CCT 072: A Comprehensive Exploration of CISSP's Cloud Security (Domain 4.3)

Sep 18, 2023
 

Eager to demystify the cloud environment and its cost-effectiveness compared to an on-premise setup? Well, gear up, because today, we're taking you on an enlightening journey through the world of cloud networking. We will be tackling everything from cloud security and its various models to the critical role of cloud security posture management (CSPM) in AWS deployment. So, whether you're a budding IT professional or an established one looking to enhance your CISSP knowledge and expertise, this episode has something for you.

Ever wondered how security groups, network ACLs, platform as a service, and software as a service work in tandem to uphold cloud security? Or perhaps, you've been intrigued by the utilization of VLANs and traffic shaping for prioritization and quality of service. Well, curiosity ends here as we uncover these topics and more. And we'll also be spilling the beans on cloud access security brokers (CASBs), the pros of data loss prevention, tokenization, and the different types of cloud storage. Rest assured, by the end of the conversation, your understanding of cloud storage technologies and security will be second to none. 

In the grand finale of the episode, we unravel the secrets of cloud connectivity and the costs associated with it. We'll enlighten you on the importance of service endpoints, routing tables, and DNS resolution. Plus, we'll share a real-world use case of a public service endpoint. And of course, we touch upon the role of CSPM in maintaining a secure AWS deployment. So, buckle up and get ready to be armed with the knowledge and expertise that can take your CISSP skills to the next level.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

Content

Cloud Infrastructure in Network Components (Domain 4)

Cloud Service Models and Networking

      • Infrastructure as a Service (IaaS)
        • Virtual Private Cloud (VPC): Isolated cloud-based network
        • Security Groups: Stateful virtual firewalls at the instance level (allow rules only)
        • Network ACLs: Stateless virtual firewalls at the subnet level (numbered allow and deny rules)
      • Platform as a Service (PaaS)
        • Service Endpoints: How they interact with networking components
        • Network Isolation: Private Link, VNet integration
      • Software as a Service (SaaS)
        • Identity and Access Management (IAM): Role in network security
        • Traffic Inspection: Using CASBs to inspect SaaS traffic

 

Virtual Network Components

      • Virtual Switches
        • VLAN Tagging: How it's managed virtually
        • Traffic Shaping: Virtual traffic prioritization
      • Virtual Routers
        • Dynamic Routing: Support for BGP, OSPF in a virtual environment
        • High Availability: Failover configurations
      • Cloud-Based Firewalls
        • Stateful and Stateless: Virtual implementation
        • Intrusion Detection and Prevention: Virtual IDS/IPS services
        • Deep Packet Inspection: Scanning payload content
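The instance-level versus subnet-level distinction in the IaaS bullets and the stateful versus stateless distinction under cloud-based firewalls are the same thing seen from two angles. The model below is an added example, not code from the episode or from AWS: it evaluates one constructed HTTPS request and the server's reply through a security group (stateful, allow-only, unordered) and through network ACLs (stateless, numbered allow/deny rules, first match wins, implicit final deny). The rule and address values are assumptions made up for the example.

```python
"""Model the two VPC-level packet filters the outline contrasts: a security group
(stateful, allow-only, attached to an instance) and a network ACL (stateless,
numbered allow/deny rules evaluated in order, attached to a subnet).
Added illustration only; the classes and rule values below are constructed
for this example and are not AWS code or an AWS API."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"


def reply(pkt: Packet) -> Packet:
    """The server's response packet to `pkt` (addresses and ports swapped)."""
    return Packet(pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny" (security groups only ever use "allow")
    proto: str           # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    number: int = 0      # evaluation order; only meaningful for network ACLs

    def matches(self, addr: str, port: int, proto: str) -> bool:
        return (self.proto in ("-1", proto)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr))


class NetworkAcl:
    """Stateless subnet filter: inbound and outbound lists are checked independently,
    lowest rule number first; a packet matching no rule hits the implicit final deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, addr, port, proto) -> bool:
        for rule in rules:
            if rule.matches(addr, port, proto):
                return rule.action == "allow"
        return False

    def allows_inbound(self, pkt: Packet) -> bool:
        return self._first_match(self.inbound, pkt.src, pkt.dst_port, pkt.proto)

    def allows_outbound(self, pkt: Packet) -> bool:
        return self._first_match(self.outbound, pkt.dst, pkt.dst_port, pkt.proto)


class SecurityGroup:
    """Stateful instance filter: allow rules only, no ordering, and the reply half of a
    connection that was admitted inbound is permitted without an outbound rule."""

    def __init__(self, inbound, outbound):
        self.inbound = list(inbound)
        self.outbound = list(outbound)
        self._flows = set()   # connections admitted inbound: (peer, peer_port, local_port)

    def allows_inbound(self, pkt: Packet) -> bool:
        if any(r.matches(pkt.src, pkt.dst_port, pkt.proto) for r in self.inbound):
            self._flows.add((pkt.src, pkt.src_port, pkt.dst_port))
            return True
        return False

    def allows_outbound(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.dst_port, pkt.src_port) in self._flows:
            return True   # tracked reply traffic: the stateful shortcut
        return any(r.matches(pkt.dst, pkt.dst_port, pkt.proto) for r in self.outbound)


# Constructed scenario: an internet client on an ephemeral port reaches a web instance.
REQUEST = Packet("203.0.113.10", 51515, "10.0.1.5", 443)
HTTPS_IN = Rule("allow", "tcp", 443, 443, "0.0.0.0/0", number=100)


def run_scenario() -> dict:
    """Return each filter's verdict on the request and on the server's reply."""
    sg = SecurityGroup(inbound=[HTTPS_IN], outbound=[])
    # A NACL that mirrors the SG rule but forgets the ephemeral port range for replies.
    nacl_strict = NetworkAcl(inbound=[HTTPS_IN],
                             outbound=[Rule("allow", "tcp", 443, 443, "0.0.0.0/0", number=100)])
    # The corrected NACL: an outbound rule for ephemeral ports so replies can leave the subnet.
    nacl_fixed = NetworkAcl(inbound=[HTTPS_IN],
                            outbound=[Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=100)])
    # Ordering matters: a lower-numbered deny for the client's /24 wins over rule 100.
    nacl_blocklist = NetworkAcl(inbound=[Rule("deny", "tcp", 0, 65535, "203.0.113.0/24", number=90),
                                         HTTPS_IN],
                                outbound=[])
    return {
        "sg_request": sg.allows_inbound(REQUEST),
        "sg_reply": sg.allows_outbound(reply(REQUEST)),
        "nacl_strict_request": nacl_strict.allows_inbound(REQUEST),
        "nacl_strict_reply": nacl_strict.allows_outbound(reply(REQUEST)),
        "nacl_fixed_reply": nacl_fixed.allows_outbound(reply(REQUEST)),
        "nacl_blocklist_request": nacl_blocklist.allows_inbound(REQUEST),
    }


if __name__ == "__main__":
    for check, verdict in run_scenario().items():
        print(f"{check:24s} {'allow' if verdict else 'deny'}")
```

The practical lesson is the `nacl_strict_reply` case: a network ACL that only mirrors the security group's port 443 rule silently drops the server's replies to the client's ephemeral port, because nothing remembers the inbound connection at the subnet level. Security groups are the right place for per-instance allow rules; network ACLs are where an explicit deny (such as the blocklisted /24) can be expressed at all.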

 

Cloud Access Security Brokers (CASBs)

      • API-based vs. Proxy-based: How they fit in the network
      • Data Loss Prevention (DLP): Scanning data before it leaves the network
      • Tokenization: Substituting sensitive data before transit
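The DLP and tokenization bullets describe one pipeline: detect sensitive values in data that is about to leave the network, then swap each for a substitute that is useless outside the trusted boundary. The block below is an added example, not code from the episode or from any CASB product; it detects Luhn-valid card numbers in a constructed outbound message and replaces each with a random token that keeps the length and last four digits but deliberately fails the Luhn check, so a leaked token cannot be mistaken for a live card number. The vault, the pattern and the sample text are assumptions made for this example.

```python
"""Two of the CASB functions listed above, DLP scanning and tokenization, modelled
end to end: find card numbers in an outbound message, replace each with a token that
keeps the format (same length, same last four) but is not a valid card number, and
keep the only mapping in a vault that stays inside the network.
Added illustration; the vault, the sample message and the pattern are constructed
for this example and are not a CASB product's code."""
import re
import secrets

# 13 to 19 digits, optionally separated by spaces or hyphens (assumed PAN format).
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps a card number to a stable random token and back. In a real deployment
    this lives inside the trusted boundary; only tokens cross it."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_for:
            return self._token_for[pan]          # same PAN always maps to the same token
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]              # keep last four for support staff
            # Reject a token that is itself Luhn-valid (could pass for a live PAN)
            # or that is already in use.
            if token != pan and token not in self._value_for and not luhn_ok(token):
                self._token_for[pan] = token
                self._value_for[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._value_for[token]


def scan(text: str) -> list:
    """DLP detection: Luhn-valid card numbers present in `text`, digits only."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_outbound(text: str, vault: TokenVault):
    """Substitute every detected PAN with its token; return the safe text and the
    (pan, token) pairs that were substituted."""
    substitutions = []

    def replace(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw                           # an order or ticket number: leave it alone
        token = vault.tokenize(digits)
        substitutions.append((digits, token))
        return token

    return PAN_PATTERN.sub(replace, text), substitutions


# Constructed outbound message: one test card number in a real format and one
# 13-digit reference number that fails Luhn and must be left untouched.
SAMPLE = "Refund 4111 1111 1111 1111 for order 1234567890123; card ends 1111."


if __name__ == "__main__":
    vault = TokenVault()
    safe, subs = redact_outbound(SAMPLE, vault)
    print(safe)
    for pan, token in subs:
        print(f"{pan} -> {token}, restored inside the boundary: {vault.detokenize(token)}")
```

The Luhn filter is what keeps a DLP rule from tokenizing every long number in a message; the order number in the sample survives untouched while the card number is replaced. Tokenization is reversible only through the vault, which is the difference from hashing: the receiving system can hand the token back and get the original value, but nothing in the token itself leaks it.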

 

Cloud Storage Networking

      • Object Storage
        • Data Replication: How data is copied across the network
        • Data Transmission: Secure protocols like HTTPS, SFTP
      • Block Storage
        • Attach/Detach Process: How network links are managed
        • Volume Encryption: At rest and in transit
      • File Storage
        • Network File System (NFS): Mounting storage over a network
        • Server Message Block (SMB): Windows-based network file storage

 

Hybrid and Multi-Cloud Networking

      • Direct Connect (AWS), ExpressRoute (Azure)
        • Private Peering: Bypassing the public internet
        • Public Peering: Accessing cloud services over a dedicated link
      • Intercloud Exchanges
        • Data Transfer Rates: Optimization techniques
        • Cost Implications: Understanding transfer costs between providers

 

Cloud Network Security

      • Shared Responsibility Model
        • Cloud Provider Responsibility: Network infrastructure, basic security controls
        • Customer Responsibility: Data encryption, identity and access management
      • Cloud Security Posture Management (CSPM)
        • Configuration Audits: Assessing security settings
        • Compliance Monitoring: Ensuring adherence to regulations like GDPR, HIPAA

 

Types of Service Endpoints

      • Public Endpoints
        • Access Over Internet: Basics of how public services are accessed
        • Security Risks: Potential threats such as MITM attacks
      • Private Endpoints
        • Internal Network Access: How services are accessed within a Virtual Private Cloud (VPC)
        • Isolation and Security: How private endpoints are more secure

 

How Service Endpoints Work

      • Packet Flow
        • Source and Destination: How traffic is routed to and from an endpoint
      • Route Tables
        • Static vs. Dynamic Routing: How service endpoints affect route tables
      • DNS Resolution
        • Custom Domain Names: How DNS names can be mapped to service endpoints
      • Use Case:  Public Service Endpoint Example: Accessing a Cloud Database from Any Location
        • Initial Setup: A public endpoint is set up for an AWS RDS (Relational Database Service) instance.
        • DNS Resolution: A DNS name is associated with the public endpoint, such as mydb-instance.123456789012.us-east-1.rds.amazonaws.com.
        • Security Configuration: Firewall rules allow incoming traffic from specific IP addresses or address ranges.
        • Accessing the Database: A user or application accesses the database by connecting to the public endpoint DNS.
        • Traffic Flow: Internet traffic goes through AWS's network and firewall before reaching the RDS instance.
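The configuration-audit bullet under Cloud Security Posture Management and the public RDS endpoint walk-through above meet in one practical check: is a database with a public endpoint actually restricted to the specific source addresses the security configuration step calls for, or is it open to the whole internet? The block below is an added example of such a CSPM-style audit, not code from the episode, from AWS or from any CSPM product. It runs over constructed dictionaries shaped like the EC2 DescribeSecurityGroups and RDS DescribeDBInstances responses (the identifiers and addresses other than the page's own mydb-instance hostname are made up), and the check names are this example's own.

```python
"""CSPM-style configuration audit for the public RDS endpoint scenario: given
security-group and DB-instance descriptions, flag a publicly accessible database
whose security group admits the whole internet on the database port (HIGH), any
publicly accessible database at all (MEDIUM, since the endpoint is internet-reachable
even behind an IP allowlist), and unencrypted storage (MEDIUM).
Added illustration; the inputs are constructed dictionaries shaped like the EC2
DescribeSecurityGroups and RDS DescribeDBInstances responses, not live data, and
the check names are this example's own."""

WORLD = {"0.0.0.0/0", "::/0"}


def permission_covers_port(perm: dict, port: int) -> bool:
    """Does one IpPermissions entry include TCP `port`? IpProtocol -1 means all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def permission_sources(perm: dict) -> list:
    """All IPv4 and IPv6 CIDRs an entry admits."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def sources_reaching_port(sg: dict, port: int) -> set:
    """Every source CIDR in `sg` that can reach `port`."""
    return {cidr for perm in sg.get("IpPermissions", [])
            if permission_covers_port(perm, port)
            for cidr in permission_sources(perm)}


def audit(security_groups: list, db_instances: list) -> list:
    """Return findings sorted HIGH first; each is (check, severity, resource, detail)."""
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for db in db_instances:
        name = db["DBInstanceIdentifier"]
        port = db["Endpoint"]["Port"]
        if not db.get("StorageEncrypted", False):
            findings.append(("rds-storage-unencrypted", "MEDIUM", name, "StorageEncrypted=false"))
        if not db.get("PubliclyAccessible", False):
            continue   # private endpoint: reachable only inside the VPC, nothing more to check here
        sources = set()
        for ref in db.get("VpcSecurityGroups", []):
            sg = sgs.get(ref["VpcSecurityGroupId"])
            if sg is not None:
                sources |= sources_reaching_port(sg, port)
        open_world = sources & WORLD
        if open_world:
            findings.append(("rds-public-endpoint-world-open", "HIGH", name,
                             f"port {port} from {', '.join(sorted(open_world))}"))
        else:
            findings.append(("rds-public-endpoint", "MEDIUM", name,
                             f"port {port} allowlisted to {', '.join(sorted(sources)) or 'no sources'}"))
    order = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: (order[f[1]], f[2], f[0]))


# Constructed inventory modelled on the API response shapes (not real resources).
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

DB_INSTANCES = [
    {"DBInstanceIdentifier": "mydb-instance", "PubliclyAccessible": True, "StorageEncrypted": True,
     "Endpoint": {"Address": "mydb-instance.123456789012.us-east-1.rds.amazonaws.com", "Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0aaa", "Status": "active"}]},
    {"DBInstanceIdentifier": "legacy-db", "PubliclyAccessible": True, "StorageEncrypted": False,
     "Endpoint": {"Address": "legacy-db.123456789012.us-east-1.rds.amazonaws.com", "Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0bbb", "Status": "active"}]},
    {"DBInstanceIdentifier": "internal-db", "PubliclyAccessible": False, "StorageEncrypted": True,
     "Endpoint": {"Address": "internal-db.123456789012.us-east-1.rds.amazonaws.com", "Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0ccc", "Status": "active"}]},
]


if __name__ == "__main__":
    for check, severity, resource, detail in audit(SECURITY_GROUPS, DB_INSTANCES):
        print(f"{severity:6s} {resource:14s} {check}: {detail}")
```

Note the two severities for a public endpoint: the allowlisted instance still gets a MEDIUM, because a public endpoint with an IP allowlist is only as strong as the addresses in that list, whereas a private endpoint is never reachable from the internet in the first place. A real CSPM would pull the same two API responses on a schedule and diff the findings over time; the decision logic is what is shown here.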

 

Security Measures

      • Identity and Access Management (IAM)
        • Role-based Access Control (RBAC): How permissions are set for endpoints
      • Firewall Rules
        • IP Whitelisting: Allowing specific IPs to access the endpoint
        • Port Restrictions: Limiting the range of accessible ports

 

Integration with Services

      • Databases
        • SQL, NoSQL: How service endpoints work with different database types
      • Storage Services
        • Object, Block, File Storage: Endpoints for various storage services
      • API Services
        • RESTful APIs: How endpoints are defined and secured
      • Serverless Architecture
        • Function Endpoints: Triggering serverless functions through endpoints

 

Use Cases

      • Hybrid Cloud Scenarios
        • On-Premises to Cloud: How service endpoints enable secure communication
      • Multi-cloud Deployment
        • Interconnecting Clouds: Use of service endpoints for communication between different cloud providers

Transcript:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey all, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a great day today. Today is an amazing day here in the United States. Actually, the weather today has been beautiful. It's been gorgeous. The temperature has dropped off, so it's not like melting your face off. So things are amazing. I'm so excited about this. The fall is coming and, yeah, it's great. My brother just actually sent me pictures. He is in Innsbruck, Austria. Yeah, it's pretty amazing. So if you're over in Innsbruck, yeah, your country and your area are beautiful, very, very pretty. But, needless to say, you aren't here to talk about Innsbruck, Austria. You are here to talk about CISSP Cyber Training stuff, right? Yes, you are, and today we're going to be talking about the cloud. So this is probably one of the areas that has a lot of questions around it, because a lot of people don't necessarily deal with it. The standard VPN type communications and contacts and all of that type of data is well used and well understood. But as we get into the cloud, it is a new area, relatively speaking. It's been around for quite a while, obviously, but in relationship to the normal networking stuff that you all deal with, it is relatively new. So we're going to get into some of these questions as it relates to that. We're actually first going to go over the cloud, and then the next episode will be over some of the questions you may anticipate seeing on the CISSP exam, but we're just going to kind of touch on what are some key components that you need to know as it relates to the cloud. 
This is domain four, which is what you'll be focused on, and the title of this obviously is cloud infrastructure in network components, and we're going to kind of go into the various components that are tied with the cloud. Okay, so let's get started. So, as we're talking about the cloud service, there are some various models and the networking pieces that we have kind of brushed on or talked about here on CISSP Cyber Training a couple of times, and they become a very important factor in the cloud. Now, when you take what you do from a networking standpoint in your day-to-day activities on a standard network, right, your ACLs, which are your access control lists, your firewalls, your network switching, all of those pieces will transmit or transpose themselves to the cloud. Now they may have some different terms that go with them, but in reality they're very similar concepts, because all you're really doing, if you kind of put your brain around this (and many of you may be much smarter on this than I am), the aspect that comes into the cloud is you're just taking your data center that you would have at your business or at your location and you're moving it to a third party. So the same concepts that you would have in your own networking data center you now have within this third party's data center. The difference is that they've had to come up with a standard nomenclature for how you can manage these remote systems, and really the main difference is that you're developing a way to work with remote systems that are more or less doing the same thing you would do within your own data center at your location, and you're just basically taking the cost that you had from your own place and migrating that out to the cloud, out to a location in a third party. Now, the positives that come with this: obviously, cost can be a driver, and it can go down. However, in my experience with dealing with the cloud, the cost really is kind of a wash at this point. 
And what does that mean? It means the cost that you would typically save by moving to a third party that's in a different location, that's the initial savings, but as you add more functionality to this environment, then your costs start to increase, and as your costs increase, what I've found is a fully deployed third-party system, such as AWS or Azure, is going to be very cost competitive to what you would have in your on-prem environment, so you're going to pay about the same. However, the difference is that you now have much more flexibility with the software to be able to do things that you really probably wouldn't do on-prem without having to, one, buy expensive software, or two, you just may not be able to get that opportunity, so it's really changed the way you can operate with this third-party data center. However, the downside on that, though, is you need people that are smart enough, that have got the experience, that can go and configure this third party, this environment, this cloud environment, in a way that will be useful. That's another issue that I've noticed. I've worked with some local churches on the various types of security, and there's one company out there that does media for, basically, they try to spread how they spread their gospel. They use it in a media format. So they have a cloud environment, they have a third-party environment, and then these churches can upload content, and this content can be available. And the reason I tell you all that is because they're looking for a cloud engineer to help them with their overall setup, and this cloud engineer is an AWS cloud engineer, and they're just hard to find. Now, this is a non-profit, so they don't necessarily pay the kind of income that many cloud engineers out there are asking for and getting. 
So the point I'm trying to make with that is, as things are changing, the amount of technology and resources needed to be able to do this, and the experience, is going to continue to climb and to grow. Therefore, if you are a security person, then this kind of information is going to be very valuable to you. Okay, so let's get into the different cloud service models and the various networking pieces. So we're going to talk about IaaS, that's India Alpha Alpha Sierra; PaaS, which is Papa Alpha Alpha Sierra; and then SaaS, which is Sierra Alpha Alpha Sierra. Okay, so IaaS, PaaS and SaaS. So infrastructure as a service is what you get when you move a lot of this information, or a lot of this data, up there to this cloud, and they have what they call a virtual private cloud. Now, this virtual private cloud is an isolated cloud-based network that is designed specifically for you, and this VPC (you can have multiple VPCs, but this VPC) is designed as your overall infrastructure, with your switches, your routers, all of those aspects, and they're done from a virtualized standpoint. So there is hardware, but this hardware is in their third-party data center, and it is virtualized to a point where it can be used amongst many, many people. So it's an opportunity for the company to be able to spend a lot of money on infrastructure that can be used among multiple companies. Now you have security groups. Now, with a security group, you'll hear this especially as it relates to AWS. I'll tell you, that's the one that I've worked in primarily. I don't really have a lot of experience in Azure, so if I do reference back to any sort of context, it would be the Amazon AWS environment. Now you have a thing called security groups. What these basically are is a virtual firewall at the instance level. So when you have an instance, you have a virtual instance, they are acting as a firewall there. They allow access in, they allow access out. 
They utilize basically an ACL. You know, like your access control list, you will use an ACL to gain access. Now, what they do allow you is much more granular access into the data that leaves, that moves between the VPCs, and so it's important for you to understand that a traditional firewall can give you that level of granularity. However, look at it this way: if you have a Palo Alto firewall and you have a Fortinet firewall, well, how you configure those can be a bit different. Now, they still produce the same outcome, but how you would configure them would potentially be a little bit different: different dashboards, different interfaces and so forth. Well, the security groups are one interface that allows you to make those granular changes to your network. So security groups are a very important aspect. Then you have a thing called network ACLs. These are virtual firewalls at the subnet level. So basically, now, instead of having a routing table that would route from one area to another area, you can actually go and break this down even further and get into these network ACLs, these network access control lists, that will then get very granular, where this computer can talk to this computer, this Lambda function can talk to this computer and that computer and to the subnet, or it cannot talk to anything other than this one VPC, which would be a much larger group. So you can get very tight and very granular. So, as you can see, with infrastructure as a service, you're keeping the platform agnostic, which basically means you don't have to know Palo Alto, you don't have to know Fortinet, you just have to know the terms that are used within that environment and how to be able to configure those networks. Then there's platform as a service. Now, this PaaS, this is where the platform itself has been designed and integrated within AWS. 
Now you have what they call service endpoints, and these integrate with the various networking components. Now, you can have a setup where only this PaaS environment will work within this area. So, as an example, if you have an application and this application is built on this platform, in the past you may have had to go out and buy all of the aspects that go with this, so maybe you had to buy the software, then you had to buy the hardware. This platform as a service basically has that all set up for you. So you now have your virtual networks embedded, you have your networking components embedded and you have your software all built into this platform environment. So it's taking it from an infrastructure standpoint down to a specific virtual platform. Now you can also go to the next level, which is your software as a service. Now, this is where you get down into the specific software, and maybe that is the only thing running on this environment. Now, I'll say you'll see more of the SaaS type environment, the software as a service, within networks than you will see many other things, because it's easy for a developer. So let's just say I own a company and I have this really good software. Well, in the past I would develop it on brand new servers, and then I would host it in the cloud, and then you would come to my server, you would be able to access it and you would do whatever you do. And you come to the server, and my software is on top. Now I just take that software, and instead of putting it on my own environment and on my own server, I now put that software in the AWS or Azure environment, and so now you have access to all the software you need. So with my wife's Kona Ice business, there is various software that we use and we log into, and that software then is running in the background, and it tells us what she needs to do to maintain her trucks, to maintain events, to go visit these events, scheduling employees. 
All of that is done through this software as a service product. Now we get into virtual network components. In virtual network components we have different levels to these. You have virtual switches, routers, and then cloud-based firewalls, which we kind of talked about a little bit. Now, in your virtual switches you have a thing called VLAN tagging. Now, a VLAN is a virtual LAN, and you can go into a traditional firewall or switch and set up VLANs, and you can set up a specific VLAN that your network can be segregated off to. Now, you can do that with your virtual network components as well, but the nice part about using these VLANs within a virtual environment is it's much more standardized. So if I go to this firewall and set up a VLAN, how I set that up might be a little bit different than how I would set it up on a Fortinet, and so therefore, with this VLAN tagging, you can specifically tag traffic to go to specific VLANs. You don't have to have a lot of networking understanding to be able to do that. The other thing you can do with your virtual switches is traffic shaping. Now, the nice part about the prioritization with traffic shaping is that you have a thing called QoS, which is your quality of service. In a traditional switch, you'll set up QoS to work where it will prioritize the traffic for it to go to a certain location. Now, you can prioritize some traffic. So, like I say, at my church again, they have a wireless environment, and within the sanctuary we want that QoS to be a certain level when I have the people that are singing up front. 
I want them to have the maximum amount of bandwidth available to them, because it's important for that information to actually make it to the speakers, whereas if somebody is surfing on their phone or looking at their Bible app or whatever they're doing in the sanctuary, that isn't as important as it is for me to send the data back and forth with the music. So therefore, the QoS would be different. Same thing: you can do traffic shaping with these virtual systems that will allow the data to go in a way that you prioritize it over other data, and it gives you a real easy way to do that. Now, when you deal with virtual routers, again, you also have the ability to do dynamic routing. This will support Border Gateway Protocol and Open Shortest Path First. It'll also do all of those aspects that you would typically get within a normal networking environment; you can have those within these virtual environments as well. You have high availability. The nice part about having it within the cloud is you can actually have the systems highly available, which basically means if something were to go down, it will automatically roll over to something else. So you can have high availability set up in a failover situation for these routers, versus having to go out to a traditional router that I have within our network. I may have multiple routers in place, I may have multiple firewalls in place, because they're physical firewalls, because if one was to fail, and all the traffic is going through both firewalls, if one was to fail it would fail open or it would fail over to the other firewall, allowing the traffic to pass through. Another one is cloud-based firewalls. They have various states. We have stateful and stateless firewalls. Those are all available to you in the cloud, and there's virtual implementation on how you would put those together. They have IDS, which is your intrusion detection and prevention systems, and then they also have deep packet inspection. 
So each of these things that we've talked about within the standard networking environments are available to you within the virtualized components. So all of that's out there, and it makes it really nice. So I'd highly recommend that you go out and you test it and play around with it. See what you can do. Now, when it comes to AWS, I do have some students who are actually in college. When I was teaching college at our local university, as a student you could sign up for $100 of free credits with AWS. Now, we used it within the IoT Core environment, but you can use it in other pieces of AWS as well, so I'd highly recommend you go out and just play with it. Go use it, see what you can do. But the key on this, though, is, and it's very inexpensive, just don't forget about what you did, because you will have a bill at the end of the month. You can do a lot with $100, because most of these systems, when you set them up, it's all based on the amount of traffic that goes through them, and if you have very little traffic, you probably will never go through the $100 of free credit that they actually give you. Another area that you're going to see in the cloud that we talk about is cloud access security brokers. Now these CASBs, which you typically talk about as CASB, Charlie Alpha Sierra Bravo, these CASBs are designed as a security broker that you can log into, and they give you a lot of capability just for what they can do. Another thing I forgot to mention is, if you are listening to this or if you're watching it, you'll be able to see these. The video will be put on YouTube. It's also on CISSP Cyber Training, as well as some of the content that I'm talking about here; it's actually in a document form, so you can kind of look at that as well. But the cloud access security brokers, they are set up in a couple of different ways. They are API-based and they have proxy-based CASBs. What it really kind of comes down to is: how does it fit within your network? 
An API-based CASB will allow any APIs to connect into it and be able to feed data, and then you'll be able to log in and see how that environment is working. Your proxy-based CASB is working from a proxy standpoint, where now it's a proxy of your network. It's incorporated within your network, and now the data that is typically on-prem is now going to this proxy CASB. The nice part about the CASBs, and we'll get into those in a little bit, is they give you the security appliance and the security dashboards that you typically wouldn't have unless you have invested in a very expensive product such as ArcSight or Splunk, something along those lines. It gives you that ability to turn knobs, flip switches and to really truly understand the security posture of your environment. Another thing around CASBs that they can do is they can provide you data loss prevention, and it can scan the data before it leaves your network. As an important factor in this, I would say, I'm just going to point fingers at myself completely, there are ways that I'm not using CASBs as much as I should. As I talk about this, I realize, oh yeah, you know what, I could probably use this in other ways within my own organization. There's different aspects to think about as it relates to these tools. You can use all of these tools like a Swiss Army knife, which basically means you flip open one blade and you have a blade. You flip over another part of the Swiss Army knife and you have a corkscrew. You flip over another one, you have scissors. The point is that there's a lot of things you can do with these various tools. The key is, one, doing the research and then truly understanding what the tool can give you. I'd say that's probably one of the biggest challenges that security folks have: understanding what each of these tools can do and how we can utilize them in a way that's cost effective and reduces the risk for our organization. 
The other thing that CASBs can do is provide tokenization, which basically means if you're dealing with GDPR, you have to remove the sensitive data before you share that sensitive data with people. Well, the CASB can remove that or substitute that sensitive data before it's in transit. So it does give you the ability to anonymize data before it goes or leaves the environment. So that's a really great tool and a great capability that it has. Now, when we get into cloud storage, there's different types of storage within the cloud that you are going to be exposed to. You have object storage, you have block storage and you have file storage. So, your object storage: this is where you can have data replication. This data can be copied across the network and across regions. It can also be copied across VPCs themselves. So it's the same type of situation you would run into on your on-prem network, but it can be done in a virtualized environment. You also have the ability to do data transmission with secure protocols such as HTTPS and SFTP. Now, you know we deal with HTTPS; you all have dealt with that from your web browsing, and SFTP is your secure file transport protocol. The nice thing is that setting up these SFTP connections, and even using IPsec, which is your IPsec protocol, in the past has been very challenging. In the cloud environment, it's just a matter of clicking a few little buttons. It can be overwhelming on how to do it, but once you figure it out it can be very, very intuitive and very easy. But it makes it much more capable, much more easy to be able to turn these kinds of protocols on, where in the past I would have to call a network engineer to make that IPsec connection between two systems; now I can do it myself through the cloud. When you're dealing with block storage, it's the same type of thing you would do with your network: you can attach and detach these different block storages to your virtual environment, and you can get these. 
You can basically say I have a server, I want to add block storage to it, and it's a matter of just a few clicks and you have that already set up. Now, obviously, the cost, it's not free, so the more storage you provide, the more it will cost you, but it is a very easy process by which you can add storage to these systems. You also can add volume encryption much quicker than standard encryption on a database. So, as an example, if you use encryption in a SQL environment, you can do this, but I have to rely on the database engineers, like we talked about before, to be able to enable that for me. I can't just go do it, whereas if I am managing my virtual environment through AWS, I can actually turn on the overall volume encryption by myself. Now, the downside of this comes in if I don't know what the ramifications of doing that are; I could actually cause myself a little bit of headache, and then I have to troubleshoot why I put the encryption on but things are breaking. So you still need these database folks to help you with that. But it's much more useful and easier for me to actually turn the security tools on, versus just letting someone else do that for me. Now we're going to get into file storage. This is where you have network file systems, or NFS. This is where you can mount storage over your specific network, and it allows the network to be the conduit to store this information. That's a really cool option. Now, you have this right now, right? If you look at networking, you're probably going, yawn, I've done network file storage forever. Well, you have, and it's been stuck within your own network, in most cases, not always, but in most cases. Here it's the same concept, but now it's done and it's scattered across your overall virtual environment, so it's great. 
The downside is, though, from a security standpoint, the more network file systems that you have, the more places you're storing data now, the harder it becomes to secure and to know where all that data is going. So there's a downside to that. The server message block: this is also a Windows-based network file storage system, and that SMB is something you've dealt with, as it relates to standard networking, most likely, but you get that same capability with the cloud. So now we're going to talk about hybrid and multi-cloud networking. So what is that? So, when you have a direct connect, this deals with AWS. So if you have an environment, say your machine shop somewhere, you can have a Direct Connect with AWS, which basically means anything that I drop on my network within my environment, within my little machine shop, will automatically get pushed to the AWS environment. That's a Direct Connect. Azure calls it ExpressRoute, but basically what it comes right down to is what it bypasses. You have two different options: you have private peering and you have public peering. The private peering will bypass the public internet and go directly; you have a direct connection from your house or from your machine shop to the AWS servers. There's public peering, where it will access these same cloud services over the internet that are on a dedicated link. So the whole point of it comes into, if you want to have it private, you would have a Direct Connect, that's a private link to AWS. Then you have a public, more or less a public, link you use over the internet to AWS. Of those, the standard default would be the public peering. If you want a private network, then you will have to pay for it, but there is the ability for you to do that, so just keep that in mind as you're looking at your overall cost, and that's considered what they call a hybrid environment. So when you have that Direct Connect, they consider that a hybrid environment. 
Now, if you have a multi-cloud, well, let's say, for instance, you have a cloud with AWS and you have a cloud that is with Azure. If you have these clouds set up, then what will happen is that you can actually transfer data between these various clouds. Now, if you do that, there is some cost that's associated with it and there are some optimization techniques that you will have to put in place to do that. It isn't as simple as "I want to connect my AWS environment to my Azure environment," and if they talk the same, everything's the same, giddy up. Now, relatively speaking, it is relatively easy to connect the two. However, there are some costs that can be associated and there are some potential optimizations that you would need to take care of and put in place to make that happen. But again, the bottom line is it's not as difficult as it may seem to be, but there will be some aspects you'll have to work through.

Now, when we deal with cloud network security, there are different kinds of models that we'll talk about. There's a cloud network security model, which is a shared responsibility model, and this is where the cloud provider shares the same responsibility. You have network infrastructure, it gives you basic security controls, et cetera, and the cool part about the shared responsibility model (I can't speak, sorry) is the fact that you then push it off to the cloud. So if you have a situation where the cloud has to provide all of these aspects, your infrastructure, your security controls and so forth, that is what the expectations are and that is what they are supposed to do. When you're dealing with the customer's responsibility around this, this may be the fact that you are responsible to put in encryption. You're responsible to put in IAM, or identity and access management. That is your responsibility. The cloud doesn't... the AWS providers of the world, right, they are not responsible for that information.
Now they may provide that for you and they may be able to help you set it up, but if you don't want it, they're not going to put it in place for you, just because of the added complexity and cost that goes with it. So it's important for you to understand what is the cloud's responsibility and what is the infrastructure's, or the company's, responsibility. So, as you're looking at these questions for the CISSP, think about that, and you want to make sure that you understand the differences between what is AWS's responsibility, and Azure's, and what is your responsibility as the person deploying it.

Another thing to think about is cloud security posture management, what's called a CSPM. That's Charlie, Sierra, Papa, Management. Again, the thing with M is Mike, Mike. It doesn't have to be mango, it's not mango. Well, it could be a mango, but no, Charlie, Sierra, Papa, Mango, the mango part of this. So when you're doing configuration audits, it will help you with the overall security posture of your company and of your AWS deployment, and that's a really great thing, especially when you're dealing with compliance and auditing and assessing. So having that ability to do that is really important. It also will help you with compliance monitoring to ensure you're meeting regulations such as GDPR and HIPAA. So the CSPM is a good add-on to be able to do that, and there are also companies out there that will help you even get that started and set up. But the CSPM is a really good way to help from a compliance-slash-audit-and-assessment capability.

Now we talked about different types of service endpoints. You have public endpoints. You have private endpoints. So when you're dealing with an endpoint, what is a public endpoint? This allows you to access data over the internet. Now it's the basics of public services and how they are potentially accessed. Now the problem when you're dealing with a public endpoint is that there are risks associated with them.
You have man-in-the-middle attacks that could be a potential risk that you may have to deal with. So it's important for you to understand any sort of endpoint that you put out on the internet. You ensure that, if it has to be a public endpoint, the same kind of issues you run into when you have a web application or some sort of web application service of some kind, you would have people have access to it through the public internet. So it's just important for you to understand, if you're putting an endpoint out there, a public endpoint, what exactly is it and what are you exposing?

Private endpoints: these are basically internal network access. These are accessible through your VPC. The good thing about this is they are available internally to your network and they are relatively secure. The bad part is they're not available to the world. So you have to decide: is the private endpoint something I want, or is it a public endpoint that I want? The private endpoints are secure and there are aspects that you will want to determine. If my data is staying within my network and my data is to communicate with the cloud, then that system would be staying inside and so, therefore, it would be private. And if I have individuals that are accessing this data from around the globe, then I would want to consider a public endpoint.

Okay, so how do service endpoints work? So, when we're dealing with endpoints, the service endpoints are endpoints that are actually communicating, providing services for you. Now, the service endpoint, with packet flow, you have data that's moving to and from a routed endpoint. It will have the source and destination that's tied to it, and then, as you deal with any sort of IP networking, you have a source and you have a destination and then you have the data that's transmitted between those two points.
You also have routing tables, which will provide you static and dynamic routing at these endpoints. You can configure this routing very similarly to what you would be able to do on a firewall. The point of this is that each of these will affect the overall routing table and, like I said, you can get very granular, so that these two systems, these two endpoints, can talk to each other, and maybe that's a static route where this is a specific IP address to a similar specific IP address and only those two can communicate. Or you can get very great, or very Gucci, and have dynamic routing in place where one device, one endpoint, can talk to many, or can talk to whatever endpoints actually pop up. You get into this especially when you're dealing with IoT, which is your internet of things; that can get really complex if you start getting into granular routing tables, and you can make your IoT environment extremely tight, extremely tight, but it does take a lot of management to be able to do that. And so the same thing with this: any endpoint that you work with, you can get very granular with it or you can make it much more open and broad. You just have to decide how much level of risk you are willing to accept when you do that.

You also can get DNS resolution through the service endpoints. You can provide custom DNS names, which is your domain name service, and these names can be mapped to specific service endpoints themselves. So you can have a DNS name that's set up for sean.gerber at job, sean at sean.com, whatever you want to say, and that service could be... you make a service name, scratch-your-nose at sean.gerber.com, and that scratch-your-nose will actually, when you hit that, run a Lambda function or run something on a specific endpoint. So you can get very customized with your DNS names.
And again, these are things that you can typically do in your normal networking environment, but I have to bring in a plethora of people to help me do that, whereas here you can configure all of this on your own.

So I'm going to give you just one use case around a public service endpoint and how that would work within a cloud database, and this can happen. You have a public service endpoint that's out there accessing a cloud database from any specific location. So how would this be set up? You have your initial setup, and your public endpoint would be set up for an AWS RDS instance. So what that means is your AWS RDS, that's Romeo, Delta, Sierra, is your relational database service, and it's the same as your SQL, MySQL. It's just a database environment. So you'd set up a public endpoint specifically to tie into this RDS environment, and then you'd set up your DNS resolution, which would be set up specifically for this public endpoint, such as my db-instance.12345678910, whatever you want to do. You know, whatever you want to do, go to AS abuse website at asbingliteratureusest. It's a big, long instance. If you go check out my site, you'll be able to see this specific use case called out intentionally, and the point of it is, though, you find that DNS name. Now, that DNS name is specifically designed for that RDS endpoint. Now, from a configuration standpoint, you would then set up firewall rules (I can't say that, firewall rules) to allow incoming traffic from specific IP addresses or IP address names, and only those would be allowed to access that specific cloud database. Then, accessing that database, the user of the application would then access the database by connecting to the public endpoint DNS. So they'd have the DNS, they know the name.
They don't know the IP address, but they know the name, and they would connect to that, and then once they connect to that, that would automatically point them to that cloud environment, and that's where the internet traffic goes through your AWS network and the firewall before reaching the RDS instance. So it's about a five-step process and it's relatively easy to do. So the great part about this is you can do this on your own.

Now, as a security professional, you're going, what am I supposed to know with all of this? The bottom line with this is that you need to understand how it works. Do you need to understand the super nuances of it? No. I don't understand all those super nuances of the AWS environment. I will tell you, though, that's one of the goals that I have for the rest of my career, to really try to understand AWS. I have not dedicated enough time to it, and that's something I want to do more of, and therefore I would recommend you pick something and go with it. But there's so much training out there available for you today on YouTube and other areas that you can really get smart on it in a way that will help you become more conversational, especially if your network people are starting to put this in place.

When you do security for AWS, there are a lot of different areas that you can have access to, and what will end up happening is we're just going to focus on a couple, just for this podcast and for this video. One is identity and access management, and this is based on role-based access controls, and role-based access controls are how permissions are set specifically on the endpoint, so the endpoint may have it where only one certain type of role can access the data, and that's how the roles are set up. You can do this with IAM, and you can configure IAM within your AWS environment, and it's relatively easy. Another one is firewall rules, which we've kind of already talked about
today as it relates to how you configure those rules allowing specific IPs to access these endpoints. This can be done through IP whitelisting and through port restrictions, so you can have specific IPs that can access the endpoints, and then you also can limit the range of accessible ports that can gain access through the firewalls. So there are a lot of areas you can work in, a lot of granular connections you can make within the AWS environment. So I highly recommend you kind of go check that out as well. But those are some of the security measures. Now, there are many more that you can do, but those are the basics, right? You have your IAM, your roles, and then you have set up your firewall rules to allow IPs communicating between the various environments.

You can also set up Lambda functions, which with AWS they call Lambda, but it's basically a script that will trigger in the event something happens. So it's an if-this-then-that kind of thing the Lambda function can trip. Now you have integration with services. You can integrate with databases, SQL, NoSQL. You can do all of those aspects. You can integrate with other types of relational databases that are out there. AWS has a plethora of databases that you can connect to. You can use their own RDS environment as well. They have storage services, which you have object, block and file storage, which we kind of talked about already. They have APIs. They have the RESTful API, and if you're not familiar with what a RESTful API is, it's basically an API that when anything is posted to that API, it automatically runs. So it's how you can define those APIs. That's the RESTful state, but also you can secure them based on how you integrate with your RESTful APIs. I just know enough to be really dangerous with RESTful APIs, just talking to some of my developers, but at the end of the day, there's a lot you can do just from an API standpoint.
Now, from a security standpoint, I would say APIs are one of my biggest concerns, and they should be yours as well, just because there are so many ways you can... In the past, you had only certain VPNs and connections into your environment. Now you have all these APIs. You're adding more and more connections into your environment, and in many cases people don't have good visibility into what is actually coming into and going out of their environment.

The next one is serverless architecture. You have functional endpoints. These are triggering a serverless function, which basically means a script. It doesn't need a full-up server to run this capability. Now, I don't mean... "it's a script" is probably a little bit too generic. You know, a script is just a couple of kilobytes of data and you run it. This, instead of having an entire server designed to run maybe a small couple of processes, you now can just run these processes, and it utilizes a certain percentage of the overall server to run these processes. So it's a step beyond a script, but it's kind of like a script. But there you have that. Overall, serverless architecture is a very helpful part.

And then the various use cases we kind of talked about again, where you have hybrid cloud scenarios and you also have multi-cloud deployments. Interconnecting of the clouds can occur very, very easily, and you can have endpoints that can communicate between these clouds. However, keep in mind, the cost associated with inter-cloud connectivity can go up quite substantially, especially if you're dealing with any sort of data replication between one cloud and another. You really have to watch your expenses because it can get out of hand very fast.

All right, that's all I've got for today. I hope you guys had a wonderful experience. I hope you learned a lot about cloud essentials
as it relates to the CISSP. Go check everything out at CISSPCyberTraining.com. You can get access to my free CISSP questions; just go to FreeCISSPQuestions.com and you can get access to those. Also, just go to CISSP Cyber Training and you can get access to all of this content. I have $1 trials that are set up to try out the content. Just spend a buck and go check it out, see if you like it. If you don't, just cancel, it's not a big deal. But all of this data and information is available for you. The best thing about this CISSP training over my other competitors out there, I'll just be honest, is I'm giving you the expertise from a CISO, someone who has dealt with all of these aspects. I can help you, and it's more than just learning to pass the CISSP exam. You are actually going to get the information you need to be successful in the role and learn what you need to learn to be able to be that CISO, or to be that director of IT security, or just lead whatever you want to be as it relates to security in your environment. I've been there, done that, I got the t-shirt. I can help you. So just check it out, CISSPCyberTraining.com, and go and see what we can help you with. All right, we'll catch you on the flip side, see ya.
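As an added illustration of the firewall-rule step in the public RDS endpoint use case above, and of the configuration audit a CSPM performs, here is a small Python check (my own example, not code from the podcast or from AWS) that flags a publicly accessible RDS instance whose security group admits the database port from the whole internet, from a broad source range, or on more ports than the database needs. The instance and rule dictionaries are constructed sample data whose shape only loosely follows the AWS API, and 203.0.113.0/24 is a placeholder application address range; the weak group and its corrected form sit side by side.

```python
import ipaddress

DB_PORT = 3306  # MySQL-style RDS listener port assumed by this example

# Constructed sample data (not real AWS output). The dictionary shape is only
# loosely modelled on boto3's describe_db_instances / describe_security_groups.
SECURITY_GROUPS = {
    # weak: DB port reachable from the whole internet
    "sg-weak": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "CidrIps": ["0.0.0.0/0"]}],
    # corrected: only the application's address range (placeholder /24)
    "sg-fixed": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                  "CidrIps": ["203.0.113.0/24"]}],
    # all protocols and ports from a large private range
    "sg-all": [{"IpProtocol": "-1", "CidrIps": ["10.0.0.0/8"]}],
}
PUBLIC_DB_WEAK = {"DBInstanceIdentifier": "mydb-weak", "PubliclyAccessible": True,
                  "VpcSecurityGroupIds": ["sg-weak"]}
PUBLIC_DB_FIXED = {"DBInstanceIdentifier": "mydb-fixed", "PubliclyAccessible": True,
                   "VpcSecurityGroupIds": ["sg-fixed"]}
PRIVATE_DB = {"DBInstanceIdentifier": "mydb-private", "PubliclyAccessible": False,
              "VpcSecurityGroupIds": ["sg-weak"]}


def rule_exposure(rule, db_port):
    """Describe how one ingress rule exposes db_port, or return None if it does not."""
    all_traffic = rule.get("IpProtocol") == "-1"   # -1 means every protocol and port
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if not (all_traffic or (lo is not None and lo <= db_port <= hi)):
        return None
    problems = []
    for cidr in rule.get("CidrIps", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen == 0:
            problems.append(f"open to the internet ({cidr})")
        elif net.prefixlen < 24:
            problems.append(f"broad source range ({cidr})")
    if all_traffic or hi > lo:
        problems.append("more ports than the DB port alone")
    return "; ".join(problems) or None


def audit_rds(instance, security_groups, db_port=DB_PORT):
    """CSPM-style check: list findings for an RDS instance's public endpoint."""
    if not instance["PubliclyAccessible"]:
        return []  # private endpoint: reachable only inside the VPC
    findings = []
    for sg_id in instance["VpcSecurityGroupIds"]:
        for rule in security_groups.get(sg_id, []):
            problem = rule_exposure(rule, db_port)
            if problem:
                findings.append(f"{sg_id}: {problem}")
    return findings
```

Running `audit_rds(PUBLIC_DB_WEAK, SECURITY_GROUPS)` reports the open rule, while the corrected group and the private instance produce no findings.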
