0.1.1.1. Clouds

1. Intro

Tester here.

Cloud technology makes me dizzy. There are too many concepts, services, and so much lingo. Even though cloud computing has been around for over a decade, it still feels overwhelming.

As a simple person, I decided to approach cloud computing with a systems engineering mindset—stepping back to get a 50,000 ft view of the big picture.

2. What & Why Systems Engineering?

A systems engineering approach breaks down complex systems into manageable pieces. This helps us understand, analyze, and eventually test and exploit them.

Let’s oversimplify the process:

Need: Define the problem (use cases & feasibility)
Requirements: Identify functional, physical, interface, and constraint requirements
Architecture & Design: Develop high-level and low-level blueprints
Implementation: Build and configure the solution
Integration: Connect the new system with existing ones
Verification & Validation: Ensure the system works as expected
Deployment & Operations: Maintain, monitor, and scale the solution

A side note

On that note, Cost, Schedule, and Performance (CSP) are core constraints that guide decision-making and trade studies in Systems Engineering (SE). Systems engineers balance these factors throughout the system lifecycle to ensure successful delivery of complex systems.

Why am I bringing this up here? Because this is a great way to communicate with stakeholders!

As we can see, security doesn’t naturally show up in the CSP triad. Not many organizations (at least historically—maybe it’s changing now) are going to say, “I want my system to be perfectly secure.”

This makes our position as security engineers especially interesting. We’re the ones who have to convince them to fix their system. If we can tie our findings to cost, schedule, or performance, then non-cyber folks will understand the impact of a vulnerability much better—which ultimately leads to a stronger, more resilient product.

Before smart people build cool things, they follow this structured process. Let’s see how this works with a couple of examples.

2.1 Use Case 1: The Individual (Bob’s Home Server Journey)

Imagine Bob wants to access his data from anywhere. He’s probably tired of buying a new laptop every year. Instead of dropping cash on another machine, maybe he decides to build a home server.

This home server could run his own local LLM, store a bunch of photos, run Kali Linux, and more. Basically, a personal powerhouse that he can tap into whenever he wants. As long as Bob has internet access, he can remote into his super-duper machine and grab anything he needs. Sounds awesome, right?

To make that happen, Bob needs to take the following steps:

Steps:

The DIY Approach:
- Bob exposes his router to the internet.
  - Simple: Bob → Router → Home Computer
- He soon gets random connection requests from hackers.
The First Fix:
- Bob adds a firewall and basic username/password protection.
- System Progression:
  - Enhanced: Bob → Firewall → IdM (Identity Management) → Router → Home Computer
Expanding Storage:

Bob runs out of space and adds an external hard drive.
- Enhanced+: Bob → Firewall → (IdM) → Router → Home Server (NAS) → Storage

Hardware Upgrades:
- After upgrading his CPU, Bob realizes that maintenance costs (RAM, CPU, RAID, UPS, etc.) are spiraling out of control.
  - Enhanced++: Bob → Firewall → (IdM) → Router → Home Server (NAS) → Storage → RAID → UPS → @

The Problem: Even for one person, maintaining an IT setup can quickly become expensive and overly complex.

2.2 Use Case 2: The Business (AtoZ Cyber LLC)

AtoZ Cyber LLC is a small business that sells books and educational materials. They have employees distributed across the globe. Since their website is a major revenue source, it must be available 24/7 — any downtime results in lost profit. As a small company, their network started out relatively simple.

Stage 1: A Basic Setup

Scenarios:

In-Person Workers: IdM → Internal Server
Remote Workers: IdM → VPN → Firewall → Internal Server
Customers: Firewall → Website → Data Server

Stage 2: Growth & Complexity

-As AtoZ Cyber grows:

The customer base increases, requiring more scalable infrastructure.
The volume of data grows, demanding better storage and redundancy.

New Architecture:

Customers:
Load Balancer → Firewall/WAF → Web Servers → Data Server (High Availability Setup) → CDN
Remote Workers:
IdM → VPN Gateway → Firewall → Internal Network

Business Pain Points:

Rising hardware and maintenance costs
The need for 24/7 availability and scalability
Increased security risks with more complex architectures

3. Enter the Cloud

Both use cases highlight two major challenges:

Scalability: Systems shall grow on demand.
Availability: Systems shall be online 24/7 without downtime.

3.1 How Cloud Solves This?

Cloud computing addresses these issues by outsourcing infrastructure management. Instead of buying, maintaining, and securing physical hardware, businesses leverage cloud providers like AWS, Azure, and GCP.

💡 With just an internet connection, businesses can scale globally—without the headache of managing hardware.

4. Cloud Services Mapping: AWS, Azure, and GCP

Function / Category	AWS	Azure	GCP
Compute - Virtual Machines	EC2	Virtual Machines	Compute Engine
Compute - Serverless	Lambda	Functions	Cloud Functions
Compute - Containers	ECS, EKS, Fargate	Kubernetes Service (AKS), Container Instances	Kubernetes Engine (GKE), Cloud Run
Storage - Object Storage	S3	Blob Storage	Cloud Storage
Storage - Block Storage	EBS	Managed Disks	Persistent Disk
Storage - File Storage	EFS	Azure Files	Filestore
Networking - Virtual Networks	VPC	Virtual Network	VPC
Networking - Load Balancing	Elastic Load Balancer (ALB, NLB, etc.)	Load Balancer, Application Gateway	Cloud Load Balancing
Networking - Content Delivery (CDN)	CloudFront	Azure CDN	Cloud CDN
Networking - DNS	Route 53	Azure DNS	Cloud DNS
Networking - VPN & Direct Connect	VPN, Direct Connect	VPN Gateway, ExpressRoute	Cloud VPN, Interconnect
Database - Relational	RDS (supports MySQL, PostgreSQL, etc.)	SQL Database, Managed Instances	Cloud SQL
Database - NoSQL	DynamoDB	Cosmos DB	Firestore, Bigtable
Database - Data Warehouse	Redshift	Synapse Analytics (formerly SQL Data Warehouse)	BigQuery
Database - In-Memory	ElastiCache	Azure Cache for Redis	Memorystore
Analytics - Big Data Processing	EMR	HDInsight	Dataproc
Analytics - ETL / Data Integration	Glue	Data Factory	Dataflow, Data Fusion
Analytics - Interactive Query / Analytics	Athena	Synapse (serverless SQL pool)	BigQuery
AI/ML - Model Training & Deployment	SageMaker	Azure Machine Learning	Vertex AI
AI/ML - Prebuilt AI APIs	AI Services (e.g., Rekognition, Polly, Comprehend, etc.)	Cognitive Services	AI APIs (e.g., Vision API, Speech-to-Text, Natural Language API, etc.)
Security - Identity & Access Management	IAM	Azure Active Directory (Entra ID)	IAM
Security - Single Sign-On & Identity Management	IAM Identity Center (SSO)	Azure AD SSO	Cloud Identity (integrates with Google Workspace)
Security - WAF & DDoS Protection	AWS WAF, Shield	Azure WAF, DDoS Protection	Cloud Armor
Security - Monitoring & Threat Detection	Security Hub, GuardDuty, Detective	Security Center / Defender for Cloud, Sentinel	Security Command Center, Chronicle
Management - Infrastructure as Code	CloudFormation	ARM Templates, Bicep	Deployment Manager
Management - CI/CD	CodePipeline, CodeBuild, CodeDeploy	Azure DevOps, GitHub Actions (integrated with Azure)	Cloud Build
Management - Monitoring & Logging	CloudWatch, CloudTrail	Azure Monitor, Log Analytics	Cloud Monitoring, Cloud Logging (Operations Suite)
Messaging - Message Queues	SQS	Service Bus	Pub/Sub
Messaging - Event Bus / Event Routing	EventBridge	Event Grid	Eventarc
Messaging - API Management	API Gateway	API Management	Apigee, Cloud Endpoints
Developer Tools - Code Repositories	CodeCommit	Azure Repos	Cloud Source Repositories
Developer Tools - Cloud Shell	CloudShell	Cloud Shell	Cloud Shell
Developer Tools - Artifact Repositories	CodeArtifact	Azure Artifacts	Artifact Registry
Migration - Data Migration Services	Database Migration Service (DMS)	Database Migration Service	Database Migration Service
Migration - Physical Data Transfer	Snowball, Snowmobile	Data Box	Transfer Appliance
Internet of Things (IoT)	IoT Core	IoT Hub	IoT Core (Deprecated as of August 2023)

5. Cloud Development Framework

Let’s map the structured systems engineering approach to cloud development, incorporating the customer's perspective at each stage.

Stage	Cloud Example
1. Need	Business wants to scale globally without hardware.
2. Requirements	Define compute, storage, security, and cost constraints. "I expect my data to be secure and services to be affordable."
3. Architecture & Design	Cloud blueprints (e.g., microservices, multi-region setup).
4. Implementation	Deploy services (e.g., AWS Lambda, S3, IAM policies).
5. Integration	Connect with other systems (e.g., on-prem to cloud VPN).
6. Verification & Validation	Load testing, security testing, monitoring setup.
7. Deployment & Operations	Monitor with CloudWatch, auto-scaling, disaster recovery.

Cloud Development Requirements Specification

1. General Requirements

1.1 The cloud-based system shall provide scalable infrastructure to support business growth.
1.2 The system shall ensure high availability (99.9% uptime or higher) to meet customer expectations.
1.3 The cloud platform shall support multi-region deployment to enhance performance and redundancy.
1.4 The solution shall integrate with on-premises systems when necessary.

2. Security Requirements

2.1 The system shall enforce Identity and Access Management (IAM) policies to restrict unauthorized access.
2.2 The cloud infrastructure shall comply with industry security standards (e.g., ISO 27001, SOC 2, NIST).
2.3 Data at rest shall be encrypted using AES-256, and data in transit shall be secured with TLS 1.2 or higher.
2.4 The system shall provide DDoS protection and Web Application Firewall (WAF) capabilities.
2.5 Multi-Factor Authentication (MFA) shall be enforced for privileged accounts.

3. Performance & Scalability Requirements

3.1 The cloud infrastructure shall auto-scale to handle peak traffic loads without service degradation.
3.2 The system shall provide low-latency content delivery through a CDN for global users.
3.3 Cloud services shall support serverless computing to optimize cost and resource efficiency.

4. Reliability & Availability Requirements

4.1 The system shall implement disaster recovery mechanisms with an RTO (Recovery Time Objective) ≤ 30 minutes.
4.2 The cloud provider shall offer SLA-backed uptime guarantees for critical services.
4.3 The cloud architecture shall support multi-zone redundancy for fault tolerance.

5. Compliance & Governance Requirements

5.1 The cloud environment shall support audit logging and monitoring to detect security incidents.
5.2 All deployments shall follow Infrastructure-as-Code (IaC) best practices for consistency.
5.3 The system shall enforce least privilege access for all cloud resources.

6. Customer Experience Requirements

6.1 The system shall provide a fast, responsive, and intuitive user interface for customers.
6.2 Authentication and login processes shall be secure yet user-friendly (e.g., SSO & OAuth support).
6.3 Customer support shall be available 24/7 to handle critical issues.

1. Clouds testing Scoping

Learn how to attack clouds

0. Attack Clouds
1. Search for Credentials - Services
2. Search for Credentials - File