Supply chain security is talking about third party suppliers and that's how you-, you're interacting with different providers. Now for our purposes, we'll be interacting with maybe a Cloud service provider which could be for example Amazon Web Services or Microsoft Azure. And if you think of the example of Office 365, which is a software as a service, we'll be accessing maybe Microsoft products, so we might be accessing Microsoft Office 365. Obviously, we're accessing as a user, we would have to be using the system so obviously we'd have to have some form of access control that allows the users of those systems, they need to be able to verify who we are and make sure that nothing's been tampered with in the provision of the information of the providing tourist. Obviously, it could be other types of applications as well but that's the main one in relation to supply chain security. 

So, secure user management is talking about phone or web applications. So, if I wanted use Office 365, I would-, I can use it on my laptop, I can use it on my phone, even an iPhone I can use. And those applications have to be verified and validated as a user on it, that could be like Duo as an example. So, if I wanted to use Microsoft on my applications, they'd need to verify and check who I am, make sure that the laptop I'm using is one that's a build and requirement for the business allowing me to access those Cloud resources. If suddenly I'm a completely different resource, then quite rightly they should challenge me and block access to it ‘cause that could be unauthorised access.  

So, identity and authentication is talking about a user, so a username and password, an email address and a password. We might want to build on top of that multi-factor authentication, which could be a token, could be biometrics, could be your eyes or fingers, to help authenticate a user. We need to make sure the person who's accessing the systems is an authorised user, the problem we have is and how people want to attack people in the Cloud, and this goes for other areas of cyber-security, it's unauthorised access. And they may try to do that through trying to steal your data, try to modify your data, or try to bring your systems through a DDoS attack, and that could bring the systems down. All social engineering where they're trying to make a phone call, a phishing technique, making a phone call to try to perpetuate to be you as opposed to anybody else, and then to gain unauthorised access to your account system through that. 

External interface protection is talking about the barriers of security around your network and systems. Physical security of people accessing your servers, having lockable doors so people can't access those controls, people want to steal data and obviously your data's on the Cloud but if you can access the interface itself, they could steal the data, bypass controls, take advantage of that, and get unauthorised access and steal your information. So that's things we have to put in place to help protect against this type of activity.   

Secure service administration is talking about users and admin, a lot of people-, let's just take an example, discretionary access control, we've covered this in earlier modules. Discretionary access control is talking about like a Windows user. A Windows user has an admin account and they have a user account, most people will create an account and they'll use themselves as admin, that's dangerous cause if you go onto the internet as an admin user, and someone compromises you, you can automatically activate malware straight away without any checks and balances. Whereas if you go as a user to connector sites and you accidentally click on a link or do something, it has to seek permission from the administrator to do that. So, we're talking about high privileged access, trying to limit the damage by doing that by just having the right controls in place to limit the damage mechanisms that could happen from them.  

Audit information of users is a two-pronged approach, one is where verifying and checking systems to make sure there's no malicious activity, inappropriate activity, misuse of activity, and potentially identifying any issues in terms of activity of the systems themselves. The second part of it is looking at it from a regulatory requirement, regulatory and compliance requirements. And obviously we'd have to-, we'd need to look to make sure that we are meeting a certain standard in relation to usage of the Cloud-, the Cloud itself. So, we have to follow certain guidelines, like we've discussed already about GDPR, PCI DSS, and these auditing process can give us a snapshot to see how effective they are running in terms of the function.  

So, secure use of the service, we're talking about getting the aggregate protection in place to protect our data. A lot of people may use systems poorly, and if you use the systems poorly, the outcome is that you are going to make ourselves vulnerable.  

So, we need to make sure that we use robust systems, only user accounts preferably have secure configurations, so not just by default, you know, default accounts are, are treacherous for organisations. And education and training are key elements to this cause you're obviously tackling inappropriate behaviour and reinforcing security mechanisms to help support and promote the business security. It's a cultural aspect that we have to look at.  

The fourteen security principles that we have outlined already, which relate to the Cloud security which is promoted-, created by the National Cyber Security, are there to help us protect our data, and users, and audit, and check, and balance of information. We're gonna obviously unpack this as the course progresses and we'll go into each area and expand on this just to learn about information security requirements and processes, policy, processes, procedures. Technical controls to help us deal with these types of security and eliminate as much as possible potential vectors that could be exploited by hackers.