1
00:00:02,340 --> 00:00:04,870
Let's talk about assessing security in the

2
00:00:04,870 --> 00:00:09,330
cloud. Now there are really three key areas

3
00:00:09,330 --> 00:00:10,690
that you want to look at when you're

4
00:00:10,690 --> 00:00:13,310
assessing security in your cloud. The

5
00:00:13,310 --> 00:00:16,440
first one is a security assessment itself.

6
00:00:16,440 --> 00:00:18,590
Now this can either be done manually by

7
00:00:18,590 --> 00:00:21,060
you or a third‑party company like a

8
00:00:21,060 --> 00:00:24,270
consulting company, or this can be done

9
00:00:24,270 --> 00:00:28,290
using tools. And then you'll want to do

10
00:00:28,290 --> 00:00:30,400
some penetration testing of your cloud

11
00:00:30,400 --> 00:00:33,340
environment, and again, this can be done

12
00:00:33,340 --> 00:00:35,730
by your team or it can be done by a

13
00:00:35,730 --> 00:00:37,730
third‑party company like a consulting

14
00:00:37,730 --> 00:00:42,290
firm. And the last is vulnerability

15
00:00:42,290 --> 00:00:45,940
scanning, and this is really an ongoing

16
00:00:45,940 --> 00:00:48,900
activity that you continue to do for your

17
00:00:48,900 --> 00:00:51,250
cloud environment over its entire

18
00:00:51,250 --> 00:00:54,550
lifecycle. And vulnerability scanning can

19
00:00:54,550 --> 00:00:57,480
be done using tools to make this easy,

20
00:00:57,480 --> 00:01:00,910
such as Security Center that's a service

21
00:01:00,910 --> 00:01:04,160
in Microsoft Azure Cloud. Now there are

22
00:01:04,160 --> 00:01:07,860
many vulnerability scanning tools out

23
00:01:07,860 --> 00:01:11,000
there, and many cloud providers today will

24
00:01:11,000 --> 00:01:13,800
have their own vulnerability scanning tool

25
00:01:13,800 --> 00:01:15,870
that you can leverage while you're running

26
00:01:15,870 --> 00:01:19,700
workloads on their cloud. Let's talk about

27
00:01:19,700 --> 00:01:22,650
penetration testing. So with Microsoft

28
00:01:22,650 --> 00:01:25,500
Azure, you don't have to go and ask

29
00:01:25,500 --> 00:01:28,700
Microsoft for permission to do penetration

30
00:01:28,700 --> 00:01:31,550
testing, you can just do it, but there are

31
00:01:31,550 --> 00:01:34,830
permitted and prohibited activities that

32
00:01:34,830 --> 00:01:40,220
you can do, and here's a list of some of

33
00:01:40,220 --> 00:01:43,290
the permitted activities. So you could do

34
00:01:43,290 --> 00:01:45,930
things like port scans, you can do

35
00:01:45,930 --> 00:01:48,080
vulnerability assessments, if you're

36
00:01:48,080 --> 00:01:51,300
using, you know, the non‑Azure tooling to

37
00:01:51,300 --> 00:01:55,030
do that. You can do, you know, increase

38
00:01:55,030 --> 00:01:58,030
like the load against certain applications

39
00:01:58,030 --> 00:02:00,650
that you're running in Azure, and you can

40
00:02:00,650 --> 00:02:04,250
basically attempt to break some of the

41
00:02:04,250 --> 00:02:08,850
services, within reason. If you do happen

42
00:02:08,850 --> 00:02:10,880
to breach some of the services, you'll

43
00:02:10,880 --> 00:02:13,520
want to contact Microsoft right away, and

44
00:02:13,520 --> 00:02:15,900
you'll want to actually stop and contact

45
00:02:15,900 --> 00:02:18,310
Microsoft right away and let them know.

46
00:02:18,310 --> 00:02:21,280
Some of the prohibited services are listed

47
00:02:21,280 --> 00:02:26,900
here, and a big one is basically scanning

48
00:02:26,900 --> 00:02:30,430
or testing other Microsoft Cloud

49
00:02:30,430 --> 00:02:34,150
customers, so trying to do penetration

50
00:02:34,150 --> 00:02:38,950
testing techniques against other Microsoft

51
00:02:38,950 --> 00:02:42,970
customers. That's a big no‑no. Also

52
00:02:42,970 --> 00:02:45,520
another big no‑no, and this is common not

53
00:02:45,520 --> 00:02:48,390
just in, you know, Microsoft Cloud but

54
00:02:48,390 --> 00:02:52,490
across other clouds, is not being allowed

55
00:02:52,490 --> 00:02:55,220
to do denial‑of‑service attacks, also

56
00:02:55,220 --> 00:02:58,160
known as DDoS attacks, so they don't allow

57
00:02:58,160 --> 00:03:02,510
this. If you do a DDoS attack, you're

58
00:03:02,510 --> 00:03:04,270
probably going to get a call from

59
00:03:04,270 --> 00:03:08,600
Microsoft. Now AWS is kind of the same

60
00:03:08,600 --> 00:03:11,100
thing, you don't have to ask them for

61
00:03:11,100 --> 00:03:13,440
approval before you do penetration

62
00:03:13,440 --> 00:03:17,610
testing. They do have eight services that

63
00:03:17,610 --> 00:03:21,540
are listed where you don't have to ask for

64
00:03:21,540 --> 00:03:23,890
approval. If it's services outside of

65
00:03:23,890 --> 00:03:26,100
these eight, you will have to ask for

66
00:03:26,100 --> 00:03:28,450
approval. And here are those eight

67
00:03:28,450 --> 00:03:31,360
services that are permitted for trying

68
00:03:31,360 --> 00:03:34,730
your penetration testing. Now they have

69
00:03:34,730 --> 00:03:37,530
prohibited activities as well, and these

70
00:03:37,530 --> 00:03:40,740
are things like zone walking using their

71
00:03:40,740 --> 00:03:44,930
Route 53 service, and again, DDoS, they

72
00:03:44,930 --> 00:03:48,320
don't want you doing DDoS attacks against

73
00:03:48,320 --> 00:03:55,000
the cloud environment, and things like request flooding.
