorry, we do have a SQL Server as well. Never mind. Okay, so I have a virtual machine, I do have an instance of a SQL Server and a SQL Database, and then you just have various IP addresses and networks that go along with that. And this is just showing all of those. I can say I just want to see the virtual machines, if I’d like. I can just select that one. I guess I have to deselect everything, but I can just see certain objects if I’d like. All right. But I used this one because it has both platform (the SQL Server) and infrastructure (the virtual machines and virtual networks).
And for a while there I had a gateway; I still have a virtual network gateway, which is like a network device that’s also still Infrastructure as a Service, where I’ve created a site-to-site VPN between Microsoft Azure and the client site. Okay. But as I said in here, since Azure does both Platform as a Service and Infrastructure as a Service, it’s not as if you get the distinction when you’re going in to create resources. It just kind of depends on what you’re trying to do. So if I’m trying to create a new Windows Server 2016 VM, well, that’s Infrastructure as a Service. And so it’s going to create its own virtual network, its own resource group.
It’s going to give it an IP address. We’re going to have a virtual network Firewall that protects that virtual network. We’re going to get all of that. If I want to have multiple virtual networks and routing between them, or I want to set up a VPN back to the site, I can do all that because that’s infrastructure as a service. Remember, you manage the operating systems, the applications, and all the networking. All right. Now they still use templates. We’re still using a template. I’m basically going to have a VM with Server 2016 installed on it in about five minutes.
If I were to select this, again, this is a live customer, so they’ll start getting charged. So I’m not going to do that. But within there, we also see some other things like platforms, web apps, content delivery network, web app for containers, and so forth. And so you can kind of go through and you can decide exactly what you want. Honestly, the storage, I’m not exactly sure where this would fall in. There is Storage as a Service, and it depends on how you’re using this. Okay, so, like, for instance, Azure File Sync. Well, that would be an Infrastructure as a Service because you’re actually... actually, I take that back. That would be a Platform as a Service.
You’re setting up platform storage in the cloud that you can connect to and sync from an on-premises environment. This is also a storage account in the cloud that you can actually map drives to, assuming they have Windows 10. Or you can use Blob, Table and Queue storage as well. So as I say, it’s going to depend on exactly what you’re doing. You’ve got apps in here. Databases are probably one of the best examples of a platform because, again, you’re basically saying, just stand me up a SQL database. Well, I know there’s a server that’s in charge of that SQL database, but I don’t actually log into it. I don’t have to set it up. And so it’s a little bit different. And we go down here and they actually do have Software as a Service, and they have a few.
These are all third-party vendors, which is kind of funny because Office 365, of course, is Software as a Service, but these are a few Software as a Service offerings that are built into Azure. What was I going to go through? The other one was the Web, and they may have gotten rid of it. It used to have WordPress; let me search for that. They’ve got to still have that. WordPress would be another type of platform that you could create. Okay. And so at any point, you can just kind of filter in. There are hundreds of things in here. So, yeah, if I want a WordPress site, click, I don’t have to worry about the virtual machine that’s hosting the site. I just want to stand up the site.
All right. In the case of Azure Active Directory, another platform is Azure AD Domain Services, which is sort of a cloud version of Active Directory that allows you to have machines joined to it, push out group policy, push out mobile device management and things of that nature. So anyway, those are the different options. If we go over to the Office portal, then we would see the Office 365 administration. And I’ll just point out something here; let’s get into it first, and then I just want to point out one quick thing. So once we go into the Admin Center, this is something I was trying to illustrate, and I think it’ll be easier if we see it. If you don’t know Exchange, then it’s not necessarily going to be that meaningful. But if I go down here and go to the Exchange Administrative Center, typically if you were in an on-prem environment, you would see information about databases, servers, server certificates, et cetera. It’s not there. It’s just completely missing.
It doesn’t exist because I can’t access it. When I go in here to mailboxes in an on prem environment, I would be able to create mailboxes at this location. In this scenario, as soon as it refreshes here or finally finishes loading in this scenario, I won’t be able to add mailboxes. Now, it doesn’t mean I can’t, it just means they force me to go over here and add users this way and then assign a license to them. And that is the process by which a mailbox is created. And I don’t have any ability to choose where it gets created or anything like that. This thing is still taking a while.
So my point is there’s stuff missing. You’re getting access to the software, you don’t see the VMs behind it, and you don’t have any control over them. And in this case, I don’t even have the ability to add mailboxes, only edit. Okay? So that’s the difference. And certainly these are not the only providers. You’ve got AWS, Amazon Web Services, you’ve got Google, and then you’ve got countless third-party organizations that will host your content for you. But it’s just pay as you go and whatever you need. As long as they can provide, then that’s good. But of course, as we’ve discussed and we’ll continue to discuss, we need to make sure we are addressing the security implications of utilizing the cloud.
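To tie the demo’s “sort by type” view back to the rule of thumb from the previous section (creating VMs means IaaS, a database or web app you just push data into means PaaS), here is an added example that is not part of the course and not Microsoft’s code. It takes a resource inventory in the shape of `az resource list --output json` and reports, per resource, the service model and the layers the customer still has to secure. The inventory is constructed to mirror the demo’s resource group; the type-to-model table and the responsibility lists are this example’s own summary of the shared-responsibility split described in the text, and any type it doesn’t know is reported as “review manually” rather than guessed.

```python
"""Classify an Azure resource inventory by cloud service model and list the
layers the customer is still responsible for securing.

Added example, not from the course or from Microsoft. SAMPLE_INVENTORY is
constructed to resemble the demo's resource group; the type-to-model table and
the customer-layer lists are this example's own summary of the text.
"""
from collections import Counter

# Keyed by Azure resource type; matched longest-prefix first so child types
# such as Microsoft.Sql/servers/databases inherit from Microsoft.Sql/servers.
SERVICE_MODEL_BY_TYPE = {
    "Microsoft.Compute/virtualMachines": "IaaS",
    "Microsoft.Compute/disks": "IaaS",
    "Microsoft.Network/virtualNetworks": "IaaS",
    "Microsoft.Network/networkInterfaces": "IaaS",
    "Microsoft.Network/publicIPAddresses": "IaaS",
    "Microsoft.Network/networkSecurityGroups": "IaaS",
    "Microsoft.Network/virtualNetworkGateways": "IaaS",
    "Microsoft.Sql/servers": "PaaS",
    "Microsoft.Web/sites": "PaaS",
    "Microsoft.Storage/storageAccounts": "PaaS",
}

# What the customer secures under each model; the provider handles the rest.
CUSTOMER_LAYERS = {
    "IaaS": ["guest OS patching", "middleware and runtime", "application",
             "data", "network configuration", "identity and access"],
    "PaaS": ["application code and configuration", "data",
             "identity and access"],
    "SaaS": ["data", "identity and access", "tenant and user settings"],
}


def classify(resource_type: str) -> str:
    """Return 'IaaS', 'PaaS' or 'SaaS' for a resource type, else 'unknown'."""
    parts = resource_type.split("/")
    for depth in range(len(parts), 1, -1):      # full type, then its parents
        model = SERVICE_MODEL_BY_TYPE.get("/".join(parts[:depth]))
        if model:
            return model
    return "unknown"


def responsibility_report(resources):
    """Summarise a list of {name, type, ...} dicts (az resource list shape)."""
    counts = Counter()
    rows = []
    for res in resources:
        model = classify(res["type"])
        counts[model] += 1
        rows.append({
            "name": res["name"],
            "type": res["type"],
            "model": model,
            "customer_secures": CUSTOMER_LAYERS.get(model, ["review manually"]),
        })
    return {"counts": dict(counts), "resources": rows}


# Constructed inventory modelled on the demo: one VM web server with its
# networking, a SQL server and database, a VPN gateway, a storage account,
# plus one type deliberately left out of the table.
SAMPLE_INVENTORY = [
    {"name": "web01", "type": "Microsoft.Compute/virtualMachines"},
    {"name": "web01-nic", "type": "Microsoft.Network/networkInterfaces"},
    {"name": "web01-pip", "type": "Microsoft.Network/publicIPAddresses"},
    {"name": "vnet-prod", "type": "Microsoft.Network/virtualNetworks"},
    {"name": "vnet-prod-gw", "type": "Microsoft.Network/virtualNetworkGateways"},
    {"name": "sqlsrv-prod", "type": "Microsoft.Sql/servers"},
    {"name": "sqlsrv-prod/appdb", "type": "Microsoft.Sql/servers/databases"},
    {"name": "stprodfiles", "type": "Microsoft.Storage/storageAccounts"},
    {"name": "appinsights", "type": "Microsoft.Insights/components"},
]

if __name__ == "__main__":
    report = responsibility_report(SAMPLE_INVENTORY)
    print("resources per service model:", report["counts"])
    for row in report["resources"]:
        print(f'{row["model"]:8} {row["name"]:20} -> {", ".join(row["customer_secures"])}')
```

The point of the “unknown” bucket is that a resource type nobody has mapped is a gap in the patch and hardening plan, not something to silently treat as the provider’s problem; the `Microsoft.Insights/components` entry is left unmapped on purpose to show that path.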
- Security and Virtualization
So as we’ve mentioned, virtualization does provide a number of benefits and that’s why it’s become a key part of reducing the physical footprint of data centers. We talked about reduction in overall use of power, high availability and enhanced disaster recovery, the dynamic allocation of resources, et cetera. But it doesn’t alleviate physical security concerns. In fact, it even raises some additional security issues that need to be mitigated in the physical environment and the virtual environment. So the physical host does need to be secured, right? As well as the individual virtual machines needing to be secured. Just to make sure everybody’s clear here. In a virtual environment, instances of an operating system are called virtual machines. The host system can contain many virtual machines and the software referred to as the hypervisor is on the host system and manages distributing resources like CPU, memory and disk to those virtual machines.
And so we can see that here in the graphic, where you have the host operating system, the hypervisor, and then the guest operating systems and their associated applications. Okay? Now you need to keep in mind that in any virtual environment, each virtual server that’s hosted on the physical server has to be configured by itself. It has to be secured; it needs antivirus, it needs anti-malware, and it needs service packs and software updates for the applications as well as the OS, right? That stands to reason. I mean, it is a virtual machine, but it is still a machine. It is still running a version of Windows or Linux or Unix and would therefore need to be updated. You also need to remember that all the virtual servers share the resources of the physical device.
When virtualization is hosted on a Linux machine, any sensitive application that needs to be installed on the host should be installed in what’s called a chroot environment. chroot on a Unix-based operating system is an operation that changes the root directory for the current running process and its children. A program that’s run in that modified environment can’t name, and that usually means can’t access, files outside the designated directory tree. Keep in mind that chroot by itself is not a hard security boundary: a process that keeps root privileges inside the jail can create a subdirectory, chroot into it and walk back out, so the confined program should also drop to an unprivileged user. Some additional considerations: we certainly need to choose the right type of hypervisor. The hypervisor is the underlying virtualization platform. There are only two types, type one and type two. A type one hypervisor runs directly on the hardware; there is no host operating system underneath it, so it manages the distribution of resources itself. And this graphic is not really showing that. In fact, the graphic is indicating a type two hypervisor, where the hypervisor is running on top of a host operating system. It’s a distinct second software layer, and the guest operating systems are running as the third layer.
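As an added example for the chroot point above (not code from the course), here is the sequence a practitioner would actually use to confine a service on a Linux host: validate the jail, chdir into it, chroot, drop supplementary groups, gid and uid in that order, and then verify the drop cannot be undone. Without the privilege drop a root process can escape a chroot by creating a subdirectory, chroot-ing into it and chdir-ing back out, which is why the preflight refuses a uid or gid of 0. The jail path `/srv/jail` and the unprivileged id 61000 in the sample call are assumptions for illustration.

```python
"""Enter a chroot jail safely: validate, chdir, chroot, drop privileges, verify.

Added example for this section, not code from the course. The jail path and
the unprivileged uid/gid (61000) used in the sample call are assumptions.
"""
import os
import stat


def preflight(jail: str, uid: int, gid: int) -> list:
    """Return the problems that would make the jail unsafe; empty means OK.

    Nothing here changes process state, so it runs as an ordinary user.
    """
    problems = []
    if not os.path.isabs(jail):
        problems.append("jail path must be absolute")
    else:
        try:
            st = os.stat(jail)
        except FileNotFoundError:
            problems.append("jail directory does not exist")
        else:
            if not stat.S_ISDIR(st.st_mode):
                problems.append("jail path is not a directory")
            # If the confined user can write the jail root it can plant its
            # own /etc/passwd, libraries or setuid helpers inside the tree.
            if st.st_mode & stat.S_IWOTH:
                problems.append("jail directory is world-writable")
            if st.st_uid == uid:
                problems.append("jail directory is owned by the confined uid")
    if uid == 0 or gid == 0:
        # Root inside a chroot can mkdir, chroot into the subdirectory and
        # chdir("..") back out, so the jail only holds if privileges drop.
        problems.append("confined process must not keep uid/gid 0")
    return problems


def enter_jail(jail: str, uid: int, gid: int) -> None:
    """Confine the current process to `jail` as uid/gid. Needs root to start
    (CAP_SYS_CHROOT plus CAP_SETUID/CAP_SETGID on Linux)."""
    problems = preflight(jail, uid, gid)
    if problems:
        raise ValueError("refusing to enter jail: " + "; ".join(problems))
    # Order matters. chdir into the jail first so the cwd is inside the new
    # root, chroot(".") makes it "/", and chdir("/") again so no reference to
    # the old tree survives as the working directory.
    os.chdir(jail)
    os.chroot(".")
    os.chdir("/")
    # Drop supplementary groups, then gid, then uid. Once the uid is non-root
    # the first two calls would fail, so this is the only order that works.
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    # Verify the drop is real and irreversible: if setuid(0) still succeeds
    # the saved set-user-ID was kept and the process could climb back to root.
    if os.getuid() != uid or os.geteuid() != uid:
        raise RuntimeError("uid did not change as expected")
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop was reversible; aborting")


if __name__ == "__main__":
    # Sample call (assumed path and ids). As a non-root user only the preflight
    # runs; as root this confines the process to /srv/jail as 61000:61000.
    JAIL, UID, GID = "/srv/jail", 61000, 61000
    issues = preflight(JAIL, UID, GID)
    if issues:
        print("not entering jail:", "; ".join(issues))
    elif os.geteuid() != 0:
        print("preflight passed; run as root to actually enter the jail")
    else:
        enter_jail(JAIL, UID, GID)
        print("confined: cwd", os.getcwd(), "uid", os.getuid())
```

The preflight is deliberately separate from the entry so that a deployment script can run it under an ordinary account and fail the build before anything privileged happens; the jail itself still needs whatever binaries, libraries and device nodes the confined program uses copied into the tree.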
So the graphic that we have here is a type two hypervisor. Type one hypervisors are far more efficient because the hypervisor has direct control of the hardware, with no host operating system in between, so it isn’t susceptible to the performance and availability issues a type two hypervisor inherits from its host OS. So you get out there and you get programs like VirtualBox (originally from Sun Microsystems, now Oracle), which is free; that’s a type two hypervisor. VMware Workstation, that’s a type two hypervisor. Microsoft Virtual PC, same thing, type two. The type one hypervisors are your server-level components: Citrix XenServer, VMware vSphere 6, Microsoft Hyper-V, those are all type one hypervisors, and in production environments for production servers you definitely want a type one hypervisor. Now, a newer approach to virtualization is referred to as container-based virtualization. You could also call this operating system virtualization. This kind of virtualization is a technique in which the kernel allows for multiple isolated instances of user space, and these are known as containers.
It’s like a virtual environment, like your own little virtual private server. So using this model, the hypervisor is replaced with operating-system-level virtualization. It just means the kernel of the OS allows for multiple isolated containers. So in this case, a container is not a complete operating system instance; it’s an isolated user-space instance running on the same shared kernel, and the graphic there illustrates that. It’s used mostly in Linux environments. The security caveat is that every container on a host shares that one kernel, so a kernel vulnerability or a badly configured container can affect all of the containers on the host; the isolation boundary is weaker than the one a hypervisor gives you between virtual machines.
A couple of examples are Parallels Virtuozzo and open-source projects like Docker, which is a Linux-based program used to manage containers. Docker is supported in Windows Server 2016 and later, and it’s supported in Azure as well, but to this point it’s still primarily used in Linux environments. So containers are a little bit easier to provision and perform a little bit better, and since each one isn’t an entire VM they work more efficiently, but containers are a relatively new concept compared to everything else we’ve talked about.