Isec6000 Lecture7

This document discusses cloud computing concepts including public, private, and hybrid cloud models. Public clouds are owned and operated by third parties and resources are shared between tenants. Private clouds are located on a company's own datacenter and are exclusively for that organization. Hybrid cloud integrates both public and private cloud infrastructures. The document also covers cloud services like IaaS, PaaS and SaaS and provides an overview of Amazon Web Services and its Identity and Access Management.

Uploaded by Sijan Adhikari

DevOps Security Concepts

• Dr Viet Nguyen – Curtin University


ISEC6000
Cloud computing

• Simply put, cloud computing is the
delivery of computing services—
including servers, storage,
databases, networking, software,
analytics, and intelligence—over the
Internet (“the cloud”) to offer faster
innovation, flexible resources, and
economies of scale.
• You typically pay only for cloud
services you use, helping you lower
your operating costs, run your
infrastructure more efficiently, and
scale as your business needs change.
Benefits of Cloud computing

Cost
Cloud computing eliminates the capital expense of buying hardware and
software and setting up and running on-site datacenters—the racks of servers,
the round-the-clock electricity for power and cooling, and the IT experts for
managing the infrastructure. It adds up fast.

Speed
Most cloud computing services are provided self service and on demand, so
even vast amounts of computing resources can be provisioned in minutes,
typically with just a few mouse clicks, giving businesses a lot of flexibility and
taking the pressure off capacity planning.

Productivity
On-site datacenters typically require a lot of “racking and stacking”—
hardware setup, software patching, and other time-consuming IT
management chores. Cloud computing removes the need for many of
these tasks, so IT teams can spend time on achieving more important
business goals.

Reliability
Cloud computing makes data backup, disaster recovery, and business
continuity easier and less expensive because data can be mirrored at
multiple redundant sites on the cloud provider’s network.

Performance
The biggest cloud computing services run on a worldwide network of
secure datacenters, which are regularly upgraded to the latest
generation of fast and efficient computing hardware. This offers several
benefits over a single corporate datacenter, including reduced network
latency for applications and greater economies of scale.

Security
Many cloud providers offer a broad set of policies, technologies, and
controls that strengthen your security posture overall, helping protect
your data, apps, and infrastructure from potential threats.

Global scale
The benefits of cloud computing services include the ability to scale
elastically. In cloud speak, that means delivering the right amount
of IT resources—for example, more or less computing power,
storage, bandwidth—right when they’re needed, and from the
right geographic location.
Types of cloud computing architectures
• Public cloud
• Private cloud
• Hybrid cloud
Public cloud

• Public clouds are owned and operated
by third-party cloud service providers,
which deliver their computing resources,
like servers and storage, over the
Internet
• With a public cloud, all hardware,
software, and other supporting
infrastructure is owned and managed by
the cloud provider
• You access these services and manage
your account using a web browser
• Examples: Microsoft Azure, Amazon
Web Services (AWS), Google Cloud
Platform (GCP), Alibaba Cloud
• Cloud service providers use groups of data
centers that are partitioned into virtual
machines and shared by tenants.
• Tenants may simply rent the use of those
virtual machines, or they may pay for
additional cloud-based services such as
software applications, application
development tools, or storage.
AWS Data centers
What is multitenancy?

• Because multiple organizations
share a public cloud, multiple
organizations will sometimes
be using the same physical
server at the same time. This is
called multitenancy.
• Multitenancy is when multiple
customers of a cloud provider
are accessing the same server.
Data from two different
companies could be stored on
the same server, or processes
from two different applications
could be running on the same
server.
Private cloud
• A private cloud refers to cloud computing
resources used exclusively by a single
business or organization.
• A private cloud can be physically located
on the company’s on-site datacenter. Some
companies also pay third-party service
providers to host their private cloud.
• A private cloud is one in which the services
and infrastructure are maintained on a
private network.
Private Cloud vs Public Cloud
Private cloud

Many companies choose private cloud
over public cloud (cloud computing
services delivered over infrastructure
shared by multiple customers) because
private cloud is an easier way (or the
only way) to meet their regulatory
compliance requirements.

Others choose private cloud because
their workloads deal with confidential
documents, intellectual property,
personally identifiable information
(PII), medical records, financial data, or
other sensitive data.
Benefits of Private Cloud

Full control over hardware and software choices.
Private cloud customers are free to purchase the
hardware and software they prefer, vs. the hardware
and software the cloud provider offers.

Freedom to customize hardware and software in any
way. Private cloud customers can customize servers in
any way they want and can customize software as
needed with add-ons or through custom development.

Greater visibility into security and access control,
because all workloads run behind the customers’ own
firewall.

Fully enforced compliance with regulatory standards.
Private cloud customers aren’t forced to rely on the
industry and regulatory compliance offered by the
cloud service provider.
Hybrid Cloud

A hybrid cloud integrates public and
private cloud infrastructures. In this
model, the two types of cloud are joined
together into a single, flexible
infrastructure, and the enterprise can
choose the optimal cloud environment for
each individual application or workload.

To make best use of this type of cloud
computing, an enterprise must rely on
technologies and orchestration tools that
allow it to move workloads seamlessly
across the two environments in order to
meet performance, cost, compliance, and
security requirements.
AWS File Gateway
Virtual Private Cloud

A virtual private cloud (VPC) is a service from a public
cloud provider that creates a private cloud-like
environment on public cloud infrastructure. In a VPC,
virtual network functions and security features give a
customer the ability to define and control a logically
isolated space in the public cloud, mimicking the
private cloud’s enhanced security within a multi-
tenant environment.
VPC customers can benefit from the public cloud’s
resource availability, scalability, flexibility, and cost-
effectiveness, all while retaining much of the security
and control of private cloud. In most cases, a VPC will
be less expensive to build and simpler to manage than
an on-premises private cloud.
Types of cloud services

Infrastructure as a service (IaaS)
The most basic category of cloud computing services.
With IaaS, you rent IT infrastructure—servers and
virtual machines (VMs), storage, networks, operating
systems—from a cloud provider on a pay-as-you-go
basis.

Platform as a Service (PaaS)
Platforms as a service remove the need for
organizations to manage the underlying infrastructure
(usually hardware and operating systems) and allow
you to focus on the deployment and management of
your applications. This helps you be more efficient as
you don’t need to worry about resource procurement,
capacity planning, software maintenance, patching, or
any of the other undifferentiated heavy lifting involved
in running your application.
Examples: AWS Elastic Container Service (ECS), AWS
Elastic Beanstalk

Software as a Service (SaaS)
Software as a Service provides you with a completed
product that is run and managed by the service
provider. In most cases, people referring to Software as
a Service are referring to end-user applications.
With a SaaS offering you do not have to think about
how the service is maintained or how the underlying
infrastructure is managed; you only need to think about
how you will use that particular piece of software.
Examples: AWS Relational Database Services (RDS),
AWS S3
Amazon Web Services (AWS) Deep Dive

Identity and Access Management (IAM)
• AWS Identity and Access Management (IAM) is a
web service that helps you securely control access to
AWS resources. You use IAM to control who is
authenticated (signed in) and authorized (has
permissions) to use resources.
• When you create an AWS account, you begin with
one sign-in identity that has complete access to all
AWS services and resources in the account. This
identity is called the AWS account root user and is
accessed by signing in with the email address and
password that you used to create the account.
IAM Terms

• IAM Resources: The user, group, role, policy, and identity provider objects that are
stored in IAM. As with other AWS services, you can add, edit, and remove
resources from IAM.
• IAM Identities: The IAM resource objects that are used to identify and group. You
can attach a policy to an IAM identity. These include users, groups, and roles.
• IAM Entities: The IAM resource objects that AWS uses for authentication. These
include IAM users and roles.
• Principals: A person or application that uses the AWS account root user, an IAM
user, or an IAM role to sign in and make requests to AWS. Principals include
federated users and assumed roles.
IAM Policy

• JSON documents to specify
authorisations granted for a
particular IAM identity on specific
resources
• Identity-based policies – Attach
managed and inline policies to IAM
identities (users, groups to which
users belong, or roles). Identity-
based policies grant permissions to
an identity.
• Resource-based policies – Attach
inline policies to resources. The
most common examples of
resource-based policies are Amazon
S3 bucket policies and IAM role trust
policies. Resource-based policies
grant permissions to the principal
that is specified in the policy.
Principals can be in the same
account as the resource or in other
accounts.
IAM Policy
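
Added example (not part of the original slides): a small Python reviewer that tells an identity-based policy from a resource-based one by whether its statements name a principal, and flags over-broad Allow statements. The two policy documents, the bucket name, the account ID and all function names are constructed for illustration; the checks are a simplified review heuristic, not AWS's own policy evaluation logic.

```python
# Constructed sample policies; the bucket name and account ID are placeholders.
IDENTITY_POLICY = {  # attached to a user, group or role: no Principal element
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"]}],
}
BUCKET_POLICY = {  # attached to the bucket: every statement names a Principal
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CrossAccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

def as_list(value):
    """Statement, Action and Resource may each be one value or a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def policy_kind(policy):
    """Resource-based policies specify a principal; identity-based ones do not."""
    statements = as_list(policy.get("Statement"))
    named = any("Principal" in s or "NotPrincipal" in s for s in statements)
    return "resource-based" if named else "identity-based"

def is_anyone(principal):
    """True for "Principal": "*" and for {"AWS": "*"}."""
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return principal == "*"

def review(policy):
    """Flag Allow statements a reviewer should question before deployment."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        if is_anyone(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"{label}: any principal, no Condition")
        if "*" in as_list(stmt.get("Action")) and "*" in as_list(stmt.get("Resource")):
            findings.append(f"{label}: all actions on all resources")
    return findings

if __name__ == "__main__":
    print(policy_kind(BUCKET_POLICY), review(BUCKET_POLICY))
```
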
AWS Simple Storage Service (S3)

• Amazon Simple Storage Service (Amazon S3) is an object
storage service offering industry-leading scalability, data
availability, security, and performance.
• Data is stored as objects within resources called “buckets”, and
a single object can be up to 5 terabytes in size.
• S3 features include capabilities to append metadata tags to
objects, move and store data across the S3 Storage Classes,
configure and enforce data access controls, secure data
against unauthorized users, run big data analytics, monitor
data at the object and bucket levels, and view storage usage
and activity trends across your organization
S3 Storage classes

• S3 Intelligent-Tiering
• S3 Standard
• S3 Standard-Infrequent Access (S3 Standard-IA)
• S3 One Zone-Infrequent Access (S3 One Zone-IA)
• S3 Glacier Instant Retrieval
• S3 Glacier Flexible Retrieval
• S3 Glacier Deep Archive
• S3 Outposts

See https://aws.amazon.com/s3/storage-classes/
AWS Elastic Compute Cloud (EC2)

• Amazon Elastic Compute Cloud (Amazon EC2)
offers the broadest and deepest compute
platform, with over 500 instances and choice of
the latest processor, storage, networking,
operating system, and purchase model to help
you best match the needs of your workload.
• Supports Intel, AMD, and Arm processors, the
only cloud with on-demand EC2 Mac instances,
and the only cloud with 400 Gbps Ethernet
networking.
Questions
