When we get to infrastructure as a service, you get the most control, but pretty much you're doing most of the work. You may be allocated raw disk space that you then have to configure. You get more visibility as you move from software as a service to infrastructure as a service, but you have a lot more work to do: configuring and maintaining the operating system, maybe even configuring and maintaining the storage platforms upwards, the operating system, the applications, everything. Now you're in pretty much the same space as managing an on-premise data center, the difference being that physically it is not located in your data center, but otherwise you're doing the same amount of technical work.

Let's just look at the overview, then, of these three models. We've gone through on-premise, where we manage everything. We sit at the other end of the spectrum with software as a service, where somebody else manages everything. So, two extreme options. With infrastructure as a service we gain access to most of these things; platform as a service, some of these things; software as a service, less again.

Now, those are the most common types of cloud model; however, there are others. In fact, we're at the point where pretty much anything can be delivered as a cloud model, and people have almost come up with a catch-all. So, backend as a service, where you get access to some complex backend systems but you don't have to deal with the infrastructure involved with them. Identity as a service: when you logged in today to learn at isc2.org, you logged in using identity as a service, using a cloud-based identity service provider. And as I said, there's that casual XaaS, which is now commonly referenced: it's anything as a service. We can get virtual switches, firewalls, gateways, load balancers, servers, storage platforms; pretty much anything is available as a service now.

Just thinking about our network, then, and coming back to what we looked at in the first chapter.
The idea of splitting the network up, breaking it into smaller security zones. With one big flat network, if you have something like a worm that infects all of the hosts, it will take down everything on that network; by breaking that network up, if we have a threat, it may not pass between the security boundaries. Also, there may be no need for people in different security groups to know about the other areas' information or traffic, so we can break those up as well. Maybe a research laboratory on the left versus a finance team on the right. They don't need to interoperate, so we can segment them.

And we have the idea that we looked at of defense in depth, but here we have a slide just showing this from a more networking perspective. So I mentioned the idea of it being more like an onion, a layered approach. Well, here we see different layers within a network, different segments: our physical perimeter, our logical perimeter, our local network, our applications, each of them with different security. And defense in depth has been developed out into a more complex model of segmentation. So this is a slightly different one. I said it's been developed out; it's an evolution in thinking, but it's a completely different model. Zero trust is about micro-segmentation.

From a network perspective, it became very popular in 2021; there was an executive order from the White House that focused on advancing towards a zero trust architecture. So this has become really big news, certainly since then; it was already popular as a model. And the idea is not to trust: never trust, always verify. Just because somebody is authenticated, it doesn't mean you trust them. Somebody is in your building with an ID badge; they must have been authenticated by the reception area, by the lobby, or by security. Without zero trust we might accept that; in a zero trust environment we would still challenge them as they move between different parts of the building.
And the same is true from a network perspective, which is what we're talking about right now. The way we achieve that in the network perspective is by further segmenting the network: micro-segmentation. Just because an entity is in a trusted zone, it doesn't mean it can be treated as trustworthy. This makes us think about how we segment the network, what security boundaries we have, and also how we manage this within a cloud environment as well.

We have a concept of Network Access Control. Network Access Control is about managing access to your network, and at its most fundamental this can be disabling unused ports. One of my favorite tricks when undertaking security testing is to go into a reception area, sit down in the comfortable seating, and look for a floor box, one of those floor panels that has network connections and power in it, and I will try the network connections in the reception area. Commonly, not always but usually, those are left live. At that point I've gained physical access to the network, but I have not cleared the physical security perimeter. I've entered the building, but I haven't approached the reception; I've not been authenticated, I've not been registered. I've detected an unused port. You can find unused ports in parking garages, all kinds of weird and wonderful places, sometimes even on the external perimeter of the building. This is really bad practice. Your physical perimeter may be secure, but you've extended your logical perimeter in an insecure way. Disable unused ports.

Wireless, again, commonly extends beyond your physical boundary. Think about the risk that that entails. Can you modify your wireless in such a way that it lowers the power as it moves towards the edge of your building? What kind of security do you have for your wireless? Does it actually meet the needs of the organization? Your physical boundary is rarely contiguous with, rarely matches, your wireless boundary.
What we can use for Network Access Control in a more sophisticated environment is a piece of software on each client, and this reports to a server. When you try to connect to your organization's network, the client and server have a conversation, and what they're doing is looking at your posture. Do you have the right configuration? So what it will check is things like your patching level: are you fully patched? Have you updated your antivirus signatures, and so on? If you meet the security requirements of the organization, you are admitted; the Network Access Control system allows you access to the network. If not, commonly it will do one of two things. It will either give you access to an update part of the network only, so you can perform your updates and then come back and reapply for network access, or it will give you Internet-only access, again usually to perform updates. That's quite a clever way of working. If you have, for example, a sales team that are rarely in the office, maybe they are away from the office for three months and come back, and their laptops, their devices, may not be patched, may not be up to date, may have malware, who knows. This network access control is making sure that they are in the right posture, that they have the right conditions met, before allowing access to your network.

We can also break our network up virtually. We can segment our networks at layer 2. Now, at layer 3 we can create different IP subnets, different groups, and require routers to connect them, and that's effectively creating different networks, different local area networks. But we can do something smart at layer 2 as well. Our switch can label individual ports as belonging to different virtual local area networks, different VLANs, very commonly used. So a single network cable can carry traffic for many different virtual networks, and switches then forward frames only to those ports that are within the same VLAN.
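To make the two mechanisms just described concrete, here is an added example (it is not code from the course or from any NAC product): a minimal posture check of the kind a NAC server performs on what the client software reports, which then places the endpoint in either a corporate VLAN or an update-only VLAN, and a toy layer-2 switch that floods frames only to ports in the same VLAN. The host names, dates, VLAN numbers and the seven-day signature-age threshold are all constructed assumptions for illustration.

```python
"""Added example: NAC posture check feeding a VLAN assignment, plus a toy
layer-2 switch that forwards frames only within a VLAN. All hosts, dates and
VLAN numbers are constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed VLAN numbers: the production segment, and a quarantine segment
# that only reaches update servers (the "update part of the network").
CORP_VLAN = 10
UPDATE_VLAN = 99
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold


@dataclass
class Posture:
    """What the NAC client software reports back to the NAC server."""
    host: str
    fully_patched: bool
    av_running: bool
    av_signature_date: date


def posture_failures(p: Posture, today: date) -> list[str]:
    """Return the policy checks the endpoint fails (empty list = compliant)."""
    failures = []
    if not p.fully_patched:
        failures.append("missing OS patches")
    if not p.av_running:
        failures.append("antivirus not running")
    elif (today - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        failures.append("antivirus signatures stale")
    return failures


def assign_vlan(p: Posture, today: date) -> int:
    """Compliant endpoints join the corporate VLAN; anything else is put on
    the update-only VLAN until it patches and re-applies for access."""
    return CORP_VLAN if not posture_failures(p, today) else UPDATE_VLAN


class Switch:
    """Toy switch: each access port belongs to exactly one VLAN."""

    def __init__(self) -> None:
        self.port_vlan: dict[int, int] = {}

    def connect(self, port: int, vlan: int) -> None:
        self.port_vlan[port] = vlan

    def forward(self, ingress_port: int) -> list[int]:
        """Ports a broadcast frame arriving on ingress_port is flooded to:
        only ports in the same VLAN. Reaching another VLAN needs a router."""
        vlan = self.port_vlan[ingress_port]
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != ingress_port)


def demo() -> dict[str, list[int]]:
    """Admit two constructed endpoints and report which ports each can reach."""
    today = date(2024, 3, 1)  # constructed "today"
    endpoints = [
        Posture("laptop-finance", True, True, date(2024, 2, 28)),
        Posture("laptop-sales", False, True, date(2023, 11, 1)),  # away 3 months
    ]
    sw = Switch()
    sw.connect(1, CORP_VLAN)    # file server on the corporate VLAN
    sw.connect(2, UPDATE_VLAN)  # patch server on the update-only VLAN
    reach = {}
    for port, ep in enumerate(endpoints, start=3):
        sw.connect(port, assign_vlan(ep, today))
        reach[ep.host] = sw.forward(port)
    return reach


if __name__ == "__main__":
    for host, ports in demo().items():
        print(f"{host}: frames reach ports {ports}")
```

Run it and the patched finance laptop reaches only the file server's port, while the unpatched sales laptop reaches only the patch server's port; neither VLAN sees the other's frames, which is exactly why inter-VLAN traffic has to go through a router.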
So you could have a VLAN for the finance team or the research team, and they can only communicate with each other. In order for those VLANs to talk to each other, you need a router. So if you have a single switch with four VLANs, those four VLANs can no longer talk to each other. The switch would have to forward all the traffic to a router, and the router would have to reconnect those four different VLANs.

We have Virtual Private Networks, massively popular post-pandemic. Lots of home working, lots of people working in different ways, and Virtual Private Networks are ways of connecting either a device or even a remote site to your main network. So you're connecting to a network over an untrusted medium, either the Internet or somebody else's network, if you're working from a supplier's network for example. And usually we tunnel. We've got some fairly significant challenges in terms of trust, and so when we come to asymmetric encryption in the next chapter, we'll reference VPNs. We'll actually look at how that key exchange works. What we're doing is connecting individual devices, though: if you're remote working, you take your laptop home and you connect back to your corporate network, or to your education network, or whichever. And we can actually use this to connect entire offices together; you can have two firewalls connecting to each other over a VPN, or two network devices connecting to each other over a VPN, again across a private connection or across a public connection. VPNs are commonly used where you have that untrusted medium, where you're worried about somebody snooping on your traffic or being able to read your traffic, and it encapsulates all network communications going across the network.

Something that's becoming recognized as an issue is low-visibility devices; I would say increasingly recognized as an issue. I recently bought a new fridge freezer to keep my produce cool. It came with a wireless network card.
Now, I wasn't really interested in my fridge freezer being connected to the Internet. But everything, washing machines, smart lighting, lots of consumer devices, are now being network connected. Internet of Things devices are typically what we call these; cyber-physical systems, often. They're a device that sits logically on a network but actually interacts with the real world. You can start your washing machine from the office, and when you get home the washing machine has completed its job, maybe. All of this is great as a capability, but these devices may or may not have appropriate levels of security. And often the investment in IoT platforms, in terms of the processing capability and security capabilities, varies. So just bear in mind that you can have a very good, secure IoT device and also something that is incredibly insecure. IoT devices have been a target of attackers wanting to perform denial of service attacks, those bots that we talked about; IoT devices make for very popular devices, you can hijack them. The fact that they're low visibility as well may mean that we forget to update them. So if I look around my home or my office, the things that I look at needing updating are things like my laptop, my desktop. I wouldn't necessarily remember to upgrade the firmware on my fridge freezer or my washing machine. And also with IoT devices, their support lifecycle may be very short, one year, two years; there may be no patches available. My fridge freezer: I disabled the wireless card, I didn't really need it to be wirelessly enabled. Risk management: avoid the risk by turning it off, or else make sure that you are patching these things as best you can. Again, coming back to zero trust and micro-segmentation, creating a separate network segment for these IoT devices is best practice, very common to see that now.