These days, cloud computing seems to be the big trend within our industry. But what exactly is cloud computing? Well, cloud computing is defined as a way of offering on-demand services that extend the traditional capabilities of a computer or a network out into the Internet. With the promise of increased availability, higher resiliency, and unlimited elasticity, the cloud definitely can provide our organizations a lot of advantages over our traditional network architectures. But cloud computing can also bring a number of unique security challenges into our environments, too.

For cloud computing to gain its intended cost savings and efficiencies, though, it relies heavily on the concept of virtualization. By using virtualization, numerous logical servers can be placed on a single physical server. This, in turn, can help us reduce the amount of physical space, power, and cooling that's needed inside your data center.
Additionally, by using virtualization, we can achieve higher levels of availability by spinning up additional virtual servers when necessary. This ability to dynamically provision memory and CPU resources is one of the key benefits of cloud computing. While there are a lot of benefits to cloud computing, such as decreased cost, increased scalability, and unlimited elasticity, there are also numerous security issues that we have to consider. Most of the same security issues that we have with physical servers also get carried over into the cloud computing environment, too. Oftentimes, I hear that executives think all of their problems will be solved by moving to the cloud. This is simply not the case.

To gain these efficiencies, cloud providers rely on virtualization to allow multiple logical servers to be placed on that single physical server, as we said before. Many cloud service providers, though, have taken virtualization a step further with the concept of hyper-converged infrastructure.
This allows providers to fully integrate the storage, network, and servers without having to perform hardware changes. Instead, they rely on software and virtualization technology to perform all of the needed integrations. All of this can be managed from a single interface or device, without any worry about the underlying vendor solutions.

Many cloud providers are also offering Virtual Desktop Infrastructure as one of their services. VDI allows a cloud provider to offer a full desktop operating system to an end user from a centralized server. There are a lot of security benefits to this approach. For example, one organization that I worked with creates a new virtual desktop image for each user every time they log on in the morning. This desktop is non-persistent. So, even if it's exploited by an attacker, it is destroyed as soon as the user logs off at the end of the day, or at midnight each night. This effectively destroys the attacker's ability to remain persistent on the end user's desktop, and adds a lot of security for us.
Now, when we look at these numerous logical servers being stored on a single physical server, we also have to consider that there has to be a way to keep the data confidential and separated from the other logical servers, too. To do this, we use Secure Enclaves and Secure Volumes. Secure Enclaves utilize two distinct areas from which the data may be stored and accessed. Each enclave can be accessed by the proper processor. This is a technique that's used by Microsoft Azure and many other cloud service providers.

Secure volumes, on the other hand, are a method of keeping data at rest secure from prying eyes. When data on the volume is needed, a secure volume is mounted and it's properly decrypted to allow that access. Once the volume is no longer needed, though, it's encrypted again and unmounted from the virtual server. This is the same concept that's used by BitLocker on a Windows laptop, or FileVault on a MacBook.